All access to miniOrange uses the https protocol. Customers are assigned their own domains, sub-domains, and cookies.
miniOrange uses strong encryption to secure sensitive customer data such as unique SAML keys that are created for authentication. We also store and encrypt credentials that users submit for secure browser applications (apps), configured within their SSO environment.
miniOrange does not implement any proprietary encryption. Customer data encryption is performed at the application layer. The use of application level encryption protects sensitive data, even in the event of partial compromise.
miniOrange encrypts the customer confidential data in the database. The encryption is performed using symmetric encryption 256-bit AES with exclusive keys. Customer exclusive symmetric keys ensures data segregation.
Amazon Web Services (AWS) - provides the infrastructure that hosts miniOrange’s Identity-as-a-Service platform. AWS SOC 2 report is available here: https://aws.amazon.com/artifact/
miniOrange takes several steps to secure customer data. For all queries, retrievals, and bulk updates, the miniOrange service returns or updates only validated data.
All miniOrange system responses to a request are subject to any access restrictions in place for that customer and their miniOrange registered users. This user/customer relationship is revalidated on every request to ensure that only authorized users within the customer’s subdomain view the data.
Our state-of-the-art encryption technology protects customer data both at rest and in transit to the user’s browser, leaving no weak spots for attackers. miniOrange encrypted DB instances provide an additional layer of data protection by securing your data from unauthorized access to the underlying storage. We use Amazon RDS encryption to increase data protection of applications deployed in the cloud, and to fulfill compliance requirements for data-at-rest encryption.
miniOrange uses Amazon KMS (key management service) to encrypt data symmetrically. This uses cryptographic keys for our applications and is a useful technique for data encryption. miniOrange uses different versions of RSA, DSA, TRIPLE-DES, AES and HMAC. Confidential data of customers is also encrypted using one of the above mentioned versions of encryption. Confidential data includes any Personally Identifiable Information of the user such as Passwords.
When users are created in MiniOrange locally, they have a local miniOrange password, which is stored in the AWS RDS Database. We use salted bcrypt with a high number of rounds to protect the user passwords. Unlike other hashing algorithms designed for speed and thus susceptible to rainbow table or brute-force attacks, bcrypt is very slow and an adaptive function, meaning its hash function can be made more expensive and thus slower as computing power increases.
When users are in any third party Identity Provider or any directory like AD or any LDAP server, the authentication happens directly from the user identity provider, this kind of authentication is called delegated authentication.
Technical teams at miniOrange have a wide range of experience developing and operating market leading on-demand services. A comprehensive evaluation of infrastructure providers was performed in order to select the right partner for security and scalability of services.
miniOrange and Amazon (AWS) have a comprehensive approach to ensure security and reliability of the miniOrange service. It starts with the physical data center, extends through the compute, network, and storage layers of the service.
Our Cloud Solution is deployed on AWS behind a WAF and Load-balanced environment with automatic scaling up options enabled. You can click here to take a look at our high-level infrastructure diagram.
miniOrange cloud is hosted on AWS US East (N. Virginia), Europe, Australia and Ireland data centers behind an Elastic Load Balancer with multiple availability zones to ensure 99.99% uptime.
As miniOrange cloud service is hosted on AWS we have taken advantage of multiple monitoring tools to make sure the system is running smoothly at all times. Notifications have been set up to make sure proper teams are notified as in when an anomaly occurs or a status check fails. This protects against any DOS and DDOS attacks and prevents any unplanned surge of the load.
Regular snapshots of the server environment are taken regularly and databases are backed on a daily basis. If any disaster recovery needs to be done we can get the backup up and running in no time.
Amazon S3 has been used for storing backups and static content.
AWS Elasticache (Memcached) and DynamoDB have been used and implemented for caching.
We begin building security into our software before we write any line of code. Strict security checkpoints govern every step of our development lifecycle from design through to coding, testing, and deployment. miniOrange's internal security team works with independent external security researchers to validate our software security.
Each year, we train our developers in the latest secure programming and code review techniques.
miniOrange's software security is regularly reviewed by peers, in-house security researchers.
miniOrange's security controls govern employees and contractors before, during, and after their time at miniOrange.
miniOrange's security team builds security into our culture by promoting security awareness and testing employees to ensure compliance.
We reduce risk by limiting production access to those that need it to do their jobs, while continuing to monitor their access.
We protect your data at every point in our infrastructure, including compute, storage, and network transmission. Each server in the miniOrange environment is monitored for machine health metrics twice per minute to track availability. AWS data centers are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state of the art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All physical access by employees is logged and routinely audited.
Administrative access to the host operating systems to manage instances requires the use of multi-factor authentication. The administrative hosts systems are specifically designed, built, configured, and hardened to protect the management plane of the cloud. All access is logged and audited. We ensure that all of our service providers meet our data protection standards.
