ABOUT SECURITY

We take your data security seriously.

ARAT SECURITY

We are an IT security company and we know your security information is of great importance to you. With this in mind we have designed ARAT risk assessment service which is cost effective but still highly secure. In the following chapters we explain the technical details which are the foundation for the security of the tool. You are welcome to read them and write to us if you have some questions left.

Arat security statement

Infrastructure

The infrastructure on which the service runs is extensible when necessary, so that end users always have a maximally responsive service. Connectivity of nodes and their servers to the parent node enables easy distribution of new software versions and catalog updates, allowing end users to always have an up-to-date service.

Data Center

The ARAT service is available in the Astec data center, which is certified according to the ISO 27001 information security standard, and is hosted in a high-security area confirmed as an Administrative area by the Government Office for the Protection of Classified Information.

Datacenter security consists of:

  • 100% Internet
  • Dual ISP connectivity
  • IPv4 & IPv6 addressing scheme
  • PS layer
  • Firewall layer
  • Hardening of VMware environment

Physical security is maintained with high-security controls such as contactless cards, biometrics, video surveillance, access logging, alarm systems and 24/7 professional security company readiness.

On-premise installation

The ARAT solution can be installed as a virtual appliance on the VMware or Hyper-V platform. Physical and infrastructure security for the on-premise solution is the end customer's responsibility.

Application security

Interoperability and SSL Secured connectivity

The service is accessed through the standard secure https protocol, using AES 256-bit encryption. The client can be any modern browser running on an established operating system, whether on a desktop computer, tablet, phone, or an arbitrarily complex server system. Exchange of data between nodes is realized via authenticated, encrypted communications that use only open and established protocols and standards: https, XML and X.509. The connection is encrypted using AES-256-CBC, with SHA1 for message authentication and DHE_RSA as the key exchange mechanism.
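As an added illustration (not code from the ARAT statement or from Astec), the following Python helper interprets an OpenSSL-style cipher-suite name such as the one described above (DHE_RSA key exchange, AES-256 in CBC mode, SHA1 message authentication) and lists the properties a reviewer checks: forward secrecy, AEAD versus CBC mode, and the MAC algorithm. The suite name and the wording of the findings are assumptions of the example.

```python
from dataclasses import dataclass, field

# Constructed example input: the OpenSSL name of the suite the statement
# describes (DHE_RSA key exchange, AES-256-CBC, SHA1 HMAC). Hypothetical value.
STATED_SUITE = "DHE-RSA-AES256-SHA"

PFS_KX = {"ECDHE", "DHE"}                 # key exchanges with forward secrecy
AUTH = {"RSA", "ECDSA", "DSS"}            # authentication tokens to skip
AEAD_MODES = {"GCM", "CCM", "POLY1305"}   # modes that integrate integrity
MAC_NAMES = {"SHA": "SHA1", "SHA256": "SHA256", "SHA384": "SHA384", "MD5": "MD5"}


@dataclass
class SuiteReview:
    name: str
    key_exchange: str   # "ECDHE", "DHE" or "RSA" (static RSA, no forward secrecy)
    cipher: str         # bulk cipher, e.g. "AES256"
    mode: str           # "AEAD" or "CBC"
    mac: str            # "AEAD" when the mode provides integrity, else the HMAC hash
    findings: list = field(default_factory=list)

    @property
    def forward_secrecy(self) -> bool:
        return self.key_exchange in PFS_KX


def review_suite(name: str) -> SuiteReview:
    """Interpret a TLS 1.2 cipher-suite name and collect reviewer findings."""
    tokens = name.upper().split("-")
    kx = tokens.pop(0) if tokens[0] in PFS_KX else "RSA"
    if tokens and tokens[0] in AUTH:
        tokens.pop(0)                      # authentication algorithm, not reviewed here
    cipher = tokens.pop(0)                 # AES128, AES256, CHACHA20, DES, ...
    rest = tokens                          # remaining mode / MAC tokens
    mode = "AEAD" if any(t in AEAD_MODES for t in rest) else "CBC"
    if mode == "AEAD":
        mac = "AEAD"
    else:
        mac = MAC_NAMES.get(rest[-1], rest[-1]) if rest else "unknown"
    review = SuiteReview(name, kx, cipher, mode, mac)
    if not review.forward_secrecy:
        review.findings.append("static RSA key exchange: no forward secrecy")
    if mode == "CBC":
        review.findings.append("CBC mode with HMAC: legacy, prefer an AEAD suite")
    if mac == "SHA1":
        review.findings.append("SHA1 HMAC: legacy integrity algorithm")
    if cipher in {"RC4", "3DES"} or cipher.startswith("DES"):
        review.findings.append(f"{cipher}: weak bulk cipher")
    return review
```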

Authentication

Application authentication is based on user passwords stored in a local database. The application requires strong passwords. Passwords are protected using a one-way hash algorithm.

Data safety

User data is stored in a database designed to preserve the privacy of each customer's data. Each customer has its own database (multi-tenancy), which provides a high level of security, data privacy and enhanced management of the entire system. Data exports are available only to the corresponding customer. Exports are intended for data backup and are the customer's responsibility. The cloud owner can restore data only on the customer's written request.

Best coding practices

ARAT is written using most of the latest coding best practices. The application architecture follows the MVC programming model. For all code languages, we require indentation to be done via soft tabs. We prefer readability over file-size savings when it comes to maintaining existing files. Plenty of whitespace is encouraged, along with ASCII art where appropriate. There is no need for any developer to purposefully compress HTML or CSS, nor to obfuscate JavaScript. We have developed our own coding standards for different languages and have separate coding standards for JavaScript, PHP and SQL. ARAT source code is well documented and versioned in a Git code versioning system.

Security assessment

The ARAT application and its infrastructure are regularly assessed for vulnerabilities and application security flaws. The cloud solution in the Astec data center is assessed with the Nessus and Burp Suite Professional tools.

ARAT installations in external clouds can be assessed by Astec under an additional contract agreement.

Astec staff

All employees have signed an NDA with compensation and criminal liability clauses; some of them are also Security Cleared Professionals.

About Astec

Astec has been in the IT security business for over 20 years, was the third company in Slovenia to obtain the ISO/IEC 27001:2005 certificate, and has reconfirmed it ever since. This confirms that the ARAT service also complies with the requirements and recommendations of ISO/IEC 27005 for the implementation of an ISMS. Astec places high importance on the security of its clients' business data, so special attention is devoted to protecting and securing customer data to prevent unauthorized access to sensitive information by unauthorized users as well as external attackers.