We use a security monitoring solution to gain visibility into our application security, identify attacks and respond quickly to a data breach. We also use tooling to monitor exceptions and logs and to detect anomalies in our applications. We collect and retain logs to provide an audit trail of our applications' activity. Security events are logged, and notifications are sent for critical attacks so that remediation can begin quickly.
As with most cloud services, access to the Cross4Cloud platform requires a login ID and password. Enterprise customers can implement single sign-on (SSO). We recommend enabling the additional protections, such as two-factor authentication (2FA), offered by SSO vendors. Role-based access control (RBAC) is available on all customer accounts and lets users define their own roles and permissions.
All data sent to or from our infrastructure is encrypted in transit using Transport Layer Security (TLS), following industry best practices. Every device that stores data is encrypted at rest, so data on a decommissioned device cannot be read without the corresponding key. The keys used for at-rest encryption are rotated annually.
Cross4Cloud's network architecture consists of multiple security zones, with each tier confined to its own zone. In particular, internet-facing endpoints sit in their own zone and have no direct access to the database tier or other internal services. In AWS environments, Amazon GuardDuty continuously analyzes CloudTrail and VPC Flow Logs for anomalies and security incidents, and AWS Security Hub checks infrastructure policies and configuration against best practices and raises alerts on deviations.
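The monitoring paragraph above says notifications go out for critical attacks, and this paragraph says GuardDuty is the source of those detections in AWS. The following is an added example, not Cross4Cloud's code, of the triage step that sits between the two: it takes findings in the shape returned by the GuardDuty GetFindings API (Id, Type, Severity, Service.Count, Resource.ResourceType, Region), maps GuardDuty's documented numeric severity to its Low/Medium/High bands, de-duplicates by finding Id, and decides which findings page someone and which only open a ticket. The routing thresholds and the sample findings are constructed for illustration; Cross4Cloud's actual thresholds and channels are not described on this page.

```python
"""Triage Amazon GuardDuty findings into page / ticket / ignore.

Added example, not Cross4Cloud's own code. Assumes findings shaped like the
GuardDuty GetFindings API response. Sample findings below are constructed.
Severity bands follow GuardDuty's documented scale:
Low 1.0-3.9, Medium 4.0-6.9, High 7.0-8.9.
"""
from __future__ import annotations

from dataclasses import dataclass

# Documented GuardDuty severity band floors, highest first.
SEVERITY_BANDS = (
    (7.0, "High"),
    (4.0, "Medium"),
    (1.0, "Low"),
)

# Hypothetical routing policy (assumption, not from the page):
PAGE_THRESHOLD = 7.0    # High -> immediate notification to on-call
TICKET_THRESHOLD = 4.0  # Medium -> tracked in a queue, not paged


@dataclass(frozen=True)
class Alert:
    finding_id: str
    finding_type: str
    band: str
    count: int
    resource_type: str
    region: str
    route: str  # "page" or "ticket"


def severity_band(severity: float) -> str:
    """Map GuardDuty's float severity to its named band."""
    for floor, name in SEVERITY_BANDS:
        if severity >= floor:
            return name
    return "Informational"


def triage(findings: list[dict]) -> list[Alert]:
    """Return one Alert per actionable finding, de-duplicated by Id, pages first."""
    seen: set[str] = set()
    alerts: list[Alert] = []
    for f in findings:
        fid = f["Id"]
        if fid in seen:  # overlapping result pages can repeat an Id; never page twice
            continue
        seen.add(fid)
        sev = float(f["Severity"])
        if sev >= PAGE_THRESHOLD:
            route = "page"
        elif sev >= TICKET_THRESHOLD:
            route = "ticket"
        else:
            continue  # Low/informational: kept in the log archive, not routed
        alerts.append(Alert(
            finding_id=fid,
            finding_type=f["Type"],
            band=severity_band(sev),
            count=int(f.get("Service", {}).get("Count", 1)),
            resource_type=f.get("Resource", {}).get("ResourceType", "Unknown"),
            region=f.get("Region", "unknown"),
            route=route,
        ))
    # Pages before tickets; within a route, the most frequently repeated finding first.
    alerts.sort(key=lambda a: (a.route != "page", -a.count))
    return alerts


def render(alert: Alert) -> str:
    """One-line message for the notification channel."""
    return (f"[{alert.band}] {alert.finding_type} on {alert.resource_type} "
            f"in {alert.region} (seen {alert.count}x) -> {alert.route}")


# Constructed sample findings (not real GuardDuty output): one per band, plus a
# duplicate Id as you get when two overlapping GetFindings pages are merged.
SAMPLE_FINDINGS = [
    {"Id": "f-001", "Type": "UnauthorizedAccess:EC2/SSHBruteForce", "Severity": 2.0,
     "Region": "eu-west-1", "Service": {"Count": 37},
     "Resource": {"ResourceType": "Instance"}},
    {"Id": "f-002", "Type": "Recon:IAMUser/MaliciousIPCaller", "Severity": 5.0,
     "Region": "eu-west-1", "Service": {"Count": 3},
     "Resource": {"ResourceType": "AccessKey"}},
    {"Id": "f-003", "Type": "Backdoor:EC2/C&CActivity.B!DNS", "Severity": 8.0,
     "Region": "us-east-1", "Service": {"Count": 1},
     "Resource": {"ResourceType": "Instance"}},
    {"Id": "f-003", "Type": "Backdoor:EC2/C&CActivity.B!DNS", "Severity": 8.0,
     "Region": "us-east-1", "Service": {"Count": 1},
     "Resource": {"ResourceType": "Instance"}},
]

if __name__ == "__main__":
    for a in triage(SAMPLE_FINDINGS):
        print(render(a))
```

Running it on the constructed sample yields two alerts: the High C&C finding is paged, the Medium recon finding becomes a ticket, the Low SSH brute-force stays in the log archive, and the duplicated Id produces a single page. In a real deployment the findings would arrive from the GetFindings API or an EventBridge rule and `render()` would feed the paging or ticketing integration.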