Thousands of customers across the globe trust us with their data privacy and security. We back ourselves up with robust data security and privacy practices that form an integral part of our product engineering and service delivery teams. We follow security principles based on OWASP standards right from design to delivery. Security is at the heart of how we build our products, secure your data and provide high availability at all times.
We follow a multi-fold model of security practices, which has the following components:
1. Highly Resilient Architecture
2. Secured Product Build
3. Secure APIs
4. Organizational Security
5. Physical Security
6. Infrastructure Security
7. Data Security
8. Identity and access control
9. Operational Security
10. Incident Management
11. Vendor Management
12. Customer controls for security
We understand the value of data. With our robust system of data safeguards, we allow you to focus on the data rather than on its security. We use the Digital Ocean cloud service provider, one of the leaders in cloud services and cloud platforms.
We have role-based access through IAM that enforces segregation of duties, two-factor authentication, and end-to-end audit trails, ensuring access is in accordance with the security context.
We use SHA-256-bit encryption with RSA for data at rest and FIPS 140-2 compliant TLS encryption for data in transit.
Product Road mapping
The product roadmap is defined and reviewed periodically by the Product Owner. Security fixes are prioritized and are bundled in the earliest possible sprint.
Our DevOps sprints are powered by a multi-disciplinary Squad of members including the Product Owner and Quality Assurance.
All changes are tested by the Quality Assurance team and criteria are established for performing code reviews, web vulnerability assessment, and advanced security tests.
Builds are put through stringent functionality tests, performance tests, stability tests, and UX tests before the build is certified "Good to go".
Source code is managed centrally with version controls, and access is restricted based on the teams that are assigned to specific sprints. Records are maintained for code changes and code check-ins and check-outs.
Segregation of Duties
Access to production is restricted to a very limited set of users based on their job roles. Access to the production environment for developers and Quality Assurance team members is restricted based on their job responsibilities.
We enable participation in the API economy in a secure manner through Kylas API clients and integration apps.
This is accomplished by implementing a strong authentication mechanism on our API calls, dynamic throttling based on API requests, and a robust yet simple RESTful architecture that further simplifies security.
Adoption of an architectural style that simplifies security
Based on Representational State Transfer technology, RESTful enables developers to safely expose web services with fine-grained modularity, breaking the source code into logically atomic components, each with its unique security context. RESTful further enables robust authentication powered by standards like OAuth and JWT.
Defense in depth using API Gateway
To protect the authentication tokens in transit, the APIs terminate in the gateway only on endpoints that accept HTTPS over TLS. A JWT token is used to authorize all API requests to the target API gateway, without exposing the components deeper in the platform such as relational databases and business logic engines.
Securing API requests
Web tokens are further used to secure JSON and HTTPS based transmission for secure assertion of identity claims between two applications. This addresses key entropy and latency, reduces the attack surface, and improves traceability.
The number of API calls is throttled (rate limited) to mitigate application-layer DDoS and brute-force attacks.
API Lifecycle Security
With security embedded in the API lifecycle, Kylas provides a framework for developers to create, control, and consume our APIs. The framework enables serverless computing for developers, enabling auto scaling and mitigating obsolescence while letting them remain oblivious to the compute and storage requirements underneath.
We have an Information Security Team (IST) in place which takes into account our security objectives and the risks and mitigations concerning all the interested parties. We employ strict policies and procedures encompassing the security, availability, processing, integrity, and confidentiality of customer data.
Employee Background Checks
Each employee undergoes a process of background verification. We hire reputed external agencies to perform this check on our behalf. We do this to verify their criminal records, previous employment records if any, and educational background. Until this check is performed, the employee is not assigned tasks that may pose risks to users.
Each employee, when inducted, signs a confidentiality agreement and acceptable use policy, after which they undergo training in information security, privacy, and compliance. Furthermore, we evaluate their understanding through tests and quizzes to determine which topics they need further training in. We provide training on specific aspects of security that they may require based on their roles.
We educate our employees continually on information security, privacy, and compliance in our internal community where our employees check in regularly, to keep them updated regarding the security practices of the organization. We also host internal events to raise awareness and drive innovation in security and privacy.
Dedicated Security and Privacy teams
We have dedicated security and privacy teams that implement and manage our security and privacy programs. They engineer and maintain our defense systems, develop review processes for security, and constantly monitor our networks to detect suspicious activity. They provide domain-specific consulting services and guidance to our engineering teams.
Internal Audit and Compliance
We have a dedicated compliance team to review procedures and policies in Kylas to align them with standards, and to determine what controls, processes, and systems are needed to meet the standards. This team also does periodic internal audits and facilitates independent audits and assessments by third parties.
All workstations issued to Kylas employees run an up-to-date OS version and are configured with anti-virus software. They are configured such that they comply with our standards for security, which require all workstations to be properly configured, patched, and tracked and monitored by Kylas’ endpoint management solutions. These workstations are secure by default as they are configured to encrypt data at rest, have strong passwords, and get locked when they are idle. Mobile devices used for business purposes are enrolled in the mobile device management system to ensure they meet our security standards.
We control access to our resources (buildings, infrastructure and facilities), where accessing includes consumption, entry, and utilization, with the help of access cards. We provide employees, contractors, vendors, and visitors with different access cards that only allow access strictly specific to the purpose of their entrance into the premises. The Human Resource (HR) team establishes and maintains the purposes specific to roles. We maintain access logs to spot and address anomalies.
At Data Centers
Our service providers’ data centers are located at secure locations, and our service provider takes responsibility for the building, cooling, power, and physical security.
We monitor all entry and exit movements throughout our premises through CCTV cameras deployed according to local regulations. Back-up footage is available up to a certain period, depending on the requirements for that location.
Our network security and monitoring techniques are designed to provide multiple layers of protection and defense. Our cloud service providers use high-grade network firewalls to prevent our network from unauthorized access and undesirable traffic. Systems supporting testing and development activities are hosted in a separate network from systems supporting Kylas’ production infrastructure.
All the components of our platform are redundant. We use a distributed grid architecture to shield our system and services from the effects of possible server failures. If there's a server failure, users can carry on as usual because their data and Kylas services will still be available to them.
Our service providers additionally use multiple switches, routers, and security gateways to ensure device-level redundancy. This prevents single-point failures in the internal network.
Our cloud providers (Digital Ocean https://www.digitalocean.com/) use technologies from well-established and trustworthy service providers to prevent DDoS attacks on our servers. These technologies offer multiple DDoS mitigation capabilities to prevent disruptions caused by bad traffic, while allowing good traffic through. This keeps our websites, applications, and APIs highly available and performing.
All servers provisioned for development and testing activities are hardened (by disabling unused ports and accounts, removing default passwords, etc.). The base Operating System (OS) image has server hardening built into it, and this OS image is provisioned in the servers, to ensure consistency across servers.
Intrusion Detection and Prevention
Our service providers' intrusion detection mechanism takes note of host-based signals on individual devices and network-based signals from monitoring points within our servers. Administrative access, use of privileged commands, and system calls on all servers in our production network are logged.
At the Internet Service Provider (ISP) level, a multi-layered security approach is implemented with scrubbing, network routing, rate limiting, and filtering to handle attacks from the network layer to the application layer. This system provides clean traffic, reliable proxy service, and prompt reporting of attacks, if any.
Secure by design
Every change and new feature is governed by a change management policy to ensure all application changes are authorized before implementation into production. Our Software Development Life Cycle (SDLC) mandates adherence to secure coding guidelines, as well as screening of code changes for potential security issues with manual review processes.
Our robust security framework based on OWASP standards, implemented in the application layer, provides functionalities to mitigate threats such as SQL injection attacks, cross-site scripting, and application-layer DoS attacks.
Our framework distributes and maintains the cloud space for our customers. Each customer's service data is logically separated from other customers' data using a set of secure protocols in the framework. This ensures that no customer's service data becomes accessible to another customer.
The service data is stored on our servers when you use our services. Your data is owned by you, and not by Kylas. We do not share this data with any third-party without your consent.
In transit: All customer data transmitted to our servers over public networks is protected using strong encryption protocols. We mandate that all connections to our servers use Transport Layer Security (TLS 1.2/1.3) encryption with strong ciphers, including web access, API access, our mobile apps, and IMAP/POP/SMTP email client access. This ensures a secure connection by allowing the authentication of both parties involved in the connection, and by encrypting data to be transferred. Additionally, for email, we use MailGun, Gmail, and Outlook API services, which leverage opportunistic TLS by default. TLS encrypts and delivers email securely, mitigating eavesdropping between mail servers where peer services support this protocol.
We have full support for Perfect Forward Secrecy (PFS) with our encrypted connections, which ensures that even if we were somehow compromised in the future, no previous communication could be decrypted. We have enabled the HTTP Strict Transport Security (HSTS) header for all our web connections. This tells all modern browsers to only connect to us over an encrypted connection, even if you type a URL to an insecure page at our site. Additionally, on the web we flag all our authentication cookies as secure.
Sensitive customer data at rest is encrypted using 256-bit Advanced RSA encryption.
We employ technical access controls and internal policies to prohibit employees from arbitrarily accessing user data. We adhere to the principles of least privilege and role-based permissions to minimize the risk of data exposure.
Access to production environments is maintained by a central directory and authenticated using a combination of strong passwords, two-factor authentication, and passphrase-protected SSH keys.
Logging and monitoring
We monitor and analyze information gathered from services, internal traffic in our network, and usage of devices and terminals. We record this information in the form of event logs, audit logs, fault logs, administrator logs, and operator logs. These logs are automatically monitored and analyzed to a reasonable extent that helps us identify anomalies such as unusual activity in employees’ accounts or attempts to access customer data. We store these logs in a secure server isolated from full system access, to manage access control centrally and ensure availability.
Detailed audit logging covering all update and delete operations performed by the user is available to the customers in every Kylas service.
Our cloud service providers run incremental backups every day and weekly full backups. Backup data in the DC is stored in the same location and kept encrypted.
To ensure the safety of the backed-up data, our service provider uses a redundant array of independent disks (RAID) in the backup servers. All backups are scheduled and tracked regularly. In case of a failure, a re-run is initiated and is fixed immediately.
From your end, we strongly recommend scheduling regular backups of your data by exporting it from the respective Kylas services and storing it locally in your infrastructure.
Disaster recovery and business continuity
Application data is stored on resilient storage that is replicated across data centers. Data in the primary DC is replicated in the secondary in near real time. In case of failure of the primary DC, the secondary DC takes over and operations are carried on smoothly with minimal or no loss of time. Both centers are equipped with multiple ISPs.
Our cloud service providers have power back-up, temperature control systems and fire-prevention systems as physical measures to ensure business continuity. These measures help us achieve resilience. In addition to the redundancy of data, we have a business continuity plan for our major operations such as support and infrastructure management.
We have a dedicated incident management team. We notify you of the incidents in our environment that apply to you, along with suitable actions that you may need to take. We track and close the incidents with appropriate corrective actions. Whenever applicable, we will identify, collect, acquire and provide you with necessary evidence in the form of application and audit logs regarding incidents that apply to you. Furthermore, we implement controls to prevent recurrence of similar situations.
We respond with high priority to the security or privacy incidents you report to us through our support channels. For general incidents, we will notify users through our blogs, forums, and social media. For incidents specific to an individual user or an organization, we will notify the concerned party through email (using the primary email address of the Organization administrator registered with us).
Depending on specific requirements, we notify the customers too, when necessary. As data processors, we inform the concerned data controllers without undue delay.
We evaluate and qualify our vendors based on our vendor management policy. We onboard new vendors after understanding their processes for delivering us service and performing risk assessments. We take appropriate steps to ensure our security stance is maintained by establishing agreements that require the vendors to adhere to confidentiality, availability, and integrity commitments we have made to our customers. We monitor the effective operation of the organization’s process and security measures by conducting periodic reviews of their controls.
So far, we have discussed what we do to offer security on various fronts to our customers. Here are the things that you as a customer can do to ensure security from your end: