Security

As a cloud solutions provider for over 20 years, we guarantee world-class security for our customers

Cloud security

Data Center Physical Security

Facilities
CatalystOne hosts service data in Microsoft Azure data centers that
have been certified as ISO 27001, PCI DSS Level 1 and/or
SOC 2 compliant.
Learn more about Azure Data Centers here.

Azure infrastructure services include backup power, HVAC
systems, and fire suppression equipment to help protect servers and
ultimately your data.
Learn more about data center controls here.

On-Site security
Azure on-site security includes features like security guards, fencing, security feeds, intrusion detection technology, and other security measures.
Learn more about Azure physical security.

Data Hosting Locations
CatalystOne uses Azure data centers in Ireland and the Netherlands.


Security controls

Our Security Team is on call 24/7 to respond to security alerts and events.

Our network is protected through the use of Azure Security Services including Azure Defender for Cloud, integration with our Cloudflare edge protection networks, regular audits, and network intelligence technologies, which monitor and/or block known malicious traffic and network attacks.

Network security scanning gives us deep insight for quick identification of non-compliance, suspicious behaviour and potentially vulnerable systems.

In addition to our extensive internal scanning and testing programme, CatalystOne not only conducts continuous internal penetration tests, but also employs third-party security experts to perform a broad penetration test of the CatalystOne application on an annual basis.

Our Security Information and Event Management (SIEM) system gathers extensive logs from important network devices and host systems. The SIEM alerts on triggers based on correlated events and notifies the Security team for investigation and response.

With the use of world-class security tools, we are able to detect and prevent intrusion attempts automatically. Alerts are sent automatically to the Security and Operations Team, who analyse and remediate where necessary. These tools include 24/7 monitoring and alerting.

CatalystOne works proactively against threats to privacy and security: our in-house Threat Intelligence Team conducts continuous research and analysis. In addition, CatalystOne receives threat intelligence from several third parties that is relevant to our environment.

CatalystOne has architected a multi-layer approach to DDoS mitigation. A technology partnership with Cloudflare provides network edge defenses, while the use of Azure scaling and protection tools provides deeper protection.

Access to the CatalystOne Production Network is restricted on an explicit need-to-know basis, utilizes least privilege, is frequently audited and monitored, and is controlled by our Cloud Delivery Team. Employees accessing the CatalystOne Production Network are required to use multiple factors of authentication.

In case of a system alert, events are escalated to our 24/7 teams providing Cloud Delivery, Application Support, and Security coverage. Employees are trained on security incident response processes, including communication channels and escalation paths.

Encryption

Encryption in Transit

All communications with the CatalystOne UI and APIs are encrypted via industry-standard HTTPS/TLS (TLS 1.2 or higher) over public networks. This ensures that all traffic between you and CatalystOne is protected in transit. Additionally, for email, our product uses opportunistic TLS by default: Transport Layer Security (TLS) encrypts email in transit between mail servers, mitigating eavesdropping where the peer mail service supports the protocol.

Encryption at Rest

Service Data is encrypted at rest in Azure using AES-256 encryption.

Availability & Continuity

CatalystOne maintains a publicly available status page at status.catalystone.com which includes system availability details, scheduled maintenance and relevant security events.

CatalystOne employs service clustering and network redundancies to eliminate single points of failure. Our strict backup regime with geo-replication of data allows us to deliver a high level of service availability, as Service Data is replicated across availability zones.

Our clustered architecture ensures a high level of service availability, utilizing multiple data centers to deliver the service to our customers. Data is geo-replicated between geographical locations, and infrastructure can be deployed quickly if necessary. The CatalystOne Disaster Recovery process is verified yearly.


Security processes within CatalystOne

To ensure that our product and services meet the highest security standards, we undergo an annual
ISAE 3000 Type 2 attestation and follow the CIS Critical Security Controls. An ISO 27001:2013 audit is scheduled for the second half of 2022.

Information Security Awareness and Communication

We believe that a good security culture is paramount to a secure organisation. The CatalystOne Security Strategy states how security is every employee's responsibility, with guidance and support from the Security Team. We believe that excellent security is the result of not only highly skilled IT security professionals but also a strong security culture within the organisation.

To create such a strong security culture, we have created a Security Awareness Programme whose main objective is to continuously educate, support, and guide our employees about possible threats and risks when it comes to information security. This is something we're passionate about, because we firmly believe that our employees are part of a joint effort to keep CatalystOne secure.

In CatalystOne we have a team dedicated to security awareness, training, and communication. This choice is based on our belief that knowledge about information security is something that is of concern to every single employee.


CatalystOne conducts a thorough Vendor Security Risk Assessment on every vendor, subprocessor and supplier, prior to any utilization.

For any vendors already in use, the Security Team runs an annual audit to ensure that the security controls, contacts, and policies in place are still acceptable.

For any new vendors, a full risk assessment is sent to the vendor's security team to understand their data center location, security controls, privacy policies, and internal processes.

CatalystOne conducts a thorough annual internal audit based on the following (this list is not exhaustive):

  • All security processes
  • All security policies
  • All 3rd party tools
  • All subprocessors
  • All partners
  • SDLC
  • CIS Critical Security Controls
  • Access Management
  • End of Line
  • Vulnerability management
  • Patch management
  • Security Awareness
  • Incident Management
  • Risk Management

Application Security

Secure Development (SDLC)

Secure Code Training
Annual secure code training for all engineers, based on the OWASP Top 10 security risks.

Framework Security Controls
CatalystOne leverages modern and secure open-source frameworks with security controls to limit exposure to OWASP Top 10 security risks. These inherent controls reduce our exposure to SQL Injection (SQLi), Cross Site Scripting (XSS), and Cross Site Request Forgery (CSRF), among others.

Quality Assurance
Our Quality Assurance (QA) department reviews and tests our code base. Dedicated application security engineers on staff identify, test, and triage security vulnerabilities in code.

Separate Environments
Testing and staging environments are logically separated from the production environment. No Service Data is used in our development or test environment.

Vulnerability Management

Dynamic Vulnerability Scanning:
CatalystOne utilizes world-class third-party security tools to continuously and dynamically scan our core applications for common web application security risks, including, but not limited to, the OWASP Top 10. We maintain a dedicated in-house product security team to test and work with engineering teams to remediate any discovered issue.

Software Composition Analysis
We scan the libraries and dependencies used in our products to identify vulnerabilities and ensure the vulnerabilities are managed accordingly.

Third-Party Penetration Testing

In addition to our extensive internal scanning and testing programme, CatalystOne runs continuous internal penetration tests and employs third-party security experts to perform a broad penetration test of the CatalystOne application.

Product Security

Authentication Security

Authentication Options

CatalystOne supports several authentication methods: native CatalystOne authentication and/or Enterprise SSO (SAML 2.0).

Configurable Password Policy
CatalystOne native authentication allows our customers to define the complexity rules for passwords to support their business rules.

2-Factor Authentication (2FA)
CatalystOne native authentication offers 2FA via email or SMS.

Service Credential Storage
CatalystOne follows secure credential storage best practices: passwords are never stored in human-readable form, only as the result of a secure, salted, one-way hash.

Additional Product Security Features

Role-based Access Control
Access to data within CatalystOne is governed by role-based access control (RBAC) and can be configured to define granular access privileges, empowering our customers to create user groups and assign members and permissions to control who sees what and who is able to perform which tasks.

Audit-logs
CatalystOne offers several audit logs within the application to provide insight into what is happening in the application, for example logins and configuration changes.

Email Signing (SPF, DKIM/DMARC)
CatalystOne offers SPF, DKIM and DMARC for signing outbound emails from CatalystOne.

Device tracking
CatalystOne tracks the devices used to sign in to each user's account. When someone signs in to an account from a new device, it is added to the device list in that user's profile. That user can receive an email notification when a new device is added, and should follow up if the activity seems suspicious. Suspicious sessions can be terminated through the agent UI.


HR Security

Security Awareness

Policies
CatalystOne has developed a comprehensive set of security policies covering a range of topics. These policies are
shared with and made available to all employees and contractors with access to CatalystOne information assets.

Employee Vetting
CatalystOne performs background checks on all new employees in accordance with local laws.

Training
All employees attend Security Awareness Training, given upon hire as part of onboarding and continuously in the years thereafter. All engineers receive annual Secure Code Training. The Security team provides additional security awareness updates via email, blog posts, and presentations during internal events.

Confidentiality Agreements
All new hires are required to sign Non-Disclosure and Confidentiality agreements.


Governance, Risk and Compliance (GRC)

GRC within CatalystOne is about defining and specifying the security principles we follow. This includes managing risk to promote the achievement of objectives, and ensuring that we comply with all policies and legal requirements.

In CatalystOne, we work actively with GRC, ensuring that Information Security is at a balanced level within each department in order to reach our objectives.

In GRC, governance is necessary for setting direction (through strategy and policy), monitoring performance and controls, and evaluating outcomes. It considers the areas in which we operate and the ever-changing risks we face as a company. Compliance ensures that we adhere to the rules set through legal requirements and our internal policies.

GRC allows us to operate more efficiently, share information more effectively, better report activities, and avoid wasteful overlaps.

Contact us for Security details

If you'd like to know more about how we keep our customers' data safe, please feel free to contact us.