07-04-2021

Keeping information confidential

encryption-light

We understand that the information of our clients is highly confidential. That is why we take the safety of Alloq very seriously and do everything we can to keep data out of the wrong hands. Let’s look at the measures we’ve taken so far.

Restriction of access

The most obvious — and the one we’re all too familiar with — is authentication. Yep, you have to log into Alloq, too. We can connect to your identity provider, enabling you to log in using your company credentials, like your Microsoft Azure Active Directory account. Furthermore, Alloq uses authorization;. all users get specific permissions so they only have access to the features and data they need.

A reliable method to keep unwanted guests out is to discriminate IP addresses. This allows us to distinguish whether someone is trying to access Alloq from your office or not. When we set up Alloq for you, we’ll ask the IP range of your office. We’ll configure Alloq so it only allows connections from that IP range. All other traffic is blocked. This means the application is only accessible from your office. If you use a VPN (virtual private network) to connect to your office, that connection allows you to use Alloq as well. This way you can continue working even if you’re commuting or working from home.

Dedicated environment

Sometimes data leaks are caused when the application mistakes one user for another. When this happens, the wrongly identified user may see information that belongs to someone else, or another company. Showing data to the wrong users — with or without malicious intent — are also data leaks.

To make sure this can’t happen with Alloq, every business gets its own dedicated container cluster. This is tech talk for an environment in which all bits and parts of the Alloq application lives in isolation. This means other Alloq applications (because they’re essentially clones) cannot access the data from other clones. Without a shared database, we can’t “misplace” data. Your Alloq environment and the data it holds are yours alone and only your users can see it.

Quality assurance

To assure the quality of Alloq, we have practices in place that mitigates human error. Between writing code and updating the application, we have to walk through a multitude of steps.

Our first line of defence are automated tests. These are run often, but more importantly, they’re also executed before new code is approved. They verify whether the code works as expected, and make sure code changes won’t degrade existing functionality. If a test fails, we have to fix it before we can move on to the next step.

Once all automated tests pass, a scanner checks our code for bugs, vulnerabilities, and code that doesn’t meet our standards. This tool is updated regularly to account for the latest security issues. Again, we have to fix all issues before we can continue to the next step.

Unfortunately, tools can’t detect all issues, so all code changes are reviewed by another software engineer. These are to catch potential security issues and to make sure the code is comprehensible and scalable.

Once all of the above is done, the code is approved. We typically release it on our test environment. This is our internal environment on which we can deploy as often we want. We use it to test our work again and to demonstrate the latest changes to stakeholders. Though not a formal test, it’s a great moment to detect any remaining issues.

Lastly, our work is reviewed by stakeholders on another environment. Their tests are thorough and usually touch many, if not all, aspects of the application.

If all is well, and we get formal consent, we’re ready to go to production. One engineer has to prepare the production release and another must approve it. We typically follow a schedule to make sure we’re not releasing Alloq when it’s in use. If anything goes wrong at any of the above, we go back to step one. Every issue we resolve results in a code change that needs to be reviewed all over again.

Security audits require a very specific skillset and take way more time to do. It takes too long to do those for every code change. Instead, we let a security specialist hack Alloq. Or so they try. We’ve had experts from FoxIT and VI Company run security audits and they haven’t been able to hack their way into Alloq or extract data from it.

Concluding

We’re proud of our high standards and we will continue to improve to ensure Alloq is as safe and resilient as can be. We’re on top of security news, the latest techniques and tools, and test the application daily.