CoreView security overview

  • Last update on September 30th, 2024

In this article, you will find an overview of our security implementations, including our hosting infrastructure, data encryption practices, access control measures, and continuous vulnerability management. 

Additionally, we cover employee security training, business continuity planning, key certifications, and protective measures such as firewalls and regular penetration testing.

 

Certifications

CoreView holds the following certifications:

  • ISO 9001: Quality Management System
     
  • ISO 27001: Information Security Management
     
  • ISO 27018: Protection of Personal Data in the Cloud
     
  • SOC 2 Type 2 and SOC 3: System and Organization Controls reports covering the Trust Services Criteria of Security, Availability, Processing Integrity, Confidentiality, and Privacy

Additionally, we plan to complete an IRAP assessment (the Australian Infosec Registered Assessors Program) in 2025.

 
 

Infrastructure and data management

  • Our application is hosted on Microsoft's Azure cloud platform, with data centers located in:
    • Europe
    • United States (including the Azure Government cloud, GCC, for US Government customers)
    • Canada
    • Australia
    • United Kingdom
       
  • We ensure logical partitioning of customer tenants to maintain data separation and security.
     
  • For continuous monitoring and security, our platform is observed around the clock using a combination of:
    • Microsoft Sentinel
    • Azure Monitor
    • Azure Application Insights
    • Zabbix
    • Grafana
    • and Sysdig.
       
  • For real-time updates on our system's status, please visit our public status dashboard at https://status.coreview.com
 
 

Data

  • All data is encrypted in transit (TLS) and at rest (256-bit AES).
     
  • Only metadata is collected, using the Microsoft Graph API and service accounts that hold the read-only Global Reader role. These accounts are protected by Conditional Access policies that allow sign-in only from specific IP addresses.
     
  • For US Government customers, data is hosted in the Microsoft Azure Government Computing Cloud (GCC).
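The control described above (a read-only collector account whose sign-ins are limited to known source IP addresses) can be expressed as a named location plus a "block everywhere else" Conditional Access policy. The script below is an added example written for this page, not CoreView's own configuration; the tenant, UPN, IP ranges and policy names are placeholders, and it assumes the Microsoft.Graph PowerShell SDK and an administrator with the listed scopes. It applies to a user-type service account; a service principal would instead need a Conditional Access policy for workload identities, which supports location conditions only and requires Workload Identities Premium licensing.

```powershell
# Added example, not CoreView's configuration. Placeholders: tenant, UPN, IP ranges, names.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
                        'User.Read.All', 'AuditLog.Read.All', 'Directory.Read.All'

# 1. Named location: the only egress addresses the collector may sign in from (placeholder CIDRs).
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Metadata collector egress'
    isTrusted     = $false
    ipRanges      = @(
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = '203.0.113.10/32' },
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = '203.0.113.11/32' }
    )
}

# 2. The read-only service account (placeholder UPN) that holds the Global Reader role.
$svc = Get-MgUser -UserId 'svc-graph-reader@contoso.example'

# 3. Block every sign-in of that account from any location except the named location.
#    A block is the right control here: a non-interactive account cannot satisfy an MFA prompt,
#    so "require MFA" would silently turn into "always fail" or be worked around.
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'Service account: metadata collector egress only'
    state       = 'enabledForReportingButNotEnforced'   # switch to 'enabled' after reviewing sign-in logs
    conditions  = @{
        users        = @{ includeUsers = @($svc.Id) }
        applications = @{ includeApplications = @('All') }
        locations    = @{
            includeLocations = @('All')
            excludeLocations = @($location.Id)
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

# 4. Verify against recent sign-ins: outside the allow-list the policy result should read
#    'reportOnlyFailure' while in report-only mode and 'failure' once enforced.
Get-MgAuditLogSignIn -Filter "userId eq '$($svc.Id)'" -Top 5 |
    ForEach-Object {
        $applied = $_.AppliedConditionalAccessPolicies | Where-Object DisplayName -eq $policy.DisplayName
        [pscustomobject]@{ Time = $_.CreatedDateTime; IP = $_.IPAddress; Result = $applied.Result }
    }
```

Start in report-only mode and confirm from the sign-in log that only the collector's real egress addresses appear before enforcing; a policy that blocks the collector's own traffic will show up as a sudden gap in metadata rather than as an alert.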
 
 

Access control

  • Our application is hosted in Azure, leveraging Microsoft's physical data center controls.
     
  • Privileged access by CoreView personnel is granted strictly on the basis of job necessity and is performed through dedicated security tooling and jump boxes that accept connections only from specific IP addresses.
     
  • All privileged activity is logged to a SIEM platform, and video recordings of privileged sessions are retained for 10 years.
 
 

Operator access

  • Operators sign in with Single Sign-On (SSO) using their Microsoft accounts, so no operator credentials are stored in CoreView.
     
  • Multifactor authentication is enforced for added security.
     
  • For advanced management mode, service account credentials are stored in Azure Key Vault.
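To show what "stored in Azure Key Vault" should look like in practice, the following is an added example (not CoreView's own code) of storing a service account password with an expiry, granting a workload's managed identity read access to only that secret, reading it at runtime without any credential on disk, and listing secrets that are due for rotation. It assumes the Az.KeyVault, Az.Resources and Az.ManagedServiceIdentity modules; the vault, resource group, identity and account names are placeholders.

```powershell
# Added example, not CoreView's code. Placeholders: vault, resource group, identity, UPN.
$vault  = 'kv-coreview-example'
$secret = 'svc-advanced-mgmt-password'

# 1. Store the credential with an expiry so rotation is enforced by the vault, not just intended.
$value = Read-Host -AsSecureString -Prompt 'Service account password'
Set-AzKeyVaultSecret -VaultName $vault -Name $secret -SecretValue $value `
    -ContentType 'entra-user-password' `
    -NotBefore (Get-Date) -Expires (Get-Date).AddDays(90) | Out-Null

# 2. Grant the workload's managed identity read access to this one secret only (RBAC scoped
#    to the secret, rather than a vault-wide access policy).
$identity = Get-AzUserAssignedIdentity -ResourceGroupName 'rg-example' -Name 'id-advanced-mgmt'
$vaultId  = (Get-AzKeyVault -VaultName $vault).ResourceId
New-AzRoleAssignment -ObjectId $identity.PrincipalId `
    -RoleDefinitionName 'Key Vault Secrets User' `
    -Scope "$vaultId/secrets/$secret" | Out-Null

# 3. At runtime, inside the workload: authenticate as the managed identity and read the secret,
#    keeping it as a SecureString so the password never lands in config files or pipeline logs.
Connect-AzAccount -Identity -AccountId $identity.ClientId | Out-Null
$secureValue = (Get-AzKeyVaultSecret -VaultName $vault -Name $secret).SecretValue
$cred = New-Object System.Management.Automation.PSCredential(
    'svc-advanced-mgmt@contoso.example', $secureValue)

# 4. Rotation check, e.g. from a scheduled job: secrets expiring within 14 days.
Get-AzKeyVaultSecret -VaultName $vault |
    Where-Object { $_.Expires -and $_.Expires -lt (Get-Date).AddDays(14) } |
    Select-Object Name, Expires
```

Scoping the role assignment to the individual secret means a compromise of the advanced-management workload exposes one credential rather than everything in the vault, and the expiry date turns "rotated regularly" into something the vault itself can report on.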
 
 

Vulnerability management

  • We continuously monitor virtual machines, networks, and services using Microsoft Defender for Cloud.
     
  • Static code analysis is integrated into our Continuous Integration process.
     
  • Code quality is maintained through a rigorous Pull Request process, reviewed by a dedicated team of Senior Software Engineers.
     
  • We scan software package dependencies for known vulnerabilities using Trivy.
 
 

CoreView employees

  • All staff are required to complete annual security and compliance training.
     
  • Background checks are conducted during the hiring process.
     
  • End-user computers are managed and protected with Microsoft Intune, Data Loss Prevention (DLP), Microsoft Defender, and host firewalls.
     
  • We run regular simulations of phishing, social engineering, and other cybersecurity threats to maintain a high level of security awareness.
     
  • Only a designated group of employees, each of whom has signed a specific agreement with CoreView, is authorised to access the data centers directly in the event of an incident.
 
 

Business continuity

  • We have a documented Business Continuity Plan that is tested every 12 months.
     
  • Disaster Recovery and Backup/Restore procedures are regularly updated and tested as part of our Industry Standards Certification process.
     
  • Automated patching is managed through Azure Update Manager and scheduled so that live services are not affected.
     
  • We maintain a Service Level Agreement (SLA) of 99.9% availability.
 
 

Proactive security activities

  • We use Azure Web Application Firewall for continuous protection against web application attacks.
     
  • Penetration testing is conducted by a third-party security company at least once a year.
     
  • Keys and passwords are rotated on a regular schedule.