Application Security & Privacy Framework
At Lovestock & Leaf, the privacy and security of applications we develop and 3rd party Software as a Service cloud solutions we implement is of critical importance. A key component of all of our business critical development projects is to map out the security risks involved in handling client data and to ensure that the necessary processes and software are implemented to protect data from unauthorised access or loss. The level of security required will depend on the specific requirements of the business and data sensitivity, however at a minimum we consider and adhere to as necessary the following application security protocols.
Encryption – Secure Socket Layers – (SSL)
As best practice for implementing security for web applications, SSL is always used as the base security layer, meaning that anything communicated over the web is encrypted with enterprise grade cryptographic protocols. By using SSL, all sessions to your application are encrypted and end-customers/users are directed to a secure HTTPS site. (e.g https://yoursite.lovestockleaf.com)
Compliance with Information Privacy Principles
Working as an agency on behalf of our clients, we are always cognisant of the overarching 10 point privacy principals detailed in the Australian Privacy Act 1988. These privacy principles summarise the requirements of the Privacy Act of 1988. The principles are to be followed by companies that collect personal information from their own customers. Any web solution we develop that collects such customer data therefore must consider how these elements apply and what security measures need to be put in place for the project at hand.
Remote Authentication/Single-Sign-On (SSO)
At L&L, we are specialists in designing and configuring remote authentication and SSO solutions to securely sign in users seamlessly from one application to another. Specifically, we develop solutions for integration of multiple SaaS applications as well as utilising API frameworks to securely pass data between separate applications.
3rd Party Hosting Service Compliance & Certification
Hosting services engaged by L&L to host and manage applications we have developed for our clients are subject to stringent security and privacy criteria. Depending on the level of data risk, decisions are made on hosts and data centres that are proven to be compliant with industry standards and protocols relating to the application security techniques and privacy considerations relating to data handling. A list of the relevant standards and programs that we look for in selecting a hosting provider for our clients is below:
- International Standards Organisation – ISO/IEC 27005:2011
- Statement on Standards for Attestation Engagements (SSAE) No. 16
- Authorised Privacy Body Certification such as the TRUSTe Program
- US hosted applications – compliance with the US/EU safe harbor agreement relating to standards for privacy protection (http://export.gov/safeharbor/)
Data Access & Retrieval
One of the key criteria we use in selecting a SaaS solution for our clients is to ensure that the client's data, although hosted externally can be retrieved upon request and easily exported from the application for ongoing data backup and client use.
Intrusion Detection / Prevention
Our network is gated and screened by highly powerful and certified Intrusion Detection / Intrusion Prevention Systems. All security alerts are then centrally logged and tracked by security professionals
All systems used by Lovestock & Leaf require at least two or more forms of authentation provided during the initialization of each session. This ensures an greater level of security through the prevention of
Zero Knowledge Encryption
Lovestock & Leaf can provide clients with solutions built with end to end encryption (both at rest and in transit). Zero knowledge encryption ensures complete privacy and security for end users and security compliance by ensuring that only the end user can decrypt their own data.
Lovestock & Leaf maintains full audit logs on all our services and systems to ensure complete auditability in the unlikely event of a security breach. Infrastructure audit logs are archived indefinetly offsite in a secure facility and secured using role based multi factor authentication to ensure the highest level of integrity.
All Lovestock & Leafs' services are protected using sophisticated firewalls which maintain a secure perimeter. This provides full firewall protection that conceals the architecture of the internal networks from the outside world including protection against attacks.