- VNet - Hosted in dedicated Virtual Networks in non-promiscuous mode that are further segmented for increased security and manageability.
- Access Controls - Role-based access that enforces segregation of duties and audit trails ensuring access is in accordance with security context and users can perform their jobs more efficiently and autonomously.
- Management Plan - Secure administrative tunnel with allowlisted IP addresses for secure connection to the servers for administrative purposes; the connection is disabled unless server administration is required.
- Perimeter Security - Routing rules hardened based on pre-established criteria for various permissible transactions across all resources.
- Encryption – TLS 1.1/1.2 encryption for data in transit for API access or access via the User Interface.
- Malware – Scanning and security fixes applied based on latest threat signatures.
- High Availability – Application support exists for real-time replication to provide high availability functionality.
- Cross Geo Redundancy - Multiple Availability Zones are setup and serves customers in real-time thereby providing seamless DR capability.
- Data Backup - Scheduled backups taken across multiple availability zones in encrypted and access controlled locations.
- Incident Management - Procedures are established for reporting incidents, and tracking it for timely communication, investigation and resolution.
- Security Operations - Situation awareness through the detection, containment, and remediation of any suspected or actual security incidents. Tactical rules and data sensors are configured to provide suitable early warnings and alerts.
- Product Backlog - Product backlog is defined and reviewed regularly with Product Management.
- Security fixes are prioritized and are bundled in the earliest possible sprint.
- Code Review - All code changes are locally tested and peer-reviewed before being merged into the Product.
- Version Control - Source Code is managed centrally with version controls and access restricted based on user roles. Records are maintained for code changes and code check-ins and check-outs.
- DevOps Team - Our agile sprints are powered by a team comprised of members with specialized skills including System Engineers, Developers, and Quality Assurance.
- Quality Assurance - Builds are put through stringent functionality tests, performance tests, stability tests, web vulnerability tests, and Ux tests before the build is certified as test complete and "Good to go".
- Segregation of Duties - Access to the production is restricted to very limited set of users based on the job roles. Access to the production environment for developers and Quality Assurance team members are restricted based on their job responsibilities and unique needs for specialized access.
- API security - Our accessible APIs and integration connections go through a stringent security testing process.
- Secure Build Product - End-to-end security in product lifecycle.
- RESTFul Architecture - Adoption of an architectural style that simplifies security. Based on the Representational State Transfer Technology, RESTful enables developers to safely expose web services with fine grained modularity breaking the source code into logically atomic components each with its unique security context.
- Defense in depth using API Gateway - To protect the authentication tokens in transit, the APIs terminate in the gateway only on endpoints that accepts HTTPS over TLS. The API gateway authorizes all API requests without exposing the components deeper in the platform such as Relational Databases and Business logic engines.
Governance, Risk & Compliance
- Information Security Team - The information security includes executive leadership members and sets the tone and drives the agenda for information security practices.
- Information Security Roadmap - Ensure that the information security road-map is well thought through factoring all customer, regulatory and contractual requirements and is adjusted for internal and external threat vectors.
- Information Security Expertise - Ensure that adequate expertise is available for all the information security initiatives. The Security team provides the required technical inputs and ensures that Sunbird leverages from the guidance of necessary security experts.
- Technical Security Compliance - Responsible for ensuring that information security requirements are adhered to in the application architecture.
- Risk Management - The information security team assesses security risks on an ongoing basis.
- The various feeder channels that are factored for risk management includes findings from audits, incidents, changing threat landscape, and changing contractual / regulatory.
- Training and Awareness - Requirements for responsible handling of data including any types of personal information are communicated to all employees as part of their induction into Sunbird. Further any changes to any of these requirements are communicated as and when it is rolled out and an annual refresher training is conducted for all employees.
- Key Resource Allocation - Ensure that adequate people and financial resources are made available to various initiatives for effective execution.
Securing the last mile - Last mile security is as critical as data center or platform security and security is a shared responsibility in a cloud model. We recommend the following best practices that you could follow at your end to security of your data at your side.
- Secure Authentication - You can enforce strong authentication mechanisms using integrated Active Directory or LDAP authentication services or tune-up the password rules from the admin console. You can customize the welcome message shown to your users on the login page.
- Access Administration - Establish processes to provide appropriate access to your users and remove accesses that are no longer valid. You should also change all default passwords.
- Role Based Access - Enforce differential access based on the users’ responsibilities to limit access based on the principle of least privileged access and prevent conflict of interest.
- Custom SSL - The products come with the option of implementing custom SSL certificates that let you secure the solution for a safe and personalized experience.
- Monitoring – The product allows you to configure an external syslog server, which allows remote monitoring of system messages and audit log of user activity. The application also provides a screen to review and export the audit log.
- Secure APIs - Update your APIs as and when we bring in new releases and notify you.
- IP Allowlisting - Establish authorized and exclusive connections by allowlisting your IP Addresses in our services, thereby limiting access to trusted users.