We take your data security seriously.
We are an IT security company, and we know that your security information is of great importance to you. With this in mind we have designed the ARAT risk assessment service to be cost effective while remaining highly secure. The following sections explain the technical details on which the security of the tool rests. You are welcome to read them and to write to us if you have any questions.
The infrastructure on which the service runs can be extended when necessary, so that the end user always has a responsive service. Connectivity of nodes and their servers to the parent node enables easy distribution of new software versions and catalog updates, so the end user always has an up-to-date service.
The ARAT service is available in the Astec data center, which is certified to the ISO 27001 information security standard, and is hosted in a high-security area confirmed as an Administrative area by the Government Office for the Protection of Classified Information.
Physical security is maintained with controls such as contactless cards, biometrics, video surveillance, access logging, alarm systems and the 24/7 readiness of a professional security company.
The ARAT solution can also be installed as a virtual appliance on the VMware or Hyper-V platform. For an on-premises installation, physical and infrastructure security is the end customer's responsibility.
The service is accessed over standard HTTPS using AES with a 256-bit key. The client can be any modern browser running on an established operating system, whether on a desktop computer, tablet or phone, or on an arbitrarily complex server system. Data exchange between nodes uses authenticated, encrypted communication built only on open and established protocols and standards: HTTPS, XML and X.509. The connection is encrypted with AES-256 in CBC mode, with SHA1 for message authentication and DHE_RSA as the key exchange mechanism.
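As an added example, not code from Astec or the ARAT service, the following Python script lets a customer check which suite a TLS endpoint actually negotiates and whether it has the properties described above (DHE_RSA forward-secret key exchange, CBC mode, SHA1 message authentication). It uses only the standard `ssl` module; the hostname is supplied on the command line, and the classification is written against the OpenSSL suite names that `ssl.SSLSocket.cipher()` returns.

```python
import socket
import ssl
import sys


def assess_cipher(name: str, protocol: str) -> dict:
    """Assess a suite as reported by ssl.SSLSocket.cipher() (OpenSSL name + protocol)."""
    findings = []
    # TLS 1.3 always provides forward secrecy and only defines AEAD suites.
    tls13 = protocol == "TLSv1.3"
    forward_secrecy = tls13 or name.startswith(("DHE-", "ECDHE-"))
    aead = tls13 or "GCM" in name or "CCM" in name or "CHACHA20" in name
    if not forward_secrecy:
        findings.append("static RSA key exchange: no forward secrecy")
    if not aead:
        findings.append("CBC mode with HMAC instead of an AEAD suite")
        if name.endswith("-SHA"):
            findings.append("HMAC-SHA1 message authentication (legacy)")
    if protocol in ("SSLv3", "TLSv1", "TLSv1.1"):
        findings.append(f"{protocol} is deprecated")
    return {
        "suite": name,
        "protocol": protocol,
        "forward_secrecy": forward_secrecy,
        "aead": aead,
        "findings": findings,
    }


def negotiated_cipher(host: str, port: int = 443, timeout: float = 5.0) -> tuple:
    """Connect with the platform default policy and return (suite, protocol, bits)."""
    ctx = ssl.create_default_context()  # verifies the X.509 chain and the hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.cipher()


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_tls.py <hostname>   (e.g. the ARAT service hostname)")
    host = sys.argv[1]
    suite, proto, bits = negotiated_cipher(host)
    report = assess_cipher(suite, proto)
    print(f"{host}: {suite} ({proto}, {bits}-bit)")
    for finding in report["findings"] or ["no findings"]:
        print("  -", finding)
```

For the suite described above, `assess_cipher("DHE-RSA-AES256-SHA", "TLSv1.2")` reports forward secrecy present and two findings (CBC with HMAC, HMAC-SHA1), whereas a TLS 1.3 AEAD suite reports none.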
Application authentication is based on user passwords stored in a local database. The application requires a strong password. Passwords are stored as one-way hashes.
User data is stored in a database designed to keep each customer's data private. Each customer has its own database (multi-tenancy), which provides a high level of security and data privacy and simplifies management of the entire system. Data exports are available only to the customer that owns the data. Exports are intended for backup and are the customer's responsibility. The cloud operator restores data only on the customer's written request.
The ARAT application and its infrastructure are regularly assessed for vulnerabilities and application security flaws. The cloud solution in the Astec data center is assessed with the Nessus and Burp Suite Professional tools.
ARAT installations in external clouds can be assessed by Astec under a separate contractual agreement.
All employees have signed an NDA carrying liability for damages and criminal liability; some of them are also security-cleared professionals.
Astec has been in the IT security business for over 20 years, was the third company in Slovenia to obtain the ISO/IEC 27001:2005 certificate, and has reconfirmed it ever since. This confirms that the ARAT service also complies with the requirements and recommendations of ISO/IEC 27005 for the implementation of an ISMS. Astec places high importance on the security of its clients' business data, so special attention is devoted to protecting customer data against unauthorized access to sensitive information, whether by unauthorized users or by external attackers.