Security Practices
We believe that a strong security culture is essential to maintaining trust, and our commitment to security is paramount. Key to this commitment is our platform architecture which ensures Enclave customers retain complete sovereignty over their network data.
We have built a robust set of internal security practices at Enclave underscoring our commitment to protecting the security, trust and integrity of our systems and our customers.
This document outlines the security measures we implement to ensure the security, integrity and continuous operation of our services.
Application Development
The Enclave Platform is built using a Secure Design Life Cycle based on OWASP and SANS frameworks, with industry leading Coding Standards and operational procedures which mandate strict change management processes designed to protect the integrity of your systems and our platform.
Our SDLC
Enclave uses a Continuous Integration and Continuous Deployment model, which means all of our code changes are committed to a source code repository, reviewed, tested, and shipped in quick succession. The rapid iteration model significantly improves our response time to bugs, vulnerabilities, and security incidents.
We design and build Enclave with Security in Mind. Every line of code we write is considered and reviewed through a security lens. As this section describes, we combine this mindset with:
- Whole system and new feature threat modeling: This involves analysing potential security threats to both the entire system and each new feature. This process helps identify vulnerabilities early in the development cycle, allowing for more secure design decisions.
- Requirements analysis prior to writing code: This step ensures that the team fully understands the requirements and objectives before any coding begins. It helps in identifying potential security and functionality gaps in the initial stages.
- Mandatory version control: Version control is essential for tracking changes, managing different versions of the code, and facilitating collaborative development. It also aids in maintaining a historical record of the project's evolution.
- Mandatory code reviews: We enforce a strict policy of peer code reviews, focusing on identifying and mitigating potential security vulnerabilities. This practice ensures that code is examined by multiple eyes, which can catch errors that the original developer might miss.
- Monthly engineering team retrospectives: Regular retrospectives help the team reflect on the past month's work, discuss what went well and what could be improved. This continuous improvement process is vital for enhancing both the development process and the product.
- Test-driven development: Our quality assurance process includes extensive testing regimes, combining both automated tools and manual testing techniques, to uncover and rectify any security issues. This method involves writing tests before the actual code, ensuring all functionality is properly tested.
- Comprehensive release test plans: Before any release, we develop and follow a detailed test plan that covers all aspects of the software to ensure that it meets quality and security standards.
- Automation of any and all complex or repetitive tasks: Automating complex and repetitive tasks reduces the chance of human error, increases efficiency, and frees up time for the team to focus on more critical tasks.
- Continuous integration and continuous deployment: Deployment of our applications is conducted via secure, encrypted channels, minimizing the risk of interception or tampering. This process involves regularly integrating code changes into a central repository, followed by automated testing and deployment.
- Comprehensive changelog records: Keeping a detailed record of all changes, updates, and fixes helps in tracking the evolution of the software and is essential for debugging and compliance purposes.
- Internal knowledge management: Having a centralized repository of knowledge and documentation helps in preserving organizational know-how, aids new team members in getting up to speed, and serves as a reference for best practices and solutions.
- Automated documentation: Automated documentation tools help in keeping the project documentation up to date with the latest code changes, reducing the manual effort required for documentation.
- Low technical debt: The management's commitment to keeping technical debt low ensures that the codebase remains clean, well-organized, and manageable, which is crucial for long-term maintainability and security.
Coding Standards
We develop according to gitflow principles and use automatic code analysers to enforce coding standards. Our developers adhere to industry-leading secure coding standards, which are regularly updated to address new threats and maintain good practice.
Key focus areas include:
- Input Validation: We aim to ensure all input received from users, systems, or other services is validated for correctness, completeness, and security. This involves checking for proper data types, lengths, formats, and ranges to prevent common vulnerabilities like SQL injection and cross-site scripting (XSS).
- Authentication and Authorization: We have implemented robust authentication mechanisms to verify user identities and ensure that users can only access resources and perform actions for which they have permission. This includes requiring strong passwords, supporting multi-factor authentication, and IdP integrations with major identity providers.
- Data Encryption: We protect sensitive data in our custody by encrypting it both in transit and at rest. We use industry-standard encryption protocols like TLS for data in transit and strong encryption algorithms for data at rest to prevent unauthorised access.
- Error Handling: We have a consistent and secure error-handling strategy that prevents leakage of sensitive information through error messages. We also work hard to ensure error handling routines don't expose system details, and log errors for internal review.
- Dependency Management: We carefully manage software dependencies, ensuring they are up-to-date and free from known vulnerabilities, thus safeguarding our applications from external threats. This involves regularly scanning dependencies for vulnerabilities and promptly updating or replacing them.
- Secure Code Storage: We store source code in private, access-controlled GitHub repositories. We limit access to the code repository to authorised personnel only and monitor access patterns for unusual activities.
- Secure Session Management: We maintain secure session management practices which prevent session hijacking and fixation attacks. This includes secure, random session identifiers, short session timeouts, and ensuring session data is protected.
- Cross-Site Request Forgery Protection: We have implemented measures which protect against Cross-Site Request Forgery (CSRF) attacks.
- Code Analysis Tools: Enclave uses static and dynamic code analysis tools to automatically scan for vulnerabilities and enforce coding best practices. This helps us to identify security flaws and other issues early in the development process.
- Regular Security Training: We invest in continuous security training for our development team, keeping them abreast of the latest security trends and practices. This ensures that team members are aware of the latest threats and how to mitigate them in their code.
Security Monitoring
Post-deployment, our platform is continuously monitored for vulnerabilities, with regular updates rolled out to address any emerging threats.
We have automated testing in place which verifies security functions in our source code, with robust protocols and automated tooling in place to identify and upgrade third party packages and dependencies with reported vulnerabilities during development.
Platform
The Enclave platform is co-located in Microsoft's Azure UK South region (London, UK) and entirely immutable. Our platform services are provisioned using change controlled Infrastructure as Code (IaC) with single-click deployment and a mature CI/CD pipeline complete with:
- Automated testing.
- Automated documentation generation (where possible).
- GitHub version control and automation actions.
- Static code analysis and automated testing for every PR merge.
- Infrastructure operationalised using containers and artifact management.
Data centers
The Azure UK-South data center, located in London, has several security credentials and compliances that ensure its robustness and reliability for handling sensitive data, namely:
- ISO/IEC 27001: For information security management.
- ISO/IEC 27017: Cloud-specific security controls.
- ISO/IEC 27018: For protecting personal data in the cloud.
- SOC 1, SOC 2, SOC 3: Service Organization Control reports for internal controls over financial reporting, security, availability, processing integrity, confidentiality, and privacy.
- PCI DSS: Payment Card Industry Data Security Standard for handling credit card data.
- HIPAA: Health Insurance Portability and Accountability Act for health information.
- FedRAMP: Federal Risk and Authorization Management Program for US government data.
- GDPR: General Data Protection Regulation for data protection and privacy in the European Union.
- CSA STAR Certification: Cloud Security Alliance for security best practices in cloud computing.
- ENISA IAF: European Union Agency for Cybersecurity's Information Assurance Framework.
- UK G-Cloud: For UK government cloud services.
Microsoft Azure data centers, including the UK-South data center, are certified to comply with a comprehensive portfolio of internationally recognized standards, which is among the most extensive of any cloud service provider. This includes rigorous physical security measures, such as access approval required at multiple levels - from the facility’s perimeter to the data center floor, reducing the risk of unauthorized physical access.
Additionally, Microsoft Azure provides a range of cloud services and solutions, emphasizing security and compliance across various domains. This includes Azure confidential computing, which protects data and code while in use in the cloud, and Azure Policy, which helps define and enforce policies for internal and external compliance.
Availability Zones
Azure UK South Availability Zones consist of physically separate locations within the Azure UK South region. Each Availability Zone includes one or more data centers equipped with independent power, cooling, and networking to ensure high availability and resilience. These zones provide a service-level agreement (SLA) of 99.99% uptime for virtual machines which supports our own application-level platform availability.
Data Encryption
Platform secrets are stored securely in Azure Key Vault. Backups of customer account data and policy configuration are encrypted at rest, with access to decryption keys for backups tightly controlled.
Networking
We implement Azure's network security features, including firewalls, DDoS protection, and intrusion detection systems, to safeguard our services from external threats.
Internal platform connectivity utilises private networks wherever possible, with network traffic inbound from the public Internet to the platform segmented away from private networks.
Security Assessments
Ongoing security assessments are conducted to identify and mitigate any vulnerabilities within our cloud infrastructure.
Data Residency
Compliance with data residency laws is ensured by hosting our services exclusively in the Azure UK region, aligning with local regulatory requirements.
Access to Data
Strict access control policies are in place, ensuring only authorized personnel have access to our cloud resources. This includes multi-factor authentication and regular audits of access logs.
Enclave adheres strictly to the principle of least privilege. This means that only those users with a strict business need to access data are allowed to do so. Access to sensitive systems must be requested, and is only granted on a time-limited basis using Azure Privileged Identity Management (PIM).
Monitoring & Alerting
Enclave employs multiple real-time monitoring systems with 24/7 alerting to inform us of violations of policy as well as suspicious activity that may indicate a compromise. These systems include intrusion detection and prevention systems at each layer of our ‘stack’. We maintain on-call staff trained and prepared to handle unexpected events and incidents.
Vulnerability Management
We employ a vulnerability management program to actively identify weaknesses in our systems. Our security engineers perform regular scans to detect and respond to vulnerabilities. We also employ automated vulnerability scanning on all deployment systems.
We also recognise threat modeling with STRIDE, Persona non Grata (PnG), Attack Trees, and CVSS scoring approaches to inform and direct ongoing application development.
Patching
Operating system security updates are automatically applied to the Enclave production environment.
Product Security
Architecture
The Enclave solution is composed of three major components:
- A fully managed and Cloud-delivered discovery service, policy engine and set of API endpoints.
- A set of fully managed Cloud-delivered traffic relay servers.
- Client-side software agents for popular operating systems.
The Enclave model establishes directly connected virtual overlay networks between participating systems which operate on the host at either OSI model Layer 2 (Ethernet) or Layer 3 (IP).
Connectivity between peers is established using outbound-only traffic and the principles established in the ICE (Interactive Connectivity Establishment) RFCs. Network traffic relays may be introduced between systems in some NAT scenarios to successfully establish connectivity, but traffic relays are incapable of decrypting the end-to-end encryption.
Encryption
- All network connections established by Enclave are mutually authenticated and all traffic is end-to-end encrypted in transit. We use libsodium to construct cryptographic primitives. Please see our key exchange and tunnel encryption documentation for more information.
- Enclave does not collect, store or transmit sensitive customer Personally Identifiable Information (PII).
- All platform encryption and signing keys are stored in Azure Key Vault.
- All customer passwords are salted, hashed (with 8,192 iterations, work factor 13) and versioned with BCrypt.
OpenID Connect (OIDC)
Enclave provides support for OIDC authentication. This allows us to integrate with many enterprise authentication systems like Microsoft, Google, GitHub, Okta, Duo, JumpCloud and more, allowing customers to directly control how their users access and use Enclave.
Testing
Testing is performed at each step of development and includes unit, integration, acceptance, ad-hoc, and static and dynamic security testing. Tests are developed by a combination of development and security engineers using automated and manual techniques.
We also employ specialized security consultants to review and test our applications, systems, and code. This includes penetration testing consisting of white box, code driven, and threat based testing.
Tenant Isolation
Enclave provides strict logical segregation of data by validating ownership metadata at each layer of processing and validating that against authentication and access control information for the requesting session.
Session Duration
Administrator sessions to the Enclave portal expire after 5 days (7,200 minutes) of inactivity. This is presently not user-configurable.
Password Complexity
Accounts directly registered with the Enclave Identity Provider (username and password) must have a minimum password length of 8 characters; however, we recommend customers integrate Enclave with their IdP of choice to enforce any bespoke password requirements of the organisation.
2FA (MFA)
Enclave supports Two-Factor Authentication (2FA) in order to harden password-based authentication. We accomplish this by utilizing a second factor called a Time-based One-Time Password (TOTP), more commonly called Token Authentication. This is a broadly used security mechanism supported by common authenticator apps such as Google Authenticator, and adds an additional layer of protection when using password authentication. We allow customers to require the use of 2FA.
Business Continuity
We believe service resiliency and recovery are critical to the success of any SaaS product offering, and employ a rigorous and regularly tested BC/DR plan led by executive management.
Operational Practices
Training & Awareness
Security is everyone's responsibility, and the foundation of that is our Security Training & Awareness program. Our program is built from our internal policies and procedures, and communicates these responsibilities and expectations to all staff. Training is reaffirmed at a regular cadence.
Embedded security experts
We embed security experts throughout the business to ensure proper risk evaluation and threat modeling as well as ensuring that security practices are consistently employed. These experts are able to form a deep understanding of the threats and controls specific to the systems and processes being used and allow us to maintain a strong security posture company-wide.
Change management
Enclave employs a strict change management process that encompasses feature evaluation, comment and design, threat modeling, multiple layers of testing, and release procedures. At each level, approval from peers and management, as well as a dedicated security review, is required.
Incident management
At Enclave, preparing for failure is a way of life, and we exemplify this in our Incident Management programs. We employ Chaos Engineering to ensure speed and efficacy in our responses, and ensure impacts are as low as possible. These practices and regular testing ensure we and our customers can be confident in our ability to gracefully handle incidents.
Incident response
Enclave follows a contain, eradicate, recover, and notify security incident response process. We ask security researchers to follow our vulnerability disclosure policy.
Upon identifying or receiving notification of a potential security incident, without undue delay we conduct an initial assessment to triage the event according to scope, severity, urgency, likelihood and impact. If triage indicates a need, we initiate a formal investigation. Our response is typically swift, within hours, but complex cases or extenuating circumstances may require up to 24 hours to start the investigation, although this is rare.
Incident response policy
If it is determined that a computer-security incident has occurred, we are committed to notifying affected customers as expediently as possible and will work proactively with the National Cyber Security Centre (NCSC), Information Commissioner's Office (ICO) and other relevant bodies as necessary.
Our policy is to ensure that notifications are made within 72 hours from the time we determine that a security incident has occurred.
This timeline allows us to accurately understand the nature and extent of the incident and to gather all necessary information to provide our customers with accurate and helpful details. During the notification process, we aim to provide clear information about the nature of the breach, the types of data involved, the potential impact on our customers, and the steps we are taking to address the incident. We will also aim to offer guidance on how customers can protect themselves from potential harm resulting from the breach.
Incident response process
- Initial assessment: Enclave detects the security incident, either through internal monitoring, a report from an external researcher, or another source. Our security team assesses the scope, severity, urgency, likelihood and impact of the incident. At this point we will also determine whether external expertise is needed for the investigation.
- Containment: Immediate steps are taken to contain the incident. This might involve temporarily disabling affected services, revoking access, or implementing other controls to prevent further exploitation.
- Investigation and root cause analysis: Our team will begin a thorough investigation to understand how the vulnerability was exploited and identify the root cause.
- Legal compliance assessment: We will decide if and when to notify law enforcement and other agencies based on the nature of the incident and our legal obligations. We will also assess whether notification to the UK Information Commissioner's Office (ICO) within 72 hours under the European GDPR framework is required, and determine whether affected individuals need to be informed without undue delay.
- Patch development and testing: We will develop a fix for the vulnerability, and rigorously test it to ensure the patch does not introduce new issues or negatively affect system functionality.
- CVSS assignment: If necessary, we will assign a Common Vulnerability Scoring System (CVSS) score to the vulnerability based on its severity, complexity, impact, and other factors to help our customers prioritise their own remediation response and assess potential impact.
- CVE assignment: If necessary, we will request a Common Vulnerabilities and Exposures (CVE) identifier.
- Internal and external communication: We will prepare communication materials that describe the incident, its impact, steps taken to resolve it, and measures customers should take.
- Patch deployment and customer notification: We will now notify customers and partners about the incident or vulnerability. We will also, where applicable, release a patch to resolve the vulnerability.
- Postmortem and lessons learned: After resolving the incident, our team will conduct a postmortem analysis to identify lessons learned, improve future incident response efforts, and enhance security posture.
- Compliance and reporting: Ensure compliance with legal and regulatory requirements related to the security incident. This may involve reporting the incident to relevant authorities, especially if personal data or critical infrastructure is involved.
- Ongoing monitoring and prevention: Implement measures to prevent future occurrences.
Hiring practices
Enclave strives to attract and hire the best and brightest experts in their fields. We welcome new members of our team and challenge them to produce their best work. Prior to hiring we perform checks including employment, references and work visa verification. For members of our team that have Administrator access to our infrastructure we also conduct background checks using the UK Disclosure and Barring Service.
New employees are required to sign a confidentiality agreement, and undergo an onboarding process that includes security awareness training as well as role specific training. Security awareness training is reaffirmed by all staff on an ongoing basis.
Privacy
GDPR
Enclave adheres to GDPR guidelines, ensuring the protection and privacy of personal data in accordance with European Union regulations.
Policy
Please see our privacy policy at https://enclave.io/privacy.
Last updated Feb 19, 2024