Security at Beckon
Beckon incorporates security practices into every aspect of the product design and development life cycle and we also perform regular security reviews and security vulnerability testing of the Beckon production systems to ensure adherence to our security goals.
The Beckon application provides a variety of security features:
- Input and output checking within Beckon validates that user input and application output match what is expected. The Beckon application verifies a user’s access rights for every URI submitted; a request is forwarded to the application logic only if the user is permitted to access that URI.
- All content users provide to the application is either escaped or rejected, as appropriate, to prevent cross-site scripting, SQL injection and similar attacks.
- A permissioning system provides differentiated access to application functionality depending on the requirements of users with different access rights and roles.
- Separate architectural layers within Beckon govern read and write access to all data within Beckon, actively inspecting every transaction involving stored data and rejecting attempted unauthorized access, whether the attempt originates from an end user or from an undiscovered defect in the application logic.
- Preventative measures include frequent testing for cross-site scripting, script insertion, style hijacking, cookie theft, etc.
- All access to data within Beckon is performed over an encrypted HTTPS connection secured by a Class 3 Extended Validation Secure Server Certificate using 256-bit encryption.
- Our servers are located behind redundant firewalls and load balancers.
- The Beckon application servers are not directly accessible from the Internet except through the load balancers.
- Only application-relevant ports, such as port 80 (HTTP) and port 443 (HTTPS), are allowed through the load balancers.
- Beckon’s databases are firewalled from the application servers. No direct access from the Internet to the database servers is allowed.
- Servers are regularly updated with the latest security patches.
- All management traffic to the servers is encrypted and controlled by regularly changing access keys.
- Administrative access to servers is restricted to authorized staff and must occur over a secure encrypted session.
- Beckon performs regular third-party host penetration testing on all production servers.
Beckon is built on top of Amazon AWS and receives the benefit of Amazon’s audit and security measures as detailed at https://aws.amazon.com/security/. Security reports, certifications and attestations achieved by AWS include SAS 70 Type II, SOC 1 Type 2, SOC 2, ISO 27001 and others.
PROACTIVE MONITORING AND REMEDIATION
Beckon monitors all servers and services 24×7. Alerts are generated for various failure conditions, health statistics, and service availability measures. Failure of selected critical components of Beckon causes automatic and transparent replacement of the failed or failing components while alerting operations personnel to the condition.
REDUNDANCY AND BACKUPS
Beckon is designed with multiple redundancies that avoid single points of failure, for maximum availability.
- Beckon is built atop Amazon AWS. Beckon inherits and extends many of AWS’s availability and redundancy features, adhering to best practices for architecting on AWS for high availability.
- All data within the Beckon application is stored in at least two separate physical locations in real time.
- Replication at the database layer copies data from the master database to the slave database in a physically separate datacenter in real time.
- The Beckon application is designed with redundancy, eliminating single points of failure from all critical systems including load balancers, firewalls, switches and routers.
- Regular backups are made and stored in at least two physical locations.
THIRD PARTY TESTING AND AUDITS
Beckon regularly conducts security vulnerability and penetration testing using independent third-party services.
SECURITY TESTING POLICY
Beckon supports our customers’ safe and responsible security testing and reporting of security issues, provided the following simple rules are followed.
- All security testing must be coordinated with and approved by Beckon security. Please contact the Beckon security team at security [at] beckon [dot] com to discuss the details and arrange security testing environments.
- Report any issues or concerns privately and securely to Beckon security by sending email to security [at] beckon [dot] com. If at all possible, sign and encrypt the message using S/MIME certificates or PGP. Refer to the following section for more details on how to report security issues.
- Do not attempt any testing that could cause or trigger a Denial-of-Service condition.
- Do not attempt to access, modify, or delete information that does not belong to you or your organization.
REPORTING SECURITY ISSUES
To report security issues or problems with any of Beckon’s services, please follow these rules:
- If you want to conduct security testing, you must follow our Security Testing Policy above.
- Report all issues privately and securely to the Beckon security team by sending email to security [at] beckon [dot] com, and sign and encrypt your email using S/MIME certificates or PGP.
- To exchange S/MIME certificates or PGP public keys, please send a signed email message to security [at] beckon [dot] com.
- No access to S/MIME or PGP? Send us an email at security [at] beckon [dot] com and together we will find a different secure arrangement.
- When you report issues, please provide full details of the issue and all steps required to replicate the problem.
- Provide us with your contact information so we can follow up and ask for clarification or details if necessary.
REQUESTING SECURITY INFORMATION
Feel free to email security [at] beckon [dot] com to request additional information or to get specific questions answered. Please keep in mind that certain documentation is made available only to Beckon customers.
UPDATING OF SECURITY PRACTICES
Of course, Beckon updates these practices from time to time in response to changes in technology, business operations and security threats.