Security Practices At MiniOrange

Never Compromise on Security - We Secure It Right!

Our primary goal is to have a secure connections between people and technology. As a security company, we know that the expectations are great and the stakes are high. We at miniOrange believe in creating products and services that are secure, resilient and assured.

The miniOrange approach to security is based on the following principles:

The miniOrange platform is designed to provide a secure and reliable foundation for functionality to scale and manage cloud applications. This ensures that communications with miniOrange are secure and verified, control and access to the miniOrange service can be delegated across an organization, and that customer data remains secure. Additional security measures prevent cross-site scripting, forgery requests and SQL injections. miniOrange works with external security experts to validate the security of our design and implementation.

All access to miniOrange uses the https protocol. Customers are assigned their own domains, sub-domains, and cookies.

miniOrange uses strong encryption to secure sensitive customer data such as unique SAML keys that are created for authentication. We also store and encrypt credentials that users submit for secure browser applications (apps), configured within their SSO environment.

miniOrange does not implement any proprietary encryption. Customer data encryption is performed at the application layer. The use of application level encryption protects sensitive data, even in the event of partial compromise.

miniOrange encrypts the customer confidential data in the database. The encryption is performed using symmetric encryption 256-bit AES with exclusive keys. Customer exclusive symmetric keys ensures data segregation.

Amazon Web Services (AWS) - provides the infrastructure that hosts miniOrange’s Identity-as-a-Service platform. AWS SOC 2 report is available here: https://aws.amazon.com/artifact/

miniOrange takes several steps to secure customer data. For all queries, retrievals, and bulk updates, the miniOrange service returns or updates only validated data. All miniOrange system responses to a request are subject to any access restrictions in place for that customer and their miniOrange registered users. This user/customer relationship is revalidated on every request to ensure that only authorized users within the customer’s subdomain view the data.

Our state-of-the-art encryption technology protects customer data both at rest and in transit to the user’s browser, leaving no weak spots for attackers. miniOrange encrypted DB instances provide an additional layer of data protection by securing your data from unauthorized access to the underlying storage. We use Amazon RDS encryption to increase data protection of applications deployed in the cloud, and to fulfill compliance requirements for data-at-rest encryption.

miniOrange uses Amazon KMS (key management service) to encrypt data symmetrically. This uses cryptographic keys for our applications and is a useful technique for data encryption. miniOrange uses different versions of RSA, DSA, TRIPLE-DES, AES and HMAC. Confidential data of customers is also encrypted using one of the above mentioned versions of encryption. Confidential data includes any Personally Identifiable Information of the user such as Passwords.

When users are created in MiniOrange locally, they have a local miniOrange password, which is stored in the AWS RDS Database. We use salted bcrypt with a high number of rounds to protect the user passwords. Unlike other hashing algorithms designed for speed and thus susceptible to rainbow table or brute-force attacks, bcrypt is very slow and an adaptive function, meaning its hash function can be made more expensive and thus slower as computing power increases.

When users are in any third party Identity Provider or any directory like AD or any LDAP server, the authentication happens directly from the user identity provider, this kind of authentication is called delegated authentication.

Technical teams at miniOrange have a wide range of experience developing and operating market leading on-demand services. A comprehensive evaluation of infrastructure providers was performed in order to select the right partner for security and scalability of services.

miniOrange and Amazon (AWS) have a comprehensive approach to ensure security and reliability of the miniOrange service. It starts with the physical data center, extends through the compute, network, and storage layers of the service.

The AWS network provides protection against traditional network security issues including Distributed Denial Of Service attacks (DDoS), Man In the Middle (MITM) attacks, IP spoofing, port scanning, and packet sniffing by other tenants.

Our Cloud Solution is deployed on AWS behind a WAF and Load-balanced environment with automatic scaling up options enabled. You can click here to take a look at our high-level infrastructure diagram.

miniOrange cloud is hosted on AWS US East (N. Virginia), Europe, Australia and Ireland data centers behind an Elastic Load Balancer with multiple availability zones to ensure 99.99% uptime.

As miniOrange cloud service is hosted on AWS we have taken advantage of multiple monitoring tools to make sure the system is running smoothly at all times. Notifications have been set up to make sure proper teams are notified as in when an anomaly occurs or a status check fails. This protects against any DOS and DDOS attacks and prevents any unplanned surge of the load.

Regular snapshots of the server environment are taken regularly and databases are backed on a daily basis. If any disaster recovery needs to be done we can get the backup up and running in no time.

Amazon S3 has been used for storing backups and static content.

AWS Elasticache (Memcached) and DynamoDB have been used and implemented for caching.

miniOrange provides publicly available mechanisms for customers to report security and/or privacy events, including disasters. miniOrange monitors service continuity with upstream providers in the event of failure or disaster management.

miniorange implemented environmental controls, fail-over mechanisms or other redundancies to secure utility services and mitigate environmental conditions.

We begin building security into our software before we write any line of code. Strict security checkpoints govern every step of our development lifecycle from design through to coding, testing, and deployment. miniOrange's internal security team works with independent external security researchers to validate our software security.

Each year, we train our developers in the latest secure programming and code review techniques.

miniOrange's software security is regularly reviewed by peers, in-house security researchers.

miniOrange's security controls govern employees and contractors before, during, and after their time at miniOrange.

miniOrange's security team builds security into our culture by promoting security awareness and testing employees to ensure compliance.

We reduce risk by limiting production access to those that need it to do their jobs, while continuing to monitor their access.

Core security features of the underlying miniOrange platform include the ability to prevent Cross-Site Scripting (XSS), Cross-Site Request Forgery (XSRF), and SQL Injection attacks. Strong validation of input and requests and strict programmatic controls on SQL statements minimize these threats.

Man-in-the-Middle (MitM) Attacks - Occurs when an attacker intercepts a two-party transaction, inserting themselves in the middle. From there, cyber attackers can steal and manipulate data by interrupting traffic.
Denial-of-Service (DOS) Attack - DoS attacks work by flooding systems, servers, and/or networks with traffic to overload resources and bandwidth. The result is rendering the system unable to process and fulfill legitimate requests.
SQL Injections - This occurs when an attacker inserts malicious code into a server using server query language (SQL) forcing the server to deliver protected information.
Cross-site Scripting - A cross-site scripting attack sends malicious scripts into content from reliable websites. The malicious code joins the dynamic content that is sent to the victim’s browser.
Brute-force attack - A hacker tries hundreds or thousands of username/password combinations in an attempt to gain access.

As part of our security strategy miniOrange uses various popular testing tools like Netsparker to perform penetration testing in an effort to understand and improve overall service security. The assessment includes design review, source review and penetration testing. miniOrange developers identify security threats and develop solutions to any potential threats. We aggressively hunt for bugs in our software using security programs. We also believe in the customer’s right to conduct a penetration test on miniOrange, and so we provide them with test environments to do that.

We protect your data at every point in our infrastructure, including compute, storage, and network transmission. Each server in the miniOrange environment is monitored for machine health metrics twice per minute to track availability. AWS data centers are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state of the art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All physical access by employees is logged and routinely audited.

Administrative access to the host operating systems to manage instances requires the use of multi-factor authentication. The administrative hosts systems are specifically designed, built, configured, and hardened to protect the management plane of the cloud. All access is logged and audited. We ensure that all of our service providers meet our data protection standards.

Security starts with the people we employ. Background checks are performed on all candidates for miniOrange and employees, contractors and third party users must confirm in writing that they understand their roles and responsibilities regarding information security as part of their employment or vendor contract.

Security Practices at miniOrange

Security Practices At MiniOrange

Never Compromise on Security - We Secure It Right!

The miniOrange approach to security is based on the following principles:

STAY CONNECTED

Product

Solutions

Resources

Company

Security Practices at miniOrange

Security Practices At MiniOrange

Never Compromise on Security - We Secure It Right!

The miniOrange approach to security is based on the following principles:

STAY CONNECTED

Product

Solutions

Resources

Company

Cookie Preferences

Privacy Policy

Strictly Necessary Cookies

Always Active

Performance Cookies

Always Active