Brightidea Security

Brightidea’s applications are hosted by Amazon Web Services (AWS). AWS’s global data center infrastructure is designed to ensure the highest level of performance and availability. AWS engages with external certifying bodies and independent auditors to provides considerable information regarding policies, processes, and controls resulting in certifications, audit reports, or at testations
 of compliance such as SOC 2, ISO 27001, ISO 27017 and CSA.

Our data center facilities feature a secured perimeter with multi-level security zones, 24/7 manned security, CCTV video surveillance, multi-factor authentication mechanisms for access control and security breach alarms.
 Learn more about AWS’s Data Center Controls.

All Brightidea Infrastructure, network systems, and devices are constantly monitored and logically administered by Brightidea staff. Physical security,
power, and internet connectivity are monitored by the individual facility providers.

Brightidea leverages AWS Regions within the United States and the European Union.

Our Security Team is on call 24/7 to respond to security alerts and events.

Our network is protected by redundant network and web application firewalls, best-in-class router technology, secure HTTPS transport over public networks, regular audits, and Intrusion Detection and/or Prevention technologies (IDS/IPS) which monitor and/or block malicious traffic and network attacks.

Our network security architecture consists of multiple security zones. More sensitive systems, like database servers, are protected in our most trusted zones. Other systems are housed in zones commensurate with their sensitivity, depending on function, information classification, and risk. Depending on the zone, additional security monitoring and access controls will apply. DMZs are utilized between the Internet, and internally between the different zones of trust.

Network penetration testing and vulnerability scanning gives us deep insight for quick identification of out-of-compliance or potentially vulnerable systems.

In addition to our extensive internal scanning and testing program, each year Brightidea employs independent third-party security experts to perform penetration testing across Brightidea’s Production Network.

Our Security Incident Event Management (SIEM) program monitors logs from important network devices and host systems and alerts on triggers which notify the Security team for investigation and response.

Application data flow ingress and egress points are monitored with Intrusion Detection Systems (IDS) and/or Intrusion Prevention Systems (IPS). The systems are configured to generate alerts when incidents and values exceed predetermined thresholds and uses regularly updated signatures based on new threats. This includes 24/7 system monitoring.

Brightidea uses industry leading anti-malware solutions to protect against threats including malware, viruses, Trojans, and spyware. New anti-malware patterns and updates are applied frequently to ensure protection against the latest threats.

Brightidea has implemented data loss prevention tools that ensure control of USB and peripheral ports and to detect and prevent potential data breached and data ex-filtration by monitoring, detecting, and blocking sensitive data in motion and at rest.

Brightidea participates in several threat intelligence sharing programs. We monitor threats posted to these threat intelligence networks, and act based on our risk and exposure.

Brightidea’s infrastructure is designed using a variety of AWS services and features such as AWS Web Application firewall & Shield to help mitigate Distributed Denial of Service (DDoS) attacks.

Access to Brightidea networks is restricted by an explicit need-to-know basis, utilizes least privilege, is frequently audited and monitored. Multi-factor authentication is required for accessing our production networks.

In case of a system alert, events are escalated to our 24/7 teams providing Operations, Network Engineering, and Security coverage. Employees are trained on security incident response processes, including communication channels and escalation paths.

Communications between you and the Brightidea application servers are encrypted via HTTPS and Transport Layer Security (TLS1.2 or higher) over public networks. TLS is also supported for encryption of emails.

All client data is encrypted at rest using the industry-standard AES-256 algorithm. Brightidea uses AWS Key Management Service to manage keys. Keys are rotated annually.

Brightidea maintains a publicly available system status webpage which includes system availability details, scheduled maintenance, service incident history, and relevant security events.

Brightidea employs service clustering and network redundancies to eliminate single points of failure. Our backup program ensures Service Data is actively replicated across primary and secondary systems and facilities.

Our Business Continuity (BC) and Disaster Recovery (DR) programs ensure that our services remain available or are easily recoverable in the case of a disaster. This is accomplished through building a robust technical environment, creating Business Continuity and Disaster Recovery plans, and regularly scheduled testing.

The Brightidea application support login using your Brightidea username/password combination. We use an industry leading and battle-tested algorithm to securely hash and salt all passwords. You may also enable login using third-party social media (Google, Twitter) end-user authentication.

Our data center facilities feature a secured perimeter with multi-level security zones, 24/7 manned security, CCTV video surveillance, multi-factor authentication mechanisms for access control and security breach alarms.
Learn more about AWS’s Data Center Controls.

Single sign-on (SSO) allows you to authenticate users in your own systems without requiring them to enter additional login credentials for your Brightidea application using Security Assertion Markup Language (SAML). Learn more about SSO.

Brightidea provides default password rules as well as the ability to set custom password complexity rules.

Brightidea follows secure credential storage best practices by never storing passwords in human readable format, and only as the result of a secure, salted, one-way hash.

Before users can access Brightidea data through your app, they must first authenticate and authorize against Brightidea. Once completed, your app will have the permissions and the resource to make API requests for data on behalf of the users. You must use the OAuth 2.0 standard to interact with the Brightidea Authentication page. Learn more about Brightidea API.

Access to data within Brightidea’s applications is governed by access rights and can be configured to define granular access privileges. Brightidea has various permission levels for users. Learn more about Roles.

Brightidea’s applications can be configured to only allow access from specific IP address ranges you define. Learn more about IP Restriction.

All communications with Brightidea servers are encrypted using industry-standard HTTPS over public networks. This ensures that all traffic between you and Brightidea is secure during transit. Additionally, for email, our product supports Transport Layer Security (TLS), a protocol that encrypts and delivers email securely, mitigating eavesdropping and spoofing between mail servers.

Brightidea has developed a comprehensive set of security policies covering a range of topics. These policies are shared with, and made available to, all employees and contractors with access to Brightidea information assets.

All new employees attend a Security Awareness Training which is given upon hire and annually thereafter. All engineers receive annual Secure Development Training. Additional security awareness updates are provided via email, blog posts, and in presentations during internal events.

Brightidea performs background checks on all new employees and contractors in accordance with local laws. The background check includes criminal, education, and employment verification.

All new hires are screened through the hiring process and required to sign Non-Disclosure and Confidentiality agreements.