Scout Security FAQ

Data Center

Each customer has a dedicated instance in Azure, thus ensuring data confidentiality and segregation.

Each interaction captured from these applications is used to generate insights that will help you understand how you spend your working hours and identify patterns in your work.

Is there any monitoring /escalation process in place for non-authorized access to systems?

Audit logging is enabled for all access to the systems. Moreover, unauthorized logins are flagged and reported by the SRE team as P1 issues.

Where is the customer data stored?

Data is stored in the Azure instance spun up for each customer.

Since the data is entirely encrypted, Soroco cannot read your interaction data in any form.

How are data transfers of different customers managed?

Customer data is directed to their dedicated Scout instance in Azure.

Which entity is responsible for patching all components that make up the cloud service? For which components is Soroco responsible?

Soroco is responsible for patching all components.

Certificates & Keys

How is data security managed in Scout?

Scout encrypts stored data using AES-256 keys, and transports data using HTTPS / TLS 1.2

How strong is the data encryption and data integrity?

Customer data is stored using AES256 bit encryption.

Are different encryption keys used for different customers?

Yes, dedicated encryption keys are used for every customer deployment.

Who is responsible for managing the cryptographic keys?

The Scout team directly associated with the project is responsible for managing the keys for Soroco’s Cloud implementation of Scout.

Does the team responsible for managing the cryptographic keys follow key management procedures including Key recovery, Key updates, Key backup and restore?

Yes, Scout manages the key management process through the Hashicorp vault.

What type of keys, in terms of strength, are used across the service?

Encryption of AES 256-bit strength is used across the service.

If PKI Certificates are used for externally facing websites, do the PKI Certificates use a fully qualified Domain Name for the Subject common name (CN) (e.g., CN=www.customer.com, wildcard certificates not in use)?

Yes.

What is the key management process supported by the application?

Scout supports Azure key management and Hashicorp Vault.

Can customers provide their keys or is Bring Your Own Keys (BYOK) supported?

Customers provide a PKI for the webservice SSL layer, all other keys are provided.

Can the same encryption key/certificate be shared between production and non-production environments?

No. Keys and certificates cannot be shared across environments.

Authentication

What kinds of authentication and access control procedures are in place?

Scout supports both Role based forms and SSO based authentication. Role based access controls are configurable for each module and action in Scout.

How does the authentication process segregate the access to data across different customers?

Each customer has a dedicated instance in Azure. Directories are unique to each customer

Are all actions taken by any individual with root or administrative privileges, logged each time it occurs?

Yes.

Does Scout support Single Sign-On (SSO), and if so, which standards?

Yes, the Scout platform supports SAML 2.0 and OpenID (OAuth) based SSO.

Does Scout support federated Single Sign-On (SSO), and if so, which standards?

Scout out-of-the box does not support federated SSO.

How are identities of customers using the Cloud service managed?

Scout has integrated Identity and Access Management (IAM) – the IAM service manages User Identities. The IAM module in Scout also supports SSO integration with the customer’s existing solutions by utilizing SAML/OpenID.

Are users required to re-authenticate to unlock a session (desktop, database, or application) that has been inactive for more than 30 minutes?

Scout has a default session timeout of 30 minutes, configurable per customer.

Is a user's identity verified before communicating an initial/temporary password or initiating a password reset by an automated or manual process?

Scout verifies a user’s identity before they are allowed to set passwords.

Vulnerability management

What is the frequency of vulnerability scans performed by Scout?

Scout runs monthly Infrastructure and annual product scans.

What is the vulnerability remediation process followed in Scout?

The following process is defined for vulnerability remediation –

Create remediation lists and create corresponding issues in ticketing system
Analyze the vulnerabilities and determine solution options
Implement the remediation action in test environment
Initiate change requests as per the Change Management Procedure
Implement the remediation as per the remediation plan
Update the hardening guideline/ standard build/procedure where necessary
Remediation assessments (re-scans) are planned and conducted to review the closure

Is regular penetration testing conducted in the system?

Yes, regular penetration testing is conducted as per the Vulnerability management program.

Which entity is responsible for patching all components that make up the cloud service? For which components is Soroco responsible?

For the Soroco Cloud based offering, Soroco is responsible for end-to-end patching of Infrastructure, Operating system, and Application components.

Are findings from vulnerability scans tracked and are rescans performed until no findings are identified?

Yes – findings are tracked and rescans are performed till no findings are identified.

Are penetration tests of critical applications or networks with Internet connectivity conducted at least every 12 months and after significant changes?

Yes – penetration tests of critical applications or networks are conducted at least every 12 months or after significant changes.

Logging

Does each customer have a regular log of access to their data?

Yes, audit log reports are periodically shared with the customer.

Are all actions taken by any individual with root or administrative privileges, logged each time it occurs?

Yes.

Are logs continually reviewed, in real time, by a dedicated person/team?

Yes.

Are logs protected from tampering and unauthorized access and retained for at least 1 year?

Yes.

What ability does the product have to log User Activity Auditing and Administrator Activity Auditing?

Scout logs the following information:

Events from the data agent are logged, micro services are logged, OS and network parameters are logged. Health of the services and Scout job status are also logged.
All the logs are kept for a duration of three months in Scout by default. This is configurable based on client IT policies.
Logs are stored on the server and are only accessible via the physical access to the Scout server by the administrator. This would ensure that logs cannot be accessed by anyone other than designated personnel. Administrator activities in reference to accessing of these logs is also captured. Additionally, the logs are also encrypted at rest, which further ensures that non-authorized users cannot access the logs.

Incident Management

Is there a documented Information Security Incident Management procedure in place?

Yes. Soroco Security Incident Management Procedure.

Are incident response procedures for information security incidents defined and documented (e.g., network outages, abuse of access privileges)?

Yes.

Are information security/business continuity incidents documented?

Yes.

Is there a process to notify customers of information security incidents / business continuity incident that affects customer data or services?

Yes. In an event of a security incident in Soroco Cloud provided service, Soroco is responsible for communication of the same to customer, action to quarantine the environment, assess the impact of the breach, work on an RCA and take further step for hardening the environments.

Scout Data Privacy FAQ ➜

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Scout Security FAQ