Security by design
Data security and protection is the most basic building block of an information system. As complexity increases and data is accessed through multiple channels, systems and devices, Entersoft Business Suite incorporates multiple levels of data access control, which are constantly expanded and adapted to technological and institutional developments, through a single framework used by the full range of applications wherever they run (on premises, in the cloud, via browsers or on mobile devices and tablets).
Password policy
Simple or strong password mode, parametric password-complexity rules, a change frequency (password lifetime in days) and forced change at the next login. The Entersoft framework uses the DES algorithm to encrypt passwords. DES is a 56-bit cipher withdrawn by NIST in 2005, and an encrypted password, unlike a salted hash, can be recovered by anyone who obtains the key, so custody of that key is the critical control here.
Access channels
Definition of the channels from which a user can be excluded, e.g. from the internet, from another subnet or from specific IP addresses.
LDAP authentication
Lightweight Directory Access Protocol support, so that users are authenticated against the company's domain (directory) server.
Two-factor authentication
Two-factor authentication (TFA) can be required per user for access to the Desktop applications, the Web API, eCommerce and so on. It can even be set so that, for the same user, TFA applies only to the web apps and not to the desktop applications. On mobile, TFA is configured with an authenticator app, either Microsoft Authenticator or Google Authenticator.
User account deactivation
After repeated failed login attempts the account can be disabled automatically, pending review and re-enablement by an administrator.
Read-only user
With a single click, and without revoking individual access privileges one by one, a user can be restricted to viewing information without being able to save.
User menus
Defining a specific menu per user, instead of the full application menu, is a coarse way of limiting users to the functions that concern them. It serves simplicity and comprehension; it is not a security boundary and gives no guarantee that the user is excluded from everything else, which is what the role-based and field-level controls below are for.
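The password policy, channel restrictions and lockout-on-failure described above combine into one decision at login time, and the order of the checks is security-relevant: the channel must be evaluated before the password is tried, otherwise an attacker on a blocked network can still burn through the failed-attempt counter and lock legitimate users out. The block below is an added example of that decision logic, not Entersoft's implementation; the `User` and `PasswordPolicy` structures, the constants and the return strings are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class PasswordPolicy:
    """Hypothetical parametric policy: 'strong' mode switches the complexity rules on."""
    strong: bool = True
    min_length: int = 12
    min_classes: int = 3          # of upper / lower / digit / other
    max_age_days: int = 90        # password lifetime in days
    max_failed_logins: int = 5


@dataclass
class User:
    """Hypothetical user record; only the fields the login decision needs."""
    name: str
    password_set_on: date
    allowed_networks: list = field(default_factory=list)  # CIDRs; empty means any
    denied_networks: list = field(default_factory=list)   # CIDRs; checked first
    must_change_at_next_login: bool = False
    failed_logins: int = 0
    disabled: bool = False


def channel_allowed(user: User, client_ip: str) -> bool:
    """Deny-list wins over allow-list; an empty allow-list means every channel."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(n) for n in user.denied_networks):
        return False
    if not user.allowed_networks:
        return True
    return any(ip in ipaddress.ip_network(n) for n in user.allowed_networks)


def password_problems(pw: str, username: str, policy: PasswordPolicy) -> list:
    """Return the list of complexity rules a candidate password violates."""
    problems = []
    if len(pw) < policy.min_length:
        problems.append("shorter than %d characters" % policy.min_length)
    if policy.strong:
        classes = sum([any(c.isupper() for c in pw), any(c.islower() for c in pw),
                       any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)])
        if classes < policy.min_classes:
            problems.append("fewer than %d character classes" % policy.min_classes)
        if username.lower() in pw.lower():
            problems.append("contains the user name")
    return problems


def evaluate_login(user: User, client_ip: str, password_ok: bool,
                   today: date, policy: PasswordPolicy = PasswordPolicy()) -> str:
    """Decide a login attempt: 'deny:<reason>', 'allow' or 'allow:change-password'."""
    if user.disabled:
        return "deny:account-disabled"
    # Channel first: a request from a blocked network never touches the
    # failure counter, so it cannot be used to lock the account remotely.
    if not channel_allowed(user, client_ip):
        return "deny:channel"
    if not password_ok:
        user.failed_logins += 1
        if user.failed_logins >= policy.max_failed_logins:
            user.disabled = True        # stays disabled until an administrator re-enables it
            return "deny:locked-out"
        return "deny:bad-password"
    user.failed_logins = 0
    expired = (today - user.password_set_on).days > policy.max_age_days
    if user.must_change_at_next_login or expired:
        return "allow:change-password"
    return "allow"


if __name__ == "__main__":
    u = User("kpapas", date(2024, 1, 1), allowed_networks=["10.0.0.0/8"])
    print(evaluate_login(u, "203.0.113.5", True, date(2024, 2, 1)))   # deny:channel
    print(evaluate_login(u, "10.1.2.3", True, date(2024, 6, 1)))      # allow:change-password
    print(password_problems("kpapas2024", "kpapas", PasswordPolicy()))
```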
GDPR procedures embedded in the system
- Procedure for documenting the data protection policy
- Procedure for announcing the purpose of using or handling personal data
- Procedure for sending a campaign and obtaining consent to use personal data
- Procedures for accepting, changing or anonymizing personal data
- Data protection against unauthorized users (role-based security)
- Field-level security, so that readability of "sensitive" fields can be granted only to the roles tied to the defined processing scopes
- Special classification of fields for this purpose (GDPR), so that they can be recognized, protected and controlled in bulk by processing scope (Field Set Security Grouping, FSSG)
- History of field changes (audit trail and reporting) as well as logging of data publishing (exports, printed reports, copy to clipboard, etc.) for easier detection of possible leaks
- Optional database encryption, available with MS SQL Server 2016
- Ability to "mask" the content of "sensitive" fields at user-interface level (e.g. a name as *****, a phone number as 210 ***** 50, and so on)
- In multinational installations, the possibility to hide personal data that does not concern a given company (in databases with a shared contact list), especially from group companies outside the EU, for which GDPR restricts such access
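Field-level security, field set grouping and UI masking are one mechanism seen from three sides: fields are grouped, groups are bound to roles, and a reader without the role sees the masked form; logging of data publishing then records who read or exported which sensitive fields. The block below is an added example of that mechanism, not Entersoft's code or configuration. The group table, the mask formats, the `audit` list and the function names are assumptions for illustration; the record and the roles are constructed sample data.

```python
from datetime import datetime, timezone

# Hypothetical field set security grouping: each group lists the sensitive
# fields it protects and the roles allowed to read them unmasked.
FIELD_GROUPS = {
    "identity": {"fields": {"name", "tax_id"}, "roles": {"hr", "dpo"}},
    "contact":  {"fields": {"phone", "email"}, "roles": {"hr", "sales", "dpo"}},
    "health":   {"fields": {"medical_notes"}, "roles": {"dpo"}},
}
SENSITIVE = set().union(*(g["fields"] for g in FIELD_GROUPS.values()))


def readable_fields(roles: set) -> set:
    """Sensitive fields the given roles may read in clear (union over matching groups)."""
    return set().union(*(g["fields"] for g in FIELD_GROUPS.values() if g["roles"] & roles))


def mask(field: str, value):
    """UI-level masking: keep just enough shape to recognise the record, never the content."""
    if value is None:
        return None
    s = str(value)
    if field == "phone":                      # 210 1234550 -> 210 ***** 50
        digits = "".join(c for c in s if c.isdigit())
        return "%s ***** %s" % (digits[:3], digits[-2:]) if len(digits) > 5 else "*****"
    if field == "email":                      # maria@example.com -> m***@example.com
        local, _, domain = s.partition("@")
        return "%s***@%s" % (local[:1], domain) if domain else "*****"
    return "*****"


def _log(audit: list, user: str, action: str, **details):
    """Append a data-publishing / access event; a real system would persist this."""
    entry = {"ts": datetime.now(timezone.utc).isoformat(), "user": user, "action": action}
    entry.update(details)
    audit.append(entry)


def view_record(record: dict, roles: set, user: str, audit: list) -> dict:
    """Return the record as the roles may see it, logging which fields were masked."""
    clear = readable_fields(roles)
    out, masked = {}, []
    for field, value in record.items():
        if field in SENSITIVE and field not in clear:
            out[field] = mask(field, value)
            masked.append(field)
        else:
            out[field] = value
    _log(audit, user, "read", masked_fields=sorted(masked),
         clear_sensitive=sorted(f for f in record if f in clear))
    return out


def export_records(records: list, roles: set, user: str, audit: list, purpose: str) -> list:
    """Bulk publishing goes through the same masking and is itself logged with row count."""
    clear = readable_fields(roles)
    rows = []
    for record in records:
        rows.append({f: (mask(f, v) if f in SENSITIVE and f not in clear else v)
                     for f, v in record.items()})
    _log(audit, user, "export", rows=len(rows), purpose=purpose,
         clear_sensitive=sorted(clear & set().union(*(r.keys() for r in records))))
    return rows


if __name__ == "__main__":
    # Constructed sample contact record.
    rec = {"name": "Maria Papadopoulou", "tax_id": "123456789", "phone": "210 1234550",
           "email": "maria@example.com", "medical_notes": "allergic to penicillin", "city": "Athens"}
    audit = []
    print(view_record(rec, {"sales"}, "kpapas", audit))
    print(audit[-1])
```

Two design points worth noting: a field that belongs to no group (`city` above) is never masked, so adding a new sensitive field to a customization means adding it to a group, which is what the bulk FSSG classification is for; and the export path logs the row count and the sensitive fields that left in clear, which is the signal a leak investigation needs.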
The system records and documents:
- Inserts, deletions and modifications of entities and fields
- Execution of procedures
- Execution of views and reports of any kind
- User sign-in and sign-out
- Version upgrades
Track changes
For fields, the system records the change history (user, date, previous value) of the commonly "sensitive" fields, but the "track changes" property can be enabled for any other field as well (a capability that is also needed when fields and tables are added at customization level). This information is available inside the entity management screens (for checking a specific entity), but also in bulk control views with criteria designed to help identify problems.
Messages while processes execute
Some (time-consuming) processes record information during their execution, such as duration, results and the terminal used, for evaluation by the IT department. Examples are the Stock Valuation, the periodic Closings and the various recalculations.
Events log
The system keeps a detailed history of the execution of a wide range of "events", such as user sign-in and sign-out, deletion of records, approvals of credit overruns, backups, server restarts, software version upgrades, recalculation tasks and official printings, and for each of them provides the information needed to investigate potential problems.
Audit trail at Entersoft Cloud Apps
- Every login to an application of the subscription is recorded, encrypted and archived for later review by the Subscription Administrator.
- For a rolling period of 90 days, Entersoft Cloud Store keeps a detailed record of usage, errors and quota consumption and provides insights on them.
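The value of the event log, the change history and the data-publishing log is in the questions that can be asked of them in bulk. The block below is an added example, not Entersoft's code or log format, of three such checks run over a constructed sample of events in a hypothetical `timestamp key=value ...` format: a successful sign-in that follows a burst of failures (a guessed or sprayed password), a bulk export or print that includes sensitive fields, and a mass deletion outside business hours. The thresholds, field names and event names are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical key=value format.
SAMPLE_LOG = """\
2024-03-11T07:58:01Z user=kpapas event=signin.failed ip=203.0.113.7
2024-03-11T07:58:09Z user=kpapas event=signin.failed ip=203.0.113.7
2024-03-11T07:58:15Z user=kpapas event=signin.failed ip=203.0.113.7
2024-03-11T07:58:22Z user=kpapas event=signin.failed ip=203.0.113.7
2024-03-11T07:58:40Z user=kpapas event=signin.ok ip=203.0.113.7
2024-03-11T08:03:10Z user=kpapas event=export entity=Contact rows=18250 fields=name,phone,email
2024-03-11T09:12:44Z user=mnikol event=signin.ok ip=10.0.4.21
2024-03-11T09:30:02Z user=mnikol event=report entity=Invoice rows=40 fields=number,total
2024-03-11T22:41:05Z user=agiann event=signin.ok ip=10.0.4.30
2024-03-11T22:42:30Z user=agiann event=delete entity=Customer rows=1200
"""

PUBLISHING_EVENTS = {"export", "report", "print", "clipboard"}
SENSITIVE_FIELDS = {"name", "tax_id", "phone", "email", "medical_notes"}


def parse_log(text: str) -> list:
    """Turn each line into a dict; the first token is the UTC timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
        for tok in pairs:
            key, _, value = tok.partition("=")
            rec[key] = value
        events.append(rec)
    return events


def success_after_failures(events: list, max_failures: int = 3,
                           window: timedelta = timedelta(minutes=5)) -> list:
    """Flag a sign-in that succeeds after >= max_failures failures for the same user in the window."""
    findings, recent = [], defaultdict(list)
    for e in events:
        if e.get("event") == "signin.failed":
            recent[e["user"]].append(e["ts"])
        elif e.get("event") == "signin.ok":
            fails = [t for t in recent[e["user"]] if e["ts"] - t <= window]
            if len(fails) >= max_failures:
                findings.append({"rule": "success-after-failures", "user": e["user"],
                                 "ip": e.get("ip"), "failures": len(fails), "ts": e["ts"]})
            recent[e["user"]].clear()
    return findings


def bulk_sensitive_publishing(events: list, min_rows: int = 1000) -> list:
    """Flag exports, reports, prints or clipboard copies of many rows containing sensitive fields."""
    findings = []
    for e in events:
        if e.get("event") not in PUBLISHING_EVENTS:
            continue
        fields = set(e.get("fields", "").split(",")) & SENSITIVE_FIELDS
        if int(e.get("rows", 0)) >= min_rows and fields:
            findings.append({"rule": "bulk-sensitive-publishing", "user": e["user"],
                             "entity": e.get("entity"), "rows": int(e["rows"]),
                             "fields": sorted(fields), "ts": e["ts"]})
    return findings


def after_hours_mass_delete(events: list, min_rows: int = 100,
                            start_hour: int = 7, end_hour: int = 20) -> list:
    """Flag deletions of many rows outside the working window [start_hour, end_hour)."""
    findings = []
    for e in events:
        if e.get("event") != "delete" or int(e.get("rows", 0)) < min_rows:
            continue
        if not (start_hour <= e["ts"].hour < end_hour):
            findings.append({"rule": "after-hours-mass-delete", "user": e["user"],
                             "entity": e.get("entity"), "rows": int(e["rows"]), "ts": e["ts"]})
    return findings


def run_all(text: str) -> list:
    events = parse_log(text)
    return (success_after_failures(events) + bulk_sensitive_publishing(events)
            + after_hours_mass_delete(events))


if __name__ == "__main__":
    for f in run_all(SAMPLE_LOG):
        print(f)
```

In the sample, the same user trips the first two rules within five minutes, which is exactly the combination (credential guessing followed by a large contact export) that a leak investigation should surface first; the rules are deliberately simple so they can be expressed as criteria in a bulk control view rather than needing a SIEM.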
| Question | Answer |
|---|---|
| How are API authentication and credential management enforced when an API is used without the MuleSoft API gateway? | Entersoft Web API fully supports the concepts of Application Keys, Developer Keys, Security Schemes, Security Policies and System Constraints. It provides all the means for a customer/subscriber to manage, monitor, log and alert on the runtime of Entersoft Web API in the context of any application, Entersoft or custom, that makes use of it. Exposing Entersoft Web API through an API gateway management system such as MuleSoft, Microsoft's, etc. is considered a paid custom add-on in the context of a project. |
| How are security event logs continuously monitored when no SIEM system is in use? | Security logs generated by the various subsystems and functional layers of the Entersoft application architecture are continuously transferred to the Entersoft Realtime Monitoring system that runs on Microsoft Azure. |
| What is the authentication mechanism for the mobile apps? | Regardless of the MDM solution the customer has provisioned and applied, before a device can grant a user access to the Entersoft Mobile Cross application running on it, the device must first be registered with the Entersoft back-end system and a user assigned to it. The user must also be granted the Mobile Device Access right. User ID/password authentication then applies. |
| Do the mobile apps encrypt the data on the device? | The Entersoft Mobile Merchandising cross-platform app stores the data that the back-end configuration makes available offline for the specific user/group/device in an SQLite database located in the application's sandbox, which is protected and encrypted by the operating system (Android OS, Apple iOS, Windows UWP). Further encryption within the SQLite database can be applied whenever the underlying OS version offers this option. |
| How can the mobile apps be managed by the company's MDM/MAM system? | Entersoft CRM and Entersoft Mobile SFA offer a core MDM subsystem that provides the fundamental device management operations, i.e. pairing a device with a user and an Entersoft app, activating/deactivating the device, and associating/disassociating a user and an Entersoft app with the device. The core MDM subsystem also provides operations on the Entersoft mobile apps themselves: locking a device, prohibiting data sync in either or both directions, registering the last known location of the device (provided the user has accepted and enabled Location Services for the Entersoft app) and wiping an app from the device. For every device registered in the core MDM subsystem there is an extensive set of log and audit trail records, as well as the current known status of the device with respect to an Entersoft mobile application, including location, UTC datetime and other contextual fields. |
| Can the mobile apps be hosted in a private or public app store? | The Entersoft mobile applications are not offered through the public app stores of the platform vendors (Google Play, Apple App Store, Microsoft Store). On Apple iOS, the Entersoft Mobile for iOS applications fully support enterprise distribution ("Enterprise Stores"), where the customer is fully in charge of the mobile application (signing with their own certificates, managing distribution certificates and profiles, etc.). This is highly recommended for large enterprises and organizations. |
| Does the system follow a secure SDLC practice? | Entersoft enforces a software development lifecycle process in both product development and implementation and customization. For every sprint and software version to be delivered there are phases with resources, roles and deliverables designed to produce high-quality, fit-for-purpose software and services. From requirements capture, requirements analysis, specification, design, implementation, unit testing, integration testing and acceptance testing through to quality control, there are methodologies, tools and automated bots in place, under a well-defined set of security policies, in a secure and protected development environment. The Entersoft development and service provisioning processes are certified to ISO 9001:2015 and ISO 20000:2018; security and risk management are essential elements of both standards and are audited yearly. |
| Does the system undergo regular application security testing? | On a yearly basis, Entersoft SA's software products and software-as-a-service (SaaS) offerings undergo extensive vulnerability testing, using a set of state-of-the-art vulnerability assessment tools and services chosen as the most applicable to the technologies and nature of the software subsystems of each product. |