Security and Compliance
Overview
This page aims to give some guidance on the areas you should consider as you integrate the service you are building on PhixFlow into your risk management, audit and compliance programs.
See also PhixFlow Security Design Features - this describes how PhixFlow is designed to be secure. This may be useful to completing security assessments that apply to this service.
Risk Assessments
We recommend your risk assessment process includes the following:
User types – staff, contractors, associates.
Dialogue with end-users as well as technology staff, to identify and understand the risks and existing counter-measures.
Device types and who owns and manages them.
Locations where the system will be accessed from e.g. homes, offices, public areas.
Treatment of any high priority risks identified by applying good or best practices in network and firewall configuration, intrusion detection and prevention strategies, server hardening, configuration, deployment, application monitoring and usage guidelines.
General Recommendations for Using PhixFlow Securely
Implement least privilege access by:
Only placing users in groups appropriate for the tasks they need to do.
Review accounts used by PhixFlow solutions for access to databases and email accounts ensuring they only have the level of access needed.
Limit the number of administrators or accounts with full access.
Do not use the system for testing or development as it is common for additional user accounts to be required, and authorisation to be relaxed to enable testing.
Hardening
The following table lists the areas that require hardening and recommendations
Area to Harden | Recommendations |
Operating Systems | Refer to the PhixFlow system planning guide and Vendor recommendations |
Apache Tomcat application server | Refer to the PhixFlow system planning guide and vendor recommendations |
PhixFlow Database server | Refer to the PhixFlow system planning guide and database vendor recommendations |
PhixFlow Application | Refer to the PhixFlow Installation guide for installation with least-privilege access and removal of installation files and users. |
PhixFlow Solutions Configuration | Review the permissions implemented on any applications. |
Intrusion Detection & Prevention (ID/IP)
If your company currently uses intrusion detection monitoring tools, the following information may be helpful.
Whitelist/Blacklist | Pattern | Description |
Blacklist | .php, .exe, .asp, .aspx, | PhixFlow does not use any of these file extensions |
Blacklist | ..\ – <! </script> | Requests with these character combinations are not required |
Whitelist | ? & : | PhixFlow uses these characters in the URL |
Deploying PhixFlow for Mobile Access
PhixFlow mobile uses the same web application as for web access, which employs responsive design and HTML5 to deliver user interfaces that are compatible with a large number of mobile phones, tablets and netbooks. This approach ensures that no confidential data is stored by PhixFlow on the device itself, and the security policies with regard to user accounts and access are centrally managed exactly as for web access.
Deploying any application for mobile access does present some additional risks. These include loss, theft or shared use of mobile devices and tablets. Other risks include incorrect data input as users can sometimes make mistakes performing data input on very small interfaces.
Because of this, a further risk assessment should be carried out prior to deploying PhixFlow involving users and technology staff, and then risk treatment agreed to reduce the likelihood or impact of any significant risks. This process is something PhixFlow consultants can facilitate or assist with if required, especially if screens and processes need to be reviewed and optimised for mobile devices.
We recommend that in addition to following the guidelines on web access, that all mobile devices used to access PhixFlow applications containing confidential data be protected from unauthorised access by applying the following controls:
Centrally Managed Mobile Devices
We recommend that all mobile devices should be centrally managed to ensure updates are applied and security vulneraries are patched in accordance with the customer's security policy.
We recommend that the remote management allows lost or stolen devices to remotely wiped of all data and settings.
Auto-lock / PIN Unlock
We recommend all devices have an auto-lock feature that requires a PIN or passcode to unlock it.
Restrict Use in Public Places
We recommend that customers have a policy in place that limits the viewing of large amounts of confidential data on tablets and laptops in busy areas such as trains, hotel bars and cafes.
Review Read-only Access
When data does need to be entered or viewed in public places, we recommend that customers review screens, process and access controls to reduce the volume of data.