Scout Security FAQ

Scout Security FAQ page-01

Data Center

How is data related to a particular client kept confidential / separate from data associated with another client?​
Each customer has a dedicated instance in Azure, thus ensuring data confidentiality and segregation.​

Each interaction captured from these applications is used to generate insights that will help you understand how you spend your working hours and identify patterns in your work.
Is there any monitoring /escalation process in place for non-authorized access to systems?​
Audit logging is enabled for all access to the systems. Moreover, unauthorized logins are flagged and reported by the SRE team as P1 issues.​
Where is the customer data stored?
Data is stored in the Azure instance spun up for each customer.​

Since the data is entirely encrypted, Soroco cannot read your interaction data in any form.
How are data transfers of different customers managed?
Customer data is directed to their dedicated Scout instance in Azure
Which entity is responsible for patching all components that make up the cloud service? For which components is Soroco responsible?
Soroco is responsible for patching all components.​

Certificates & Keys​

How is data security managed in Scout?​
Scout encrypts stored data using AES-256 keys, and transports data using HTTPS / TLS 1.2
How strong is the data encryption and data integrity?​
Customer data is stored using AES256 bit encryption.
Are different encryption keys used for different customers?​
Yes, dedicated encryption keys are used for every customer deployment.
Who is responsible for managing the cryptographic keys?​
The Scout team directly associated with the project is responsible for managing the keys for Soroco’s Cloud implementation of Scout.
Does the team responsible for managing the cryptographic keys follow key management procedures including Key recovery, Key updates, Key backup and restore?​
Yes, Scout manages the key management process through the Hashicorp vault.​
What type of keys, in terms of strength, are used across the service?
Encryption of AES 256-bit strength is used across the service.​
If PKI Certificates are used for externally facing websites, do the PKI Certificates use a fully qualified Domain Name for the Subject common name (CN) (e.g., CN=www.customer.com, wildcard certificates not in use)?
Yes.
What is the key management process supported by the application?​
Scout supports Azure key management and Hashicorp Vault.
Can customers provide their keys or is Bring Your Own Keys (BYOK) supported?​
Customers provide a PKI for the webservice SSL layer, all other keys are provided​
Can the same encryption key/certificate be shared between production and non-production environments?
No. Keys and certificates cannot be shared across environments.​

Authentication

What kinds of authentication and access control procedures are in place?
Scout supports both Role based forms and SSO based authentication. Role based access controls are configurable for each module and action in Scout.​
How does the authentication process segregate the access to data across different customers?
Each customer has a dedicated instance in Azure. Directories are unique to each customer​
Are all actions taken by any individual with root or administrative privileges, logged each time it occurs?​
Yes.
Does Scout support Single Sign-On (SSO), and if so, which standards?
Yes, the Scout platform supports SAML 2.0 and OpenID (OAuth) based SSO.​
Does Scout support federated Single Sign-On (SSO), and if so, which standards?
Scout out-of-the box does not support federated SSO​.
How are identities of customers using the Cloud service managed?​
Scout has integrated Identity and Access Management (IAM) – the IAM service manages User Identities. The IAM module in Scout also supports SSO integration with the customer’s existing solutions by utilizing SAML/OpenID.​
Are users required to re-authenticate to unlock a session (desktop, database, or application) that has been inactive for more than 30 minutes?​
Scout has a default session timeout of 30 minutes, configurable per customer.
Is a user's identity verified before communicating an initial/temporary password or initiating a password reset by an automated or manual process?
Scout verifies a user’s identity before they are allowed to set passwords.​

Vulnerability management​

What is the frequency of vulnerability scans performed by Scout?
Scout runs monthly Infrastructure and annual product scans.​
What is the vulnerability remediation process followed in Scout?
The following process is defined for vulnerability remediation -
Is regular penetration testing conducted in the system?
Yes, regular penetration testing is conducted as per the Vulnerability management program.
Which entity is responsible for patching all components that make up the cloud service? For which components is Soroco responsible?
For the Soroco Cloud based offering, Soroco is responsible for end-to-end patching of Infrastructure, Operating system, and Application components.​
Are findings from vulnerability scans tracked and are rescans performed until no findings are identified?
Yes – findings are tracked and rescans are performed till no findings are identified.​
Are penetration tests of critical applications or networks with Internet connectivity conducted at least every 12 months and after significant changes?​
Yes – penetration tests of critical applications or networks are conducted at least every 12 months or after significant changes.

Logging

Does each customer have a regular log of access to their data?​
Yes, audit log reports are periodically shared with the customer.​
Are all actions taken by any individual with root or administrative privileges, logged each time it occurs?​
Yes.
Are logs continually reviewed, in real time, by a dedicated person/team​?
Yes.
Are logs protected from tampering and unauthorized access and retained for at least 1 year​?
Yes.
What ability does the product have to log User Activity Auditing and Administrator Activity Auditing​?
Scout logs the following information:​

Incident Management​

Is there a documented Information Security Incident Management procedure in place?​
Yes. Soroco Security Incident Management Procedure​.
Are incident response procedures for information security incidents defined and documented (e.g., network outages, abuse of access privileges)?​
Yes.
Are information security/business continuity incidents documented?​
Yes.
Is there a process to notify customers of information security incidents / business continuity incident that affects customer data or services?
Yes. In an event of a security incident in Soroco Cloud provided service, Soroco is responsible for communication of the same to customer, action to quarantine the environment, assess the impact of the breach, work on an RCA and take further step for hardening the environments.​

See Scout in action.
Schedule your demo now!