This guidance supplements the Security Video and describes Primero's application security, deployment security, and the processes that support them.
Security is the practice of protecting your data from unauthorized third parties, using a combination of hardware and software controls. This document walks through the most common tools and processes.
Protecting data is important to ensure that the sensitive information you carry on your computer or mobile device does not land in the wrong hands and become compromised. This is especially true given the sensitive nature of Primero data. Primero is designed with the understanding that it stores extremely sensitive data. The application has mechanisms for ensuring data confidentiality and for sharing information only on the basis of consent and need. The system is designed for stability and durability. Primero strives to do no harm, to minimize risk, and to invest in data security and the required security protocols. Primero complies with various physical, administrative and software controls and regulations for data security and collection. The Primero team has taken many precautions in building the system to limit vulnerabilities.
Some security precautions are implemented explicitly as application behavior. Primero is developed following the security recommendations set out by OWASP (the Open Web Application Security Project).
- Encryption is the process of encoding data so that only authorized parties can read it. Primero encrypts exports: all data exported from the system is encrypted.
- User access is protected by passwords with an enforced minimum strength. User management tools revoke access for users who have left the organization or have been deemed untrustworthy.
- Role-based user access is tightly provisioned: a series of steps, including multi-factor authentication, ensures that access is provisioned to the correct user. Complex authorization hierarchies ensure that users have explicit rights to access only the system functions relevant to their role. All data collected in the system is presented only to users with an explicit business reason for seeing it. Case workers see information only about the cases they manage. Different roles (such as supervisors, FTR officers, and different kinds of service providers) have access only to the portion of an individual case that is relevant to their work.
- All sharing of information between users within the system as well as the ability to export data outside of Primero is regulated by the consent provided by the client.
- Two-factor authentication requires users to present two (or more) factors. For example, using a passcode to unlock a phone and then logging into Primero with your user credentials is two-factor authentication.
- Primero enforces session timeouts: after a long period of inactivity, indicating that the user is no longer interacting with the system, the session ends and the user is signed out.
- Audit logs record system interactions so that abuse, unusual activity and data requests can be traced.
Primero is designed, developed and deployed as a full-service platform. This includes both the web and mobile applications as well as the operating system hosting them. Primero is being positioned for distribution as a service running on the Microsoft Azure cloud. This allows us to leverage Azure cloud hosting tools and SLAs to ensure greater consistency of deployment and security.
We rely on Chef, a DevOps configuration management tool, to deploy Primero. This guarantees that Primero servers are always in a known state, which is essential for identifying and remediating system security issues.
- Primero uses in-transit encryption and is accessible only via HTTPS. It supports only the TLS 1.2 protocol. Out of the box, Primero servers use Let’s Encrypt domain-validated certificates, although any TLS certificate can be used. Optionally, Primero supports client-side TLS certificates, which restrict access to the server to validated machines.
- Azure-hosted Primero instances use encrypted data partitions (encryption at rest).
- Web server hardening: repeated requests from the same IP address to public-facing pages are rate-limited to mitigate denial-of-service attacks; lockout timeouts after incorrect passwords limit the effectiveness of brute-force attacks; the site accepts requests only by its DNS hostname, not by bare IP address, to prevent opportunistic scanning attacks. We regularly review the web server configuration and deprecate weak cipher suites.
- Primero runs on Ubuntu 16.04 LTS with nightly system security updates. The operating system is hardened with strict user, file, and service ownership restrictions enforced through Linux permissions.
- Data durability: nightly snapshots of the encrypted data volumes in Azure, retained for 10 days.
- System resource and log monitoring on the Azure platform, with email alerts about suspicious activity.
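As an added example (not part of the Primero project's own configuration), an nginx front-end reflecting the deployment posture described above: HTTPS only, TLS 1.2 only, Let's Encrypt certificates, optional client certificates, per-IP rate limiting, and refusal of requests not addressed to the site's DNS name. The web server, the hostname primero.example.org, the client-CA path and the backend port are assumptions; the page does not name them.

```nginx
# Added example, not Primero's own config. Assumptions: nginx terminates TLS,
# the site is primero.example.org, the Rails app listens on 127.0.0.1:3000.
# Per-IP rate limit for public-facing pages (mitigates DoS and brute force).
limit_req_zone $binary_remote_addr zone=public:10m rate=10r/s;

# Requests that do not name the site (bare IP, unknown Host) are refused,
# so only clients that resolved the DNS name reach the application.
server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;   # nginx >= 1.19.4: drop the TLS handshake, no cert needed
    return 444;                # close plain-HTTP connections without a response
}

# Plain HTTP for the real hostname only redirects to HTTPS.
server {
    listen 80;
    server_name primero.example.org;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name primero.example.org;

    # Let's Encrypt domain-validated certificate (certbot's default paths).
    ssl_certificate     /etc/letsencrypt/live/primero.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/primero.example.org/privkey.pem;

    # TLS 1.2 only: TLS 1.0 and 1.1 handshakes are refused. AEAD suites only,
    # reviewed periodically so weak ciphers can be dropped.
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers on;

    # Optional client-certificate authentication: only machines presenting a
    # certificate issued by the organisation's CA (assumed path) are admitted.
    # Remove these two lines for deployments that do not use client certificates.
    ssl_client_certificate /etc/nginx/primero-client-ca.pem;
    ssl_verify_client on;

    location / {
        limit_req zone=public burst=20 nodelay;
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}
```

Password lockout timeouts are enforced by the application itself, not by this front-end; the rate limit only caps how fast any one address can hit the public pages.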
In 2014, Primero underwent a comprehensive security assessment, including a third-party security code review and penetration testing. A threat model was established for the product and has guided subsequent security work. The threat model is reviewed and updated with each major development effort.
UNICEF ICTD and Quoin collaborate in performing regular security scans of the system using Fortify on Demand, a third-party penetration testing tool.
As the primary developer for Primero, Quoin regularly reviews public security vulnerability alerts for the open source components of Primero. Software engineers:
- Monitor the CVE vulnerability repository
- Monitor GitHub’s dependency alert service
- Closely monitor the Ruby, Ruby on Rails, and CouchDB websites for security alerts
- Follow recommendations from OWASP
In addition, a security review based on the threat model and on common OWASP guidelines is performed for each significant development effort. Identified vulnerabilities are evaluated and prioritized by potential risk. Security remediation work is queued as part of Primero’s ongoing global support.
Updated versions of Primero are regularly tested by a dedicated UNICEF QA team and released for deployment.
Additional Security Tools and Processes
- Firewalls are application-layer protective barriers that prevent unknown programs and processes arriving over network connections from accessing the system.
- Antivirus is a computer program used to prevent, detect and remove malicious software.
- Software patches, maintenance and updates are ongoing hardware and software modifications that continually improve the system. Primero runs nightly system security updates.
- System backups and disaster recovery protocols are in place in case of malicious intrusion or system malfunction.
- A mobile device management (MDM) or mobile application management (MAM) solution is recommended for protecting and managing mobile devices, including remote data wipe of lost or stolen devices.
- Choosing secure vendors who maintain a high level of data security, trust and reliability.
There are also precautions you should take as a user of Primero: do not share sensitive information such as your login credentials and passcodes, and keep your computers and mobile devices physically secure against theft or loss.
Primero takes data security seriously and ensures there are various physical, administrative and software controls in place to provide secure case management, family tracing, and incident monitoring capabilities.