Security & trust
As a long-standing Microsoft partner, we align our policies and principles with the Microsoft Trusted Cloud, which rests on four core pillars: Security, Privacy, Compliance and Transparency.
With these in mind, this document gives our customers more in-depth information about the policies and procedures we have in place to keep customer data private and secure, how our solutions meet compliance standards, and how our team is held to those standards.
We take security seriously, and we expect that your own risk assessment and due diligence will confirm that we can be a secure partner in your Project Management journey.
Because our solutions are built on Microsoft products and platforms, they inherit the cloud security and compliance controls of Azure and Office 365. It is just as important, however, to be clear about where responsibility shifts from Microsoft to us, as the provider of add-on solutions for Project Online and Office 365, and which areas always remain under the customer's control.
We use Microsoft Azure Platform as a Service (PaaS): our solutions run on Azure App Service, with Azure SQL Database as the back end. Microsoft patches the operating system and maintains the hardware, so we can concentrate on maintaining the solutions and keeping our customers running. The Sensei Hubs are then delivered to customers as Software as a Service (SaaS).
With that model in mind, we can review the responsibility zones for our solutions built on Microsoft infrastructure: specifically the Beacon and Jumpstart solutions (our core solutions) together with the Sensei Reporting Hub, Integration Hub and App add-ins.
The hub architects who manage our solutions and your data have decades of experience working with sensitive, business-critical data, and they treat the security of your data accordingly.
There are significant security advantages to our decision to use Microsoft Azure PaaS.
At the bottom of the stack (physical datacentres, network and host operating systems) we depend on Microsoft to mitigate common risks; those layers are operated and continuously monitored by Microsoft, which makes them a hard target. In the middle of the stack, the application layer and the account and access management layer, the risks are much the same as in a traditional on-premises or IaaS deployment, and they are ours to manage. We mitigate many of them by following the security best practices for Azure App Service and Azure SQL Database; for details, see the Products section of this document. Your own user identities, devices and data governance remain in your control, as the Identity section below describes.
Identity as the primary security perimeter
The primary advantage of cloud services is that organisational data can be delivered to a mobile workforce on a range of devices that may or may not be managed by your organisation. The old rules of a network security perimeter therefore no longer apply, and it is critical to treat Identity as the primary security perimeter.
We depend on you, the client, to grant access to your environment's data so that the reporting and application solutions can function. We do not take this access lightly. The credentials and tokens we use to reach your environment and data are issued by you, and at any time of your choosing you can disable the service account or application trust we use, which cuts off our access. Control of these credentials always remains with the client.
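The revocation described above, shown as an added example rather than a script from Sensei: a tenant administrator disables both kinds of access a partner might hold, an enterprise application (service principal) and a service-account user, using the Microsoft Graph PowerShell SDK. The application display name and service-account UPN are hypothetical placeholders, and the account running it is assumed to be able to manage applications and users.

```powershell
# Added example (not Sensei's own script): revoke a partner's access to your tenant with the
# Microsoft Graph PowerShell SDK (Microsoft.Graph module). The display name and UPN below are
# hypothetical placeholders; in production match the application by its AppId instead.
param(
    [string]$PartnerAppDisplayName = "Contoso Reporting Hub",                  # hypothetical
    [string]$ServiceAccountUpn     = "svc-reporting@contoso.onmicrosoft.com"  # hypothetical
)

$scopes = @(
    "Application.ReadWrite.All",
    "DelegatedPermissionGrant.ReadWrite.All",
    "AppRoleAssignment.ReadWrite.All",
    "User.ReadWrite.All",
    "Directory.AccessAsUser.All"   # needed to revoke sign-in sessions
)
Connect-MgGraph -Scopes $scopes | Out-Null

# --- Application trust: the partner's enterprise application (service principal) ---
$sp = Get-MgServicePrincipal -Filter "displayName eq '$PartnerAppDisplayName'" | Select-Object -First 1
if ($sp) {
    # Disable rather than delete: the audit trail survives and the integration can be
    # re-enabled later without a fresh consent ceremony.
    Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AccountEnabled:$false

    # Remove delegated permissions (OAuth2 grants) that admins or users consented to ...
    Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" |
        ForEach-Object { Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $_.Id }

    # ... and the application permissions (app role assignments) it holds.
    Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id |
        ForEach-Object {
            Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -AppRoleAssignmentId $_.Id
        }
} else {
    Write-Warning "No enterprise application named '$PartnerAppDisplayName' found."
}

# --- Service account: a user identity the partner signs in with ---
$user = Get-MgUser -Filter "userPrincipalName eq '$ServiceAccountUpn'"
if ($user) {
    Update-MgUser -UserId $user.Id -AccountEnabled:$false      # block new sign-ins
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null     # invalidate refresh tokens already issued
}

# --- Verify both identities are now disabled ---
if ($sp) {
    Get-MgServicePrincipal -ServicePrincipalId $sp.Id -Property DisplayName,AccountEnabled |
        Select-Object DisplayName, AccountEnabled
}
if ($user) {
    Get-MgUser -UserId $user.Id -Property UserPrincipalName,AccountEnabled |
        Select-Object UserPrincipalName, AccountEnabled
}
```

Two caveats a practitioner should keep in mind. Disabling the service principal stops new tokens from being issued, but access tokens already in the partner's hands stay valid until they expire (by default about an hour), so expect a short tail; for the user account, Revoke-MgUserSignInSession is what invalidates the refresh tokens that would otherwise keep renewing access. And if the trust was granted as a SharePoint add-in at the site-collection level rather than through Azure AD consent, it is listed and can be removed on that site collection's app principals page in SharePoint Online.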
Secure code policy
For application security, every developer who contributed code to the project has been made aware of the OWASP guidance on common web application vulnerabilities and their countermeasures; while some of those vulnerability classes do not apply to our solutions, regular code reviews and continuing education keep the approach robust. Beneath our code, Microsoft applies continuous security improvement to the Azure platform itself through its Security Development Lifecycle (SDL) and Operational Security Assurance (OSA) programs, which combine Prevent Breach and Assume Breach security postures. Our team also follows these information-handling rules:
- We only use official information and data for the work-related purpose intended
- We do not disclose any confidential information without appropriate approval
- We ensure that any confidential information cannot be accessed by unauthorised people
- We always exercise caution and sound judgment when disclosing personal information, and only disclose this information on a 'need to know' basis
- No former employees are provided access to confidential information
- Confidential information in our control:
- Is collected and used lawfully for specified and legitimate purposes
- Is subject to appropriate and adequate security arrangements
- Is not retained longer than required
- Is not stored on any personal or bring-your-own (BYO) devices
The General Data Protection Regulation (GDPR), effective 25 May 2018, sets a higher bar for privacy rights, security and compliance. Although it is a European regulation, its reach is broad: it applies to any organisation that offers goods and services to people in the EU, or that collects and analyses data tied to people in the EU, wherever the organisation is located.
GDPR is a complex regulation that requires changes to how organisations collect, process and manage personal data.
To support GDPR compliance, we have aligned the security features of the Sensei Reporting Hub with its requirements.
Useful resources if you'd like to learn more about GDPR:
- Read about GDPR directly from the legal source.
- Learn about Microsoft's journey to GDPR in their eBook.
We are committed to transparency across all of our Hub products and services, and we publish details of our policies, procedures and updates to our security methods and processes through two main outlets:
- Our Trust Center (this site): resources for our clients, answers to common questions, and updates to our policies as they (and our solutions) evolve to meet the requirements of a changing cloud platform.
- Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) reviews: we regularly review and update our responses to the CCM controls, and the updated responses are published in the Trust Center.
While this document is intended to cover all of our products and solutions, it focuses on the Hub products and apps and on our legacy solutions Beacon and Jumpstart, which incorporate those components. One of our core values is partnership with our customers, and for that reason our legacy solutions require that we retain continued access to the deployed solution, so that we can monitor system health, usage and performance and deliver ongoing updates to features, capabilities and content. This is what allows us to provide the premier Altus solution built on the Microsoft Cloud. For how we secure client credentials and our policy on managing them, refer back to the Security section above.
Sensei Reporting Hub and Integration Hub
These two applications are built on Azure and use Azure SQL Database to store data. Both hubs were developed following the best practices for those platforms, including:
- Authentication through Azure Active Directory
- Restriction of access through least privilege security principles
- Protection of Keys through Azure Key Vault
- Restriction of incoming IP addresses
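The four controls listed above, as an added example that is not Sensei's deployment script: a hypothetical App Service web app backed by Azure SQL Database and Key Vault is configured with the Az and SqlServer PowerShell modules. Every resource name, AAD group name and IP range is a placeholder; the account running it is assumed to own the resource group and to be in the SQL server's AAD admin group.

```powershell
# Added example (not Sensei's own deployment script): AAD authentication, least privilege,
# Key Vault and IP restriction for a hypothetical App Service + Azure SQL + Key Vault deployment.
# All names and ranges below are placeholders.
$rg             = "rg-reportinghub"      # hypothetical resource group
$app            = "app-reportinghub"     # hypothetical App Service (the hub's web app)
$sqlSrv         = "sql-reportinghub"     # hypothetical Azure SQL logical server
$db             = "ReportingHub"         # hypothetical database
$vault          = "kv-reportinghub"      # hypothetical Key Vault
$customerEgress = "203.0.113.0/24"       # hypothetical customer egress range (RFC 5737 doc range)

Connect-AzAccount | Out-Null

# 1. Authentication through Azure Active Directory.
#    The web app gets a system-assigned managed identity (no stored password), an AAD group
#    rather than a SQL login administers the server, and SQL logins are switched off so every
#    connection must present an AAD identity.
$webApp   = Set-AzWebApp -ResourceGroupName $rg -Name $app -AssignIdentity $true
$dbaGroup = Get-AzADGroup -DisplayName "SQL-DBA-ReportingHub"      # hypothetical AAD group
Set-AzSqlServerActiveDirectoryAdministrator -ResourceGroupName $rg -ServerName $sqlSrv `
    -DisplayName $dbaGroup.DisplayName -ObjectId $dbaGroup.Id | Out-Null
Enable-AzSqlServerActiveDirectoryOnlyAuthentication -ResourceGroupName $rg -ServerName $sqlSrv | Out-Null

# 2. Restriction of access through least privilege.
#    The managed identity becomes a contained database user that can only read and write rows:
#    no db_owner, no schema changes, no server-level rights. Run as a member of the admin group.
$token = (Get-AzAccessToken -ResourceUrl "https://database.windows.net/").Token
if ($token -is [securestring]) { $token = ConvertFrom-SecureString $token -AsPlainText }   # Az 14+
Invoke-Sqlcmd -ServerInstance "$sqlSrv.database.windows.net" -Database $db -AccessToken $token -Query @"
CREATE USER [$app] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [$app];
ALTER ROLE db_datawriter ADD MEMBER [$app];
"@

# 3. Protection of keys through Azure Key Vault.
#    The connection string lives in the vault, only the app's managed identity may read secrets,
#    and the app consumes it via a Key Vault reference instead of a plaintext app setting.
$connStr = "Server=tcp:$sqlSrv.database.windows.net,1433;Database=$db;Authentication=Active Directory Managed Identity;Encrypt=True;"
Set-AzKeyVaultSecret -VaultName $vault -Name "SqlConnectionString" `
    -SecretValue (ConvertTo-SecureString $connStr -AsPlainText -Force) | Out-Null
Set-AzKeyVaultAccessPolicy -VaultName $vault -ObjectId $webApp.Identity.PrincipalId -PermissionsToSecrets get,list
$settings = @{}
$webApp.SiteConfig.AppSettings | ForEach-Object { $settings[$_.Name] = $_.Value }   # Set-AzWebApp replaces, so merge
$settings["SqlConnection"] = "@Microsoft.KeyVault(VaultName=$vault;SecretName=SqlConnectionString)"
Set-AzWebApp -ResourceGroupName $rg -Name $app -AppSettings $settings | Out-Null

# 4. Restriction of incoming IP addresses.
#    The SQL firewall admits only the web app's own outbound addresses (not "Allow Azure
#    services", which would admit every Azure tenant), and the web app answers only to the
#    customer's range; adding the first Allow rule makes the implicit Deny-all take effect.
$i = 0
foreach ($ip in ($webApp.OutboundIpAddresses -split ",")) {
    New-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $sqlSrv -FirewallRuleName "app-egress-$i" `
        -StartIpAddress $ip -EndIpAddress $ip | Out-Null
    $i++
}
Add-AzWebAppAccessRestrictionRule -ResourceGroupName $rg -WebAppName $app -Name "customer-egress" `
    -Priority 100 -Action Allow -IpAddress $customerEgress

# Check: only the app-egress rules should remain. A rule named AllowAllWindowsAzureIps
# (0.0.0.0 to 0.0.0.0) means "Allow Azure services" is still switched on.
Get-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $sqlSrv |
    Select-Object FirewallRuleName, StartIpAddress, EndIpAddress
```

If the vault uses the Azure RBAC permission model instead of access policies, replace the Set-AzKeyVaultAccessPolicy line with a New-AzRoleAssignment of the "Key Vault Secrets User" role to the managed identity's principal ID; the Key Vault reference in the app setting only resolves once that grant exists.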