Security and compliance



Overview

As businesses increasingly shift their operations toward the cloud, security and compliance requirements have become more demanding and more critical.

This article describes how Automation Service implements strict governance and security requirements so that data privacy and overall system security are not a concern for customers who want to use Automation Service.


Security, our first priority

Automation Service has been designed with security as its top priority. By using technologies and controls that enable an isolated environment for each customer, Automation Service delivers a virtual private cloud where customer data is not shared.


This private cloud has further security controls and mechanisms in place, such as identity and access management, data encryption, and policies and procedures that ensure data privacy for customers: deletion of data upon termination of the subscription, security controls that grant access to data only to authorized personnel, and physical and environmental measures to protect data.


What is a virtual private cloud?

Automation Service features a separate cloud platform for each customer, where all the environments (e.g., testing and production) for that platform are secured.

Each Automation Service customer uses a different set of assigned services and resources, where customer data is not shared.

This set of assigned services and resources is located in the geographical location chosen by the customer.

Having separate services and resources, together with data isolation, allows for more predictable performance and provides a basis for strict compliance with data privacy requirements.


Bizagi Software Development Cycle

Automation Service uses Automation Server in its runtime environments.

Automation Server implements a software development cycle that enforces industry-standard security controls, so that the Bizagi system (and the service as a whole) can counter potential hacking attempts and mitigate overall security risk.

The software development cycle relies on the Secure Development Lifecycle methodology published by Microsoft, while also following guidelines proposed by security expert communities such as NIST, OWASP, and the Cloud Security Alliance.

By following comprehensive guidelines, such as the OWASP Top 10, Bizagi's development team can identify and resolve vulnerabilities in the early stages of the software development cycle.

Within its secure development strategy, Bizagi adopts several other best practices, such as:

A four-eyes principle, ensuring that code development is validated by a second person.

New features being analyzed by following the OCTAVE Allegro risk methodology and by conducting threat modeling.

Specific platform guidelines for mobile applications, as officially issued by Apple, Android and Microsoft, being taken into consideration.

Automated tools being employed to perform dynamic application security testing and static code analysis (using AppSpider and Veracode, respectively).

Manual penetration testing being conducted regularly by Bizagi's Security team, to identify potential vulnerabilities that would be difficult to detect automatically.

In addition to the above, customers and other organizations, such as Cert.org, have in the past run security assessments to verify that Bizagi meets the security compliance levels expected of enterprise-class solutions.


Compliance

Automation Service is powered by Microsoft Azure and managed by Bizagi. It introduces a cloud-centric architecture that leverages the best available services and techniques to offer a secure, reliable and high-performance cloud environment.

Microsoft Azure has been widely recognized for its compliance with different local and global standards and regulations, including ISO/IEC 27017, SOC 1 and SOC 2, PCI DSS, NIST SP 800-171, FedRAMP, HIPAA/HITECH, and the EU Model Clauses.


ISO/IEC 27001

ISO/IEC 27001 is recognized worldwide as one of the premier international standards for information security management.

Bizagi's security policies and procedures are based on this standard, while also taking into account the applicable addenda that address privacy in the cloud.


Security controls

Automation Service implements security controls and measures for data integrity, confidentiality and availability.

For more information on each of these security controls and measures, refer to the links below:

Network security

PaaS environment security

Identity and access management

Data encryption

Physical security

Monitoring and operations