Protecting customer data is one of our most important responsibilities. We’re committed to being transparent about our security practices and helping you understand our approach. Highlights of our security program are provided below.
Our Security Governance Team (SGT) is a governing body consisting of cross-functional management representatives led by the Chief Information Security Officer (CISO). The SGT meets on a regular basis to advise, prioritize, and enable the Information Security Program.
The risk-driven Information Security Program includes administrative, technical, and physical safeguards to align with applicable requirements, standards, and best practices. We maintain information security policies that are regularly reviewed, updated, and approved on a predefined schedule.
We conduct industry-standard security risk assessments periodically to identify, analyze, monitor, and respond to risk. Our multi-faceted approach also includes using multiple sources of input such as vulnerability assessments, penetration testing, and other forms of security reviews to capture the holistic state of our security posture. Risk treatments are strategically planned and prioritized with key stakeholders to ensure alignment with security and business objectives. Cross-functional collaboration with the SGT is integral for the effective review and management of information security risk.
Employee Background Checks
Before onboarding new staff, we perform reference checks. Where local labor law or statutory regulations permit, we may also conduct criminal, credit, immigration, and security checks. The extent of these background checks is dependent on the position and country.
Security Training For All Employees
All employees and contractors undergo security training as part of the orientation process and receive ongoing security training throughout their tenure. During orientation, new employees must read and agree to our Acceptable Use Policy (AUP) and Code of Conduct, which highlights our commitment to keep customer information safe and secure. Depending on their job role, additional training on specific aspects of security may be required. For instance, the information security team instructs new engineers on topics like secure coding practices, product design and automated vulnerability testing tools. We also cover topics like phishing, ransomware, social engineering etc. topics.
For Varyence employees, access rights and levels are based on their job function and role, using the concepts of least-privilege and need-to-know to match access privileges to defined responsibilities. All our personnel are required to use multi-factor authentication and strong passwords. Access to production infrastructure is strictly controlled using two-factor authentication. Privileged access to both corporate and production resources is subject to a review process, and manual recertification is performed, at a minimum, on a quarterly basis.
For external collaboration with our customers, we support guest access to our directory using multi-factor authentication. Access attempts are logged for review.
We administer a vulnerability management process that involves periodic third-party scans for security threats using a combination of commercially available tools, intensive automated and manual penetration efforts, quality assurance processes, software security reviews and external audits. Once a vulnerability requiring remediation has been identified, it is logged, prioritized according to severity, and assigned an owner. The owner then tracks the issue and follows up until they can verify that the issue has been remediated. We also offer certain bug bounties for disclosed vulnerabilities from external parties.
An effective malware attack can lead to account compromise, data theft, and possibly additional access to a network. We take these threats to our networks and customers very seriously and use a variety of methods to prevent, detect and eradicate malware. We leverage Anti Malware solutions on all corporate laptops and servers. A Safe Link service is used to check links before users click on them, to prevent malware from being installed through infected websites.
Monitoring And Alerting
Varyence invests heavily in the automation of monitoring, alerting and response capabilities so that potential issues are continually addressed—in addition to our complete automation of our build procedures. Engineers and administrators are alerted to anomaly occurrences—particularly application attacks, error rates, and abuse scenarios. Automatic responses and alerts to appropriate teams are triggered by these and other anomalies so that investigation and correction can occur. The occurrence of malicious or unexpected activities causes automated systems to bring in the right people to ensure issues are rapidly addressed. There are also numerous automated triggers designed into systems so that unforeseen situations can be detected and will be immediately addressed. Functions, traffic blocking, process termination and quarantine are activated at predefined thresholds so that protection of our platform against a broad variety of undesirable situations is assured.
Data Center Security
Varyence primarily uses Microsoft Azure, Google Cloud Platform (GCP), and Amazon Web Services (AWS) in the USA for our cloud infrastructure. We do not move customer data between cloud regions outside of the USA.
The physical security of the cloud infrastructure data centers features a layered security model, including safeguards like custom-designed electronic access cards, alarms, vehicle access barriers, perimeter fencing, metal detectors, and biometrics, and the data center floor features intrusion detection. Data centers are monitored 24/7 by high-resolution interior and exterior cameras that can detect and track intruders. Access logs, activity records, and camera footage are available in case an incident occurs. Data centers are also routinely patrolled by experienced security guards who have undergone rigorous background checks and training. All hardware is tracked and disposed of in a secured manner. To keep things running 24/7 and ensure uninterrupted services, data centers feature redundant power systems and environmental controls.
Encrypting Data In Transit And At Rest
Varyence customer data, and our own data, is encrypted when it’s on a disk using AES-256bit encryption. Data in transit over the Internet or traveling between data centers is encrypted using TLS 1.2 or higher. Only standardized encryption protocols and algorithms are used. Database passwords are stored securely using a one-way hash.
Varyence uses Azure KMS for encryption key management. Rotation of keys depends upon the sensitivity of encrypted data. In general, TLS certificates undergo annual renewal. Currently, Varyence is unable to use customer-supplied encryption keys.
Recovery And Highly Available Solution
Varyence designs the components of our platform to be highly redundant. Customer data is replicated synchronously in real time over multiple geographically distributed data centers to minimize the effects of regional disruptions such as natural disasters and local outages. In the event of hardware, software, or network failure, automatic failover allows our customers to continue working in most cases without interruption.
Additionally, backup strategies are in place and run on a regular basis using established frequencies and schedules in a way that ensures restoration can be easily performed. Backups are encrypted and monitored so that successful execution is assured. In the event of any exceptions, alerts are generated. Any failure alerts are escalated, investigated and resolved. Data is backed up regularly to its local region. Periodic testing is carried out for successful recoverability.
Customer data is logically separated using RBAC in our databases or isolated databases depending on customer needs. We maintain separate production, staging and development environments.
Employee Access To Customer Data
We apply the principle of least privilege in all operations to ensure confidentiality and integrity of customer data. All access to systems and customer data within the production network is limited to those employees with a specific business need. A best effort is made to troubleshoot issues without accessing customer data; however, if such access is necessary, access is enabled on a temporary basis and then revoked.
All actions taken to make changes to the infrastructure or to authenticate directly to production systems are logged for auditing purposes. In order to protect customer data, only authorized team members have direct access to production servers and databases.
Every Varyence employee is provided with a list of approved secure password managers that can be used to generate, store, and enter unique and complex passwords. The use of a password manager helps avoid password reuse, phishing, and other behaviors that reduce security. All access to the production servers and data is protected using network isolation and strong authentication mechanisms. A combination of strong passwords and two-factor authentication (with number matching) is used to shield mission critical systems.
Data Retention & Destruction
Data retention policies are in place for disposal of customer NPI and PII data within 90 days of a request by a current or former customer or in accordance with Customer’s agreement(s).
Secure Software Development Lifecycle
Standard best practices are used throughout our software development cycle from design to implementation, testing, and deployment. All code is checked into a permanent version-controlled repository. Code changes are always subject to peer review and continuous integration testing to screen for potential security issues. All changes released into production are logged and archived, and alerts are sent to the engineering team automatically. Access to Varyence source code repositories requires strong credentials and two-factor authentication (with number matching).
Secure By Design
All features are reviewed by a team of senior engineers as soon as they are conceived. Members of the Varyence team have substantial experience working with and building secure technology systems. We plan all functionalities with security in mind to protect the platform against security threats and privacy abuses. We leverage modern browser protections to prevent Cross-Site Scripting (XSS), Clickjacking and other code injection attacks resulting from the execution of malicious content in the trusted web page context.
Once features are implemented, we perform internal security testing to verify correctness and resilience against attacks. We follow the leading Open Web Application Security Project (OWASP) Testing Guide methodology for our security testing efforts. Discovered vulnerabilities are promptly prioritized and mitigated. In addition, we regularly engage top-tier third-party security companies to independently verify our applications.
Our products are constantly optimized through a delivery approach to software development that is modern and continuous. For SaaS products, seamless updates can be deployed without downtime associated with the releases. Web messages and/or product update posts are used to communicate major feature changes.
Network and Application Firewalls are in place allowing only explicitly authorized ingress traffic.
Threat Detection Systems are in place to detect and block anomalous traffic patterns and malicious actions against the environment.
THIRD PARTY VENDOR MANAGEMENT
We rely on several third-party vendors to deliver our service. Prior to onboarding third-party suppliers, Varyence conducts an assessment of the security and privacy practices of third-party suppliers to ensure they provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide. Once Varyence has assessed the risks presented by the third-party supplier, the supplier is required to enter into appropriate security, confidentiality, and privacy contract terms.
REGULATORY COMPLIANCE & PRIVACY
Varyence customers have varying regulatory compliance needs. Our clients operate across regulated industries. Our SGT team continuously monitors and responds to changes.
For further inquiries regarding our security policy, please contact us at security AT varyence.com.