IT security

 

Preface


The BeWorkHappy cloud is hosted entirely on Amazon Web Services inside a so-called virtual private cloud (VPC). This makes it possible to restrict external access to exactly two entry points: one for world access via HTTP(S) and one VPN channel for internal maintenance access. All entry points to the cloud are secured via AWS security groups (which resemble firewalls in a traditional environment), with only the necessary ports accessible from outside (for instance port 80/443).
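One way to check the "only the necessary ports" property described above is to audit the security-group rules for anything world-reachable outside an allow-list. This is an added example, not BeWorkHappy's own tooling; the allow-list, the group IDs and the sample data are constructed assumptions, shaped like the output of `aws ec2 describe-security-groups`.

```python
import ipaddress
import json

# Assumption: the only ports meant to be reachable from the whole internet.
ALLOWED_WORLD_PORTS = {80, 443}

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-web-example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
  {"GroupId": "sg-db-example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
  {"GroupId": "sg-wide-example", "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
]}
""")

def is_world(cidr):
    """True for 0.0.0.0/0 and ::/0 (a /0 prefix covers every address)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def world_open_violations(doc, allowed=ALLOWED_WORLD_PORTS):
    """Return (group_id, protocol, ports) for each world-open rule outside `allowed`."""
    findings = []
    for group in doc.get("SecurityGroups", []):
        for perm in group.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if not any(is_world(c) for c in cidrs):
                continue  # rule is limited to specific networks
            proto = perm.get("IpProtocol")
            if proto == "-1" or "FromPort" not in perm:
                findings.append((group["GroupId"], proto, "all"))  # every protocol/port
                continue
            lo, hi = perm["FromPort"], perm["ToPort"]
            # A port range passes only if every port in it is on the allow-list.
            if proto != "tcp" or any(p not in allowed for p in range(lo, hi + 1)):
                findings.append((group["GroupId"], proto, f"{lo}-{hi}"))
    return findings

if __name__ == "__main__":
    for finding in world_open_violations(SAMPLE):
        print("world-open rule outside allow-list:", finding)
```

On the constructed sample this flags the SSH rule and the all-protocol rule, while the 80/443 rules and the VPC-internal database rule pass.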


World access


All BeWorkHappy websites are served over HTTPS with only the most secure ciphers and protocols in place (TLS 1.0-1.2 only, no SSLv3, Forward Secrecy in place). The SSL certificates used are either signed by the LetsEncrypt.org certificate authority or are wildcard certificates signed by Comodo SSL. Qualys SSL Labs rates our websites a straight A (for details about the rating, please visit https://www.ssllabs.com/ssltest/analyze.html?d=www.beworkhappy.be ).


Encryption of stored data


All documents uploaded to the BeWorkHappy cloud are encrypted with industry-standard ciphers on two layers:


  1. Encryption of block devices: all underlying disks are encrypted with AES (256-bit key size, SHA256 hash).
  2. In addition, each document is encrypted with a tenant-specific master key (AES with 256-bit key size, RSA with 4096-bit key size). This ensures that each tenant has access only to its own documents and that no accidental data leak can occur.

Passwords


User passwords are never stored in plain text anywhere; instead, their hash values are stored and compared upon log-in.