Beamery Security Overview
Traditionally, organisations have looked to the public cloud for cost savings, or to augment private data centre capacity. However, organisations are now primarily looking to the public cloud for security, realising that providers can invest more in people and protection. Protection of data is among our primary design criteria. Security drives our organisational structure, training priorities and hiring processes. It is central to our everyday operations and disaster planning, including how we address threats. It is prioritised in the way we handle customer data. This document outlines Beamery's approach to security and compliance.
Beamery has created a vibrant and inclusive security culture for all employees. The influence of this culture is apparent during the hiring process, employee onboarding, as part of ongoing training and in company-wide events to raise awareness.
Beamery servers are hosted at Tier IV or III+, SSAE-16, PCI DSS, or ISO 27001 compliant facilities. We are cloud platform agnostic and our data center facilities are powered by redundant power, each with UPS and backup generators.
Our cloud data center facilities feature a secured perimeter with multi-level security zones, ambiguous facade, 24/7 manned security, CCTV video surveillance, multifactor identification with biometric access control, physical locks, and security breach alarms.
All Production Network systems, networked devices, and circuits are constantly monitored and logically administered by Beamery staff. Physical security, power, and internet connectivity are monitored by the facilities providers.
Beamery leverages data centres in the United States and Europe. Customers can choose (with the data centre Add On) to locate their Service Data in the US only or in Europe only.
Dedicated Security Team
Our UK based Security Team is on call 24/7 to respond to security alerts and events.
Our network is protected by redundant firewalls, best-in-class router technology, secure HTTPS transport over public networks, regular audits, and network Intrusion Detection and/or Prevention technologies (IDS/IPS) which monitor and/or block malicious traffic and network attacks.
Our network security architecture consists of multiple security zones and layers. More sensitive systems, like database servers, are protected in our most trusted zones. Other systems are housed in zones commensurate with their sensitivity, depending on function, information classification, and risk. Depending on the zone, additional security monitoring and access controls apply. DMZs are utilised between the Internet and our zones, and internally between the different zones of trust.
Network Vulnerability Scanning
Beamery utilises network security scanning to provide deep insight for quick identification of out-of-compliance or potentially vulnerable systems.
Third-Party Penetration Tests
In addition to our extensive internal scanning and testing program, Beamery periodically (at least annually) employs third-party security experts to perform a broad penetration test across the Beamery Production Network.
Security Information and Event Management (SIEM)
Our Security Information and Event Management (SIEM) system gathers extensive logs from important network devices and host systems. The SIEM raises alerts on correlated events, which notify the Security team for investigation and response. It also acts as a platform for post-mortem analysis.
Intrusion Detection and Prevention
Major application data flow ingress and egress points are monitored with Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS). The systems generate alerts when events or metrics exceed predetermined thresholds, and use regularly updated signatures based on new threats. This includes 24/7 system monitoring.
Threat Intelligence Program
Beamery participates in several threat intelligence sharing programs. We monitor threats posted to these threat intelligence networks and take action based on our risk and exposure. The MISP project allows us to feed threats back to the wider community for classification.
In addition to our own capabilities and tools, we contract with on-demand DDoS scrubbing providers to mitigate Distributed Denial of Service (DDoS) attacks. This is augmented by CDN providers that reduce inbound load from malicious actors.
Access to the Beamery Production Network is restricted on an explicit need-to-know basis, follows least privilege, is frequently audited and monitored, and is controlled by our Operations Team. Employees accessing the Beamery Production Network are required to use multiple factors of authentication. Only deployment engineers have access to this environment.
Security Incident Response
In case of a system alert, events are escalated to our 24/7 teams providing Operations, Network Engineering, and Security coverage. Employees are trained on security incident response processes, including communication channels and escalation paths.
Encryption in Transit
Communications between you and Beamery servers are encrypted via industry best-practice HTTPS and Transport Layer Security (TLS) over public networks. TLS is also supported for encryption of emails.
Encryption at Rest
At the platform level, all data is encrypted with AES-256. Data is broken into subfile chunks for storage; each chunk can be up to several GB in size. Each chunk is encrypted at the storage level with an individual encryption key. All Beamery customers benefit from the protections of encryption at rest for offsite storage of attachments and full daily backups.
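The per-chunk keying described above, as an added Go example that is not Beamery's code: each chunk is encrypted under its own random 256-bit key, and only a copy of that key wrapped under a key-encryption key (KEK) is stored beside the ciphertext, so a leaked chunk key exposes one chunk and a rotated KEK re-wraps keys without re-encrypting data. AES-256-GCM, the KEK and the 32-byte chunk keys are assumptions; the page gives no detail of the real scheme.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// EncryptedChunk pairs a chunk's AES-256-GCM ciphertext with its own key, wrapped under the KEK.
type EncryptedChunk struct {
	WrappedKey []byte // nonce || AES-256-GCM(kek, chunkKey)
	Ciphertext []byte // nonce || AES-256-GCM(chunkKey, chunk)
}
// gcmFor builds an AES-GCM AEAD; a 32-byte key selects AES-256.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // a wrong key length is a programming error, not a runtime condition
	}
	gcm, _ := cipher.NewGCM(block) // NewGCM only fails for non-AES block sizes
	return gcm
}
// seal encrypts plaintext under key with a fresh random nonce prepended.
func seal(key, plaintext []byte) []byte {
	gcm := gcmFor(key)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand: fails only if the OS RNG is unavailable
	return gcm.Seal(nonce, nonce, plaintext, nil)
}
// open reverses seal; the GCM tag check rejects a tampered blob or a wrong key.
func open(key, sealed []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}
// EncryptChunk draws a fresh 256-bit key for this chunk alone; only its KEK-wrapped copy is stored.
func EncryptChunk(kek, chunk []byte) EncryptedChunk {
	chunkKey := make([]byte, 32)
	rand.Read(chunkKey)
	return EncryptedChunk{WrappedKey: seal(kek, chunkKey), Ciphertext: seal(chunkKey, chunk)}
}
// DecryptChunk unwraps the chunk key with the KEK, then decrypts; tampering or a wrong KEK errors out.
func DecryptChunk(kek []byte, c EncryptedChunk) ([]byte, error) {
	chunkKey, err := open(kek, c.WrappedKey)
	if err != nil {
		return nil, err
	}
	return open(chunkKey, c.Ciphertext)
}
```

Splitting a file into chunks and calling EncryptChunk per piece gives the layout the text describes; the KEK itself would live in a key management service, never beside the data.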
Availability & Continuity
Beamery maintains a publicly available system-status webpage which includes system availability details, scheduled maintenance, service incident history, and relevant security events.
Beamery employs service clustering and network redundancies to eliminate single points of failure. Our strict backup regime ensures Service Data is actively replicated across primary and secondary DR systems and facilities. Our co-location databases are stored on efficient Flash Memory devices with multiple servers per database cluster.
Our Disaster Recovery (DR) program ensures that our services remain available or are easily recoverable in the case of a disaster. This is accomplished through building a robust technical environment, creating Disaster Recovery plans, and testing. Our Disaster Recovery Plan is available upon request to firstname.lastname@example.org.
Data Disposition / Decommissioning / Retention
Every Decommissioned Disk is subject to a series of data destruction processes (the "Disk Erase Policy") before leaving our cloud providers' premises, either for reuse or for destruction. Decommissioned Disks are erased in a multi-step process and verified complete by at least two independent validators. The erase results are logged by the Decommissioned Disk's serial number for tracking. Finally, the erased Decommissioned Disk is released to inventory for reuse and redeployment. If, due to hardware failure, the Decommissioned Disk cannot be erased, it is securely stored until it can be destroyed. Each facility is audited regularly to monitor compliance with the Disk Erase Policy.
At least annually, engineers participate in secure code training covering OWASP Top 10 security flaws, common attack vectors, and Beamery internal security controls.
Our QA department reviews and tests our code base. Dedicated application security engineers on staff identify, test, and triage security vulnerabilities in code.
Testing and staging environments are separated physically and logically from the Production environment. No actual Service Data is used in the development or test environments.
The Beamery change management process is designed to avoid unintended service disruptions and to maintain the integrity of service to the customer. Changes deployed into production environments are:
- Reviewed: Peer reviews of the technical aspects of a change are required.
- Tested: Changes being applied are tested to help ensure they will behave as expected and not adversely impact performance.
- Approved: All changes must be authorised in order to provide appropriate oversight and understanding of business impact.
Secure development (SDLC)
Dynamic Vulnerability Scanning
We employ a number of third-party, qualified security tools to continuously and dynamically scan our applications against the OWASP Top 10 security flaws. We maintain a dedicated in-house product security team to test for, and work with engineering teams to remediate, any discovered issues.
Static Code Analysis
The source code repositories for Beamery, covering both our platform and our mobile applications, are continuously scanned for security issues via our integrated static analysis tooling.
Security Penetration Testing
In addition to our extensive internal scanning and testing program, each quarter Beamery employs third-party security experts to perform detailed penetration tests on different applications within our family of products.
Responsible Disclosure / Bug Bounty Program
Our Responsible Disclosure Program gives security researchers an avenue for safely testing and notifying Beamery of security vulnerabilities through our partnership with HackerOne.
Product security features
For admins/agents in , we offer Beamery sign-in. For Beamery Support, you may also enable SSO, and Google Authentication. For end-users in , we support Beamery sign-in. For Beamery Support, you may also enable SSO and social media SSO (Facebook, Twitter, Google) for end-user authentication.
Single sign-on (SSO)
Single sign-on (SSO) allows you to authenticate users in your own systems without requiring them to enter additional login credentials for your Beamery Support instance. Both JSON Web Token (JWT) and Security Assertion Markup Language (SAML) are supported. Note: SAML is only available for Professional and Enterprise accounts and JWT is only available for Team accounts and above.
Configurable Password Policy
Beamery Support provides the following levels of password security: low, medium, and high, as well as the ability to set custom password rules for agents and admins. Beamery allows you to set one password security level for end-users, and a different one for admins and agents. Only admins can change the password security level. Note: Configurable Password Policy is only available for Professional and Enterprise accounts.
Two-factor authentication (2FA)
If you are using Beamery sign-in on your Beamery Support instance, you can turn on two-factor authentication (2FA) for agents and admins. Beamery supports SMS and apps like Authy and Google Authenticator for generating passcodes. 2FA provides another layer of security for your Beamery account, making it more challenging for somebody else to sign in as you.
Secure Credential Storage
Beamery follows secure credential storage best practices by never storing passwords in human readable format, and only as the result of a secure, salted, one-way hash.
API Security & Authentication
The Beamery Support API is SSL-only, and you must be a verified user to make API requests. You can authorise against the API using either basic authentication with your username and password, or a username and API token. OAuth authentication is also supported.
Additional product security features
Access Privileges & Roles
Access to data within Beamery is governed by access rights, and can be configured to define granular access privileges. Beamery has various permission levels for users (owner, admin, agent, end-user, etc.).
Beamery offers geo-blocking by IP address to stop known bad actors from communicating with our services. Equally, we can add sources of concern that you bring to us to the blacklist.
In Beamery, you can configure your instance so that users are required to sign in in order to view ticket attachments. If this is not configured, the attachments are accessible via a long, random token ticket ID.
All communications with Beamery servers are encrypted using industry-standard HTTPS. This ensures that all traffic, internal and external, is secure in transit. Additionally, for email, our product supports Transport Layer Security (TLS), a protocol that encrypts and delivers email securely, mitigating eavesdropping and spoofing between mail servers.
Email Signing (DKIM/DMARC)
Beamery offers DKIM (DomainKeys Identified Mail) for signing outbound emails from Beamery when you have set up an external email domain on your Beamery instance. Using an email service that supports these features allows you to stop email spoofing.
For added security, Beamery tracks the devices and locations used to sign in to each user account in order to identify and notify users of activity that is deemed suspicious.
Compliance certifications and memberships
Beamery is compliant with the principles of ISO 27001:2013 and is in the process of achieving certification.
U.S.-EU Privacy Shield
Beamery has certified compliance with the U.S.-EU Privacy Shield set forth by the United States Department of Commerce, as viewable on their list.
Learn more about privacy at https://www.beamery.com/policy/privacy.
Using Beamery in a GDPR Compliant Process
View our whitepaper on GDPR compliance
Beamery has developed a comprehensive set of security policies covering a range of topics. These policies are shared with, and made available to, all employees and contractors with access to Beamery information assets.
All new employees attend Security Awareness Training, which is given upon hire and annually thereafter. All engineers receive annual Secure Coding Training. The Security team provides additional security awareness updates via email, blog posts, and presentations during internal events.
Clean Desk Policy (CDP)
Employees are required to ensure that all sensitive or confidential information, in hardcopy or electronic form, is secure in their work area at the end of the day and whenever they expect to be away for an extended period. Computer workstations must be locked when the workspace is unoccupied, and shut down completely at the end of the work day. Any Restricted or Sensitive information must be removed from the desk and locked in a drawer when the desk is unoccupied and at the end of the work day. File cabinets containing Restricted or Sensitive information must be kept closed and locked when not in use or not attended. Keys used for access to Restricted or Sensitive information must not be left at an unattended desk. Laptops must be either locked with a locking cable or locked away in a drawer.
Beamery performs background checks on all new employees in accordance with local laws.
All new hires are screened through the hiring process and required to sign Non-Disclosure and Confidentiality agreements.
3rd Party Services
We have internal controls over data access and authorisation to ensure that vendors receive only the data required to supply their services, and that the data transfer process is secure.
Selection and Contractual Requirements
Prior to selecting a 3rd party provider, Beamery will specify CIA requirements for data as per the guidelines in the CIA section of this document.
We will identify the control measures in place at the vendor that are designed to meet these CIA requirements.
We will assess whether the vendor is capable of meeting these selection requirements going forward, and will ensure that these are guaranteed by contractual requirements.
We leverage several 3rd party monitoring providers that allow us to ensure our external-facing infrastructure is operating optimally. These providers primarily serve the function of alerting us to changes in internal topology and never have access to public data.