Security White Paper

Overview

Information security is of paramount importance to our customers. Security is a core functional
requirement to protect data from accidental or deliberate compromise, theft, leakage, and deletion.
Sockeye combines enterprise-class security features with systematic monitoring of our applications,
networks, and business processes to ensure customer data is always protected.

Physical Security

Standards

Sockeye has partnered with Microsoft Azure as our primary Infrastructure as a Service and
Platform as a Service vendor. Microsoft Azure datacenters meet ISO/IEC 27001/27018,
SOC 1, SOC 2, CSA, PCI DSS, HIPAA, and country-specific standards like Australia IRAP, UK G-Cloud,
and Singapore MTCS.

“Technical deployment was a piece of cake with Sockeye!”

– IT Director, AV Nackawic

Facilities

Azure runs in geographically distributed Microsoft facilities. Each facility runs 24/7/365 with multiple
measures to protect operations from power failure, physical intrusion, and network outages. All facilities
comply with industry standards (such as ISO 27001) for physical security and availability and are managed,
monitored, and administered by Microsoft operations personnel.

Physical Access

Azure’s physical infrastructure and data center facilities are protected by industry-standard access
mechanisms. Access is limited to the minimum required operations personnel. Datacenter access, and the
authority to approve datacenter access, are controlled by Microsoft operations personnel in alignment with
datacenter security practices and audited in accordance with established frameworks such as SOC 3.

Power Redundancy and Failover

Azure data centers meet the Uptime Institute’s Tier IV data center standards. Each facility has multiple
sources of electrical power and power availability is enabled by facility-wide UPS and on-site generators.
In the event of local/regional blackouts or disaster, the data center can provide uninterrupted power to
systems for several days without refuelling generators. Physical security controls are designed to “fail
secure” during power outages or other environmental incidents.

Identity and Access Management

Access Privileges & Roles

Access to data and features within Sockeye is governed by configurable access rights, with various user
permission levels.

User Authentication

Sockeye’s built-in authentication encrypts all network communications and follows
OWASP best practices for secure credential storage: passwords are never stored. Instead, one-way
hashes (bcrypt) combined with credential salting are used for authentication.

Single sign-on (SSO)

For Enterprise accounts, single sign-on (SSO) is available to authenticate users in your systems
without requiring them to enter additional login credentials for your Sockeye account. Sockeye supports
Security Assertion Markup Language (SAML).

Two-factor authentication (2FA)

For Enterprise accounts using the built-in Sockeye authentication, 2-factor authentication (2FA) is
available via Azure Multi-Factor Authentication for generating passcodes.

Configurable Password Policy

For Enterprise accounts using the built-in Sockeye authentication, configurable password policy rules are
available.

IP Restrictions

For Enterprise accounts, Sockeye can be configured to only allow access from specific IP address ranges you define.

Application and Data Security

Training and Secure SDLC

At least annually, engineers participate in secure code training covering OWASP’s Top 10 security flaws,
common attack vectors, and secure software development life-cycle practices.

QA

Our application QA and regression-testing process includes steps for identifying, testing, and triaging
security vulnerabilities.

Application Security Controls

Sockeye utilizes ASP.NET framework security features to limit exposure to OWASP Top 10 security flaws.
These include features to reduce exposure to Cross Site Scripting (XSS), Cross-Site Request Forgery (CSRF),
and SQL Injection (SQLi), among others.

Separate Environments

We maintain testing and staging environments physically and logically separate from the production
environment.

Dynamic Vulnerability Scanning

We contract with a third-party service to run continuous dynamic scans of our applications against the
OWASP Top 10 security flaws.

Static Code Analysis

The source code repositories for Sockeye are regularly scanned for security issues via static analysis
tooling.

Backups and Data Loss Prevention

Automated nightly backups are created for all production databases. Backup storage is on separate Azure
servers in a different geographical region from production databases. Backup logs are monitored daily
and backup database integrity is verified weekly.

Encryption in Transit

Communications between users and Sockeye servers are encrypted following industry best practices, using HTTPS
with strong encryption (256-bit RSA) and Transport Layer Security (TLS).

Encryption at Rest

Encryption at rest is used for backup data storage.

Monitoring, Logging, and Network Security

Network Protection and Monitoring

Sockeye’s application network is protected by redundant firewalls, best-in-class router technology, secure
HTTPS transport over public networks, regular audits, and network Intrusion Detection and/or Prevention
technologies (IDS/IPS) which monitor and/or block malicious traffic and network attacks. Sockeye servers
are configured to minimize attack surfaces, with all non-essential services disabled or removed.

Automatic Scanning and Vulnerability Tests

In addition to internal scanning and testing, we contract a 3rd-party security service to perform external
scans for network or server vulnerabilities, both at the OS level and application level. Upon discovery,
new risks are ranked in accordance with the National Vulnerability Database Common Vulnerability Scoring
System. Remediation is prioritized according to the risk and can be fully tested and deployed within hours
if necessary.

Logical Access

Only Sockeye employees can access Sockeye servers, and all access is restricted on an explicit
need-to-know basis, follows least privilege, and is frequently audited and monitored.

Security Patches and Bulletins

All applicable security updates are applied as soon as practical, typically daily, and we review and
implement all relevant Microsoft security bulletins.

Server Access Logging

Server access event logs are reviewed regularly to check for unauthorized access attempts, with corrective
measures prescribed as needed. Unauthorized access attempts include port-scan attacks, evidence of
unauthorized login attempts, and other anomalous occurrences not related to specific applications on the
host.