Security by design
Data security and protection is the most basic building block of information systems. As complexity increases and data access is from multiple channels, systems and devices, Entersoft Business Suite incorporates multiple levels of data access control, which are constantly expanding and adapting to technological and institutional developments, through a powerful framework used by the full range of applications from wherever they run (on premises, on cloud, via browsers or mobile devices & tablets).
Passcodes policy
Simple or strong passcodes, parametric rules of passcode complexity, change frequency and passcode duration (in days), immediate change at the next login. The Entersoft framework uses the DES algorithm to encrypt passwords.
Access channels
Definition of the channels from which a user can be excluded, e.g. from the internet or another subnet or from specific IPs.
LDAP certification
Lightweight Directory Access Protocol, to make use of the company’s domain server.
Two factor authentication
Two-factor authentication (TFA) for access to Desktop applications, WebApi, eCommerce etc. can be required per user. For the same user, TFA can even be activated only for Web Apps and not for Desktop applications. To configure TFA on mobile, use either Microsoft Authenticator or Google Authenticator.
User account inactivation
After repeated failed login attempts, the user may be disabled, for re-checking.
“Read-only” user
With a single click, and without any further blocking of access privileges, a user can be set so that they cannot save, but only display information.
User menus
A "rough" way of restricting users to specific functions that concern them (mainly for reasons of simplicity and understanding and not because there is a guarantee of their exclusion from everything else) is to define a specific menu per user, instead of the rich application menu.
Access to functionality
For all entities, functions, views, dashboards, prints, mass processes and fields, access rights can be awarded to or blocked for "user roles". If a user has multiple "roles", system access rights are "merged" (aggregated). If an access privilege is not assigned at all, it is assumed to be "prohibited". Rights can be allocated either in bulk for whole areas of functionality or at detail level (which prevails), down to field level. The access rights are inter-company, i.e. they apply to all the companies that each user has access to. Permissions can be specified for each functionality, depending on the respective area (insert, modify, display, delete, print, execute - query, copy to clipboard, etc.).
Access to specific entities
Especially for transactions, the rights are granted separately by document series (individually or in bulk) and also include additional features such as blocking access to prices/discounts, blocking line deletion or changing items, blocking creation by typing (i.e. creation may ONLY be allowed through a transition from a previous stage of the process) etc. Many “documents” meant to be posted to Accounting may also contain information not concerning Accounting. For this reason, Entersoft Business Suite provides a system for exceeding accounting controls for specific user roles, for various data classes such as cash flow configuration, corporate dimensions, salesmen and commissions data, etc., via an end-user interface. Alongside, a set of additional prohibitions (apart from those that the system enforces in "official" documents) can be configured for specific transactions, for specific groups of users, under specific conditions, e.g. prohibition of changing the “process stage” or user-definable fields, etc. There is also special provision for various entities where access would be preferable on a case-by-case basis and not by global blocking or granting of access rights, such as:
- the actions of sales and customer service department staff (appointments, seminars, visits, requests, resolutions, complaints, etc.)
- the budget sheets, which are protected by an extensive system of roles (author, approval responsible etc.) with date limits for changes & finalization, with controls depending on the budget’s "state", etc.
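The rules stated under "Access to functionality" (roles merged, unassigned means prohibited, detail level prevails) and the “Read-only” user flag can be sketched as a small resolver. This is an added example, not Entersoft code: the paths, role names and rule table are constructed, and two points are assumptions, namely that "merged" means a union of grants across roles and that "save" covers insert, modify and delete.

```python
# Added illustration, not Entersoft code. Paths, roles and rules are constructed.
WRITE_ACTIONS = {"insert", "modify", "delete"}  # ASSUMPTION: what "save" covers


def role_decision(rules, path, action):
    """Return the most detailed rule of ONE role covering `path`, or None.

    `rules` maps (path_prefix, action) -> True (award) / False (block).
    """
    parts = path.split("/")
    # Walk from field level up to area level: the first hit is the most
    # detailed rule, and the detail level prevails over the area level.
    for depth in range(len(parts), 0, -1):
        verdict = rules.get(("/".join(parts[:depth]), action))
        if verdict is not None:
            return verdict
    return None  # nothing assigned by this role


def is_allowed(user, roles, path, action):
    """Resolve one access check for a user who may hold several roles."""
    if user.get("read_only") and action in WRITE_ACTIONS:
        return False  # "read-only" user: may display, may not save
    decisions = [role_decision(roles[r], path, action) for r in user["roles"]]
    # ASSUMPTION: "merged (aggregated)" is modelled as a union of grants.
    # A right that no role assigns produces no True, so it stays prohibited.
    return any(d is True for d in decisions)


ROLES = {  # constructed sample data: area / entity / field paths
    "sales_clerk": {
        ("sales", "display"): True,                     # whole area
        ("sales/invoice", "insert"): True,              # entity level
        ("sales/invoice/discount", "display"): False,   # field-level block
    },
    "sales_manager": {
        ("sales/invoice/discount", "display"): True,
        ("sales/invoice", "print"): True,
    },
}
CLERK = {"roles": ["sales_clerk"]}
BOTH = {"roles": ["sales_clerk", "sales_manager"]}
AUDITOR = {"roles": ["sales_clerk", "sales_manager"], "read_only": True}

if __name__ == "__main__":
    for who in (CLERK, BOTH, AUDITOR):
        print(who, is_allowed(who, ROLES, "sales/invoice/discount", "display"))
```

When reviewing a real role matrix, the cases worth testing are the same three: a field-level block under an area-level grant, a right that no role assigns, and a user whose second role widens access.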
Protecting the customization level
At the level of entities, forms, fields, views, printings, documents, etc. added at the implementation level, the entire security system is available and works just as it does at product level. At the level of business rules & processes defined at the implementation level, it is necessary to include a special provision for the user group that is granted access to the relevant processes, IF necessary (since many times, access is ensured by placing the feature or process on screens or lists or entities with already configured privileges).
Time-based access tokens
Every login is exchanged for a secure access token that expires and becomes void after a few minutes, and that is renewed on every subsequent call. This time-lease varies depending on the nature of the application (Entersoft Analyzer, Request For Approval or an integration Service such as Entersoft eCom Connector or Connector for Microsoft Power BI etc.).
Safe connection at Entersoft Cloud Apps
The full list of servers and services that are part of the Entersoft Web API and the Entersoft Web Applications are secured through Green Level Certificates issued by global trusted organizations and supported by all the browsers on all platforms and devices.
Data protection at Entersoft Cloud Apps
The architecture of the Entersoft Web API Server, which connects the Entersoft Application Server (EAS) to all the Entersoft Cloud Store applications, never stores any data transferred back and forth between the client applications, the Entersoft Web API Server and the EAS.
GDPR procedures embedded in the system
- Procedure for document Data protection policy
- Procedure for announcement of scope of using or handling personal data
- Procedure for sending a campaign and obtaining a consent to use personal data
- Procedures for accepting, changing or anonymization of personal data
- Data protection system against unauthorized users (Role Based Security)
- Field Level Security system so that the readability of "sensitive" fields can be adjusted only by roles related to the scopes defined
- Special classification of fields for this purpose (GDPR), to be recognized, protected, and controlled massively under processing scope (Field Set Security Grouping - FSSG)
- History of field changes (Audit trail & reporting) as well as logging of data publishing (exports, print reports, copy to clipboard, etc.) for easy detection of possible leaks
- Optional Database encryption - available in MS SQL Server 2016
- Ability to “mask” the content of "sensitive" fields at user interface level (e.g. name as *****, phone as 210 ***** 50 and so on).
- In multinational installations, possibility to hide personal data not concerning a company (in DBs with a common list of contacts), especially for group companies outside the EU (so GDPR object).
The system records and documents
- Insert, Delete, Modify into entities and fields
- Execution of procedures
- Execution of views & reports of any kind
- Sign-in / Sign-out users
- Version upgrades
Track changes
Regarding the fields, the system provides for recording the history (user, date, previous value) of value changes of the commonly "sensitive" fields, but you can choose this "track changes" property for any other field (an ability that is also necessary when fields and tables are added at customization level). This information is available within the entity management screens (for specific entity control), but also in bulk control views with criteria targeted to help identify problems.
Messages while processes executed
Some (time-consuming) processes output information during their execution about the time, the results, the terminal, etc. for evaluation by the IT department. Such processes are the Stock Valuation, the periodical Closings, the various recalculations and so on.
Events log
The system keeps a detailed history of the execution of a wide range of "events" such as user sign-in, sign-out, deletion of records, approvals of credit overruns, backup, server restart, S/W version upgrades, recalculation tasks, official printings etc., for which it provides all the necessary information to investigate potential problems.
Audit trail at Entersoft Cloud Apps
- Every login within an application of the subscription is encrypted, archived, and stored for later review by the Subscription Administrator.
- For a rolling period of 90 days, Entersoft Cloud Store keeps detailed track and provides insights about the use, the errors and the quota consumption, if any.
How are API authentication and credential management enforced, in case an API is used without the Mulesoft API gateway? | Entersoft Web API fully supports the concept of Application Keys, Developer Keys, Security Schemes, Security Policies and System Constraints. It provides all the means for a Customer / Subscriber to manage, monitor, log and alert on the runtime of Entersoft Web API in the context of any Application that makes use of Entersoft Web API, for both Entersoft and Custom applications. Providing Entersoft Web API through an API gateway management system such as Mulesoft or Microsoft, etc. can be considered as a paid Custom Add-on in the context of a project. |
How are security event logs being continuously monitored in case a SIEM system is not in use? | Security logs generated by the various subsystems and functional layers of the Entersoft Application architecture are continuously transferred to the Entersoft Realtime Monitoring system that runs on Microsoft Azure. |
What is the authentication mechanism for Mobile apps? | No matter which MDM Solution the Customer has provisioned and applied, for any Device to allow a “User” access to the Entersoft Mobile Cross Application running on the Device, the Device must first be Registered to the Entersoft Back-End System and a User should be assigned to this Device. Furthermore, the User should be granted the Mobile Device Access right. Then a User ID / Password authentication scheme is in place. |
Do the Mobile apps encrypt the data on device? | The Entersoft Mobile Merchandising Cross-Platform app stores the data that are defined by the Back-End configuration to be available offline for the specific User / Group / Device in an SQLite Database that is stored in the sandbox of the Application, which is protected and encrypted by the Operating System (Android OS, Apple iOS, Windows UWP). Further encryption within the SQLite database can be applied whenever this option is available in the underlying version of the OS. |
How can mobile apps be managed by the company’s MDM/MAM system? | Entersoft CRM and Entersoft Mobile SFA offer a core MDM subsystem that provides the fundamental operations for Device Management, i.e. Pairing the Device with a User and an Entersoft App, Activating/De-Activating the Device, Associating/De-Associating a User with a Device and an Entersoft App with the Device. Furthermore, the Entersoft core MDM Subsystem provides operations with respect to Entersoft Mobile Apps such as: Lock a Device, Prohibit Data Sync in either or both directions, Register the last known location of the Device (assuming that the User has accepted and enabled the Location Services for an Entersoft App) and wipe an App from the Device. For every device registered in the Entersoft core MDM Subsystem, there is an extensive set of Log and Audit Trail records as well as the current known status of the Device with respect to an Entersoft Mobile Application, including Location, UTC Datetime and other contextual fields. |
Can the mobile apps be hosted in a private or public app store? | The Entersoft Mobile Applications are not offered through the Public App Stores of the Platform Vendors (i.e. Google Play, Apple Store, Microsoft Store). In the case of Apple iOS, Entersoft Mobile for iOS applications fully support “Enterprise Stores” where the Customer is fully in charge of the Mobile Application (signing with their certificates, managing distribution certificates and profiles, etc.). This is highly recommended for large Enterprises and Organizations. |
Does the system follow any secure SDLC practice? | Entersoft fully imposes a Software Development Lifecycle Process in both the Product Development Process and the Implementation & Customization. For every sprint and S/W version to be delivered, there are Phases with Resources, Roles and Deliverables designed to deliver high-quality and fit-for-purpose S/W and Services solutions. From Requirements Capturing, Requirement Analysis, Specifications, Design, Implementation, Unit Testing, Integration Testing and Acceptance Testing to Quality Control, there are methodologies, tools and automated bots in place, under a well-defined set of security policies in a secure and protected development environment. The Entersoft Development and Service provisioning processes are ISO-9001/2015 & ISO-20000/2018 certified. Security and risk management are essential factors for both standards and are audited yearly. |
Does the system undergo regular Application Security Testing? | On a yearly basis, Entersoft SA’s software products and software as a service (SAAS) services undergo extensive vulnerability tests, using a set of state-of-the-art technology vulnerability assessment tools and services that are the most applicable for the technologies and nature of the S/W subsystems of every product. |