Overview
DataFinch Technologies hosts all application services within the Windows Azure platform. Using Azure's services enables us to fully meet or exceed HIPAA standards for infrastructure security and reliability.
User Identity Management
User identities within the DataFinch infrastructure are controlled by Microsoft Active Directory. Access to production servers and customer data is limited to the 3 most senior engineers within DataFinch. All DataFinch employees must authenticate against Active Directory in order to log into any production application, including Catalyst.
Customer and employee passwords must meet complexity requirements and must also be reset every 45 days. Currently DataFinch utilizes single-factor authentication but is exploring options for multi-factor.
Access Control
Staff currently have access to physical office space, data centers and computer resources based on their role within the company; that is, we currently utilize role-based access control mechanisms.
Secure Audit
Currently every action within Catalyst is logged and tied to a specific user. We capture information about user logins, data changes and what data has been accessed by each user account.
Encryption & Key Management
The DataFinch infrastructure currently is encrypted using AES_128_CBC, with SHA1 for message authentication and RSA as the key exchange mechanism. Encryption keys are stored under lock and key within the DataFinch offices and backed up to safety deposit boxes. Encryption keys are currently managed by the Chief Technology Officer and Director of IT. Our public key has never been revoked and GoDaddy provides the trust chain.
Security
Windows Azure uses industry-leading best practices for its design and operational security.
- 24 hour monitored physical security. Datacenters are physically constructed, managed, and monitored to shelter data and services from unauthorized access as well as environmental threats.
- Monitoring and logging. Security is monitored with the aid of centralized monitoring, correlation, and analysis systems that manage the large amount of information generated by devices within the environment and provide timely alerts. In addition, multiple levels of monitoring, logging, and reporting are available to provide visibility to customers.
- Patching. Integrated deployment systems manage the distribution and installation of security patches. Customers can apply similar patch management processes for Virtual Machines deployed in Azure.
- Antivirus/Antimalware protection. Microsoft Antimalware is built into Cloud Services and can be enabled for Virtual Machines to help identify and remove viruses, spyware and other malicious software and provide real-time protection. Customers can also run antimalware solutions from partners on their Virtual Machines.
- Intrusion detection and DDoS. Intrusion detection and prevention systems, denial of service attack prevention, regular penetration testing, and forensic tools help identify and mitigate threats from both outside and inside of Azure.
- Zero standing privileges. Access to customer data by Microsoft operations and support personnel is denied by default. When granted, access is carefully managed and logged. Data center access to the systems that store customer data is strictly controlled via lock box processes.
- Isolation. Azure uses network isolation to prevent unwanted communications between deployments, and access controls block unauthorized users. Virtual Machines do not receive inbound traffic from the Internet unless customers configure them to do so.
- Azure Virtual Networks. Customers can choose to assign multiple deployments to an isolated Virtual Network and allow those deployments to communicate with each other through private IP addresses.
- Encrypted communications. Built-in SSL and TLS cryptography enables customers to encrypt communications within and between deployments, from Azure to on-premises datacenters, and from Azure to administrators and users.
- Private connection. Customers can use ExpressRoute to establish a private connection to Azure datacenters, keeping their traffic off the Internet.
- Data encryption. Azure offers a wide range of encryption capabilities up to AES-256, giving customers the flexibility to implement the methods that best meet their needs.
- Identity and access. Azure Active Directory enables customers to manage access to Azure, Office 365 and a world of other cloud apps. Multi-Factor Authentication and access monitoring offer enhanced security.
Infrastructure
The DataFinch Technologies platform design is broken down into 4 main areas (web application, web API, mobile clients, and database).
Web Application
The web application is used for setup and reporting for all Catalyst clients. All traffic is encrypted with industry-standard SSL.
Web API
The web API is used by all Catalyst mobile clients to sync data to and from the devices. All traffic is encrypted with industry-standard SSL.
Mobile Client
Our mobile clients are used in the field to render treatment and collect data.
Database
The database holds all data securely and is inaccessible from the Internet. Industry-standard backups are stored within the Windows Azure platform.