eBail Security Information
Our security objective with eBail is to provide a fast, secure, well-monitored, DDOS-protected application that exceeds industry standards.
Our certified IT team not only monitors eBail and applies the latest security updates, but proactively performs in-house security training, audits, and penetration tests to identify potential security threats. There are three sections to this article:
High Compliance Standards
We employ a defense-in-depth approach starting at the application perimeter: in addition to end-to-end encryption over HTTPS, we use field-level encryption to protect specific data throughout system processing, so only certain applications at your origin can see the data.
We run web application firewalls to counter exploits, ban suspicious traffic, actively learn traffic patterns, and alert on any discrepancies based on a specified set of security rules.
After the traffic has been filtered by the web application firewalls, we apply Distributed Denial of Service (DDoS) protection. We provide always-on detection and automatic inline mitigations that minimize application downtime and latency.
All employees use multi-factor authentication, and components are highly available and physically and logically separated. When it comes to application integrity and data security at eBail we don’t play around.
eBail’s Workload Information
We go above and beyond to operate our workload securely
eBail’s IT department applies overarching best practices to every area of security. We define operational excellence at an organizational and workload level and apply it to all areas.
We stay up to date with industry recommendations and feed evolving threat intelligence into our threat model to guide our security objectives. By automating security processes, testing, and validation we can scale our security operations with our workloads.
We identify and prioritize risks using a threat model:
We use a threat model to identify and maintain an up-to-date register of potential threats.
We identify and validate control objectives for risk mitigation:
Based on our compliance requirements and risks identified from our threat model, we derive and validate the control objectives and controls that need to apply at any point in time.
We Keep up to date with security threats:
We can quickly recognize attack vectors by staying up to date with the latest security threats and implementing appropriate controls.
We keep up to date with security recommendations:
We maintain a forward-looking security posture that evolves with our workloads by following the latest industry security recommendations.
We evaluate and implement new security services and features regularly:
We automate testing and validation of security controls in pipelines:
We use established security mechanisms that are tested and validated as part of our build, pipelines, and processes.
We implement automation to test and validate all security controls continuously. We scan items such as machine images and infrastructure for security vulnerabilities, irregularities, and drift from an established baseline at each stage.
We use continuous integration and continuous deployment (CI/CD) pipelines to test for security issues whenever possible. We keep tooling updated to mitigate evolving threats.
eBail Account Management and Workload Separation
We keep tight controls over the entire access hierarchy:
We organize workloads in separate accounts and group accounts based on function, compliance requirements, or a common set of controls rather than mirroring our organization’s reporting structure. We isolate production workloads from development and test workloads.
Separation of workloads using accounts:
We use account-level separation between workloads to isolate production environments from development and test environments. We also use a strong logical boundary between workloads that process data of different sensitivity levels, as defined by external compliance requirements.
Centrally managed, monitored, and controlled account access:
We use centrally managed accounts to manage our workloads. This helps us manage accounts, set controls, and configure services across accounts. We use service control policies (SCPs) to apply permission guardrails for prevention, detection, and remediation at the organization, organizational unit, account, role, and resource level.
We configure services and resources centrally:
This prevents member accounts from disabling logging. We centrally aggregate data against the rules we have defined, enabling us to audit our workloads for compliance and react quickly to changes.
Here is an example of the results from our last scans (we run over 80 external checks and over 125 internal checks!):
Nothing was found for website technologies.
Nothing was found for vulnerabilities of server-side software.
Nothing was found for client access policies.
Nothing was found for robots.txt file.
Nothing was found for use of untrusted certificates.
Nothing was found for enabled HTTP debug methods.
Nothing was found for secure communication.
Nothing was found for directory listing.
Nothing was found for passwords submitted unencrypted.
Nothing was found for Cross-Site Scripting.
Nothing was found for SQL Injection.
Nothing was found for Local File Inclusion.
Nothing was found for OS Command Injection.
Nothing was found for error messages.
Nothing was found for debug messages.
Nothing was found for code comments.
Nothing was found for missing HTTP header – Strict-Transport-Security.
Nothing was found for missing HTTP header – Content Security Policy.
Nothing was found for missing HTTP header – X-Frame-Options.
Nothing was found for missing HTTP header – X-XSS-Protection.
Nothing was found for missing HTTP header – X-Content-Type-Options.
Nothing was found for missing HTTP header – Referrer.
Nothing was found for domain too loose set for cookies.
Nothing was found for mixed content between HTTP and HTTPS.
Nothing was found for cross domain file inclusion.
Nothing was found for HttpOnly flag of cookie.
Nothing was found for Secure flag of cookie.
Nothing was found for login interfaces.
Nothing was found for secure password submission.
Nothing was found for sensitive data.
Nothing was found for Server Side Request Forgery.
Nothing was found for Open Redirect.
Nothing was found for PHP Code Injection.
Nothing was found for JavaScript Code Injection.
Nothing was found for Ruby Code Injection.
Nothing was found for Python Code Injection.
Nothing was found for Perl Code Injection.
Nothing was found for Remote Code Execution through Log4j.
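Several of the checks listed above (the missing-header findings, the HttpOnly and Secure cookie flags, and the "domain too loose" cookie check) can be reproduced against any captured HTTP response. The following is an added example written for this page, not eBail's own scanner or code: it evaluates a response's headers and Set-Cookie lines against those checks and returns the findings. The host name, the two sample responses and the cookie values are constructed for illustration.

```python
"""Reproduce the header and cookie checks from the scan list above against a
captured HTTP response. Added example; not eBail's tooling. All sample data
below is constructed."""

# Response headers the scan expects to be present, in scan order.
REQUIRED_HEADERS = [
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Frame-Options",
    "X-Content-Type-Options",
    "X-XSS-Protection",
    "Referrer-Policy",
]


def parse_set_cookie(value):
    """Split a Set-Cookie header into (cookie name, {attribute: value}).
    Flag attributes such as Secure or HttpOnly map to an empty string."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def check_response(host, headers, set_cookies):
    """Return a list of findings for one response; an empty list is a clean scan.
    host: the request host (used for the loose-cookie-domain check)
    headers: dict of response headers (any case)
    set_cookies: list of raw Set-Cookie header values"""
    findings = []
    lower = {k.lower(): v for k, v in headers.items()}

    for name in REQUIRED_HEADERS:
        if name.lower() not in lower:
            findings.append(f"missing HTTP header - {name}")

    # Presence alone is not enough for two of the headers: HSTS needs a max-age
    # directive and X-Content-Type-Options is only meaningful as "nosniff".
    hsts = lower.get("strict-transport-security", "")
    if hsts and "max-age" not in hsts.lower():
        findings.append("Strict-Transport-Security without max-age")
    xcto = lower.get("x-content-type-options", "")
    if xcto and xcto.strip().lower() != "nosniff":
        findings.append(f"X-Content-Type-Options is not nosniff: {xcto}")

    for raw in set_cookies:
        name, attrs = parse_set_cookie(raw)
        if "httponly" not in attrs:
            findings.append(f"HttpOnly flag of cookie: {name}")
        if "secure" not in attrs:
            findings.append(f"Secure flag of cookie: {name}")
        # A Domain attribute naming a parent of the request host makes the
        # cookie readable by every sibling subdomain, i.e. "too loose".
        domain = attrs.get("domain", "").lstrip(".").lower()
        if domain and domain != host.lower() and host.lower().endswith("." + domain):
            findings.append(f"domain too loose set for cookie: {name} (Domain={domain})")

    return findings


# Constructed sample host and responses (hypothetical, not eBail's).
SAMPLE_HOST = "app.example.test"

WEAK_HEADERS = {"Content-Type": "text/html", "X-Frame-Options": "DENY"}
WEAK_COOKIES = [
    "session=abc123; Path=/",
    "pref=1; Domain=.example.test; Secure; HttpOnly",
]

HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "0",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
HARDENED_COOKIES = ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"]


if __name__ == "__main__":
    for label, hdrs, cookies in (("weak", WEAK_HEADERS, WEAK_COOKIES),
                                 ("hardened", HARDENED_HEADERS, HARDENED_COOKIES)):
        results = check_response(SAMPLE_HOST, hdrs, cookies)
        print(f"{label}: {len(results)} finding(s)")
        for line in results:
            print("  ", line)
```

Running the block prints eight findings for the constructed weak response and none for the hardened one; the hardened header set is the shape a clean run of the checks above corresponds to.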
How Is Your Data Physically Stored And Secured With eBail?
We use TLS 1.2 and 256-bit AES encryption; all data is encrypted in transit and at rest. All servers have been hardened with over 400 checks to meet Center for Internet Security compliance standards. We implement strong identity and access management. All communications with databases are done over private networks and do not traverse the public internet.
CCTV
Physical access points to server rooms are recorded by Closed Circuit Television Cameras (CCTV). Images are retained according to legal and compliance requirements.
DATA CENTER ENTRY POINTS
Physical access is controlled at building ingress points by professional security staff utilizing surveillance, detection systems, and other electronic means.
INTRUSION DETECTION
Electronic intrusion detection systems are installed within the data layer to monitor, detect, and automatically alert appropriate personnel of security incidents.
COMPREHENSIVE SECURITY AND COMPLIANCE CONTROLS
eBail’s security is run on systems that regularly achieve third-party validation for thousands of national compliance requirements, which are continually monitored to help increase security while reducing operational burden. eBail’s IT environment is run on servers that carry verified compliance artifacts (e.g. ISO 27001, CIS, PCI DSS), in accordance with applicable laws and regulations.
DATA BACKUP & REMEDIATION
Data is stored in different disaster zones to avoid catastrophic failures from earthquakes, fires, or flooding. We also run a backup frequency and retention policy with hourly (every 6 hrs), daily, weekly, and monthly backups. This is how we ensure your data is both safe and secure.
eBail’s IT Security Design Principles
eBail employs a number of principles that help harden the security workload:
IMPLEMENT STRONG IDENTITY AND ACCESS MANAGEMENT
We implement the principle of least privilege and enforce separation of duties with the appropriate authorization for each interaction with eBail resources. We centralize identity management, use service control policies, and aim to only provide temporary credentials.
MONITOR, INVESTIGATE, AND REMEDIATE WITH ENVIRONMENT AUDIT TRACEABILITY
We monitor, alert, and audit actions and changes to our environment in real-time. We integrate log and metric collection with systems to automatically investigate and take steps towards remediation.
SECURITY AT ALL LAYERS
We apply a defense-in-depth approach with multiple security controls. We apply security at all layers: the edge of the network, the VPC, load balancing, CIS/PCI DSS-hardened internet-connected instances and compute services, operating systems, application, and code.
AUTOMATE SECURITY BEST PRACTICES
Automated software-based security mechanisms improve our ability to scale rapidly and securely. eBail’s controls are defined and managed as code in version-controlled templates, with automated patching.
All credentials are kept separate from the code base, encrypted and stored as protected secret text, never exposed within the code base, and rotated programmatically every 30 days.
PROTECT DATA IN TRANSIT AND AT REST
SSL/TLS handshakes for all network traffic happen at the point of entry to the network, and HTTPS is maintained end-to-end on all internal traffic down to the server level. We classify data into sensitivity levels and use mechanisms such as encryption, tokenization, and access control where appropriate.
SAFEGUARD YOUR DATA
We use mechanisms and tools to reduce or eliminate the need for direct access to, or manual processing of, data. This reduces the risk of mishandling, modification, and human error when handling sensitive data. Data uploaded by the customer is securely distributed and backed up without human intervention or traversing the internet.
PROACTIVELY PREPARE FOR SECURITY EVENTS
In the event of an incident, we have incident management and investigation policies and processes that align with eBail’s compliance requirements. We run internal audits with incident response simulations and use tools with automation to increase the speed of detection, investigation, and recovery.
We continue to update our internal security policies. If you have any questions, please reach out to contact@ebail.app.