Web-Based System Security
A Web-Based System is one where the SQL Server and the database are located on a server maintained in a different location and accessed via the internet. In most cases, the discussion below is based on Advisors Assistant Holdings, Inc. providing hosting services.
- Three-factor login. When you click on the Advisors Assistant Icon on your desktop, a special code which is very long and unique to your database is sent to your database to authenticate your computer. Only then can you log in with your ID and strong password.
- Secure Facility. Servers are housed at Rackspace, which meets government requirements. A SOC-1 Report is available.
- Proactive Patching. Our contract with Rackspace includes performing all software and hardware updates to make sure security patches are applied in a timely manner.
- Commercial level firewall.
- Intrusion Detection Hardware and Software (in addition to the firewall appliance) backed up by a live security team to monitor all traffic through the firewall. This is hardware and software specifically designed to detect changes in the patterns with which data is requested and to evaluate threats.
- Encryption: SSL Encryption is used throughout our software.
- All calls to the web site require a special unique token which is issued to each computer at login, and automatically authenticates each user request. It is changed every 15 minutes. This adds a level of security for each service request and simulates the hardware USB device that many banks use. If the correct token does not accompany the data request, the session is terminated.
- User Login Log: All logins, failed or successful, are kept in a log and available to your database administrator.
- Failed Login Limitation: There is a limitation on login attempts which is configurable by your database administrator to prevent brute force login attempts.
- Our SQL Servers have no incoming ports open to the Internet to prevent probing.
- Commercial level Anti-virus Software.
- Not an Open Source database: We use fully commercially supported Microsoft SQL Server.
- Daily Backups: Data backups are made every night and maintained for 2 weeks. Optionally, users can download their own backups and retain them long term.
- Strong passwords are required. Your database administrator has the ability to set additional security such as password length, and force password changes every X days.
- Encrypted Personal Data: Certain personal identification data, such as Tax IDs, Passport numbers, and drivers’ licenses, are stored encrypted, and access can be limited with our role-based security model.
- Role-based Database Security lets you tailor who can do what on a user-by-user basis, such as withholding access to certain data, changing, exporting, or deleting data. There are over 80 functions you can provide or withhold from users or user groups.
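The per-request token described in the list above (issued at login, changed every 15 minutes, session terminated when the wrong token arrives) can be illustrated as follows. This is an added example, not Advisors Assistant's code; the class and method names, the in-memory store, and returning the new token in the response to a valid request are assumptions.

```python
import hmac
import secrets
import time

ROTATE_AFTER = 15 * 60  # seconds; the page states the token changes every 15 minutes


class SessionTokens:
    """Hypothetical server-side store: one current token per session."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._sessions = {}  # session_id -> (token, issued_at)

    def login(self, session_id):
        """Issue a fresh random token (called after a successful login)."""
        token = secrets.token_urlsafe(32)
        self._sessions[session_id] = (token, self._clock())
        return token

    def check(self, session_id, presented):
        """Return the token the client must send next, or None if rejected.

        A wrong token terminates the session, so a guessed or replayed
        value cannot be retried against the same session.
        """
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        token, issued_at = entry
        # Constant-time comparison avoids leaking how many characters matched.
        if not hmac.compare_digest(token.encode(), presented.encode()):
            del self._sessions[session_id]  # terminate the session
            return None
        if self._clock() - issued_at >= ROTATE_AFTER:
            return self.login(session_id)  # rotate: the old token is now invalid
        return token


class FakeClock:
    """Constructed clock so the 15-minute rotation can be exercised offline."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds
```

A token captured before a rotation is useless afterwards, and presenting it ends the session rather than allowing further attempts.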
Computer-Based System Security
A Computer-Based System is one where the SQL Server and the database are resident either on the user’s local area network behind their firewall or, in the case of a single user, on the same computer as the Advisors Assistant program.
- Passwords: The user can and should make the election to use strong passwords by selecting this as the System Preference under the Passwords Tab. Though Advisors Assistant does not force the user to adopt strong passwords, logging in without them set will cause a “nag screen” to warn the user and require an extra click for each login until they are elected.
- Encryption: Passwords are stored encrypted using AES 256 Encryption. They are stored in such a way that they cannot be retrieved to check. SQL Server checks the password and sends back a match or not matched message. This is called one-way hashing.
- Personal Identification fields are stored AES 256-bit encrypted within the database.
- Any backups made, unless you turn the feature off, are AES 256 Encrypted.
- Any data you send to Advisors Assistant Holdings’ FTP site is AES 256 Encrypted as long as you use the Advisors Assistant Encrypted File Transfer Program. Unless it is being worked on by a programmer, it is stored encrypted.
- Encryption and decryption of FILES sent to us is done by a special program in our office which does not reveal the encryption key. The program will only run on our private network and is stored on an encrypted drive.
- Logins Are Recorded: All logins, successful or failed, are logged in a report that can be viewed by the system administrator.
More details are available in our Public Security Summary, which we keep up to date to answer common questions that arise during the regular cybersecurity reviews done by our partners and clients.