We take the security of Confers very seriously. This section covers the basics, but you can always ask us a question. We offer additional information to Chief Information Officers on request, once an NDA has been signed.
Secure data transit
The Confers software as a service uses HTTPS everywhere. All data transmitted between the browser and server is encrypted using a strong protocol version and cipher suite, and any requests to insecure URLs are permanently redirected to a secure equivalent. This includes the main web servers, related micro-services and any content served through CDNs.
Confers scores an A+ on the Qualys SSL Labs SSL Test for its web servers. This means all data sent on the network between a user’s computer and our servers is encrypted using the highest standards of encryption, and our servers are patched for all known SSL vulnerabilities.
Confers servers are hosted in a secure data centre in Germany with 24/7 monitoring and a redundant network with minimum network availability of 99%. Access to the physical servers is restricted to data centre engineers and is video monitored. The servers run software firewalls that block all ports except 80, 443 and 22. SSH access to the servers is restricted to key-based access only and is additionally limited to a small set of permitted IP addresses. Only authorized Confers engineers have remote access to log in to the servers, using SSH RSA key-based access. Password access to the servers is disabled; only key-based access is allowed, and these keys are kept secure.
Server software updates are applied regularly to ensure the latest security patches are in place. Additionally, Confers employs server monitoring techniques to respond quickly to any connectivity issue or service downtime.
Uploaded content and file hosting
Uploaded files and generated files relating to media content are hosted in Amazon S3 buckets in Ireland and served via secure CloudFront CDN links for global distribution. Amazon S3 is designed for durability of 99.999999999% of objects stored, with 99.99% availability over a given year. Uploaded and processed files on S3 are renamed using uuid4, which makes the links to the files virtually impossible to guess, and they are also encrypted server-side in storage for extra security. Uploaded content that is hosted on S3 can only be viewed via the web application. The links to view content expire after a certain time period for additional security of private content.
Confers uses MySQL databases located on the same server. Remote access to the database is disallowed. The database will refuse any remote connections and the software firewall will also block access to the database connection port. Access to the database requires a username and password and requires the connection to originate from the same machine. Confers user passwords are stored salted and hashed on an individual basis in the database. We never store or transmit any plaintext passwords in emails.
Application security and authorization
The web application backend is PHP-based and uses several Python-based micro-services for content processing. Every effort has been made to make it as secure as possible and to protect it from common exploits such as SQL injection and cross-site request forgery. The web application uses a permission system to check both whether a URL should be allowed to run based on the current session user's permissions and whether the user has access to the data being requested. The assignment of permissions to users within a portal is under the complete control of the portal owner, who can decide exactly which level of access is required for each user.
IP address restriction is available on a per-portal level. This makes it possible to deny access to the portal except from whitelisted IP addresses or ranges. This is only recommended for customer portals which are intended solely for private internal use.
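A per-portal IP restriction of the kind described above can be sketched as follows. This is an added example, not Confers code: the portal structure, the function names and the fail-closed handling of malformed entries are assumptions, and the addresses are constructed from documentation ranges.

```python
import ipaddress

# Constructed sample portals (hypothetical structure, documentation address ranges).
PORTALS = {
    "internal": {"ip_restriction": True,
                 "allowlist": ["198.51.100.0/24", "203.0.113.7", "2001:db8:10::/48"]},
    "public": {"ip_restriction": False, "allowlist": []},
    "broken": {"ip_restriction": True, "allowlist": ["198.51.100.0/24", "office-vpn"]},
}


def parse_allowlist(entries):
    """Parse single addresses and CIDR ranges; raises ValueError on a bad entry."""
    # strict=False turns a bare address into a /32 (or /128) network.
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def normalise(addr):
    """Parse the peer address and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(addr.strip())
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_allowed(client_ip, portal):
    """Return True if client_ip may reach the portal.

    client_ip should be the address of the TCP peer (or one set by a trusted
    reverse proxy), never a value taken from a client-supplied header.
    """
    if not portal["ip_restriction"]:
        return True  # restriction is opt-in per portal
    try:
        ip = normalise(client_ip)
        networks = parse_allowlist(portal["allowlist"])
    except ValueError:
        return False  # fail closed on a malformed address or allowlist entry
    return any(ip.version == net.version and ip in net for net in networks)


if __name__ == "__main__":
    for name, addr in [("internal", "198.51.100.42"), ("internal", "203.0.113.8"),
                       ("internal", "::ffff:198.51.100.42"), ("public", "192.0.2.1")]:
        print(name, addr, is_allowed(addr, PORTALS[name]))
```

Validating allowlist entries when the portal owner saves them avoids the lock-out shown by the "broken" portal, where one unparseable entry denies every client.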