IT & Security
Oct 07, 2021 (2021-10-08 8:34)
MittVarsel’s philosophy regarding security is very simple: everything that happens in the MittVarsel system is encrypted with the most secure technologies available, to ensure the safety of all sensitive information.
Encryption
All end-to-end communication is encrypted with industry-standard 256-bit SSL connectivity. The certificate is issued annually by Let’s Encrypt / Verisign. Person-sensitive information (whistleblowing details, customer information, etc.) is stored in our cloud system and encrypted with AES-128.
Database
The database is built on the open-source technologies MySQL and MongoDB. The encrypted database is mirrored to three separate locations in order to maintain redundancy.
Two-factor authentication
All users of the solution can have two-factor authentication activated via SMS, to ensure that no unauthorized person can access their accounts. 2FA costs nothing extra to use and is included in all setups of the whistleblowing system. 2FA can be made mandatory.
Backup, rolling-release and maintenance
Backups are made every hour. Encrypted backups are stored in three separate locations. New functionality, system maintenance and system updates follow the rolling-release model, so the launch of new features, changes or updates does not result in downtime for the system. All changes are made under source code control, and roll-back is provided for should the need arise.
Measures for protection against data breaches
The measures expected to protect against data breaches are:
- Software maintenance
- Update to latest versions
Encryption, obfuscation of personally sensitive information and auto-generated passwords mean that any data that were breached would nonetheless be of little use, exposing only non-usable, non-identifiable information.
DDoS protection
MittVarsel / MyVoice protects critical infrastructure using Cloudflare, which, among other things, protects against DDoS attacks and provides a CDN platform for increased security and faster load times. When traffic may be perceived as suspicious, automatic routines such as Google reCAPTCHA are run to verify it. All forms and inputs are protected by Google reCAPTCHA (v2 and v3).
Redundancy
The system is at all times mirrored to three separate, independent locations. Each location is monitored (UptimeRobot / Site24x7), and in case of deviations (such as packet loss, unavailability or error messages), automatic switching to an available location ensures maximum redundancy and uptime.
The following are mirrored:
- Source code
- Database
- Server setup (using Docker and OS-level virtualization)
As a result of the redundancy measures above, MittVarsel and other relevant systems showed 100% availability during 2019.
API
MittVarsel.no / MyVoice has an internal REST API that can be used for integration with third-party systems, such as archive systems. MittVarsel.no’s API is flexible and can retrieve and pass on the necessary information in a safe and secure way.