On 17th November 2021 we completed the final external assessment as required by the ISO 27001 standard and have received our certification by The British Standards Institute (BSI).
“Security is imperative to us at Signagelive and is fundamental to everything we do. We are trusted with our customers’ data and it is part of our mission to ensure it is protected by best-practice policies and procedures across the entire business.”
Segregation of development, testing and production environments
Signagelive is a multi-tenant solution in which client data is segregated by a “Signagelive Network”. The Network is the master object that controls security and holds the Players, Media, Schedules, Reports, device Licences and related data. A customer can have multiple “Signagelive Networks” if they wish to further separate their devices and control who can access each one through the online portal.
Production and non-production systems are separated at the network level by IP address filtering (security groups) within our data centres. Because we use public cloud infrastructure, we cannot guarantee that production and non-production compute instances never run on the same host server; host placement is determined by the IaaS provider, whose orchestration algorithms attempt to distribute customers’ virtual assets across physical assets.
Customer data is separated within the Signagelive databases by customer keys. We validate all incoming and outgoing data in accordance with OWASP secure coding best practices, ensuring that the caller has permission to access the data and has sent a well-formed request.
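To illustrate the two checks described above (the caller must belong to the requested Network, and a well-formed request must still be rejected if it names an object from another Network), here is an added example in Python. It is not Signagelive’s code; the data store, identifiers and request shape are constructed for the example.

```python
"""Tenant-scoped lookup for a multi-tenant model where every object belongs to
exactly one Network. Added example with a constructed in-memory data store."""
import re

# Constructed sample data: two Networks, each with one member and one Player.
NETWORK_MEMBERS = {"net-a": {"alice"}, "net-b": {"bob"}}
PLAYERS = {
    "p-100": {"network": "net-a", "name": "Lobby screen"},
    "p-200": {"network": "net-b", "name": "Cafe screen"},
}
ID_RE = re.compile(r"^[a-z]+-[0-9]+$")  # hypothetical identifier format


class BadRequest(Exception): ...
class Forbidden(Exception): ...
class NotFound(Exception): ...


def validate_request(req):
    """Reject malformed input before the data store is touched at all."""
    for field in ("caller", "network", "player_id"):
        if not isinstance(req.get(field), str) or not req[field]:
            raise BadRequest(f"missing or invalid field: {field}")
    if not ID_RE.match(req["player_id"]):
        raise BadRequest("malformed player_id")
    return req


def get_player(req):
    req = validate_request(req)
    # Authorisation check: the caller must be a member of the Network named.
    if req["caller"] not in NETWORK_MEMBERS.get(req["network"], set()):
        raise Forbidden("caller is not a member of this network")
    player = PLAYERS.get(req["player_id"])
    # Tenant check: an object that exists but belongs to another Network is
    # treated exactly like a missing one, so other tenants' ids cannot be probed.
    if player is None or player["network"] != req["network"]:
        raise NotFound("player not found in caller's network")
    return player


def handle_get_player(req):
    """HTTP-style wrapper so every failure maps to a deliberate status code."""
    try:
        return {"status": 200, "player": get_player(req)}
    except BadRequest as exc:
        return {"status": 400, "error": str(exc)}
    except Forbidden:
        return {"status": 403, "error": "forbidden"}
    except NotFound:
        return {"status": 404, "error": "not found"}
```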
Privileged access to all environments via secure VPN that requires 2FA
Throughout the company, we operate on the principle of least privilege, so only key personnel within our Development Team have access to the server infrastructure. Access is via a VPN that requires 2FA. We use a Remote Desktop / SSH management tool to simplify access to our servers; it requires a username and password, and that password is never cached locally on workstations but must be retrieved from our password manager, which itself requires 2FA.
Each administrator has a unique username and password for accessing the servers once a VPN connection is established. To access the AWS and Rackspace Admin Consoles all users are assigned unique user accounts with the minimum required privileges to perform their role. These are all protected with 2FA.
Root Admin accounts are distinct from normal accounts, are accessible only by the CTO, and are protected by 2FA.
Antivirus scanning of infrastructure and media files
We have ESET Antivirus tools installed on all of our servers.
We run weekly Tenable vulnerability scans across all our servers and remediate findings in a timeframe that depends on their severity. We also patch all our servers on a regular basis and as part of every release cycle.
Signagelive conducts 4-monthly Penetration Tests of the Cloud Platform, aligned with major updates to the Signagelive platform. All aspects of the platform are tested, but critical items such as account access, horizontal user-level escalation, and access to unauthorised data and functions are validated with the highest priority.
Out-of-band Penetration Tests are performed when there are significant changes to the Signagelive environment, for example changes to the authentication procedure or new APIs used by the platform. Penetration Tests are conducted by Signagelive’s CREST-approved partner, Nettitude.
We have weekly scans using Tenable to check for network and OS vulnerabilities.
In addition to quarterly penetration tests, the Signagelive environment is scanned weekly by Qualys. We use Qualys for Web Application Scanning and Tenable for weekly Vulnerability Scanning, so we are continually benchmarking each scan against the previous ones and fixing the issues they raise.
Web Application Scans check for (amongst other things):
• OWASP Top 10 Vulnerabilities
• Cross-Site Scripting
• Cross-Site Request Forgery
Vulnerability Scans check for (amongst other things):
• Open ports
• SSL certificates (ciphers, expiry dates, etc.)
• Unexpected access points
• Unauthorized software
Internal IT: encrypted laptops, secure password management, 2FA, SSO, robust software approval and auditing processes
Throughout Signagelive we operate on the principle of least privilege. Signagelive employees may only access our systems from company-provided and managed devices, which are controlled centrally by JumpCloud (Windows) and/or Google Workspace (mobile devices).
Review our End user agreement
Signagelive user accounts are protected by a secure login.
At Signagelive we appreciate the importance of customer information and understand that it is crucial to safeguard customers’ data and protect it from inappropriate use.
Our practice respects the use of your Personal Information.
If you use OneLogin, Okta, Azure AD or PingFederate, you can use its integration with Signagelive to manage your user accounts through a single login.