Scout Security FAQ
Each customer has a dedicated instance in Azure, thus ensuring data confidentiality and segregation.
Each interaction captured from these applications is used to generate insights that will help you understand how you spend your working hours and identify patterns in your work.
Audit logging is enabled for all access to the systems. Moreover, unauthorized logins are flagged and reported by the SRE team as P1 issues.
Data is stored in the Azure instance spun up for each customer.
Since the data is entirely encrypted, Soroco cannot read your interaction data in any form.
Customer data is directed to their dedicated Scout instance in Azure.
Soroco is responsible for patching all components.
Certificates & Keys
Scout encrypts stored data using AES-256 keys, and transports data using HTTPS / TLS 1.2
Customer data is stored using AES256 bit encryption.
Yes, dedicated encryption keys are used for every customer deployment.
The Scout team directly associated with the project is responsible for managing the keys for Soroco’s Cloud implementation of Scout.
Yes, Scout manages the key management process through the Hashicorp vault.
Encryption of AES 256-bit strength is used across the service.
Scout supports Azure key management and Hashicorp Vault.
Customers provide a PKI for the webservice SSL layer, all other keys are provided.
No. Keys and certificates cannot be shared across environments.
Scout supports both Role based forms and SSO based authentication. Role based access controls are configurable for each module and action in Scout.
Each customer has a dedicated instance in Azure. Directories are unique to each customer
Yes, the Scout platform supports SAML 2.0 and OpenID (OAuth) based SSO.
Scout out-of-the box does not support federated SSO.
Scout has integrated Identity and Access Management (IAM) – the IAM service manages User Identities. The IAM module in Scout also supports SSO integration with the customer’s existing solutions by utilizing SAML/OpenID.
Scout has a default session timeout of 30 minutes, configurable per customer.
Scout verifies a user’s identity before they are allowed to set passwords.
Scout runs monthly Infrastructure and annual product scans.
The following process is defined for vulnerability remediation –
- Create remediation lists and create corresponding issues in ticketing system
- Analyze the vulnerabilities and determine solution options
- Implement the remediation action in test environment
- Initiate change requests as per the Change Management Procedure
- Implement the remediation as per the remediation plan
- Update the hardening guideline/ standard build/procedure where necessary
- Remediation assessments (re-scans) are planned and conducted to review the closure
Yes, regular penetration testing is conducted as per the Vulnerability management program.
For the Soroco Cloud based offering, Soroco is responsible for end-to-end patching of Infrastructure, Operating system, and Application components.
Yes – findings are tracked and rescans are performed till no findings are identified.
Yes – penetration tests of critical applications or networks are conducted at least every 12 months or after significant changes.
Yes, audit log reports are periodically shared with the customer.
Scout logs the following information:
- Events from the data agent are logged, micro services are logged, OS and network parameters are logged. Health of the services and Scout job status are also logged.
- All the logs are kept for a duration of three months in Scout by default. This is configurable based on client IT policies.
- Logs are stored on the server and are only accessible via the physical access to the Scout server by the administrator. This would ensure that logs cannot be accessed by anyone other than designated personnel. Administrator activities in reference to accessing of these logs is also captured. Additionally, the logs are also encrypted at rest, which further ensures that non-authorized users cannot access the logs.
Yes. Soroco Security Incident Management Procedure.
Yes. In an event of a security incident in Soroco Cloud provided service, Soroco is responsible for communication of the same to customer, action to quarantine the environment, assess the impact of the breach, work on an RCA and take further step for hardening the environments.