security at fusion signage
Fusion Signage Pty Ltd ACN 644 714 081
Security is important to us. Read on to understand how we keep your data safe.
1. product security
Authentication and Access
Fusion Signage allows customers to authenticate using SAML single sign-on (SSO). User accounts can be provisioned using SCIM. If SSO is not used, standalone user accounts can be created on Fusion Signage’s content management system. Passwords are encrypted using industry-standard practices in alignment with OWASP recommendations.
User roles and groups are available to Pro Licence holders to manage user access to specific functions within the content management system.
Multi-factor authentication (MFA) / two-factor authentication can be added to user accounts for an additional layer of security. Fusion Signage strongly recommends that customers use MFA.
Uptime
Fusion Signage targets an uptime of 99.9%.
2. network and servers
Hosting and Storage
Fusion Signage is a cloud-based service hosted in the AWS Sydney (ap-southeast-2) region. We are deployed in multiple availability zones for high availability. All media files are stored in AWS S3 in the same region. No customer data is stored outside Australia.
Documentation on AWS compliance can be found at https://aws.amazon.com/compliance/programs/.
Encryption
All data is encrypted at rest using AES-256 encryption.
Fusion Signage web endpoints are served over HTTPS. Our content management system uses TLS 1.3. Screen endpoints support both TLS 1.1 and 1.2 to ensure backwards compatibility for older devices.
Back-up and Recovery
Fusion Signage’s database is backed up every 5 minutes and can be restored to that point in time in the event of database corruption or loss of data. We keep 30 days of backups.
We use infrastructure as code to build our cloud infrastructure to ensure we can recreate our services consistently in the event of a major disaster.
Monitoring
All Fusion Signage online services are behind a web application firewall which proactively blocks detected threats or bad actors.
Access and application logs are kept for 90 days.
3. secure development
Development Practices
Fusion Signage engineers deploy new code to production several times a day and follow a Secure Development Lifecycle methodology. New features must pass a design review which includes threat modelling before development commences. New code must pass a code review before it can be merged to our codebase. The code review includes automated tests and security checks which must pass before the code can be merged.
We use CI/CD pipelines to ensure consistent and safe code deployments.
SAST and SCA
Fusion Signage code is scanned by Static Application Security Testing (SAST) and Software Composition Analysis (SCA) tooling on every commit to source control. These scans must pass before code can be merged.
Third-party libraries are kept up to date by an automated process that submits code reviews daily to upgrade libraries when a new version is released or a vulnerability is discovered.
Testing Environment
All code is deployed to a testing environment that is isolated from production to provide a space for safe manual testing of new code and features.
4. incidents
Fusion Signage services are monitored by automated systems which raise alarms if unusual or out-of-band activity occurs.
Engineers conduct fortnightly reviews of service metrics and logs to identify out-of-band behaviour or unusual activity.
5. vulnerability disclosure
Fusion Signage welcomes disclosures of vulnerabilities. Please review our Vulnerability Disclosure Policy for more information.
6. special thanks
Fusion Signage thanks the following people for keeping Fusion Signage secure:
- Ariel Rachamim - https://www.linkedin.com/in/ariel-rachamim/
- Kunal Mhaske - https://www.linkedin.com/in/kunal-mhaske-59928a170/
- Omri Inbar - https://www.linkedin.com/in/omri-inbar/
For more information, please get in touch at contact@fusionsignage.com.au