Overview

At Annex Cloud, our top priority is keeping our customers' data secure. We employ rigorous security measures at the organizational, architectural, and operational levels to ensure that our customers' data, applications, and infrastructure remain safe.

Organizational Security

All employees receive security, privacy, and compliance training the moment they start. Though the extent of involvement may vary by role, security is everybody’s responsibility at Annex Cloud.
This commitment to security extends to our executives. Our security programs drive executive alignment across the company and ensure that security awareness and initiatives permeate the whole organization.

Data Encryption

Annex Cloud uses the Advanced Encryption Standard (AES) algorithm with a key size of 256 bits to keep the data secure at rest.
Secure Sockets Layer (SSL) / Transport Layer Security (TLS) protects user access via the internet, helping to secure network traffic from passive eavesdropping, active tampering, or message forgery. File-based integrations can be encrypted via PGP or a public/private key pair generated by Annex Cloud, using a customer-generated certificate. JWT token authentication is also supported for REST API integrations to the Annex Cloud API.

Logical Security

Annex Cloud access is role-based and supports both SAML single sign-on and native Annex Cloud login.

SAML allows for a seamless single sign-on experience between the customer’s internal web portal and Annex Cloud. Customers log in to their company’s internal web portal using their enterprise username and password and are then presented with a link to Annex Cloud, which grants access automatically without a second login. Annex Cloud also supports Azure SSO, Ping Identity and any SAML 2.0 compliant SSO and identity management service.

Native Login

For customers who wish to use our native login, Annex Cloud stores the Annex Cloud password only as a secure hash, never as the password itself. Unsuccessful login attempts are logged, as is successful login/logout activity, for audit purposes. Inactive user sessions are automatically timed out after a specified period, which the customer can configure per user.
Customer-configurable password rules include length, complexity, expiration, and forgotten-password challenge questions.
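The native-login controls described above (hash-only password storage, configurable length/complexity/expiration rules, and a per-user idle timeout) as an added illustration in Python; this is example code, not Annex Cloud's implementation, and the policy field names, PBKDF2 parameters and timestamps are assumptions.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass

# Hypothetical policy object; the field names are assumptions, not Annex Cloud settings.
@dataclass
class PasswordPolicy:
    min_length: int = 12
    min_char_classes: int = 3   # out of: lowercase, uppercase, digit, symbol
    max_age_days: int = 90

CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
PBKDF2_ROUNDS = 600_000      # assumed work factor
SALT_LEN = 16

def policy_violations(password: str, policy: PasswordPolicy) -> list:
    """Return the rules a candidate password breaks (empty list = acceptable)."""
    classes = sum(bool(re.search(p, password)) for p in CLASS_PATTERNS)
    problems = []
    if len(password) < policy.min_length:
        problems.append("length")
    if classes < policy.min_char_classes:
        problems.append("complexity")
    return problems

def hash_password(password: str, salt: bytes = None) -> bytes:
    """Persist only a random salt plus a PBKDF2-HMAC-SHA256 digest; the plaintext is never stored."""
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest

def verify_password(password: str, stored: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)

def password_expired(set_at: int, now: int, policy: PasswordPolicy) -> bool:
    """Expiration rule: timestamps are epoch seconds (constructed values in the test)."""
    return now - set_at > policy.max_age_days * 86400

def session_expired(last_activity: int, now: int, idle_timeout_minutes: int) -> bool:
    """Per-user idle timeout, in minutes, as the page describes."""
    return now - last_activity > idle_timeout_minutes * 60
```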

Operational Security

Physical Security

Annex Cloud applications are hosted in state-of-the-art cloud centers designed to protect mission-critical computer systems with fully redundant subsystems and compartmentalized security zones.
Annex Cloud is hosted and managed within Cloud Platform in multiple regions around the world. Cloud Platform handles physical and infrastructure security using top-notch security and compliance standards and is designed with no single point of infrastructure failure.

The compliance standards our cloud provider meets include:

  • ISO 27001 & ISO 27018
  • SOC1, SOC2, SOC3
  • FedRAMP
  • HITRUST

Production resources containing customer data are only accessible by authorized Annex Cloud personnel, no wireless networks are used in production, and the production networks require multi-factor VPN for all administrative access.

Network Security

Annex Cloud has established detailed operating policies, procedures, and processes designed to help manage the overall quality and integrity of the Annex Cloud environment. We’ve also implemented proactive security procedures, such as perimeter defense and network intrusion prevention systems (IPSs) from SIEM vendors.
Network IPSs monitor critical network segments for atypical network patterns in the customer environment as well as traffic between tiers and services.

We also maintain a global Security Operations Center 24/7/365.

  • Server security includes vulnerability testing, virus scans, and File Integrity Monitoring
  • SIEM in place for continuous logging
  • SOC team in place for continuous monitoring
  • Incident response processes in place

Annex Cloud has implemented an enterprise Secure Software Development Life Cycle (SSDLC) to help ensure the continued security of Annex Cloud applications.
This program includes an in-depth security risk assessment and review of Annex Cloud features. In addition, both static and dynamic source code analyses are performed to help integrate enterprise security into the development lifecycle. The development process is further enhanced by application security training for developers and penetration testing of the application.

  • Application security is a core focus – a full SSDLC process in place with SAST and DAST
  • Regular manual penetration testing for all endpoints
  • Web Application Firewall (WAF) with the latest modsec and OWASP rules

Role-based access control

Role-based access control (RBAC) limits access to data stored in the cloud based on the roles of particular users within a company. RBAC grants employees access rights only to the information they need to do their jobs and prevents them from accessing information that doesn’t pertain to them. An employee's role in an organization determines the permissions that individual is granted and ensures that lower-level employees can't access sensitive information or perform high-level tasks. In the role-based access control data model, roles are based on several factors, including authorization responsibility and job competency. As such, companies can designate whether a user is an end-user, an administrator, or a specialist user. In addition, access to SaaS software can be limited to specific tasks, such as the ability to view, create, or modify data.

There are a number of benefits to using RBAC to restrict unnecessary access based on people's roles within an organization, including:

  • Improving operational efficiency
  • Enhancing compliance
  • Giving administrators increased visibility
  • Decreasing the risk of breaches and data leakage
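The RBAC model described above, as an added Python example that is not Annex Cloud's code: the three role types from the text (end-user, specialist, administrator) are mapped to view/create/modify rights on a set of constructed resource names, every decision is denied unless a rule explicitly allows it, and each decision is recorded for audit.

```python
from enum import Enum

class Action(Enum):
    VIEW = "view"
    CREATE = "create"
    MODIFY = "modify"

ALL = {Action.VIEW, Action.CREATE, Action.MODIFY}

# Hypothetical permission matrix: role -> resource -> allowed actions.
# Role names follow the page; resource names are constructed for the example.
PERMISSIONS = {
    "end-user": {
        "own-profile": {Action.VIEW, Action.MODIFY},
        "rewards": {Action.VIEW, Action.CREATE},
    },
    "specialist": {
        "own-profile": {Action.VIEW, Action.MODIFY},
        "rewards": ALL,
        "campaign-reports": {Action.VIEW},          # read-only on reports
    },
    "administrator": {
        "own-profile": ALL,
        "rewards": ALL,
        "campaign-reports": ALL,
        "user-accounts": ALL,                       # only admins manage accounts
    },
}

# Constructed user-to-role assignment (one role per employee, as on the page).
USER_ROLES = {"alice": "administrator", "bob": "specialist", "carol": "end-user"}

AUDIT = []   # (user, role, action, resource, decision) for every check

def is_allowed(user: str, action: Action, resource: str) -> bool:
    """Deny by default: an unknown user, role, resource or action is refused."""
    role = USER_ROLES.get(user)
    allowed = PERMISSIONS.get(role, {}).get(resource, set())
    decision = action in allowed
    AUDIT.append((user, role, action.value, resource, "allow" if decision else "deny"))
    return decision

def denied_events():
    """Audit view: every refused access attempt, useful for spotting probing or misconfigured roles."""
    return [e for e in AUDIT if e[-1] == "deny"]
```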

Annex Cloud contracts with third-party expert firms to conduct independent internal and external network, system, and application vulnerability assessments.

Application

We contract with a leading third-party security firm to perform an application-level security vulnerability assessment of our applications. The firm performs testing procedures to identify standard and advanced web application security vulnerabilities, including, but not limited to, the following:

  • Security weaknesses associated with Flash, Flex, AJAX, and ActionScript
  • Cross-site request forgery (CSRF)
  • Improper input handling (such as cross-site scripting, SQL injection, XML injection, and cross-site flashing)
  • XML and SOAP attacks
  • Weak session management
  • Data validation flaws and data model constraint inconsistencies
  • Insufficient authentication or authorization
  • HTTP response splitting
  • Misuse of SSL/TLS
  • Use of unsafe HTTP methods
  • Misuse of cryptography

External vulnerability assessments scan all internet-facing assets, including firewalls, routers, and web servers, for potential weaknesses that could allow unauthorized access to the network. In addition, an authenticated internal network and system vulnerability assessment is performed to identify potential weaknesses and inconsistencies with general system security policies.