Nakisa’s security commitment
Nakisa’s promise to all our clients is to be their most trusted software partner, and we work on building that trust from day one. We take your data security seriously – maintaining a high-security environment is at the core of our practices, and we want to be transparent about our approach so you can be confident in our partnership.
Our security foundation is built using the most established, industry-leading practices and technology services providers. Plus, our team of experts rigorously adheres to the highest industry standards, to protect your data and systems at every stage of the process.
This overview provides cybersecurity, risk management, and IT professionals as well as decision-makers with visibility into Nakisa’s best practices and information on how we extract, manipulate, store, use and protect your data so you can perform your daily operations with peace of mind.
COMPLIANCE AND CERTIFICATIONS
SOC 1 & SOC 2 compliance
Nakisa’s operations, policies, and procedures are audited regularly to ensure that we meet and exceed all standards expected of SaaS service providers. As an additional layer, systems that are used to serve clients or support Nakisa’s internal IT needs are also regularly audited. Our SOC 1 and SOC 2 reports are available in December of each year, and you can access the most recent reports by reaching out to our team or your dedicated Nakisa Account Manager.
Our service provider’s compliance efforts
To aid with the compliance efforts, our cloud hosting provider regularly achieves third-party validation for thousands of global compliance requirements. Our cloud hosting provider supports numerous security standards and compliance certifications, which include ISO 9001, 27001, 27017, 27018, SOC 1, SOC 2, SOC 3, PCI-DSS, HIPAA/HITECH, FedRAMP, GDPR, FIPS 140-2 and NIST 800-171. This helps satisfy the compliance requirements for most of the regulatory agencies around the world.
As a SaaS provider, Nakisa has comprehensively evaluated GDPR requirements and implemented numerous privacy and security practices to ensure that our cloud solutions are GDPR ready.
These practices include:
- Training employees on security and privacy practices
- Conducting privacy impact assessments
- Providing sufficient data transfer methods to our customers
- Maintaining records of processing activities
- Allowing you to search for records within the app, with support provided if you need certain information removed
- Providing our customers with configurable privacy and compliance settings such as using their own SSO, controlling who can access the application and what kind of information, and more.
External and internal IT policies and procedures
Robust information security policies are set in place and are enforced company-wide, as well as with contractors, and are available to our SOC 1 and SOC 2 auditors through Nakisa portals. Here are a few of our internal policies that ensure our team handles our clients’ data with the utmost security:
- Change Management Policy
- Risk Management Methodology
- Access Management Policy
- Information Security Policy
- Risk Management Policy
- Information Asset Management Policy
- Incident Management Policy
- Data Retention and Disposal Policy
- Data Protection Policy
- Information Security Awareness Policy
We review these internal policies annually and communicate changes to our employees via internal communication portals. More details on the above policies are provided in our SOC reports.
ACCESS TO INFORMATION
Encryption of data at rest and in transit
Users accessing Nakisa solutions via the internet are protected by Transport Layer Security (TLS) and Hypertext Transfer Protocol Secure (HTTPS). All data, including backups, is fully encrypted using AES 256 for data at rest (see Encryption key management) and TLS 1.3 for data in transit.
Encryption key management
Encryption of data at rest is possible by leveraging a solution from our global cloud service provider and is managed by software, avoiding exposure to any human. To ensure maximum security, the keys are not managed by any one person. They are only visible to the client instance and can be used to decrypt data within the instance only. Also, note that the key management is compliant with FIPS 140-2, which provides independent assurances about the confidentiality and integrity of our key management. Please note that as part of our application architecture, we make sure your databases are logically separated from those of other clients, thus increasing the security of your data.
User authentications and profiles
Nakisa’s authentication and authorization setup uses industry best practices and standards and allows clients to either leverage their own single sign-on or use Nakisa Identity & Access Management. Nakisa offers role-based access which means that the clients can decide on how to grant access to each of their users.
How can your users access the solution?
- Single sign-on support
- Nakisa Identity and Access Management
Single sign-on (SSO) has significant advantages over logging in with an application-specific username and password: there is no need to remember and renew passwords for each application, there are no weak passwords, and there is one credential for all applications, which unifies your personal password management and supports your company’s password policy, among other advantages. SSO is configured via SAML2, which authenticates users and fetches roles and user population credentials. The fetched list of groups will be assigned to the logged-in user from LDAP. Users are validated through a SAML token, securely exchanged between the Identity Provider (IdP) server and the Nakisa application server. SAML allows for a seamless SSO experience between the customer’s internal identity and access management solution and Nakisa solutions.
For clients who decide to use Nakisa’s authentication system rather than SSO, the Nakisa Identity and Access Management solution (NIAM) is available. It is a simple solution that allows organizations to easily manage their users’ provisioning and authentication to Nakisa’s SaaS solutions through a single platform. NIAM enables you to provide access to your users through an enterprise-grade identity and access management solution while ensuring the right roles and profiles are assigned. Each role has different access privileges that can be individually assigned and limited not only by scope but also by duration.
Whether you are providing access to partners or employees from multiple subsidiaries across the world, you will be able to offer the same seamless experience your users expect, while effectively managing the sensitive aspect of data access.
Please get in touch with your Nakisa Account Manager for more details about this solution.
How do Nakisa engineers access the systems to provide support?
Under Nakisa’s Access Management policy, when an issue is raised via our support ticketing system, our support team will ask for client approval for temporary access to investigate and resolve the issue for the specific environment(s). This access is granted for only a limited amount of time, enough to resolve the ticket, with auto closure enabled by the system when access is approved.
In addition to our annual third-party SOC audit, and as part of Nakisa’s Access Management policy, internal audits are performed regularly:
- High-privileged and user account reviews are performed at least twice a year.
- Logs are reviewed monthly.
- Monitoring tools are in place with notification to appropriate individuals for abnormal events/activities.
- Access authorizations and requests are reviewed periodically.
Cloud infrastructure access and authorization
To ensure secure access to our cloud infrastructure, Nakisa has in place an Access Control List (ACL) that ensures that only pre-approved cloud engineers can perform certain tasks, defined by their roles. To access the cloud infrastructure, we utilize multi-factor authentication (MFA) which requires approval from different managers and heads of departments, with final required approval from our Chief Security Officer. In addition to our annual third-party SOC audit, and as part of Nakisa’s Access Management policy, internal audits are performed regularly to review such accesses and corresponding logs.
Application logs & auditing
Application logs enable you and your auditors to review all the activities performed by the users as well as the system to ensure data integrity. We enable our clients and their auditors to leverage our ITGC capabilities and to log all types of activities and data transfers in the system. You can easily review and download all the logs which demonstrate all types of activities by the users such as system access, data and configuration modifications as well as system activities such as automatic jobs and other data communications between Nakisa solutions and any other solutions integrated, directly from the Nakisa applications.
Dedicated, encrypted site-to-site integration through Nakisa Cloud Connector (NCC)
Nakisa uses industry best practices and standards to integrate our SaaS solutions with your internal ERP systems or any other data source so that you can leverage your data with our solutions. The Nakisa Cloud Connector (NCC) enables integration between your ERP of choice and Nakisa SaaS applications with security and data integrity at its core. To ensure data transfers are secure, NCC uses a two-way encrypted channel for all communication between ERP servers and Nakisa Cloud (using TLS over TCP), removing the need for back-channel VPN tunnels. The connector uses an ERP gateway to access the backend servers, enabling IT professionals to configure and leverage existing ERP infrastructure and security frameworks. Dedicated endpoints are provided for each client, completely isolating their communications with their on-premises ERP infrastructure. We also provide you with the information needed to enable your IT team to whitelist Nakisa solutions to ensure the security of communication and data transfer.
SECURITY BY DESIGN
Secure Software Development Life Cycle (SSDLC)
Security is at the core of our software design. We’ve adopted numerous best practices and leverage the OWASP framework for our software development to ensure security by design, right from the start.
All changes to our code are tested by our Quality Assurance (QA) team, and criteria are established for performing code reviews, web vulnerability assessments and advanced security tests. We conduct manual and automated code reviews before checking in code. After code checks, the QA teams perform regression and functionality tests. In addition, we also use in-house and third-party solutions such as Veracode to conduct vulnerability assessments and security tests on our application. Vulnerability tests are carried out prior to each release and as often as needed, where we test the solution from A to Z. Upon development, we deploy in a lower environment to enable stakeholders to test the solution prior to deployment in the production system. All such activities are recorded as part of our change management policy (please note that our auditors validate our enforcement of changes as part of SOC 2 audits).
Each product release is put through stringent functionality tests, performance tests, stability tests, and UX tests before it is released. We validate the releases in internal builds followed by lower environments before pushing them to the production system following our change management policy.
Vulnerability assessment & penetration testing
We use various tools for analyzing the code and checking for security vulnerabilities, such as Veracode and OWASP, prior to any release. Our strategy is to prevent security vulnerabilities first, then use industry-standard validation tools and techniques to validate that prevention worked. Issues identified through the vulnerability assessments, penetration tests and network vulnerability scanning are prioritized based on criticality and risk. We leverage a global third-party auditing firm to perform penetration testing on our solution, and the report on such tests can be provided to you upon request. We also provide all our SaaS clients with the ability to conduct penetration testing on the lower environment of the solution, enabling you to evaluate Nakisa’s cloud security and measures yourselves. In order to conduct a penetration test, please discuss your penetration testing needs with your Nakisa Customer Success Manager.
Nakisa Cloud only uses non-Windows operating systems, and all systems follow a hardening baseline policy for security management. Note that our deployment architecture is based on DMZ and there is no end-user access available to server resources at OS level. Any user-uploaded documents are not stored in the server file system and do not get accessed at the server level. In addition, Intrusion Detection Systems and Intrusion Protection Systems (IDS/IPS) and firewall layers secure inbound and outbound access on system ports, and they monitor and report login attempts, account creations and periods of system non-availability. All Nakisa employees use systems that have antimalware supporting real-time scanning, and security and automatic updates are enabled on devices.
We have various security measures and systems in place that continuously monitor for malicious activity, attacks, and unauthorized behaviour from various perspectives. Our team can mitigate any potential attacks by following the internal procedure set for such events. We share our security systems, architectures, and test results with our SOC 2 auditing firm, and you can review such measures upon requesting the SOC report.
BUSINESS CONTINUITY & OPERATIONS
Business continuity and disaster recovery & backups
Nakisa has comprehensive Business Continuity and Disaster Recovery (DR) Plans that are audited as part of the annual SOC 2 report. The information below explains the various continuity mechanisms implemented at the level of the processing centres that store the client’s data. Nakisa’s disaster recovery plan provides that in the event of a disaster defined as a natural or human-made condition that could render your subscription services inaccessible for a period of more than one day (“Disaster”), Nakisa is able to resume services in accordance with this Subscription Services Agreement within one day from the event. RTO (Recovery Time Objective) for Nakisa cloud solutions is within one day and RPO (Recovery Point Objective) is the last daily backup.
As part of Nakisa’s compliance process and SOC auditing, disaster recovery capabilities and plans are tested on an ongoing basis. Disaster recovery simulation events are conducted by creating an event which results in the loss of an imaginary client's data and access to their system. This test requires Nakisa to declare a disaster and trigger our DR action plan as our Support & Cloud Services teams are not able to bring the system back up. A data restore is triggered on a newly built infrastructure and restores the latest backup within our contractual timeframe.
Disaster recovery on the cloud is done by leveraging our cloud service provider’s resource availability on-demand. By using our cloud service provider’s specific APIs, a failed resource is restarted automatically in the case of a crash and a backup is used to restore the system. Restoration and disaster recovery are achieved by using the most recent or desired backup file and restoring all backed-up data.
With respect to our clients’ production environments, Nakisa shall provide the following data backup recovery points.
- Customer data backups are stored in the same region as the client instance but in different data center locations to ensure recoverability in the event of a natural disaster.
- The backups will be periodically tested as part of the BCP (Business Continuity Planning) testing.
- The backup logs will be reviewed for errors and abnormal durations, and we look for opportunities to improve backup performance.
- Corrective actions will be taken when backup problems are identified to reduce risks associated with failed backups.
Note that a calendar week runs from a given Sunday 12:00 a.m. to the following Saturday 11:59 p.m., ET.
| Backup Types | Available Recovery Points |
|---|---|
| Daily | Any of the last 7 daily backups |
| Weekly | Any of the last 4 weekly backups |
| Monthly | Any of the last 3 monthly backups |
We provide transparency into the geographical regions where our customers’ data is stored, and our clients have the ability to select the location from a list of possible regions.
Nakisa has an incident management policy in place which follows the industry standard depending on the priority of the incident and its effect on our clients, which is reviewed at least annually by an independent global auditing firm. Also, as per the SOC 2 compliance and Nakisa’s Incident Management policy, a support case is triggered after each security incident, which provides details on the incident and flags the appropriate level of urgency to address and resolve it. Resources are assigned as needed to each incident based on support triage to identify the root cause and proceed to resolution. In the event of a security incident, the entire environment will be disconnected thus removing the ability of anyone to access the system.
Service level agreement for security incidents and mitigations (SLA)
In case of any potential or active security incident of which Nakisa is made aware, we address the security ticket following a priority level assessment – low, medium, high, or critical – based on the security incident’s impact on our clients. We provide different mitigation timelines in addition to daily updates and root cause analysis documentation that captures the required details and indicates the preventative actions that will be taken in the future.
Physical perimeter security
Datacenter physical security begins at the Perimeter Layer. This layer includes several security features including, but not limited to, 24/7 security guards, fencing, surveillance cameras, and intrusion detection technology. This includes scrutiny of the access, controlling the entry, monitoring for unauthorized entry, etc. All physical access to the inside perimeter layers is highly restricted and stringently regulated and logs are available for periodic review.
Capacity management & load balancing
We leverage a global third-party provider’s services to offer on-demand and automatic capacity expansion as well as distribute traffic from our clients across multiple zones to support high availability. While ensuring no one server is overworked which could result in degraded performance or unavailability (See Availability section for more details), you can instantly expand or reduce the capacity needed without technical support or additional investment in the infrastructure.
We provide up-time of at least 99.5% for our Cloud (SaaS) clients with high availability. Using the latest cloud technologies enables us to increase resources on the run and ensure continuous system operations if systems face issues. This means our clients do not have to deal with poor system performance or major downtime.
System and performance monitoring
Nakisa uses various automated monitoring systems to provide a high-level overview of service performance and availability across our solutions and technology platforms. We use industry-standard tools to monitor your system’s key operational metrics and infrastructure and take proactive measures to resolve any potential downturns.
We have automatic alerts configured to notify us when early warning thresholds are crossed on metrics such as application resources, performance, and others. Our support team is available 24/7/365 to respond to any operational issues.
All scheduled and planned updates to Nakisa applications during which Subscription Services may not be available to our clients take place during our standard maintenance window over the weekend to minimize user disruption. The customer will be notified of any other planned downtime seventy-two hours in advance. Nakisa will be diligent to minimize the risk of undue disruption to normal business operations. In case of emergency maintenance where Nakisa needs to make the Subscription Services unavailable to perform a maintenance operation outside of any Scheduled Downtime period, the customers will be notified of an Emergency Maintenance as soon as possible.
Considering Nakisa solutions? Reach out to our team today to get all your security questions answered!
If you are an existing customer, please contact your Account Manager for more details.