360° Data security and protection

Security by design

Data security and protection is the most basic building block of information systems. As complexity increases and data access is from multiple channels, systems and devices, Entersoft Business Suite incorporates multiple levels of data access control, which are constantly expanding and adapting to technological and institutional developments, through a powerful framework used by the full range of applications from wherever they run (on premises, on cloud, via browsers or mobile devices & tablets).

Passcodes policy

Simple-strong code, parametric rules of code complexity, change code frequency-code duration (in days), immediate change at the next login. The Entersoft framework uses the DES algorithm to encrypt passwords.

Access channels

Definition of channel from which a user can be excluded e.g. from the internet or other subnet or from specific IPs.

LDAP certification

Lightweight Directory Access Protocol, for exploitation from the company’s domain server.

Two factor authentication

The requirement for confirmation of two-factor-authentication for access to Desktop applications or WebApi or eCommerce etc. can be activated per user. It can even be set that for the same user TFA is activated only for Web Apps and not Desktop applications. To configure TFA on mobile, use either Microsoft Authenticator or Google Authenticator.

User account inactivation

After repeated failed login attempts, the user may be disabled, for re-checking.

“Read-only” user

With a single click, without additional actions for prohibition of access privileges, it can be determined that the user cannot save, but only display information.

User menus

A "rough" way of restricting users to specific functions that concern them (mainly for reasons of simplicity and understanding and not because there is a guarantee of their exclusion from everything else) is to define a specific menu per user, instead of the rich application menu.

Access to functionality

All entities, functions, views, dashboards, prints, mass processes and fields are available for award or block access rights to "user roles". If a user has multiple "roles", system access rights are "merged" (aggregated). If an access privilege is not assigned at all, it is assumed as "prohibited". The allocation of rights can be done in whole areas of functionality in a massive way either at detail level (which prevails), up to a field level. The access rights are inter-company, i.e. they apply to all the companies that each user has access to. Permissions can be specified for each functionality, depending on the respective area (insert, modify, display, delete, print, execute - query, copy to clipboard, etc.)

Access to specific entities

Especially for transactions, the rights are granted separately by document series (context or massively) and also include additional features such as blocking access at prices/discounts, blocking line deletion or changing items, create by typing (i.e. may ONLY be allowed through a transition from a previous stage of the process) etc. Many “documents” meant to be posted to Accounting may also contain information not concerning Accounting. For this reason, Entersoft Business Suite provides a system for exceeding accounting controls for specific user roles, for various data classes such as e.g. cash flow configuration, corporate dimensions, salesmen and commissions data, etc., via an end-user interface. Alongside, a set of additional prohibitions, (apart from those that the system executes in "official" documents) can be configured, for specific transactions, for specific groups of users, under specific conditions e.g. prohibition of changing “process stage” or user-definable fields, etc. There is also a special forethought for various entities, where access would be preferable on a case-by-case basis and not by global blocking or granting access rights, such as:
  • the actions of sales and customer service departments staff (appointments, seminars, visits, requests, resolutions, complaints, etc.)
  • the budget sheets, which protected by an extensive system of roles (author, approval responsible etc.) with date limits for changes & finalization, with controls depending on budget’s "state", etc.

Protecting the customization level

At the level of entities, forms, fields, views, printings, documents, etc. added at the implementation level, the entire security system is available and works just like the product-level. At the level of business rules & processes defined at the implementation level, it is necessary to include a special provision for the user group which granted to access at the relevant processes, IF necessary (since many times, access is ensured by placing the feature or process on screens or lists or entities, with already configured privileges.

Time-based access tokens

Whenever a login takes place it is exchanged for a secure access token that expires after a few minutes and the token becomes void, while on any subsequent call it is renewed. This time-lease varies depending on the nature of the application (Entersoft Analyzer, Request For Approval or an integration Service such as Entersoft eCom Connector or Connector for Microsoft Power BI etc.

Safe connection at Entersoft Cloud Apps

The full list of servers and services that are part of the Entersoft Web API and the Entersoft Web Applications are secured through Green Level Certificates issued by global trusted organizations and supported by all the browsers on all platforms and devices.

Data protection at Entersoft Cloud Apps

The architecture of Entersoft Web API Server that connects Entersoft Application Server (EAS) to all the Entersoft Cloud Store applications never stores any data transferred back and forth the client applications, the Entersoft Web API Server and the EAS.

GDPR procedures embedded in the system

  • Procedure for document Data protection policy
  • Procedure for announcement of scope of using or handling personal data
  • Procedure for sending a campaign and obtaining a consent to use personal data
  • Procedures for accepting, changing or anonymization of personal data
  • Data protection system against unauthorized users (Role Based Security)
  • Field Level Security system so that the readability of "sensitive" fields can be adjusted only by roles related to the scopes defined
  • Special classification of fields for this purpose (GDPR), to be recognized, protected, and controlled massively under processing scope (Field Set Security Grouping - FSSG)
  • History of field changes (Audit trail & reporting) as well as logging of data publishing (exports, print reports, copy to clipboard, etc.) for easy detection of possible leaks
  • Optional Database encryption - available in MS SQL Server 2016
  • Ability to “mask” the content of "sensitive" fields at user interface level (e.g. name as *****, phone as 210 ***** 50 and so on.
  • In multinational installations, possibility to hide personal data not concerning a company (in DBs with a common list of contacts), especially for group companies outside the EU (so GDPR object).

The system records and documents

  • Insert, Delete, Modify into entities and fields
  • Execution of procedures
  • Execution of views & reports of any kind
  • Sign-in / Sign-out users
  • Version upgrades

Track changes

Regarding the fields, the system provides for recording the history (user, date, previous value) of value changes of the commonly "sensitive" fields, but you can choose this "track changes" property for any other field (ability necessary also in case of adding fields and tables at a customization level). Access to this information is ready within the entity management screens (for specific entity control), but also in bulk control views with criteria targeted to help identify problems.

Messages while processes executed

Some (time consuming) processes extract information during their execution, for the time, the results, the terminal, etc. for evaluation by the IT department. Such processes are the Stock Valuation, the periodical Closings, the various recalculations and so on.

Events log

The system keeps a detailed history of the execution of a wide range of "events" such as user sign-in, sign-out, deletion of records, approvals of credit overruns, backup, server restart, S/W version upgrades, recalculation tasks, official printings etc., for which it provides all the necessary information to investigate potential problems.

Audit trail at Entersoft Cloud Apps

  • Every login within an application of the subscription is encrypted, archived, and stored for later review by the Subscription Administrator.
  • For a rolling period of 90 days, Entersoft Cloud Store keeps detailed track and provides insights about the use, the errors and the quota consumption, if any.