Brightidea Security

Our clients trust Brightidea with their data. This is not something we take lightly. We combine enterprise-class security features with comprehensive audits of our applications, systems, and networks to ensure client and business data is always protected.

Data Center & Network Security

We ensure the confidentiality, availability and integrity of your data with industry best practices. Brightidea’s application is hosted in AWS data centers that are compliant with several certifications including ISO 27001 and SOC 2. Our Security Team is on call 24/7 to respond to security alerts and events.

Application Security

We develop and test our software with security threats in mind to protect our clients' data. In addition, Brightidea employs third-party security experts to perform detailed penetration tests and web application vulnerability tests.

Product Security Features

Clients can easily manage access policies with authentication and Single Sign-On (SSO) options. All communications with Brightidea servers are encrypted in transit using HTTPS and data is encrypted at rest using the industry-standard AES-256 algorithm.

Certifications, Memberships, & Privacy

We use best practices to achieve compliance with industry accepted general security and privacy frameworks such as SOC2, which in turn helps our customers meet their own compliance standards.


Data Center & Network Security

Physical Security

Facilities

Brightidea’s applications are hosted by Amazon Web Services (AWS). AWS’s global data center infrastructure is designed to ensure the highest level of performance and availability. AWS engages with external certifying bodies and independent auditors to provide considerable information regarding policies, processes, and controls, resulting in certifications, audit reports, or attestations of compliance such as SOC 2, ISO 27001, ISO 27017 and CSA.

On-site Security

Our data center facilities feature a secured perimeter with multi-level security zones, 24/7 manned security, CCTV video surveillance, multi-factor authentication mechanisms for access control and security breach alarms. Learn more about AWS’s Data Center Controls.

Monitoring

All Brightidea infrastructure, network systems, and devices are constantly monitored and logically administered by Brightidea staff. Physical security, power, and internet connectivity are monitored by the individual facility providers.

Location

Brightidea leverages AWS Regions within the United States and the European Union.

Network Security

Security Team

Our Security Team is on call 24/7 to respond to security alerts and events.

Protection

Our network is protected by redundant network and web application firewalls, best-in-class router technology, secure HTTPS transport over public networks, regular audits, and Intrusion Detection and/or Prevention technologies (IDS/IPS) which monitor and/or block malicious traffic and network attacks.

Architecture

Our network security architecture consists of multiple security zones. More sensitive systems, like database servers, are protected in our most trusted zones. Other systems are housed in zones commensurate with their sensitivity, depending on function, information classification, and risk. Depending on the zone, additional security monitoring and access controls apply. DMZs are used at the boundary with the Internet and internally between the different zones of trust.

Network Vulnerability Scanning

Network security scanning gives us deep insight for quick identification of out-of-compliance or potentially vulnerable systems.

Third-Party Penetration Tests

In addition to our extensive internal scanning and testing program, each year Brightidea employs independent third-party security experts to perform penetration testing across Brightidea’s Production Network.

Security Information and Event Management (SIEM)

Our Security Information and Event Management (SIEM) program monitors logs from important network devices and host systems and raises alerts on predefined triggers, which notify the Security team for investigation and response.

Intrusion Detection and Prevention

Application data flow ingress and egress points are monitored with Intrusion Detection Systems (IDS) and/or Intrusion Prevention Systems (IPS). The systems are configured to generate alerts when incidents or measured values exceed predetermined thresholds, and they use regularly updated signatures based on new threats. This includes 24/7 system monitoring.

Anti-Malware

Brightidea uses industry leading anti-malware solutions to protect against threats including malware, viruses, Trojans, and spyware. New anti-malware patterns and updates are applied frequently to ensure protection against the latest threats.

Data Loss Prevention

Brightidea has implemented data loss prevention tools that control USB and peripheral ports and that detect and prevent potential data breaches and data exfiltration by monitoring, detecting, and blocking sensitive data in motion and at rest.

Threat Intelligence Program

Brightidea participates in several threat intelligence sharing programs. We monitor threats posted to these threat intelligence networks, and act based on our risk and exposure.

DDoS Mitigation

Brightidea’s infrastructure is designed using a variety of AWS services and features, such as AWS Web Application Firewall (WAF) and AWS Shield, to help mitigate Distributed Denial of Service (DDoS) attacks.

Logical Access

Access to Brightidea networks is restricted on an explicit need-to-know basis, follows the principle of least privilege, and is frequently audited and monitored. Multi-factor authentication is required for accessing our production networks.

Security Incident Response

In case of a system alert, events are escalated to our 24/7 teams providing Operations, Network Engineering, and Security coverage. Employees are trained on security incident response processes, including communication channels and escalation paths.

Encryption

Encryption in Transit

Communications between you and the Brightidea application servers are encrypted via HTTPS and Transport Layer Security (TLS 1.2 or higher) over public networks. TLS is also supported for encryption of emails.

Encryption at Rest

All client data is encrypted at rest using the industry-standard AES-256 algorithm. Brightidea uses AWS Key Management Service to manage keys. Keys are rotated annually.

Availability & Business Continuity

Uptime

Brightidea maintains a publicly available system status webpage which includes system availability details, scheduled maintenance, service incident history, and relevant security events.

Redundancy

Brightidea employs service clustering and network redundancies to eliminate single points of failure. Our backup program ensures Service Data is actively replicated across primary and secondary systems and facilities.

Business Continuity/Disaster Recovery

Our Business Continuity (BC) and Disaster Recovery (DR) programs ensure that our services remain available or are easily recoverable in the case of a disaster. This is accomplished through building a robust technical environment, creating Business Continuity and Disaster Recovery plans, and regularly scheduled testing.

Application Security

Secure Development

Security Training

At least annually, engineers participate in secure code training covering OWASP Top 10 security flaws, common attack vectors and Brightidea security controls.

Application Framework Security Controls

Brightidea utilizes a modern application framework and prepared statements for all queries to limit exposure to OWASP Top 10 Security flaws. These include inherent controls that reduce our exposure to Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), and SQL Injection (SQLi), among others.

Quality Assurance

Our QA department reviews and tests our code base. Application security engineers on staff identify, test and triage security vulnerabilities in code.

Separate Environments

Development, Testing and Staging environments are separated physically and logically from the Production environment. Client data is not used in non-production environments.

Application Vulnerabilities

Dynamic Vulnerability Scanning

We employ third-party, qualified security tools to continuously dynamically scan our application against the OWASP Top 10 security flaws. Application security engineers test and work with engineering teams to remediate any discovered issues.

Static Code Analysis

The source code repositories for our applications are continuously scanned for security issues via our integrated static analysis tools.

Security Penetration Testing

In addition to our extensive internal scanning and testing program, Brightidea employs third-party security experts annually to perform detailed application scans and penetration tests on our applications.

Product Security Features

Authentication Security

Authentication Options

The Brightidea application supports login using your Brightidea username/password combination. We use an industry leading and battle-tested algorithm to securely hash and salt all passwords. You may also enable login using third-party social media (Google, Twitter) end-user authentication.

Single Sign-on (SSO)

Single sign-on (SSO) lets your users authenticate against your own identity systems, using Security Assertion Markup Language (SAML), without entering separate login credentials for your Brightidea application. Learn more about SSO.

Configurable Password Policy

Brightidea provides default password rules as well as the ability to set custom password complexity rules.

Secure Credential Storage

Brightidea follows secure credential storage best practices by never storing passwords in human readable format, and only as the result of a secure, salted, one-way hash.

API Security & Authentication

Before users can access Brightidea data through your app, they must first authenticate and authorize against Brightidea. Once that is complete, your app holds the permissions needed to make API requests for data on behalf of those users. Your app must use the OAuth 2.0 standard to interact with the Brightidea Authentication page. Learn more about Brightidea API.

Additional Product Security Features

Access Privileges & Roles

Access to data within Brightidea’s applications is governed by access rights and can be configured to define granular access privileges. Brightidea has various permission levels for users. Learn more about Roles.

IP Restrictions

Brightidea’s applications can be configured to only allow access from specific IP address ranges you define. Learn more about IP Restriction.

Transmissions Security

All communications with Brightidea servers are encrypted using industry-standard HTTPS over public networks. This ensures that all traffic between you and Brightidea is secure during transit. Additionally, for email, our product supports Transport Layer Security (TLS), a protocol that encrypts and delivers email securely, mitigating eavesdropping and spoofing between mail servers.

Certifications, Memberships & Privacy

SOC2 Type II Audit

Brightidea has completed a SOC2 Type II audit as of December 31, 2019.

Cloud Security Alliance (CSA) STAR Self-Assessment

Brightidea has registered for Cloud Security Alliance STAR Self-Assessment Level 1. The STAR registry documents our security and privacy controls. Download our completed Consensus Assessments Initiative Questionnaire (CAIQ).

US-EU Privacy Shield and US-Swiss Privacy Shield

Brightidea has certified with the US-EU Privacy Shield and the US-Swiss Privacy Shield programs set forth by the United States Department of Commerce.

Additional Security Methodologies

Security Awareness

Policies

Brightidea has developed a comprehensive set of security policies covering a range of topics. These policies are shared with, and made available to, all employees and contractors with access to Brightidea information assets.

Training

All new employees attend a Security Awareness Training which is given upon hire and annually thereafter. All engineers receive annual Secure Development Training. Additional security awareness updates are provided via email, blog posts, and in presentations during internal events.

Employee Security

Background Checks

Brightidea performs background checks on all new employees and contractors in accordance with local laws. The background check includes criminal, education, and employment verification.

Confidentiality Agreements

All new hires are screened through the hiring process and required to sign Non-Disclosure and Confidentiality agreements.