How secure is IntelliMails?

Many SaaS products claim they are secure simply because they use SSL (TLS). In reality, a SaaS solution requires many layered measures to be truly secure.

Here is an overview of the security measures we implement to deliver world-class security. Some of these notes are fairly technical in nature and may only make sense to security experts.

Please understand that (as a security-minded organization) we will decline all requests for confidential details such as detailed network maps, penetration testing reports, etc.

 

User Accounts

  • Passwords are subject to the following rules:
    1. At least 8 characters, including at least 3 of the following 4 character types: a lower-case letter, an upper-case letter, a digit, a special character (such as !@#$%^&*).
    2. The 8-character minimum follows OWASP guidance. Note that current OWASP and NIST guidance favours length and checks against known-breached passwords over composition rules, so longer passphrases are encouraged even where a shorter password would satisfy the rule.
  • Passwords are stored only as salted hashes, never in plaintext:
    1. A unique random salt per password defeats precomputed rainbow-table attacks: an attacker who obtains the database must attack every hash individually.
  • All password changes go through a full password reset:
    1. Users must prove they have access to their registered email account in order to change their password.
    2. Users cannot change their own email address, so the reset channel cannot be redirected by someone who has only gained control of a session.
  • Logins can be restricted to specific IP ranges.
  • Login email addresses can be required to match a specific pattern or set of domain names.
  • Single Sign-On (SSO) is available upon request.
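The following is an added example (not IntelliMails' own code) showing the two password measures above in working form: the 3-of-4 character-class policy, and per-password salted hashing with a deliberately slow key derivation function so that a leaked database cannot be attacked with rainbow tables. The iteration count and the PBKDF2-HMAC-SHA256 choice are assumptions for illustration; the page does not state which hash function is used.

```python
import hashlib
import hmac
import os
import re
from typing import Optional

# Character classes from the policy above; a password must match at least 3 of the 4.
_CHARACTER_CLASSES = (
    re.compile(r"[a-z]"),          # lower-case letter
    re.compile(r"[A-Z]"),          # upper-case letter
    re.compile(r"[0-9]"),          # digit
    re.compile(r"[^a-zA-Z0-9]"),   # anything else counts as a special character
)
MIN_LENGTH = 8
# Assumed work factor (not stated on the page): OWASP's current figure for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def password_meets_policy(password: str) -> bool:
    """Return True when the password satisfies the length and 3-of-4 class rules."""
    if len(password) < MIN_LENGTH:
        return False
    classes_present = sum(1 for pattern in _CHARACTER_CLASSES if pattern.search(password))
    return classes_present >= 3


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted hash; the stored string carries algorithm, iterations and salt."""
    if salt is None:
        salt = os.urandom(16)  # a fresh random salt per password defeats rainbow tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def register_and_login(password: str, attempt: str) -> bool:
    """End-to-end: enforce the policy at registration, then verify a login attempt."""
    if not password_meets_policy(password):
        raise ValueError("password does not meet the policy")
    stored = hash_password(password)
    return verify_password(attempt, stored)
```

Because the salt is stored alongside the hash, two users with the same password get different hashes, and `verify_password` uses a constant-time comparison so a wrong guess cannot be distinguished by timing.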

 

Web Pages

  • All web traffic is protected by TLS (SSL).
  • All web pages implement a configurable automated sign-out after a period of inactivity:
    1. The default is 1 hour; the value is entirely configurable by users.
  • All web pages send security headers that limit browser-side attacks, including:
    1. X-Content-Type-Options: nosniff, so browsers do not guess content types.
    2. X-Frame-Options: SAMEORIGIN, so pages cannot be framed by other sites (clickjacking).
    3. X-XSS-Protection: 1; mode=block (the header's blocking mode; most modern browsers have since removed the XSS filter this header controls, and Content-Security-Policy is the effective control).
    4. Content-Security-Policy, which restricts the origins from which scripts, styles, fonts and other resources may be loaded.
    5. Strict-Transport-Security (HSTS), so browsers refuse plain-HTTP connections to the site after the first visit.
    6. Access-Control-Allow-Methods and Access-Control-Allow-Headers, which limit the cross-origin (CORS) requests browsers will make to the application.
  • The web application uses a single domain for all requests:
    1. Except for specific fonts and JavaScript libraries, which are whitelisted in the Content-Security-Policy header.
  • In addition, anti-forgery tokens are generated and verified for all form POSTs:
    1. This greatly reduces the potential for cross-site request forgery (CSRF) attacks.
  • All web services run on Azure's Web App PaaS offering:
    1. Microsoft patches the underlying operating system and runtime automatically.
    2. The platform is certified against standards such as ISO 27001, SOC 1 and SOC 2.
  • All other cookies are session-only cookies, i.e. they are destroyed when the user closes the browser.
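The following is an added example (not IntelliMails' own code) covering two items above: the security headers, built with the values listed and with an audit function that flags the weak settings a reviewer would look for, and the anti-forgery token used on form POSTs, implemented as an HMAC bound to the session so a token issued to one session is rejected in another. The third-party origins in the CSP, the secret key, and the one-hour token lifetime (aligned with the default inactivity sign-out) are assumptions for illustration.

```python
import hmac
import secrets
import time
from typing import Dict, List, Optional

# Assumed third-party origins standing in for the fonts / JavaScript libraries the page whitelists.
DEFAULT_SCRIPT_SOURCES = ("https://cdnjs.cloudflare.com",)
DEFAULT_FONT_SOURCES = ("https://fonts.gstatic.com",)
ONE_YEAR = 31536000


def build_security_headers(script_sources=DEFAULT_SCRIPT_SOURCES,
                           font_sources=DEFAULT_FONT_SOURCES) -> Dict[str, str]:
    """Response headers for the policy above; anything not whitelisted falls back to 'self'."""
    csp = "; ".join([
        "default-src 'self'",
        "script-src 'self' " + " ".join(script_sources),
        "font-src 'self' " + " ".join(font_sources),
        "object-src 'none'",
        "frame-ancestors 'self'",   # the CSP equivalent of X-Frame-Options: SAMEORIGIN
    ])
    return {
        "Content-Security-Policy": csp,
        "Strict-Transport-Security": f"max-age={ONE_YEAR}; includeSubDomains",
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "SAMEORIGIN",
        "X-XSS-Protection": "1; mode=block",   # legacy header; CSP is the effective control
        "Access-Control-Allow-Methods": "GET, POST",
        "Access-Control-Allow-Headers": "Content-Type",
    }


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Check a response's headers against the policy; an empty list means it passes."""
    h = {name.lower(): value for name, value in headers.items()}
    findings = []
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is missing or not 'nosniff'")
    if h.get("x-frame-options", "").strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options is missing or permissive")
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("Content-Security-Policy is missing")
    elif "'unsafe-inline'" in csp or "*" in csp.replace(";", " ").split():
        findings.append("Content-Security-Policy allows 'unsafe-inline' or a wildcard source")
    max_age = 0
    for directive in h.get("strict-transport-security", "").split(";"):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age" and value.strip().isdigit():
            max_age = int(value)
    if max_age < ONE_YEAR:
        findings.append("Strict-Transport-Security is missing or max-age is under one year")
    if h.get("access-control-allow-origin", "").strip() == "*":
        findings.append("Access-Control-Allow-Origin is a wildcard")
    return findings


class CsrfTokens:
    """Anti-forgery tokens for form POSTs: an HMAC over the session id and issue time,
    so a token is valid only for the session it was issued to and needs no server-side store."""

    def __init__(self, secret_key: bytes, ttl_seconds: int = 3600):
        self._key = secret_key
        self._ttl = ttl_seconds  # 3600 s matches the page's default inactivity sign-out

    def issue(self, session_id: str, now: Optional[int] = None) -> str:
        issued = int(time.time()) if now is None else now
        nonce = secrets.token_hex(8)
        return f"{issued}.{nonce}.{self._mac(session_id, issued, nonce)}"

    def verify(self, session_id: str, token: str, now: Optional[int] = None) -> bool:
        try:
            issued_text, nonce, mac = token.split(".")
            issued = int(issued_text)
        except ValueError:
            return False  # malformed token
        current = int(time.time()) if now is None else now
        if not 0 <= current - issued <= self._ttl:
            return False  # expired or from the future
        return hmac.compare_digest(mac, self._mac(session_id, issued, nonce))

    def _mac(self, session_id: str, issued: int, nonce: str) -> str:
        message = f"{session_id}|{issued}|{nonce}".encode("utf-8")
        return hmac.new(self._key, message, "sha256").hexdigest()
```

The server embeds `issue(session_id)` in each form and calls `verify(session_id, posted_token)` before processing the POST; a cross-site page can cause the browser to submit the form but cannot read the token, and a token stolen from another session fails the HMAC check.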

 

Data Storage

  • All data is stored in Microsoft Azure:
    1. All workspace data is stored in Azure's SQL Database PaaS offering.
    2. Microsoft patches the underlying database engine and hosts automatically.
    3. The platform is certified against standards such as ISO 27001, SOC 1 and SOC 2.
  • All backups are stored in Azure storage accounts with public access disabled.

 

Application Security

  • IntelliMails implements security roles such as full admin, limited admin and user:
    1. This allows each deployment to control which users may access which resources.
    2. Role checks are enforced in the data retrieval logic itself, so users other than full admins cannot retrieve team charts; the restriction does not depend on the user interface hiding the option.
  • Access to your data is granted to our employees only on a need-to-know basis.

 

Source Code

  • Source code is regularly audited for potential vulnerabilities and threats, both manually and with automated tools.
  • Source code includes hundreds of security-related unit tests that verify aspects such as data filtering, user authentication and role enforcement.
  • Security unit and integration tests cover positive, negative, fuzzed, edge-case and invalid inputs.
  • All database access goes through an object-relational mapper (Entity Framework), which parameterizes every query so user input is never concatenated into SQL text. This removes the SQL injection vector for all ORM-generated queries.
  • All page generation passes user-supplied strings through an encoding library, so script injection (XSS) is prevented wherever output is encoded for its HTML context.
  • All developers must complete extensive security training.
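The following is an added example (not IntelliMails' own code) that shows why the two measures above work, using an in-memory SQLite table constructed for the purpose: the string-concatenated query beside the parameterized one that an ORM generates, driven with an injection payload, and raw HTML interpolation beside contextual output encoding for a stored name that carries markup. Table layout, sample rows and the payload are all constructed for illustration.

```python
import html
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, display_name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice@example.com", "Alice", "full_admin"),
        ("bob@example.com", "<img src=x onerror=alert(1)>", "user"),  # stored XSS attempt
    ])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, email: str) -> List[Tuple[str, str]]:
    """The anti-pattern: the value is spliced into the SQL text and becomes part of its grammar."""
    query = "SELECT email, display_name FROM users WHERE email = '" + email + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, email: str) -> List[Tuple[str, str]]:
    """What an ORM does underneath: the value is bound as a parameter and never parsed as SQL."""
    return conn.execute(
        "SELECT email, display_name FROM users WHERE email = ?", (email,)
    ).fetchall()


# Constructed payload: closes the string literal and adds a tautology.
INJECTION_PAYLOAD = "' OR '1'='1"


def render_greeting_vulnerable(display_name: str) -> str:
    """Raw interpolation: a stored name containing markup is executed by the browser."""
    return f"<p>Hello, {display_name}</p>"


def render_greeting_safe(display_name: str) -> str:
    """Contextual output encoding for an HTML text node, as an encoding library provides."""
    return f"<p>Hello, {html.escape(display_name, quote=True)}</p>"


def demo() -> dict:
    """Run both lookups with the payload and render the stored-XSS name both ways."""
    conn = make_db()
    bob = find_user_safe(conn, "bob@example.com")[0][1]
    return {
        "vulnerable_rows": len(find_user_vulnerable(conn, INJECTION_PAYLOAD)),  # every row leaks
        "safe_rows": len(find_user_safe(conn, INJECTION_PAYLOAD)),              # no such email
        "safe_lookup": len(find_user_safe(conn, "bob@example.com")),
        "rendered_vulnerable": render_greeting_vulnerable(bob),
        "rendered_safe": render_greeting_safe(bob),
    }
```

The caveat for an ORM is that the protection holds only for queries it builds; any raw-SQL escape hatch fed a concatenated string reintroduces the first case, so such calls deserve the same parameterization and the same unit tests.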

 

Compute

  • All computation runs on Azure's Web App PaaS offering:
    1. Microsoft patches the underlying operating system and runtime automatically.
    2. The platform is certified against standards such as ISO 27001, SOC 1 and SOC 2.

 

Data Policy

  • Your data will never be shared with or sold to any third party.
  • We will never share or sell your data.
  • We will never share or sell an aggregated or transformed version of your data.