Data Security & Protection
Protecting your data & documents in our KYCsphere Software-as-a-Service (SaaS) application is our primary concern. The application uses a multi-layered, high-security model and industry standards to ensure that your data & documents remain completely protected. KYCsphere application and database servers are deployed on the Microsoft Windows Azure Cloud (Azure) Platform-as-a-Service (PaaS) at Microsoft's own datacenters. Designed to provide "Defense in Depth", the Azure platform drastically reduces the risk of failure. If any one security mechanism does fail, that failure would not be able to compromise the security of the entire environment. On the Azure platform we can further control the exact jurisdiction, and the geographic location within it, where our KYCsphere servers and your data are co-located, rather than having them scattered all over the Internet. Given below are the important areas of security risk and the countermeasures that are built into the KYCsphere and Microsoft Azure service offerings:
KYCsphere Application Security
KYCsphere SaaS application in conjunction with Azure PaaS platform incorporates various security practices and features at the application layer to help ensure a security enhanced experience for all the KYCsphere customers. The application is architected & developed in such a way that it ensures secure usage of the application and administrative privileges that control and manage the various roles and permissions, across the different sections of the application.
- Security-based Application Design: Prior to the release of a KYCsphere version, or of any modification to the live version, it is reviewed for compliance with the current version of Microsoft's Security Development Lifecycle (SDL) management and Trustworthy Computing. The reviews include threat models, code reviews and remediation plans. Testing of remediation is conducted prior to the release for deployment.
- Identity and Access Management: The strongest security controls available are no protection against an attacker who gains unauthorized access to credentials or keys. Therefore credential and key management are critical components of the security design and implementation of KYCsphere. By design, the application ensures that only properly authenticated, assigned end users & administrator entities are allowed access. For integration with the customer's core applications, the Service Management API (SMAPI) provides web services via the Representational State Transfer (REST) protocol. KYCsphere provides access to users based on their IP addresses and can optionally integrate with your existing identity management solution, such as Active Directory, for single sign-on, which would allow you to maintain centralized control of user identity management.
- Least Privilege Accounts: End users assigned to different roles are restricted to running under a low-privilege account by default. This enables them to perform the compliance tasks that fall under their roles: those pertaining to their assigned duties, to the domains (such as branch & department) that they are part of, to the groups & pools of similar job functions that they belong to, etc. This eliminates the potential risk of sophisticated attacks and other exploits, which require enhanced privileges. It also protects the customer's compliance infrastructure, and the confidential data within it, from attacks by its own dishonest employees.
- SSL Mutual Authentication: All communications between KYCsphere application and Azure internal components are protected with SSL.
- Encryption of Data: Encryption of sensitive data in storage and in transit is enabled within Azure to align with best practices for ensuring confidentiality and integrity of data. Internal communications are also protected using SSL encryption. Encryption algorithms like AES, which have years of real-world exposure and testing, are used. Additionally, a full array of cryptographic hash functionality, including MD5 and SHA-2, is used to verify data correctness, create and validate digital signatures, and create non-identifiable tokens in place of sensitive data.
- Deletion of Data: KYCsphere storage subsystem makes customer data unavailable when delete operations are performed. Successful execution of a delete operation removes all references to the associated data item and it cannot be accessed any further. All copies of the deleted data item are then garbage collected and purged. The physical bits are overwritten when the associated storage block is reused for storing other data.
- Integrity of KYCsphere Application: Design of application, its configuration file and VM ensures full integrity of the application against unauthorized changes, while keeping the application and its database highly secure and scalable.
- Audit Trails: KYCsphere implements multiple levels of monitoring of changes, logging audit trails and reporting, to provide this visibility to customers.
If you would like to receive more details, please fill-in your name along with email & press the button on the right.
Privacy Policy
Azure Cloud Platform & Network Security
Microsoft Azure platform uses a variety of technologies including Firewalls, Network Address Translation Boxes (Load Balancers) and Filtering Routers to create barriers for unauthorized traffic at key junctions to and within the datacenters. The back-end network is made up of partitioned Local Area Networks for web and applications servers, data storage, and centralized administration. These servers are grouped into private address segments protected by filtering routers. KYCsphere, deployed at Azure, leverages this entire security technology infrastructure.
- Secure Communication Channels: KYCsphere customers have the option to route their data through VPN or HTTPS secure channels. Core application backend systems can be fully integrated through the encrypted tunnel created by the VPN.
- Filtering Routers: Filtering routers reject attempts to communicate between addresses and ports not configured as allowed. This helps to prevent common attacks that use "drones" or "zombies" searching for vulnerable servers. These types of attacks remain a favorite method of malicious attackers in search of vulnerabilities. Filtering routers, configured in KYCsphere, also support configuring back end services to be accessible only from their corresponding front ends.
- Firewalls & Intrusion Detection: Firewalls restrict data communication to (and from) known and authorized ports, protocols, and destination (and source) IP addresses. KYCsphere proactively leverages a series of firewalls that monitor for malicious connection activity and block any unauthorized data communication requests, access attempts, suspicious activity and unexpected behavior. Azure Cloud further implements automatic countermeasures against several types of network attacks, including port scanning, IP spoofing and denial of service attacks.
- Isolation of Cloud Aggregates: In Azure the root VM is isolated from the guest VMs, and the guest VMs from one another; this isolation is managed by the hypervisor and the root OS. The hypervisor and the root OS provide network packet filters that ensure that the untrusted VMs cannot generate spoofed traffic, cannot receive traffic not addressed to them, cannot direct traffic to protected infrastructure endpoints and cannot send or receive inappropriate broadcast traffic.
- Cryptographic Protection of Messages: TLS with at least 128-bit cryptographic keys is used to protect and control messages sent between clusters within a given Azure datacenter where KYCsphere resides.
- Software Security Patch Management: Security patch management, an integral part of Azure operations, helps protect systems from known vulnerabilities. The Azure platform utilizes integrated deployment systems to manage the distribution and installation of security patches for Microsoft software that KYCsphere relies on.
- Monitoring: Security is monitored at Azure with the aid of centralized monitoring, correlation, and analysis systems. Pertinent and timely monitoring reports and alerts are furnished to us to take corrective action whenever needed.
- Compliance: Azure operates in the Microsoft Global Foundation Services (GFS) infrastructure, which is ISO 27001 certified. ISO 27001 is recognized worldwide as one of the premier international information security management standards.
- Certification: Microsoft (including Azure) is Safe Harbor certified with the U.S. Department of Commerce. This allows for legal transfer of data to Microsoft for processing from within European Union and countries with aligned data protection laws.
- Privacy: Azure platform, like other Microsoft services and products, is built in accordance with Microsoft Trustworthy Computing Initiative's privacy guidelines.
KYCsphere on Azure Availability, Fault-Tolerance & Redundancy
One of the main advantages provided by cloud platforms is robust availability based on extensive redundancy achieved with virtualization technology. KYCsphere deployed on Azure cloud offers numerous levels of redundancy to ensure maximum availability of customer's data.
- Availability: Data is replicated within Azure to three separate nodes to minimize the impact of hardware failures. Further, the geographically distributed nature of the Azure cloud infrastructure could be leveraged by creating a second Storage Account to provide hot-failover capability to KYCsphere customers.
- Fault Tolerance: The Azure platform is designed to be fault-tolerant and redundant, and therefore provides an ideal platform for KYCsphere application. From geographically diverse datacenter deployments to replicated role instances and storage, it provides required fault-tolerance and redundancy to KYCsphere.
- Service Redundancy: Each layer of the Azure platform infrastructure is designed to continue operations in the event of failure, including redundant network devices at each layer and dual Internet service providers at each datacenter. Failover is in most cases automatic, requiring no human intervention, and the network is monitored by the Network Operations Center 24x7 to detect any anomalies or potential network issues.
- Disaster Recovery: The Azure platform runs across multiple datacenters around the world. In the event of a catastrophic failure involving an entire datacenter, the KYCsphere team could bring another instance of the application and database live from the backup location, in a matter of a few hours. This backup location also serves as an excellent option as Disaster Recovery (DR) & Continuity site for customer data.
Divas Software, Azure Operations & Personnel Security
Developers and administrators are given sufficient privileges to carry out their assigned duties to manage the KYCsphere infrastructure. We deploy combinations of preventive, detective and reactive controls including tight access control to the application and sensitive data; mechanisms to detect malicious activity and multiple levels of monitoring, logging, and reporting. Additionally best practices are adopted to help protect against unauthorized developer or administrative activity.
- Design of the Services: KYCsphere deployed on the Azure platform is designed to run without routine access to customer data by Divas Software or Microsoft personnel. Divas Software personnel only have access to the application's configuration, its updates and the monitoring of its performance.
- Incident Response: The Azure platform has operations personnel managing it 24 x 7. In the event of a security incident, the operations personnel will implement the documented procedures for such an event. A full communication plan is also in place and will likewise be implemented in the event of such a security incident.
- Auditing: Divas and Microsoft administrative operations are audited. The audit trail can be viewed to determine the history of changes.
- Background Check: All personnel of Divas Software are subject to a thorough background check covering ID verification, address history verification for the past 10 years, and history of criminal records at local police stations.
- Non-Disclosure Agreement: All personnel are required to sign a strict Non-Disclosure Agreement (NDA) on joining Divas Software. They are also required to periodically certify that they have read it, have been complying with it and will continue to do so in future.
- Security Training: All personnel at the time of their induction at Divas Software are given comprehensive security training on intellectual property protection, data & documents security, privacy policy, etc.
Azure Data Center Physical Security
Once the security of the KYCsphere application, its database, the Azure platform on which it is deployed and the personnel who manage it has been ensured, the final frontier, the physical security of the entire infrastructure, is taken care of.
- Physical Security: Azure platform is deployed across a network of global datacenters, each designed to run 24 x 7, and each employing various measures to help protect operations from power failure, physical intrusion, and network outages. These datacenters are compliant with applicable industry standards for physical security and reliability; managed, monitored, and administered by Microsoft operations staff. They are also designed for lights out operation.
- Facilities Access: Microsoft uses highly secured access mechanisms, limited to a small number of operations personnel, who must regularly change their administrative access passwords. Datacenter access, and authority to open datacenter access tickets, is controlled by the network operations director in conjunction with local datacenter security practices.
- Power Redundancy & Fail Over: Each datacenter facility has a minimum of two sources of electrical power, including a power generation capability for extended off-grid operation. Physical security controls are designed to fail closed during power outages or other environmental incidents. In case of fire or situations that could threaten life safety, the facilities are designed to allow egress without remaining exposed.
- Media Disposal: Upon hardware systems end-of-life, Microsoft operational personnel follow rigorous data handling procedures and hardware disposal processes.