Introduction
At Paradigm Hosting services we take the security of our customers’ data and access to the server resources extremely seriously.
Our Paradigm Hosting division uses the following security measures for the server and Paradigm application when setting up and administering a customer’s hosted server. The premise is to allow nothing and then build exceptions where we are authorised by the customer to allow access.
Customers that host their own servers should also implement these measures to ensure proper security. Starting at the Windows Server platform and working outwards toward the actual connection method and Paradigm application security, we can implement the following:
1. User security in Paradigm
Although Paradigm allows multiple companies’ data to reside in a single Paradigm database, this data is secured via Paradigm’s security module.
Paradigm’s framework and security modules are extremely customisable and powerful. They have the following features:
User access can be restricted and controlled as follows:
- By User Role
  - Users can be linked to several Roles to “build” their overall access.
- By Data Type
  - Customer Documents, Supplier Documents, Inventory Transactions, Tasks, Master Files, and all other data types within Paradigm.
- By Reports
  - Dashboards, Pivot Tables, Charts, Reports.
- By Filtering
  - Further filtering of records per user can be done in addition to the access restrictions; for example, a user can only see his own records or specific records within a company, branch, warehouse etc.
- Levels of Restriction
  - Company, Menus, Records, Fields.
- By Status
  - All permissions and visibility of data can change as the status of each of the data types changes.
Example (Applicable throughout Paradigm’s functionality):
Access to a customer document could proceed as follows:
Status 1: User A creates and edits a document.
Status 2: Locked to originating user, but content still visible, open to others.
Status 3: Invisible to originating user, visible to others.
Status 4: Complete, locked, visible to originating user and others.
2. Database Security
Option: By default.
Method: Security is managed by only enabling specific users to use MS Studio and providing all users with individual user names and passwords with specific access rights.
Description: Managed via SQL Security integrated with Windows Active Directory.
3. Paradigm Hosting
Paradigm Hosting uses 5-Level Security with TS-Plus Remote Desktop Client Software.
Level 1
Option: Default Paradigm setup.
Method: Windows Server Active Directory (AD).
Description: Utilising Windows AD services, we can lock down a user to file level access.
Detail: If a user should only be able to edit one, single Word document, AD security will be configured accordingly.
Level 2
Option: By customer request.
Method: Access to the Server.
Description: TS-Plus offers two extra layers of physical security to keep your users' connections safe. There are 3 options available, namely, the connection can be locked to the ID of a USB key, to a computer name, or both.
Detail: If locked to a USB key, the user can initiate a connection from any qualifying Windows computer by inserting the USB key and using the connection program placed there by the administrator. If locked to a computer name, the user can only successfully connect from the computer whose name has been registered with the server for that user's portable customer connection. If both security options are used, the user is limited to connecting from their specific device and only if the correct pre-configured USB key is in place.
Level 3
Option 3.1: By customer request.
Method: Activating Mutual SSL Authentication.
Description: Mutual SSL authentication, or certificate-based mutual authentication, refers to two parties authenticating each other by verifying the provided digital certificates so that both parties are assured of the other's identity.
Detail: In technology terms, it refers to a customer (web browser or customer application) authenticating themselves to a server (website or server application) and that server also authenticating itself to the customer through verifying the public key certificate/digital certificate issued by the trusted Certificate Authorities (CAs). Because authentication relies on digital certificates, certification authorities such as Verisign or Microsoft Certificate Server are an important part of the mutual authentication process.
Option 3.2: By customer request.
Method: TS-Plus Add-on: RDS-Knight
Description: Available in two Editions:
1. RDS-Knight Security Essentials
The essential security package that focuses on keeping remote connections in a safe place for all users with three fundamental protective measures. It is the efficient “turn-key” security solution that every RDS Administrator needs.
2. RDS-Knight Ultimate Protection
Based on the Essentials Edition, it provides two additional protective features intended to lock down RDS Servers and protect them against any breach that could lead an organization to a failure. Each of these measures can be applied differently per user and per group. It is the essential shield for securing large environments, running on Servers with multiple connections.
Detail: When it comes to exposing Remote Desktop Protocol to direct connections, you need a solid, secure server to protect your systems against remote attackers. Due to the innovative techniques available to modern cyber-criminals and a use-after-free vulnerability in the Microsoft solution, hackers from across the globe can easily access login credentials, carry out ransomware attacks and run arbitrary code on the targeted systems.
Level 4 – by default
Option: By default.
Method: Full Inspection Software Firewall, Intrusion Detection and Prevention.
Description: Our Firewall policies are simple: Only allow what should be allowed. Reject everything else by protocol, by port.
Detail: In short, every single connection source is physically inspected and approved by us. Although tedious, we leave nothing to chance. Our firewalls warn us of any unknown attempts, and the policy is to reject until we action the warning to enable access.
Level 5 - by customer request
Option: By customer request.
Method: Database Encryption.
Description: Encryption is the process of obfuscating data using a key or password.
Detail: (TLS 1.2) – Ideal option. This can make the data useless without the corresponding decryption key or password. Encryption does not solve access control problems. However, it enhances security by limiting data loss even if access controls are bypassed. For example, if the database host computer is misconfigured, and a hacker obtains sensitive data, that stolen information might be useless if it is encrypted.
(TDE) – Optional, and resource intensive. Transparent Data Encryption (TDE) encrypts SQL Server Warehouse data files, known as encrypting data at rest. You can take several precautions to help secure the database such as designing a secure system, encrypting confidential assets, and building a firewall around the database servers. However, in a scenario where the physical media (such as drives or backup tapes) are stolen, a malicious party can just restore or attach the database and browse the data. One solution is to encrypt the sensitive data in the database and protect the keys that are used to encrypt the data with a certificate. This prevents anyone without the keys from using the data, but this kind of protection must be planned. TDE performs real-time I/O encryption and decryption of the data and log files. The encryption uses a database encryption key (DEK), which is stored in the database boot record for availability during recovery. The DEK is a symmetric key secured by using a certificate stored in the master database of the server or an asymmetric key protected by an EKM module. TDE protects data "at rest", meaning the data and log files. It provides the ability to comply with many laws, regulations, and guidelines established in various industries. This enables software developers to encrypt data by using AES and 3DES encryption algorithms without changing existing applications.