Security - Thomas Telman

Security

Physical Security 


Thomas Telman servers are co-located in some of the most respected datacenter facility providers in the world. We leverage all of the capabilities of these providers including pysical security and environmental controls to secure our infrastructure from physical threat or impact. Each site is staffed 27/7/365 with on-site physical security to protect against unauthorized entry. Security controls provided by our datacenter facilities includes but is not limited to:

 

  •  24/7 Physical security services

  • Physical entry restrictions to the property and the facility

  • Physical entry restrictions to our co-located datacenter within the facility

  • Full CCTV coverage externally and internally for the facility

  • Biometric readers with two-factor authentification

  • Facilities are unmarked as to not draw attention from the outside

  • Battery and generator backup

  • Generator fuel carrier redundancy 

  • Secure loading zones for delivery of equipment

Infrastructure Security

The infrastructure is secured through a defense-in-depth layered approach. Access t the management network infrastructure is provided through multi-factor authentification points which restrict network-level access to infrastructure based on job function utilizing the principe of least privilege. All access to the ingress points are closely monitored, and are subject to stringent change control mechanisms.
Systems are protected through key-based authentification and access is limited by Role-based Access Control (RBAC). RBAC ensures that only the users who require access to a system are  able to login. We consider any system which houses customer data that we collect, or systems which house the data customers store with us to be of the highest sensitivity. As such, access to these systems is extremely limited and closely monitored.
Additionally, hard drives and infrastructure are surely erased before being decommissioned or reused to ensure thet your data remains secure.
Access Logging
Systems controlling the management network of our hosting providers log to a centralized logging environment to allow for perfomance and security monitoring. This logging includes system actions as well as logins and commands issued by system administrators.

Security Monitoring

The security team utilizes monitoring and analytics capabilities to identify potentially malicious activity within our infrastructure. User and system behaviors are monitored for suspicious activity, and investigations are perfomed following our incident reporting and response procedures.

Snapshots and Backup  Security

Snapshot and Backups are stored on an internal non-publicly visisble network on NAS/SAN servers. We can directly manage the regions where our snapshots and Backups exist wich allows us to control where our data resides within our hosting partners datacenters for security and compliance purposes.

Backups / Disaster Recovery 

  • We plan to retain 14 full backups of all our databases for up to 3 months: 1/day for 7 days, 1/week for 4 weeks, 1/month for 3 months

  • Backups are replicated in at least 2 different data centers

  • Hardware failover: we will implement local hot standby replication when the customer volume and revenue support it.

  • Disaster recovery: in case of complete disaster, with a data center entirely down we will use the backups to run in another data center

Application Security

The thomas Telman platform is deployed in data centers and offers the following security features.

Password Security

  • Customer passwords are protected with industry-standard PBKDF2+SHA512 encryption (salted + stretched for thousands of rounds)

  • Thomas Telman staff do not have access to passwords, and cannot retrieve them, the only option is to resit it

  • Login credentials are always transmitted securely over HTTPS

System Security

  • All Thomas Telman servers are tunning hardened Linux distributions with up-to-date security patches

  • Installations are ad-hoc and minimial to limit the number of services that vulnerabilities.

  • Only a few trusted Thomas Telman engeneers have clearance to remotely manage the servers - and access is only possible using SSH key pairs (password authentification disallowed)

  • Firewalls and instrusion counter-measures help prevent unauthorized acccess

  • Automatic Distributed Denial of service (DDoS) mitigation is implemented in the data centers.


Communications

  • All web connections to client instances are protected with state-of-the-art 256-bit SSL encryption

  • Oour servers are kept under a strict security watch, and always patched against the latest SSL vulnerabilities, enjoying Grade A SSL ratings at all times.

  • All our SSL certificates use robust 2048-bit modulus with full SHA-2 certificates chains


Software Security

The thomas Telman platform is built on Odoo. Odoo is open source, so the whole codebase is continuously under examination bay users and contributors worldwide. Community bug reports are therefore one important source of feedback regarding security. Developpers are encouraged to audit the code and report security issues.
The R&D processes have code review steps that include security aspects, for new and contributed pieces of code.


Secure by design

The application are designed in a way that prevents introducing most common security vulnerabilities:

  • SQL injections are prevented by the use of a higher-level API that does not require manual SQL queries

  • XSS attracks are prevented by the use of high-level templating system that automatically escapes injected data

  • The framework prevents RPC access to private methods, making it harder to introduce exploitable vulnerabilities