Security Best Practices
Government agencies and businesses of all sizes and industries trust Progress with their applications and data. The Sitefinity platform is composed of a web content management system (CMS) and Sitefinity Insight: customers deploy and manage the CMS on premises or in the cloud, and access Sitefinity Insight as a SaaS application. To support this, we focus on four security areas: security by design, cloud operations security, customer data protection and standards compliance.
Security by Design
- Employee security training and certifications
- Security principles rooted in core company policies
- Designated security team
- Proactive monitoring of security bulletins (e.g. SANS, CERT and NIST)
- Scanning third-party dependencies for vulnerabilities
- Regular static code analysis (e.g. Veracode)
- Mandatory code and security reviews (following OWASP and CWE/SANS guidance)
- Comprehensive vulnerability and security incident management
- Regular risk assessments of security policies, procedures, controls and standards
- Regular code and data backups
Cloud Security Operations
Trusted and reliable infrastructure, high availability, proactive monitoring of all system components and strong encryption are at the heart of day-to-day Sitefinity Insight operations.
- Proactive cloud monitoring of all system components
- Trusted and reliable cloud infrastructure: Microsoft Azure (ISO/IEC 27018, SOC 2 and other certifications)
- Very high data resiliency and cloud service availability (check status page)
- Data transfer encryption (TLS 1.2): all unencrypted connections to the cloud are automatically rejected
- All communication between Sitefinity Insight components and its users is conducted over secured and encrypted channels
- Comprehensive visual logs (load, performance, availability, errors, etc.) allow better detection of suspicious activity and anomalous trends or spikes; the most important data is visualized in near real time on large screens accessible to all development team members
- User authentication via the OAuth 2.0 protocol
- Secure encryption keys managed by dedicated personnel
- Strict incident management process followed by a thorough retrospective to prevent future occurrences
- Extensive reviews of customer data access code by a software architect, a team lead and a security expert
Customer Data Protection
- Supports requirements of the General Data Protection Regulation (GDPR) by:
  - Allowing personal data to be located and deleted
  - Using secure APIs for integrated solutions
  - Securely handling personally identifiable information (PII)
  - Providing a built-in tracking consent widget
  - Offering a Sitefinity Insight data center hosted within Europe
- Customer consent required before customer data is accessed (e.g. to fix reported issue)
- Least privilege principle with audit trail, filtering and firewalls
- Strict data access policies and controls (e.g. access, scope, time restrictions)
- Customer data is isolated, either logically on shared storage or physically on fully dedicated storage
- Internal controls ensure customer data is never replicated or used in non-production environments
- Regular, secure data backups to Azure Storage
Standards Compliance
Progress is a publicly traded company (NASDAQ: PRGS) and as such it is required to comply with and is audited under the Sarbanes–Oxley Act.
SOC 2
The Sitefinity platform is audited by an independent third party against the System and Organization Controls (SOC 2) framework developed by the American Institute of Certified Public Accountants (AICPA). A SOC 2 report attests that Progress has established a comprehensive set of internal procedures and controls to ensure the security, confidentiality and availability of its cloud services and software development infrastructure, increasing the trust and confidence organizations can place in Progress services and products.
The Progress SOC 2 report for the Sitefinity platform covers the following areas of internal controls:
- Security – helps protect against unauthorized access, use or modification
- Availability – ensures service is available for operation and use as committed or agreed upon
- Confidentiality – ensures confidential information is well protected
Both Sitefinity Insight and the CMS are covered by SOC 2 controls, but the scope differs because Sitefinity Insight is a cloud service while the CMS is a downloadable product that can be hosted anywhere. Hence, the audit is organized into two main areas:
- Cloud operations: covers Sitefinity Insight for the areas of security, availability and confidentiality
- App Services: covers the IT controls of the Sitefinity CMS application development process