Data and IT security at Basking is the highest priority. We have made enterprise-grade data security one of our main benefits and key differentiators by using advanced security mechanisms to ensure the highest level of security, reliability, redundancy, and scalability. Our AI- and Wi-Fi-based workplace occupancy analytics platform is enterprise-ready!
This article describes the technical and organisational security mechanisms in place to ensure the maximum IT security standards.
Technical Security Mechanisms
Technical security mechanisms are the techniques and tools Basking uses to increase the security of our system at different levels.
– Full Encryption
At Basking, we encrypt all data in transit and at rest. Our encryption standard is the symmetric authenticated-encryption algorithm AES-256-GCM. The encryption keys are stored in AWS KMS.
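As an added illustration of the AES-256-GCM encryption described above (example code written for this article, not Basking's own implementation): the envelope layout and the authenticated encrypt/decrypt pair, using only Go's standard library. The data key is generated locally as a stand-in for a KMS-issued data key, and the nonce size, the record-id associated data and the envelope layout are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// Envelope layout: 12-byte nonce || ciphertext || 16-byte GCM tag.
// Assumption: in production the 256-bit data key comes from AWS KMS
// (GenerateDataKey) and is stored only wrapped; NewDataKey is a local stand-in.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32) // 32 bytes = AES-256
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext; aad (e.g. a record id) is authenticated, not encrypted.
func Encrypt(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per message
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// Decrypt verifies the GCM tag first: any altered byte or wrong aad makes Open fail.
func Decrypt(key, envelope, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(envelope) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("envelope too short")
	}
	nonce, ct := envelope[:aead.NonceSize()], envelope[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, aad)
}
```

The tag check is what makes "encrypted" also mean "tamper-evident": a backup or stored record that has been modified in place is rejected at decryption time rather than silently returning garbage.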
– Automatic Backups
Basking makes several automated backups at different steps in our data processing pipeline. This ensures quick and seamless recovery from a possible failure.
Backups are kept within the same private network and are never sent through the internet. They are also encrypted using our strong encryption standard.
– Serverless Architecture
Our serverless architecture is very efficient, flexible and easy to manage. It is built following AWS’ Well-Architected Framework and has the following major benefits:
- Operational Excellence
- Performance Efficiency
- Cost Optimisation
On the security side in particular, the serverless architecture lets us delegate many of the critical security topics to AWS, as described in the AWS shared responsibility model. Under that model, AWS is responsible for the security of the cloud, which covers everything from the physical servers and storage to the services AWS offers, while we remain responsible for security in the cloud, that is, for how those services are configured and used.
– Private Network + Strong Gate Keeper
Our entire data processing pipeline and storage are fully decoupled from the internet. All systems live and communicate within a private network.
The only path from the internet is our API Gateway, which accepts encrypted HTTPS connections only. The API Gateway is additionally protected by AWS Shield, a managed DDoS protection service.
API Gateway is built with security and resilience in mind and uses AWS’ vast infrastructure capacity to scale horizontally with demand.
Management access to the cloud is possible only for selected employees and works only through an encrypted SSH tunnel from whitelisted IP addresses.
– Regular Third Party Vulnerability Tests
Basking works with Intruder.io, a cybersecurity company specialising in vulnerability scanning and finding security weaknesses. Intruder.io scans Basking’s systems continuously and issues alerts whenever a vulnerability is found.
– Strong Passwords and MFA
All access to our systems is secured with strong passwords that have strict expiration dates, and MFA is mandatory. User-specific passwords are never shared among employees.
– CI/CD Deployment Pipeline
Our CI/CD practice enforces automation in development and deployment. Every change goes through automatic static code analysis, manual code review by management, and QA; all new features must pass these stages before they are released.
At Basking, we release new versions of our software continuously, which allows us to stay on top of potential security issues.
– Automatic Code Reviews
Every deployment of code and architecture undergoes a series of automatic and manual reviews to ensure compatibility. These checks include:
- Static lint and code review
- Automatic test routines
- Code review by management
– Architecture as Code Principle
We treat our infrastructure as code, so it follows the same CI/CD deployment pipeline as the application.
– Centralised logs, Dashboards and Alerts
Finally, keeping an eye on our infrastructure is essential. Because all logs are centralised, we can use tools like AWS CloudWatch to visualise key metrics and raise alerts when anomalies (deviations from expected behaviour) occur.
Organisational Security Mechanisms
– Strong, Comprehensive and GDPR-compliant Data Processing Agreement
Our Data Processing Agreement is the centrepiece of our services. It defines the boundaries of what we do and how we do it, and it requires strict data privacy measures such as pseudonymisation and anonymisation. By applying these measures, Basking significantly reduces the risk associated with the data we process.
– Principle of Least Privilege
The principle of least privilege limits access to key components to only those employees or systems that explicitly require it. We make extensive use of access policy documents in our infrastructure and define separate access levels and restrictions for each service we use.
– Strong Internal IT Security Policy
Our employees and third-party contractors must follow our strong security policy. It governs the way we work and the tools we use, and it is in line with modern security practices.
– Employee and Partner Training
Basking employees and partners are trained in data privacy and IT security during their onboarding. Training is repeated regularly to ensure that all existing and new policies are understood and implemented.
Your IT Security Review
Usually, our customers’ IT security teams will require more details to perform a full IT security review of Basking. We are here to help; please don’t hesitate to contact us.