What is the importance of Data Security in Organizations?
Data is being produced and used by organizations at unprecedented rates. Big Data's growth presents challenges and issues for information and data protection.
Organizations are also struggling to keep up with the growing number of cyber-attacks, which has seen the number of security breaches rise by more than 100% over the past few years. According to Gartner, there will be more than 90 million attacks on organizations' IT systems this year alone.
Data security is one of the most important issues for organizations today because it has become essential for business continuity and competitiveness. This is especially true for small and mid-sized companies that lack the resources to invest in comprehensive data protection programs.
The key to preventing a breach is having strong security measures in place that can be easily enforced across an organization's entire infrastructure — not just at one point in time.
What steps have we taken to ensure Data Security?
We have taken multiple measures to ensure that the data of every Clappia Workplace is protected from unauthorized access. Some of these measures include:
Cloud Security: All of our infrastructure is hosted on Amazon Web Services (AWS), which supports every major security and privacy standard, including ISO 27001, FedRAMP, SOC 1 and SOC 2. As a result, we are able to ensure that all data stored on AWS is secure.
SSL: All the data that users submit on Clappia is transmitted from the Clappia web and mobile apps to the Clappia servers over the SSL/TLS protocol. This provides an encrypted channel between the user's device and Clappia's servers, so the data cannot be read or manipulated by an attacker while it is in transit.
Data encryption at rest: Apart from protecting data while it is in transit, we need to ensure the security of data while it is at rest. All customer data (app submissions, user profiles, app definitions, etc.) is stored in Amazon DynamoDB. This data is encrypted using the 256-bit Advanced Encryption Standard (AES-256) before being stored in DynamoDB, which keeps it secure from unauthorized access.
Password Hashing: All user passwords are hashed using the HMAC-SHA-1 algorithm in combination with a key derivation function before being stored in the database. This approach prevents brute-force attacks, in which every possible password combination is tried one after another.
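The scheme described above (HMAC-SHA-1 as the pseudo-random function inside a key derivation function) is what PBKDF2-HMAC-SHA1 provides. The following is an added illustration, not Clappia's code: the iteration count, salt size and record format are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example (not Clappia's actual values).
ITERATIONS = 200_000   # work factor: each guess costs the attacker this many HMAC calls
SALT_BYTES = 16        # a fresh random salt per user defeats precomputed tables
DKLEN = 20             # HMAC-SHA-1 output size in bytes


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Derive a key with PBKDF2-HMAC-SHA1 and return a self-describing record.

    Record layout (assumed): pbkdf2_sha1$<iterations>$<salt b64>$<hash b64>
    Storing the parameters next to the hash lets the work factor be raised later
    without breaking verification of older records.
    """
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                             iterations, dklen=DKLEN)
    return "pbkdf2_sha1$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the derived key from the stored parameters and compare it
    in constant time, so timing does not leak how many bytes matched."""
    try:
        algo, iters, salt_b64, hash_b64 = record.split("$")
        if algo != "pbkdf2_sha1":
            return False
        iterations = int(iters)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
    except (ValueError, TypeError):
        return False  # malformed record: never treat as a match
    candidate = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)
```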
Single Sign-On (SSO): Usernames and passwords are the main target of cyber criminals. Every time a user logs in to a new application, it’s an opportunity for attackers. In fact, 59% of users use the same or similar passwords on multiple accounts. Thus, if an attacker gets access through one poorly secured website, they are likely to be able to access other corporate systems.
SSO allows users to maintain only one set of login credentials to gain access to multiple applications. This reduces the attack surface because users need only one set of credentials.
We allow users to Sign In with Google and access their Clappia apps. We also integrate with Active Directory (AD), LinkedIn, Facebook and other Enterprise SSO Services.
Custom permission model: Each Clappia Workplace gets a custom permission model that the Admins can define. The permission model ensures that data from one Workplace is not accessible to users of other Workplaces. Within a Workplace, Admins can define multiple levels of permissions (App Admins, Data Admins, Data Viewers, Submitters, etc.). This enforces data privacy at the granularity of a single record: each user can access or update only those records that he/she is authorized to.
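An added example, not Clappia's implementation, of how such a model can be enforced in code: Workplace isolation is checked before any role is considered, and the role semantics (Data Admins read and update everything in their Workplace, Data Viewers read everything, Submitters see only their own records) are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Record:
    record_id: str
    workplace_id: str   # tenant the record belongs to
    submitted_by: str   # user who created it


@dataclass
class User:
    user_id: str
    # Roles are granted per Workplace (assumed): workplace_id -> set of role names
    roles: Dict[str, Set[str]] = field(default_factory=dict)


# Assumed role semantics for this example
READ_ALL = {"app_admin", "data_admin", "data_viewer"}
UPDATE_ALL = {"app_admin", "data_admin"}


def is_authorized(user: User, record: Record, action: str) -> bool:
    # Tenant isolation first: roles held in one Workplace never apply to another,
    # so a user with no role in the record's Workplace is denied outright.
    roles = user.roles.get(record.workplace_id, set())
    if not roles:
        return False
    own_record = "submitter" in roles and record.submitted_by == user.user_id
    if action == "read":
        return bool(roles & READ_ALL) or own_record
    if action == "update":
        return bool(roles & UPDATE_ALL) or own_record
    return False  # unknown actions are denied by default


def visible_records(user: User, records: Iterable[Record]) -> List[Record]:
    """Filter a listing down to the records the user may read."""
    return [r for r in records if is_authorized(user, r, "read")]


# Constructed sample data: two Workplaces, three submissions
RECORDS = [
    Record("r1", "wp-alpha", "alice"),
    Record("r2", "wp-alpha", "bob"),
    Record("r3", "wp-beta", "carol"),
]
```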
Prevention against Denial of Service (DoS) attacks: DoS attacks aim to overload a service with traffic in order to shut it down or render it unreachable to users.
Since Clappia is based on a serverless architecture, DoS attacks are difficult to use in practice to bring it down. In addition, by using services like reCAPTCHA and AWS Web Application Firewall (WAF), we are able to stop such attacks. These services identify continuous malicious requests and block the corresponding users or IP addresses from making any further requests to the platform.
Backup and Disaster Recovery: We maintain continuous backups of all the data by using point-in-time recovery (PITR) at a per-second granularity. So in the event of any issues, we can restore to any given second in the preceding 35 days.
Data Retention/Deletion: All Workplace data, including app definitions, submissions, uploaded files/images and user profiles, is retained for as long as the Data Admins desire. If the Data Admins delete some or all submissions of their Workplace, we archive this data for a period of 30 days before deleting it permanently from our system. This is done in case you wish to restore your data for some reason.
All other data, such as system logs and user activity logs, is purged after 30 days.
Logs Encryption: We maintain a comprehensive log of all user activities for troubleshooting and support purposes in Amazon CloudWatch. All these logs are also encrypted with AES-256. We also mask passwords and any other sensitive user data before logging them.
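Masking before logging means the secret never reaches the log store, so encryption of the log is a second layer rather than the only one. The following is an added example, not Clappia's code; the set of sensitive field names and the free-text "key=value" pattern are assumptions.

```python
import json
import logging
import re
from typing import Any

# Assumed field names that must never appear in logs in clear text
SENSITIVE_KEYS = {"password", "new_password", "old_password", "token",
                  "authorization", "secret"}
MASK = "***"
# Assumed free-text shapes such as "password=hunter2" or "token: abc"
_TEXT_PATTERN = re.compile(r"(?i)\b(password|token|secret)(\s*[=:]\s*)(\S+)")


def mask_sensitive(value: Any) -> Any:
    """Recursively mask sensitive keys in dicts/lists and key=value runs in strings."""
    if isinstance(value, dict):
        return {k: (MASK if str(k).lower() in SENSITIVE_KEYS else mask_sensitive(v))
                for k, v in value.items()}
    if isinstance(value, list):
        return [mask_sensitive(v) for v in value]
    if isinstance(value, str):
        return _TEXT_PATTERN.sub(lambda m: m.group(1) + m.group(2) + MASK, value)
    return value


def format_event(event: dict) -> str:
    """Serialise a structured event as JSON after masking, ready for the log sink."""
    return json.dumps(mask_sensitive(event), sort_keys=True)


class MaskingFilter(logging.Filter):
    """Attach to a logger/handler so every record is masked before it is emitted.

    The message is fully formatted first so that masking cannot break %-style
    argument substitution."""

    def filter(self, record: logging.LogRecord) -> bool:
        if isinstance(record.msg, dict):
            record.msg = format_event(record.msg)
        else:
            record.msg = mask_sensitive(record.getMessage())
        record.args = ()
        return True
```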
Change Management: Every change that is released on a software platform introduces risk in the form of a possible attack surface. Organizations can remove this risk through change management, enabling them to introduce positive changes with little impact on existing services.
We follow a strict Change Management process in which all proposed changes go through a round of security review. Only after the changes are reviewed and approved are they deployed to production. This mitigates the potential risks associated with new platform releases.
Data is a key asset of any organization and the security of data, irrespective of its size and nature, sets the foundation for the success of any organization. The first step is to understand the importance of data security.
In this day and age, cyber-attacks are a genuine threat and one can never be prepared enough. We, at Clappia, are committed to protecting your data and privacy rights. We take data security very seriously and are continuously working on establishing top-notch security standards for handling your data, along with globally validated infrastructure tools that help us assure that your data is fully secure.
We hope that this article was helpful and informative, covering all the aspects of Data Security within Clappia.