Information Security
Cloud Security
We maintain our cloud security posture aligned with industry security standards and best practices to ensure that we follow the best to stay protected. Have a look at our groundwork on cloud security:
Data Segregation
All the application and database servers are hosted in a private subnet and are not exposed to the internet. In other words, there will be no public IP to these machines. The application and database server will be hosted in a separate subnet ensuring the highest level of security measures are in place.
Security by Design
42Gears services are hosted on trusted platforms such as Amazon Web Services (AWS), Google Cloud Platform (GCP), and MongoDB Atlas. These data centers are equipped with an array of robust security features, including security guards, fencing, security feeds, and advanced intrusion detection technology.
Data Encryption
We employ a minimum of 128-bit symmetric encryption and a 1024-bit authenticated key agreement to ensure the confidentiality and integrity of your data. Additionally, we have implemented the HTTP Strict Transport Security (HSTS) header across all our web connections. This further strengthens the security of your data by enforcing secure communication protocols and preventing certain types of attacks.
Data Retention, Recovery and Backup
To safeguard data and configurations of all our applications, we have implemented a robust data retention, recovery, and backup system. Regular backups are consistently created to ensure the safety and availability of your data. These database backups are generated at scheduled intervals and securely uploaded to an AWS bucket. This guarantees that your data is protected and readily recoverable in the event of any unforeseen circumstances.
Infrastructure Security
42Gears Cloud relies on the robust security framework provided by Amazon Web Services (AWS) and adheres to the AWS Shared Responsibility Model. For detailed information, please refer to the AWS Shared Responsibility Model. Within the 42Gears cloud infrastructure, data is meticulously segregated on multiple layers to maintain logical separation.
Product Security
Here at 42Gears, we have a dedicated product security team to test and resolve product security issues. Our engineering team obeys a secure software development lifecycle policy. Our product security focuses on the security of data processed by, or in relation to our products. Security is embedded in all aspects of our innovation, products, systems, and services.
Secure Development
From being a concept to the production and amid, we prioritize security throughout the entire product development lifecycle.
Security Resources
We recommend all connections to the servers using SSL/Transport Layer Security (TLS 1.2) encryption with strong ciphers for all connections including web access, API access, and mobile apps.
Annual Testing & Security Scan
We conduct regular Vulnerability Assessment and Penetration Testing, following the OWASP (Open Web Application Security Project) Standards. Our external pentest is performed by CyRAACS, a reputable cyber security company in India. Furthermore, we engage third-party vendors to annually assess our applications.
Product Security Team
Our Product Security team comprises highly skilled professionals whose primary objective is to identify and mitigate potential vulnerabilities and threats throughout the product's lifecycle.
Security Advisories
42Gears is focused on ensuring the security of our products. We are committed to rapidly addressing issues as they arise, and providing recommendations through security advisories and security notices. Security advisories are fixes or workarounds for vulnerabilities identified with 42Gears products. Click here for detailed information on security advisories.
Deprecations and Removals
42Gears does not market, sell, deploy, or provide updates to versions of products that have reached the end of life (EOL). Although the product works, old versions of software inherently have security vulnerabilities that attackers can exploit. Your best defense is to be on software that can receive updates and is free of known vulnerabilities. Click here for detailed information on the dates and/or versions by which 42Gears capabilities have already or will, within the next few months, reach their EOL.
Organisational Security
At 42Gears, every employee is actively engaged in our security culture. We promote a security-conscious mindset throughout the organization through ongoing training and awareness programs. This ensures that our team members understand their roles and responsibilities in maintaining a secure environment and protecting sensitive data.
Employee Background Checks
With the utmost priority placed on the security and well-being of our organization, we have established a robust policy mandating employee background verification. This policy serves as a crucial safeguard, enabling us to thoroughly assess the backgrounds of all employees. By implementing this mandatory procedure, we are committed to ensuring a secure and trustworthy work environment, instilling confidence among our stakeholders and protecting the interests of our organization.
Security Awareness
We consistently provide essential Information Security awareness training throughout the organization at regular intervals. In addition, we assess their knowledge through tests and quizzes to identify areas where further training is needed. To promote awareness and foster innovation in security and privacy, we also organise internal events.
Internal Audits and Checks
To proactively identify and mitigate potential threats, we conduct weekly audits on malware reports. These audits involve a comprehensive examination of potential malware and security vulnerabilities, allowing us to promptly address any emerging risks.
In addition to the weekly audits we perform internal security audits on a defined frequency on our servers. These audits ensure that our servers adhere to the highest security standards and that all necessary security measures are in place to protect sensitive data and prevent unauthorized access.
Network Security
Our Network architecture ensures that sensitive data is protected through best business practice security policies and procedures. This includes hardened Firewall configuration rules, network logical segmentation, proactive monitoring, active vulnerability assessments, load balancing, digital certificates, etc.
Our network security and monitoring measures are strategically crafted to deliver robust layers of protection and defence. By employing firewalls, we effectively thwart unauthorised access and undesired traffic from compromising our network. Additionally, we fortify our systems by implementing network segmentation, which acts as a safeguard to shield sensitive data from potential threats.
Physical & Infrastructure Security
We have active and passive security control measures in place to protect employees, technology, information, and infrastructure against unauthorized access, sabotage, damage, and criminal activity.
We ensure stringent control over access to our resources, including buildings, infrastructure, and facilities. To achieve this, we employ access cards that regulate consumption, entry, and utilisation. Different access cards are assigned to employees, contractors, vendors, and visitors, restricting their access solely to the purpose of their presence on the premises.
Data Security
We enforce strong data protection standards to guarantee appropriate data handling at all classification levels, from processing and storage to transfer and destruction. We ensure that the appropriate encryption controls are in place for data at rest in the cloud.
Our Software Development Life Cycle (SDLC) serves as a guiding framework, enforcing adherence to secure coding guidelines. Moreover, we employ a range of robust measures to screen code changes for potential security vulnerabilities. These measures include utilising code analyser tools, vulnerability scanners, and conducting thorough manual reviews to ensure the utmost security.
Secure Client Installation on Mobile Devices
Common app marketplaces, such as Windows Store, Apple App Store, and Google Play Store have their own security processes and models to ensure secure client installation on mobile devices. 42Gears follows the rules each store has set up for publishing SureMDM agent application, Nix.
Secure Client Communication
42Gears uses Secure Sockets Layer (SSL) to secure communication between endpoints and the MDM server. The endpoints include mobile devices based on platforms such as Android, iOS and Windows. 42Gears SureMDM communicates with iOS devices using the Apple Push Notification Service (APNs). SureMDM uses a certificate to communicate to the Apple MDM services, which the admin must download from the Apple Push Certificates Portal. For Android devices, 42Gears uses Google Cloud Messaging, and for Windows devices, 42Gears uses Windows Push Notification Services (WNS).
Identity and Authentication
- Device Enrollment Authentication
42Gears SureMDM can integrate with any OAuth endpoint for this authentication. This allows 42Gears to use identity services like ADFS, Azure AD, G Suite, and Microsoft 365 for device enrollment. - Portal Login Authentication
By default, 42Gears SureMDM offers its own indigenous user management. But it can also integrate with any SAML2-based identity service to offer seamless Single Sign-On. Azure AD, Okta, and OneLogin are a few such identity services. - Two-Factor Authentication
SureMDM can protect admin accounts from password theft by enabling two-factor authentication for owners and co-account owners through Google Authenticator, email, and/or phone numbers. Once two-factor authentication is enabled, IT admins will be required to provide an additional form of identity proof while logging in, such as a time-sensitive one-time password (OTP).
Payment
Payment Gateways
We work with a few commercial payment gateways, such as Stripe, PayPal, and Chargify. Once customers select a payment gateway, they are transferred to systems that are controlled by these service providers to complete the payment. Such payment gateways render payment services as data controllers and comply with all necessary obligations required for processing data under applicable data protection laws and their respective Privacy Notices. We do not store or collect your payment card details in any manner whatsoever.
The payment processors we work with are
Business Continuity & Disaster Recovery
42Gears uses a high-availability architecture to ensure that, in the event of a failure, service performance continues to meet client expectations. We are compliant in maintaining ISO 27001:2013 & SOC 2 Type II, which requires the production, maintenance, and testing of a Disaster Recovery Plan (DRP).