Elafent Security Whitepaper

Last updated 13 December 2017

1. Introduction

Security is a moving target and something that can't merely be looked at as a once-over exercise and then left alone. Threats are constantly being developed and evolve continuously, hence our approach is to perpetually adopt best practices and adapt to change. This whitepaper covers various facets that are essential to our development and operations practices in relation to security and related topics.

Your data and our systems are critically important to us at Elafent. They are fundamental to our cloud based products and we take significant measures to keep your data and our systems secure. Protecting your data is even more important to us than providing a great user experience and for those of you that use our products, you'll know we love providing awesome user experiences.

We take a holistic and multi-faceted approach to protecting our platform and your data. Constant review of our security practices and processes is routine and aligned with best practices.

The key areas outlined in this document include security approaches in the following domains -

  • Hardware Infrastructure

  • Operational Practices

  • Customer Data

  • Software Development.

This whitepaper is correct at the time of writing and we recommend regularly checking in to receive the most up to date information.

2. Hardware Infrastructure

Elafent’s cloud based platform is delivered from facilities located within Australia.

In order to support the unique capability of our products and high levels of security, performance, availability and scalability, we utilise a combination of -

  • Elafent hardware and infrastructure colocated within a world class, leading data centre provider in Australia

  • Infrastructure and services delivered through Amazon Web Services (AWS).

2.1 Data Centre Specifications

Our primary infrastructure and capability resides within a data centre where we run and operate our own hardware. This main data centre delivers reliability, security and interconnections to serve as our colocation facility. It has been accredited with the following certifications -

  • ISO 27001 (Security Management Standard)

  • SSAE16/ISAE3402 SOC-1 Type II (Attestation and Assurance Engagements)

  • PCI-DSS (Payment Card Standards).

This data centre is also equipped with and provides -

  • Power redundancy (N+1)

  • Cooling redundancy (N+1 on chillers & N+25% on CRAC units)

  • Multiple redundant high speed internet communication links

  • Redundant, secure interconnect communication links between Elafent’s and customer data centres where required.

Customers interested in learning more about this data centre may reach out to Elafent to request a personalised guided tour of the facility.

2.2 Amazon Web Services

Where it makes sense, we adopt secure, best of breed capability to improve the experience delivered to our customers. Amazon Web Services (AWS) offers tried and proven services that assist in delivering parts of our micro-service architected platform. Through AWS, the Elafent platform is better positioned to support the likes of -

  • High Performance File Storage

  • Business Continuity & Disaster Recovery

  • Data and Configuration Backups.

Amazon is a global leader in delivering infrastructure services and is at the forefront in their domain.

The key certifications and attestations relevant to Amazon’s hosting operations include -

  • ISO 9001 (Global Quality Standard)

  • ISO 27001 (Security Management Standard)

  • ISO 27017 (Cloud Specific Controls)

  • ISO 27018 (Personal Data Protection)

  • SOC 1 (Audit Controls Report)

  • SOC 2 (Compliance Controls Report)

  • SOC 3 (General Controls Report)

  • PCI DSS Level 1 (Payment Card Standards)

  • SEC Rule 17-a-4 (Financial Data Standards)

  • IRAP (Australian Security Standards)

  • FIPS (Government Security Standards)

  • DoD SRG (Department of Defense Data)

  • FedRAMP (Government Data Standards).

Additional information on the certifications / attestations, laws, regulations and frameworks Amazon’s data centres are compliant with can be found at https://aws.amazon.com/compliance/.

Elafent’s AWS footprint is limited exclusively to the Amazon Web Services (Sydney Region, Australia). As such, none of the data Elafent stores within AWS resides outside of Australia.

2.2.1 Business Continuity & Disaster Recovery

Elafent maintains a footprint within AWS which acts as a - 

  • Warm standby for some data microservices and data storage

  • Cold standby (pilot light) for all other microservices.

Critical data is routinely replicated to AWS so that in any unlikely event, we are able to switch across to maintain continuity of Elafent’s platform and services.

The recovery time required for this process would generally be within an hour.

This approach means that we can deliver business continuity in the unlikely event of extended outages in our primary infrastructure.

2.2.2 Data Backups

In addition to the data which is replicated as part of our business continuity and disaster recovery processes, we also routinely back up critical data outside of our primary data centre so it is saved and protected in any unlikely event. This process is automated.

3. Operational Security

3.1 Architecture

Elafent’s products deliver a unique capability in the market, supporting the aggregationcorrelation and dissemination of high volumes of structured and unstructured data to improve operational decision making and drive better outcomes.

In order to support this capability and maintain a great user experience, we have designed and implemented a microservice based cloud architecture with a key focus on securityperformancescalabilityresiliency and redundancy.

A key consideration of this architecture is to have no single point of failure. As such, there are multiple instances of each of these key microservices and components spanning multiple independent physical hardware components. This means there will be minimal (if any) impact to our cloud services in the event of a physical hardware failure.

Access to services and data within the Elafent platform is controlled in accordance with the principle of least privilege. Each individual component is only able to access the information and resources that are required to fulfill a specific purpose.

Internet-facing services are in a separate network zone to back-end services. Front-end services are secured behind a firewall which restricts access to specific ports and for specific hostnames.

Inside the Elafent network, each microservice is secured with fine grained access controls that only authorised users/services from expected sources can access each microservice.

3.2 Penetration Testing & Vulnerability Assessments

Security threats don't stand still. Elafent stays on top of emerging vulnerabilities while continuing to maintain the highest levels of security by continuously performing automated penetration testing and vulnerability assessments on the Elafent platform using reputable 3rd party services.

These security vulnerability services are frequently updated and actively assess more than 700+ vulnerabilities. The output of these regular tests and assessments provide Elafent with a detailed report and a vulnerability threat score based on the Common Vulnerability Scoring System (CVSS).

We take the output these continuous tests very seriously as we strive to address any identified vulnerabilities quickly.

The Elafent app currently receives the best possible CVSS threat score of "0.0" which indicates that no low, medium or high severity vulnerabilities are present.

3.3 Incident Response

3.3.1 Monitoring

Elafent actively monitors the statusavailability and performance of our platform and microservices by using external reputable global 3rd party performance and availability monitoring services.

Automated notifications are generated based on this monitoring to alert the Elafent team as soon as an incident or outage occurs. This enables Elafent to proactively action any issues, so they can be resolved quickly with none or minimal impact to our customers.

This monitoring also enables us to proactively communicate information on issues or outages to our customers. We prefer to let you know if there’s an issue upfront, so you are kept in the loop as soon as possible rather than waiting for you to report a problem.

3.3.2 Support & User Feedback

Whilst we take substantial steps to actively monitor the status of our platform and keep customers updated, there may be still be some instances where our customers encounter an issue or identify a bug or enhancement and wish to raise it.

Elafent provides an in app feedback feature where customers can report a bug or issue efficiently without having to open a different application or webpage.

All feedback items raised through Elafent products flow into our support ticketing system as a new ticket and are triagedclassifiedprioritised and actioned accordingly depending on the severity and type of issue. Each user who raises a feedback item through the app will automatically be added to the ticket and will be kept up to date via email as the status of the ticket changes.

Support related issues can also be raised by customers in our support ticketing system via the following alternate channels -

We sincerely value the insight provided by our customers and the in app feedback feature also provides a channel for customers to share ideas and provide suggestions on where our products could be further improved and deliver more value. These items are classified as feature requests and will be taken into consideration as we continue to develop our product roadmap, allowing us to shape the future together.

3.4 Continuous Integration and Regular Product Releases

Elafent is continually working on improving the quality of our products and introducing new features and functionality. As such, we have regular automated releases and may even release multiple updates per day in either non-production or production environments, all without service disruption.

This short release cycle enables us to rapidly detect and address any issues to minimise the level of exposure and disruption to our customers.

4. Data Security

4.1 Access Controls

Within the Elafent platform customer data is segregated by stringent access control measures.

Each Elafent user has their own unique user account and is required to enter a secure password and authenticate before being able to access any information. Each user account is linked to an associated organisation to prevent any unauthorised access across customers so that each customer can only view their own data.

We encourage our customers to take advantage of our cloud based APIs to securely transfer data to and from the Elafent products and keep their data fresh and up to date. To secure this process, each customer organisation is provided with a unique, randomly generated API token which is required to be specified in all API requests in order for the request to be authenticated. Each customer can only update/access their own data via the API’s. For this reason, all API tokens should be treated as highly sensitive and treated as a secret by authorised users in your own organisation.

4.2 Encryption

All data transferred between Elafent’s services and our customers (including API requests) is encrypted using SSL over HTTPS.

Within Elafent’s cloud architecture, all data transferred between Elafent’s key components is also encrypted using HTTPS including data transferred between Elafent’s infrastructure & AWS. 

Our application scores an A+ rating from Qualys/SSL Labs server testing which means we have only secure protocols and key exchange methods, strong ciphers and key features such as HTTP Strict Transport Security (HSTS).

4.3 Passwords

All passwords stored within Elafent’s cloud architecture are hashed using the Argon2 key derivation function. Argon 2 was selected as the winner of the Password Hashing Competition in July 2015 and is considered to be the industry leader in password hashing.

User passwords cannot be retrieved (even by Elafent staff) and can only be reset. All functions within our products which relate to changing or resetting a password result in an email being sent to the end user to identify any unexpected activity.

To be nimble and address any security related concerns quickly, or in circumstances where we feel it's necessary, we may reset users passwords. If such a procedure is required, users would be notified and would be able to follow the straightforward instructions to get back up and running.

4.4 Data Ownership

At Elafent, our focus is on helping our customers get the most out of their data by bringing together related information and making it accessible in an easy to consume manner via web and mobile applications.

To be crystal clear, you own your data. At the end of your subscription, the data stored within our cloud architecture will be deleted.

If required, we can also provide you with an export of your data from our services, albeit given it’s usually come from your systems we are pretty sure you’ll already have it.

4.5 Privacy

Your privacy is a critically important consideration for us at Elafent and we have some fundamental principles -

  • We don’t store personal information on our infrastructure unless it is required for the ongoing operation of one of our services

  • We don’t share your personal information with anyone except to comply with the law or protect our rights

  • We don’t ask you for personal information unless we truly need it.

Elafent complies with all Australian government privacy standards as required to by law.

5. Development & DevOps

Elafent conducts 100% of our software development and devops activities, proudly in Australia by our dynamic team of amazing engineers. Our very experienced team has amassed a great deal of specialist knowledge and expertise, having worked together collectively for many decades. We channel this know-how into the development of our platform and services.

We endeavour to consult with industry best practices and align with OWASP (Open Web Application Security Project) Secure Coding Practices to maintain the highest levels of application security in our products. 

This commitment can be seen in the results of our automated penetration testing and vulnerability assessments where we receive a perfect "10/10" score for addressing the following OWASP top 10 security vulnerabilities -

  1. Injection

  2. Weak Authentication and Session Management

  3. Cross-Site Scripting (XSS)

  4. Insecure Direct Object References

  5. Security Misconfiguration

  6. Sensitive Data Exposure

  7. Missing Function Level Access Control

  8. Cross Site Request Forgery

  9. Using Components with Known Vulnerabilities

  10. Unvalidated Redirects and Forwards.

In addition, every new code release is peer reviewed and tested in multiple environments as part of our quality control and deployment process before getting released into production. Only the highest quality code is made available to our customers.

6. Conclusion

This whitepaper outlines the rigor and methods followed,  hence demonstrating that Elafent is fully committed to delivering the highest levels of security in our platform and services.

We’ve taken significant measures to protect your data and our systems through our comprehensive multi-faceted approach to security. Our customers can rest assured that their data is in safe hands and treated seriously.

Again, security is a moving target and we are never complacent about the potential threats posed on our systems. We continually review and update our security measures as the state of vulnerabilities evolve so that our customers are protected now and in the future.