Intranet cloud security

Application Security

Security Training

Every 12 months our engineering and support departments participate in secure code training.

QA

Dedicated security engineers who are part of our QA and Architecture departments perform reviews and test our code base for security vulnerabilities.

Isolated Environments

Development, testing, and staging environments are separated physically and logically from the production environment. Customer data is never used in our development, testing, or staging environments.

Static Code Analysis

Our source code is regularly scanned for security issues and automatically refactored to best practices.

Penetration Testing

In addition to our internal security testing, we partner with NCC to perform extensive penetration tests across the application.

Vulnerability Scanning

Our internal security team performs regular vulnerability scanning of the application and infrastructure.

---

Software Security Features

Authentication Options

Interact supports multiple authentication options including Local Directory (username and passwords are stored within Interact) and SAML 2.0 SSO (e.g. ADFS, Okta, OneLogin).

SSO

Single Sign-On (SSO) allows you to authenticate users in your own systems without requiring them to enter additional login credentials. Interact shall only grant access to users that have been authenticated by you.

Secure Credential Storage

Interact supports a full suite of password management tools including sophisticated password complexity rules, password history lengths and more. Passwords are securely encrypted, hashed, and salted within the application.

Security Frameworks

We use .Net security framework controls to limit exposure to exposure to Cross Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and SQL Injection (SQLi) and many others.

---

Product Security Features

Access Control

Access to data within Interact is governed by access rights. Access privileges can be configured and managed through the use of memberships and can be used to define granular access rights.

IP Restrictions

Interact can be configured to allow access from specific IP address ranges by an administrator.

Content Moderation & Approval

Interact’s fine-grain permission structure allows administrators who can author content within varied Content Areas and Categories. Interact can be configured in such a way that users must request approval before publishing their content.

Auto Logout

Interact can be configured to automatically log users out after a period of inactivity.

Auditing

Creation and modification of data stored within Interact are recorded along with access logs for future auditing.

Exclusion by Default

Upon creating new entities (e.g. Content Areas, Teams, Homepages) or enabling new features, users are excluded by default. This limits human error and mistakes by requiring the creating owner to specify who can access the entity and its contained content.

---

Encryption

At Rest

Interact encrypts customer data to AES-256 while at rest.

In Transit

Transfer of data between Interact and the customer is encrypted using HTTPS and TLS.

---

Employee Security

Background Checks

Interact performs an extensive background check on all employees including five-year employment history, address history, and education verification.

Criminal Record Check

Employees with authorized access to production environments are required to undergo a criminal record check. UK employees are subject to the Disclosure Scotland process. While US employees are subject to a seven-year historical search of the County Criminal Courthouse Records.

NDA

All employees are required to sign Non-Disclosure and Confidentiality agreements.

---

Compliance

Interact is certified and audited to the ISO 27001:2013 standard and we have modeled our Information Security Management System and controls on this standard.

Our hosting partner, Amazon Web Services, holds multiple security certifications and accreditations. See https://aws.amazon.com/compliance/services-in-scope/ for more details.

---

Security Management

Framework

Interact has an established information security management framework describing the purpose, principles, and basic rules for how we maintain trust. We regularly review and update security policies, provide security training, perform application and network security testing (including penetration testing), monitor compliance with security policies, and conduct internal and external risk assessments.

Training

Interact employees attend a Security Awareness Training at least once every 12 months. Our Security Team provides security awareness updates and refreshers throughout the year to various teams and departments.

Policies

Interact has developed a comprehensive set of security policies which are made available to all employees. Policies are enforced through a blend of training, events, and auditing.

---

Infrastructure Security

Location

Interact has multiple territories where information can be domiciled – including the EU, Australia, and the USA – with multiple instances of Interact in each geo-location. Each territory has distinct local legal requirements and interconnectivity agreements in place which ensure that your content inherits the benefits of its host country. Customers can choose to locate their data in the EU-only, US-only, or Australia-only. Data always resides within its provisioned geo-location (EU and the USA) and cannot be transferred outside of its allocated area.

Monitoring

Interact and AWS (our hosting provider) utilize a wide variety of automated monitoring systems to provide a high level of service performance and availability. Monitoring tools are designed to detect unusual or unauthorized activities and conditions at ingress and egress communication points. These tools monitor server and network usage, port scanning activities, application usage, and unauthorized intrusion attempts. The tools have the ability to set custom performance metrics thresholds for unusual activity.

Physical Security

AWS data centers are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.

Architecture

Interact is designed with multiple layers of protection, covering data transfer, encryption, network configuration, and application-level control, all distributed across a scalable secure infrastructure.

Intrusion Detection

Intrusion Detection Systems (IDS) are deployed throughout the Interact infrastructure. The systems are configured to identify malware infections, attacks, system compromises, policy violations, and other exposures.

Logical Access

Access to the Interact production network is restricted to a small number of employees and is frequently monitored and audited.

---

Security Policies

Information Security Policy

Policies that cover customer and Interact information include: device security, authentication requirements, acceptable usage of resources, data storage requirements, security access, and issue handling.

Physical Security Policy

Guidelines detailing how we maintain a safe and secure environment for people and property at Interact.

Change Management Policy

Policy for code review and managing changes that impact security by Interact developers to source code, system configuration, and production releases.

Incident Response Policy

Guidelines for responding to potential security incidents, including assessment, communication and investigation procedures.

Physical production access

Our procedures for restricting access to the physical production infrastructure, including management review of employees.

Support Policy

Access policies for our Service Desk on viewing, providing support or taking action with customer data.

Copies of all Interact policies are available on request.