Scout Security FAQ

Scout Security FAQ page 01

Data Center

How is data related to a particular client kept confidential / separate from data associated with another client?​
Each customer has a dedicated instance in Azure, thus ensuring data confidentiality and segregation.​

Each interaction captured from these applications is used to generate insights that will help you understand how you spend your working hours and identify patterns in your work.
Audit logging is enabled for all access to the systems. Moreover, unauthorized logins are flagged and reported by the SRE team as P1 issues.​
Data is stored in the Azure instance spun up for each customer.​

Since the data is entirely encrypted, Soroco cannot read your interaction data in any form.
Customer data is directed to their dedicated Scout instance in Azure
Soroco is responsible for patching all components.​

Certificates & Keys​

How is data security managed in Scout?​
Scout encrypts stored data using AES-256 keys, and transports data using HTTPS / TLS 1.2
Customer data is stored using AES256 bit encryption.
Yes, dedicated encryption keys are used for every customer deployment.
The Scout team directly associated with the project is responsible for managing the keys for Soroco’s Cloud implementation of Scout.
Yes, Scout manages the key management process through the Hashicorp vault.​
Encryption of AES 256-bit strength is used across the service.​
Yes.
Scout supports Azure key management and Hashicorp Vault.
Customers provide a PKI for the webservice SSL layer, all other keys are provided​
No. Keys and certificates cannot be shared across environments.​

Authentication

What kinds of authentication and access control procedures are in place?
Scout supports both Role based forms and SSO based authentication. Role based access controls are configurable for each module and action in Scout.​
Each customer has a dedicated instance in Azure. Directories are unique to each customer​
Yes.
Yes, the Scout platform supports SAML 2.0 and OpenID (OAuth) based SSO.​
Scout out-of-the box does not support federated SSO​.
Scout has integrated Identity and Access Management (IAM) – the IAM service manages User Identities. The IAM module in Scout also supports SSO integration with the customer’s existing solutions by utilizing SAML/OpenID.​
Scout has a default session timeout of 30 minutes, configurable per customer.
Scout verifies a user’s identity before they are allowed to set passwords.​

Vulnerability management​

What is the frequency of vulnerability scans performed by Scout?
Scout runs monthly Infrastructure and annual product scans.​
The following process is defined for vulnerability remediation -
Yes, regular penetration testing is conducted as per the Vulnerability management program.
For the Soroco Cloud based offering, Soroco is responsible for end-to-end patching of Infrastructure, Operating system, and Application components.​
Yes – findings are tracked and rescans are performed till no findings are identified.​
Yes – penetration tests of critical applications or networks are conducted at least every 12 months or after significant changes.

Logging

Does each customer have a regular log of access to their data?​
Yes, audit log reports are periodically shared with the customer.​
Yes.
Yes.
Yes.
Scout logs the following information:​

Incident Management​

Is there a documented Information Security Incident Management procedure in place?​
Yes. Soroco Security Incident Management Procedure​.
Yes.
Yes.
Yes. In an event of a security incident in Soroco Cloud provided service, Soroco is responsible for communication of the same to customer, action to quarantine the environment, assess the impact of the breach, work on an RCA and take further step for hardening the environments.​

See Scout in action.
Schedule your demo now!

Request demo