At NextLevel™ Mediation, the security, confidentiality and privacy of your data are our top priority. Accordingly, we've implemented multiple levels of security to ensure our customers’ information is secure.
Encryption at Rest
D2S Portal information and data is stored on Microsoft Azure database SQL servers which encrypt all stored data. The encrypted stored data (Encryption at Rest) is the encoding (encryption) of data when it is persisted or not actively being used. The Encryption at Rest designs in Azure use symmetric encryption to encrypt and decrypt large amounts of data quickly according to a simple conceptual model:
- A symmetric encryption key is used to encrypt data as it is written to storage (AES 256)
- The same encryption key is used to decrypt that data as it is readied for use in memory
- Keys are stored in a secure location with identity-based access control and audit policies. Data encryption keys are often encrypted with asymmetric encryption to further limit access
Encryption at rest is designed to prevent the attacker from accessing the unencrypted data by ensuring the data is encrypted when on the Azure server/cloud storage devices.
Encryption in Transit
Encryption in transit is a mechanism of protecting data when it is transmitted across networks. With D2S Portal, data is secured by HTTPS Transport-level encryption. In HTTPS, the communication protocol is encrypted using Transport Layer Security (TLS)
Attack Countermeasures
Unlike many other tactics used by bad actors, brute force attacks don’t rely on vulnerabilities within websites & web applications. Instead, these attacks rely on users having weak or guessable credentials to extract them. The objective of a brute force attack is to gain access to a resource otherwise restricted to other users. This attack uses a list of words and common passwords instead of going in randomly, building a “dictionary” of possible passwords and iterating through them.
NextLevel™ Mediation uses the following security measures to prevent these types of attacks
- Requirement for strong passwords
- Use of security access tokens with finite lifetimes
- Use of refresh tokens
- Limiting the number of login attempts
Authentication
Authentication is needed when an application needs to know the identity of the current user. Typically, these applications manage data on behalf of that user and need to make sure that this user can only access the data for which he is allowed. NextLevel™ Mediation implements Identity Server 4.0 which implements the OpenID Connect and OAuth 2.0 protocols. OpenID allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.
Data Redundancy and Backup
NextLevel™ Mediation uses Microsoft Azure cloud services. Locally redundant storage (LRS) copies your data synchronously three times within a single physical location in the primary region. Zone-redundant storage (ZRS) copies your data synchronously across three Azure availability zones in the primary region.
Role Based Access Control
The D2S Portal uses Role-Based Access Control (RBAC). The system restricts access to important data based on the need to know and least privilege security principles. The least privilege security principle means giving a user account or process only those privileges which are essential to perform its intended function. These access rights are granted by assigning the appropriate RBAC role to groups and applications at a certain scope. For example, a user with the role of Client or Attorney, cannot access information about the opposing client or attorney involved in a mediation. On the other hand, a mediator has access to both. Once a user signs on and is authorized by the Identity Server, he/she is given an secure access token and a specific role in the system.
Security Center
Security Center helps us prevent, detect, and respond to threats with increased visibility into and control over the security of our Azure resources. It provides integrated security monitoring and policy management across your Azure subscriptions, helps detect threats that might otherwise go unnoticed, and works with a broad ecosystem of security solutions.In addition, Security Center helps with security operations by providing us a single dashboard that surfaces alerts and recommendations that can be acted upon immediately.