Security
PURPOSE
Last updated 2 February 2024.
This section aims to inform the general public of AKTEK’s choices of technologies, practices, and procedures to meet the industry standard regarding security, compliance, and risk management.
AKTEK reviews its policies annually and updates the relevant documentation where needed.
SECURITY MEASURES
The following list of non-exhaustive topics provides a general categorization of security measures.
While standards and implementations evolve, AKTEK maintains the following practices as a base against which the development of its product and supporting systems should be measured.
DATA MANAGEMENT
Encryption
AKTEK uses industry-standard cryptography and encryption mechanisms to perform traffic encryption in transit and data encryption at rest. Encryption keys' specifications, rotation, and lifecycle are maintained as a part of a management service. This management ensures that no human error enters this ecosystem and alleviates the need for manual management of keys.
AKTEK uses TLSv1.2 to support the HTTPS protocol for internet and intranet communication with and between services. A certificate management service provides the necessary keys and supporting cryptography stack, including a robust cipher suite and industry-standard protocols.
Backup
AKTEK maintains a schedule to produce backups of all the databases that support its product and related systems. This schedule aligns with the product’s Recovery Point Objective (RPO).
The resulting backup files are encrypted in an object storage service that supports versioning and is not accessible for everyday operations. The expired backups are deleted by an automated process that ensures no residual files are left behind.
Periodic tests are conducted to confirm that the backups remain usable and can be restored promptly.
Subject requests
AKTEK implements a Data Protection Policy, which aims to provide a framework to address inquiries from individuals who are the subject of personal data held by AKTEK. This is to ensure AKTEK meets State and International regulatory guidelines.
Please consult the policy for what constitutes a subject access request, or email us directly at datacontroller@aktek.io.
Secure SDLC
SDLC stands for Software Development Life Cycle.
At AKTEK, we implement processes that support the secure development and delivery of software systems.
We follow the Shift-Left strategy, which focuses on integrating security requirements early in a feature or program development.
The requirements include:
- Developers follow secure coding techniques and design paradigms.
- New features or modifications are subject to a change management process in which a set of approvals must be attained by relevant personnel.
- Per-stage automated security tests are performed, and respective reports are produced to be reviewed by the senior developers or security engineers where necessary. These tests include but are not limited to:
  - SAST - Static Application Security Testing: to ensure no vulnerable design patterns or code makes it through to the next stage.
  - Secret Scanning: to prevent accidental credentials and/or secrets from being pushed to a code base.
  - DAST - Dynamic Application Security Testing: to cover common test scenarios that constitute the base for malicious activities.
  - SCA and SBOM: Software Composition Analysis to ensure that no open source libraries in use currently violate AKTEK’s development policies, and Software Bill of Materials to maintain a list of the dependencies that a program that is part of AKTEK’s systems may be using.
  - Container Scanning: to ensure that a program ends up in a secure container by scanning all the programs and libraries in that container.
- Deterministic pipelines guarantee that running the same pipeline in the same conditions will produce the same output every time. This maintains consistency and ensures that any change can be audited or traced back to its origin.
System and infrastructure security
AKTEK uses official and certified operating system images to host its software systems.
This includes Amazon Machine Images (AMIs), Ubuntu Server, and Red Hat Enterprise Linux (RHEL).
Depending on the use case, the team may operate one of the abovementioned systems.
System administration becomes integral to preparing the infrastructure to deliver AKTEK’s services.
This includes measures that govern securing a specific Linux distribution while maintaining the flexibility to host applications. Such measures include but are not limited to:
- Defining system users and permissions.
- Performing regular updates and patch management.
- Adhering to the existing Mandatory Access Control (MAC) systems rules and auditing requirements.
- Maintaining a level of segregation between various applications hosted on the same machine.
- Monitoring the system’s health and ensuring resources don’t get exhausted.
Access Control
AKTEK follows the Least Privilege security principle when implementing access control procedures.
That is, each entity, whether a real person or an automated program carrying out a designated function, is only granted the necessary privileges to enable the completion of the expected set of tasks.
While different providers implement different identity and authorization frameworks, AKTEK uses a central identity provider to allow its workforce to access relevant systems.
Engineers working at AKTEK adhere to a standard procedure that defines password security, multi-factor authentication requirements, and the life cycle of permanent or temporary credentials.
All personnel must use password managers, and such a requirement is audited by the mobile device management (MDM) software in use.
A record of currently granted access is maintained and reviewed monthly to ensure proper authorizations are in place and that no privileges are granted where they are not required.
Additionally, AKTEK uses an automated system to record the IP addresses of its employees or contractors whenever they access its systems and uses IP-based geo-location to identify anomalies in the access patterns.
Network Analysis
AKTEK implements a set of procedures to establish a defense-in-depth network security strategy.
Network segregation, achieved through subnetting and routing tables, is a core requirement to host any AKTEK service and access it.
Such a measure prevents traffic not intended to access a set of resources from reaching the wrong network.
Furthermore, firewalls and Access Control Lists (ACLs) only provide explicit permissions for the allowed protocols while actively denying all other traffic by default.
This configuration allows our engineers to obtain fine-grained control over what type of communication is permitted and accepted by each service.
AKTEK also employs an Intrusion Detection System (IDS) that scans the network’s flow logs between various sectors and observes anomalies.
Reports from this system are sent to a dedicated channel in AKTEK’s communication platform, and the responsible personnel are notified to take action depending on the severity of the finding.
The infrastructure team maintains network diagrams, plans, and configurations to serve as the documentation that reflects the current network design at any given time.
Third-Party Management
Vendors and third-party providers are integral to any cycle of operations in a SaaS-based product.
AKTEK adopts a risk-based approach in assessing the need to delegate part of its workloads to one vendor or another.
The management of the duties and responsibilities between AKTEK and its vendors is governed by an internal policy that outlines a set of processes including but not limited to:
- Critical third-party vendor inventory management procedures.
- Vendor security and privacy requirements.
- Relevant risk scenarios associated with a specific vendor.
This policy, a list of signed agreements with the vendor, and the vendor’s commitments to known compliance frameworks through attestations and certifications are reviewed at least annually.
Deviations are noted and communicated where necessary.
COMPLIANCE
AKTEK is SOC 2 TYPE II compliant and implements the controls according to the standards set forth by the American Institute of Certified Public Accountants (AICPA).
RISK MANAGEMENT
Teams working at AKTEK maintain a risk register according to the responsibilities of each team.
A matrix showing the likelihood and impact of each scenario is used to calculate the risk score of a particular incident.
The management oversees the results and tracks the actions implemented by the risk treatment plans for each team.
AKTEK uses its compliance automation platform to update its risk register and its library of relevant scenarios applicable to the business.
Independent Auditors use the same platform to assess the effectiveness of this methodology.
BUSINESS CONTINUITY, DISASTER RECOVERY, AND INCIDENT RESPONSE
AKTEK defines a set of procedures in its Business Continuity and Disaster Recovery (BC/DR) policy that constitute a framework to handle incidents in the event of a disaster and ensure that functions marked as business critical are prioritized.
A relevant set of documentation complementing this policy has been developed, including but not limited to the following:
- Root cause analysis (RCA) forms to identify and interpret the cause of an outage.
- Incident logs to record incidents and details surrounding their circumstances.
AKTEK also defines the team structure responsible for responding to incidents, their communication methods, and the roles of each member.
Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs) have been defined for each asset, and periodic tests are conducted to verify that recorded values fall within the set objectives. Furthermore, tabletop exercises are performed, some of which may involve clients or end users depending on the requirements. A document describing each exercise and its outcomes is held for reference.
AKTEK’s infrastructure designs implement high availability by requiring that a system be hosted on an odd number of servers greater than one, and fault tolerance by spreading its servers across different geographic areas, especially in cloud environments, in line with data governance requirements.
VULNERABILITY REPORTING
AKTEK conducts periodic system scans, vulnerability scans, and penetration tests following a schedule that ensures several scans and at least one penetration test per year.
Following the industry’s standards, AKTEK delegates its penetration testing activities to an independent third party. AKTEK’s security committee defines the scope of each penetration test to cover the critical scenarios that may threaten its product’s security posture. This is done by performing threat modeling before the commencement of the penetration tests.
System scans aim to identify vulnerabilities in the systems hosting AKTEK’s software programs. The findings are remediated according to SLAs that consider the type of the finding and its severity relevant to the system. Each finding is assigned a priority label and a status and is tracked in AKTEK’s change management system until its closure.
While AKTEK does not advertise a public vulnerability bounty program, we encourage all parties to submit their findings, regardless of the scope, to our security and infrastructure team to review at security@aktek.io.
CONTACT US
If you have any questions, comments, or requests regarding AKTEK's Security, please contact us at security@aktek.io.