Data Security & Confidentiality

SECURITY AND COMPLIANCE
At the core of all we do with data assets
Your business data represents your intellectual capital, your competitive differentiator and the lifeblood of your organization.
While we work with your business data, we recognise how important data security is for your business, your customers and other stakeholders. Operating in data-intensive services, at Data Nectar we follow mature procedures to safeguard data and information against security threats and to comply with data protection regulations.
Security vulnerabilities
That we take care of, from design to deployment

  • SQL Injection
  • Security Misconfiguration
  • Broken Authentication
  • Cross-site Scripting (XSS)
  • Sensitive Data Exposure
  • Insecure Deserialization
  • XML External Entities (XXE)
  • Components with Known Vulnerabilities
  • Broken Access Control
  • Insufficient Logging & Monitoring
  • Web Application Firewall (WAF)
  • Antivirus and Patch Management
01. SQL Injection
SQL injection is an attack in which untrusted data is injected, or manually entered, into an input that is passed to an application or database query. Security measures:

  • Stored procedures and parameterised queries to prevent SQL injection attacks.
  • IP blocking and CAPTCHA.
  • Whitelist (allow-list) input validation as a secondary defence.
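An added example (not Data Nectar's code) showing the first and third measures above side by side: the same lookup written with string concatenation, with a bound parameter, and with an allow-list check in front of the parameterised query. The in-memory table and the account-name policy are constructed for the demonstration.

```python
import re
import sqlite3

def make_db() -> sqlite3.Connection:
    # Constructed in-memory sample table for the demonstration.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn

def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Vulnerable: the untrusted value is spliced into the SQL text, so a quote
    # character in it rewrites the WHERE clause instead of being compared.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def find_user_parameterised(conn: sqlite3.Connection, name: str) -> list:
    # Hardened: the value is bound as a parameter; the driver never treats it
    # as SQL, whatever characters it contains.
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()

# Allow-list for the secondary defence: account names are short lowercase
# alphanumerics (an assumed policy for this example).
ALLOWED_NAME = re.compile(r"[a-z0-9_]{1,32}")

def find_user_validated(conn: sqlite3.Connection, name: str) -> list:
    # Allow-list validation first, then the parameterised query.
    if not ALLOWED_NAME.fullmatch(name):
        raise ValueError("account name rejected by allow-list")
    return find_user_parameterised(conn, name)

def demo() -> dict:
    conn = make_db()
    hostile = "x' OR '1'='1"  # constructed input that closes the quote early
    return {
        "vulnerable_rows": len(find_user_vulnerable(conn, hostile)),
        "parameterised_rows": len(find_user_parameterised(conn, hostile)),
        "legitimate_rows": len(find_user_validated(conn, "alice")),
    }

if __name__ == "__main__":
    print(demo())  # the concatenated query returns every row; the bound one returns none
```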
03. Broken Authentication
Authentication is a critical aspect of the security process, and if its mechanisms are not implemented properly it can allow hackers to compromise passwords or session IDs.

  • Multi-factor authentication to prevent credential sniffing, brute-force and stolen-credential reuse attacks.
  • Weak-password checks, and aligned password length, complexity and rotation policies.
05. Sensitive Data Exposure
Many web applications and APIs do not properly protect sensitive data such as financial, healthcare and personally identifiable information (PII). Attackers may steal or modify such weakly protected data.

  • Secure connections made over the HTTPS protocol only; domain-level SSL/TLS certificates are installed on the server side for encrypted connections.
  • If required, extended validation (EV) certificates can be added as additional security. TLS, the successor to Secure Sockets Layer (SSL), ensures that no third party can eavesdrop on or tamper with any message.
07. XML External Entities (XXE)
XXE is an attack on XML parsers that process external entity declarations, closely related to Server-side Request Forgery (SSRF), whereby an attacker can cause Denial of Service (DoS) or access local or remote files and services.

  • Disabling XML external entity and DTD processing in all XML parsers in the application.
  • Implementation of server-side input validation, filtering, or sanitization.
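An added example (not Data Nectar's code) of the first measure above, written against Python's standard expat binding: the parser rejects any DOCTYPE before entities can be declared and refuses to resolve external entities as a second layer. The two sample documents are constructed; the `SYSTEM` identifier in the rejected one is a placeholder, not a real path.

```python
import xml.parsers.expat

class DtdNotAllowed(ValueError):
    """Raised when untrusted XML carries a DOCTYPE, and so could declare entities."""

def parse_untrusted_xml(data: bytes) -> list:
    """Parse XML into (element, text) pairs, refusing any DTD or external entity."""
    parser = xml.parsers.expat.ParserCreate()
    found, stack = [], []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Any DOCTYPE is rejected outright: that is where entities (external
        # file/URL references and expansion bombs alike) would be declared.
        raise DtdNotAllowed(f"DOCTYPE '{name}' rejected: DTD processing is disabled")

    def on_external_entity(context, base, sysid, pubid):
        return 0  # defence in depth: refusing makes expat abort the parse

    def on_start(name, attrs):
        stack.append([name, ""])

    def on_chars(text):
        if stack:
            stack[-1][1] += text

    def on_end(name):
        elem, text = stack.pop()
        found.append((elem, text.strip()))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chars
    parser.EndElementHandler = on_end
    parser.Parse(data, True)
    return found

def is_rejected(data: bytes) -> bool:
    """True if the hardened parser refuses the document."""
    try:
        parse_untrusted_xml(data)
    except (DtdNotAllowed, xml.parsers.expat.ExpatError):
        return True
    return False

# Constructed sample documents (not real client data).
SAFE_XML = b"<order><item>widget</item><qty>2</qty></order>"
XXE_XML = (b'<?xml version="1.0"?><!DOCTYPE order [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
           b"<order>&ext;</order>")
```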
09. Broken Access Control
Broken access control occurs when a user is able to access unauthorized resources. These resources could be restricted pages, databases, directories, etc.

  • Application of access-level security mechanisms to reduce authorization and authentication risks.
  • Logging of sensitive operations.
  • For more sensitive functionality, such as administrative pages, IP address restriction can be implemented to ensure that only users from a certain network are permitted to access the resources, irrespective of their login status.
11. Web Application Firewall (WAF)
A WAF helps protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet.

  • By deploying a WAF in front of a web application, a shield is placed between the web application and the Internet.
  • Any connection made to the application or servers goes in and out through a WAF.
02. Security Misconfiguration
Improper server or web application configuration leads to flaws such as incorrect folder permissions or setup/configuration pages left enabled.

  • Server configuration to prevent unauthorized access, directory listing etc.
  • Disabling administration interfaces and debugging.
04. Cross-site Scripting (XSS)
Cross-site scripting occurs when an attacker is able to insert malicious code into a vulnerable web page.

  • Escaping user input, and sanitizing user input to remove potentially executable characters.
  • Input validation for special characters entered into web page data-entry fields.
06. Insecure Deserialization
Insecure deserialization occurs when untrusted data is used to abuse the logic of an application or even execute arbitrary code upon it being deserialized.

  • Implementation of safe architectural patterns: not accepting serialized objects from untrusted sources, and logging deserialization exceptions and failures.
  • Restricting and/or monitoring incoming and outgoing network connectivity from containers or servers that deserialize.
08. Components with Known Vulnerabilities
Vulnerabilities in third-party libraries and software are extremely common. If a component is exploited, it can cause a serious data loss.

  • Identification of all components with known vulnerabilities.
  • Obtaining components from official sources over secure links.
  • Removal of unused dependencies and unnecessary features, components, files and documentation.
10. Insufficient Logging & Monitoring
Exploitation of insufficient logging and monitoring is the bedrock of nearly every major incident. Attackers rely on the lack of monitoring and timely response to achieve their goals without being detected.

  • Activity logging for all logins, access-control failures and server-side input validation failures, with enough user context to identify suspicious or malicious accounts.
  • Regular monitoring and alerting to detect suspicious activity and respond quickly.
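An added example (not Data Nectar's code) of the two measures above working together: login events logged with account and source address, and a detection that alerts when one address accumulates a burst of failures, flagging whether a success followed. The log lines and the threshold/window values are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines carrying user context (account, source address).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z login_failure user=alice src=203.0.113.7
2024-05-01T10:00:03Z login_failure user=bob src=203.0.113.7
2024-05-01T10:00:05Z login_failure user=carol src=203.0.113.7
2024-05-01T10:00:09Z login_failure user=dave src=203.0.113.7
2024-05-01T10:00:12Z login_failure user=erin src=203.0.113.7
2024-05-01T10:00:20Z login_success user=erin src=203.0.113.7
2024-05-01T10:05:00Z login_failure user=alice src=198.51.100.4
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)")

def parse_events(text: str) -> list:
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines that do not match the expected shape are skipped
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return events

def detect_failure_bursts(events: list, threshold: int = 5,
                          window: timedelta = timedelta(minutes=1)) -> list:
    # Alert when one source address has >= threshold login failures inside a
    # sliding window; many distinct accounts from one address is password spraying.
    by_src = defaultdict(list)
    for e in events:
        if e["event"] == "login_failure":
            by_src[e["src"]].append(e)
    alerts = []
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = fails[start:end + 1]
                # A success from the same address after the burst is the strongest signal.
                later_success = any(x["event"] == "login_success" and x["src"] == src
                                    and x["ts"] > burst[-1]["ts"] for x in events)
                alerts.append({"src": src, "failures": len(burst),
                               "accounts": sorted({f["user"] for f in burst}),
                               "success_after_burst": later_success})
                break
    return alerts
```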
12. Antivirus and Patch Management
Most virus or malware attacks happen because systems running different versions of applications and operating systems are not regularly patched.

  • Automation of the patch management process using tools that provide centralized updates for all the security patches that are available but not yet applied.
Cloud Operation & Monitoring
Continuous monitoring and proactive action are key to keeping costs under control while delivering users a consistent experience at scale.

Before deployment, all code is checked for security vulnerabilities, followed by routine scans for network and system vulnerabilities. This includes, but is not limited to, the following key actions:
  • Code reviews and penetration tests
  • Data and Cloud Infrastructure Security assessment & reports
  • DevOps process review and implementation
  • Data Security control framework review and testing
  • Alert implementation, risk communication and risk mitigation practices for internal and external (client) systems.
  • Regular performance reporting for key cloud resources, with suggestions on reducing cost where applicable.
REGIONAL DATA PROTECTION REGULATIONS
Data Nectar works closely with clients and partners across geographies, following the relevant processes and actions to assure compliance with regional data protection regulations. Where we act as a data processor or sub-processor under a Data Processing Agreement (DPA) signed with clients, we adhere to the prevailing regulatory guidelines set out by GDPR and other regional data security and regulation frameworks.