Security Considerations

In the realm of Software as a Service (SaaS), security is not merely a priority but an absolute necessity. Managing digital identities with Identity Stack entails adhering to the highest standards of security and data protection to guarantee our clients' data safety. This article delineates the key security measures implemented for Identity Stack.

Conforming to National Standards

Identity Stack is designed around the National Standard for Identity Assurance Levels (NSIS) framework, meaning our platform complies with the national standard for verifying and managing digital identities. By aligning our product with the NSIS, we ensure that our service operates within a recognized and trusted framework, enhancing our solution's reliability and credibility.

Hosting and Access Management

Identity Stack's data is securely hosted within a European data center, leveraging the robust infrastructure provided by Azure. This hosting choice ensures the resilience, availability, and protection of our clients' data.

Our security strategy incorporates a passwordless architecture to further bolster our defenses. This progressive approach significantly mitigates password-related security breaches, a common vulnerability in digital systems.

Additionally, access to resources within Identity Stack is rigorously regulated by Privileged Identity Management (PIM). This system grants access based on a need-to-use principle and for a specific duration, minimizing unauthorized entry. This strategy of scoped and time-bound access enhances our security framework, further protecting our clients' data.

Adapting to the Political Landscape

Engineered with a cloud-agnostic design principle, Identity Stack can migrate to a local data center — like one in Denmark — if the political landscapes shift during developments such as Schrems II. This feature increases our flexibility and adaptability to rapidly changing regulatory environments without disrupting our services.

In our pursuit of transparency and regulatory compliance, we conducted a comprehensive Data Transfer Impact Assessment (TIA) specifically for Azure. This in-depth evaluation explores potential risks and mitigation strategies related to data transfer within our system. We are committed to maintaining our clients' trust and are prepared to share the assessment results upon request.

Compliance and Audits

To underscore our commitment to the highest levels of security, we are in the process of acquiring an ISAE 3402 audit statement. Expected to be finalized by the summer of 2023, this audit serves as an independent appraisal of our control environment.

The ISAE 3402 audit doesn't just provide a one-time validation of our security measures. Instead, it propels us to continuously evaluate and enhance our security controls. This process is integral to our mission to provide a secure and reliable service.

Moreover, the audit statement will serve as a testament to our dedication to stringent security measures, offering our clients an added layer of assurance about our commitment to safeguarding their data. Ultimately, we view the acquisition of this audit statement as a crucial step in our continuous journey towards maintaining and enhancing our security posture.

Prioritizing Data Privacy

Identity Stack employs robust measures to protect user data privacy, including encryption both in transit and at rest. To further safeguard users' privacy, all person-attributable data is pseudonymized, reducing the risk of personal data exposure.

Our approach to data privacy is not static. As a SaaS provider handling user data, we recognize that data privacy standards and practices evolve. Therefore, we commit to staying abreast of the latest developments in data privacy and updating our practices accordingly. By doing so, we aim to always stay ahead of the curve in data privacy, ensuring our users' data remains secure and private.

Focusing on Technology

At the heart of Identity Stack's security architecture is the security-by-design methodology. This approach ensures that security is integrated into every phase of our software development and maintenance lifecycle, rather than being an afterthought or a separate process. This proactive stance towards security allows us to identify and mitigate potential vulnerabilities before they can be exploited, thereby reinforcing the robustness of our platform.

Identity Stack is built using standard, non-proprietary components. This design choice not only promotes interoperability and transparency but also facilitates regular updates, thereby allowing us to swiftly address any emerging security threats. By leveraging industry-standard components, we ensure that our platform's security measures are compatible with widely-accepted best practices, further enhancing the reliability and trustworthiness of our solution.

In addition to standard components, we utilize industry-standard security protocols to protect data in transit and at rest. These protocols encompass everything from encryption methods to authentication procedures, all of which are designed to safeguard our clients' data. Furthermore, we adhere to the principle of least privilege access in our system. This principle dictates that users and processes should only have the minimum access rights necessary to perform their tasks, thereby limiting potential avenues for unauthorized access or data breaches.

Through our security-by-design approach, the use of standard non-proprietary components, and the implementation of industry-standard security protocols and least privilege access, we continuously strive to uphold and enhance the security of Identity Stack.

Additional Measures

To further enhance our security, Multi-Factor Authentication (MFA) is enforced for all Identity Stack employees. This adds an extra layer of security, making it more difficult for unauthorized individuals to gain access to our systems.

Moreover, Identity Stack is built on top of Azure's Platform as a Service (PaaS) components. As part of this arrangement, Microsoft is responsible for the regular updates and patches to the underlying infrastructure, ensuring our platform stays current with the latest security measures.

Furthermore, as part of our ISAE 3402 preparations, all employees are required to undergo a yearly security training program. This initiative helps foster a security-conscious culture and ensures our team understands and adheres to the best practices in data security.

Finally, we are vigilant about potential threats and vulnerabilities. We periodically update and review our risk register to stay abreast of the evolving security and threat landscape. This proactive approach allows us to identify potential security vulnerabilities and develop strategies to mitigate those risks.

Wrapping Up

In the rapidly advancing digital landscape, securing digital identities is of utmost importance. At Identity Stack, our commitment lies in adopting holistic security measures that place a high emphasis on data privacy and protection.

Cloud security is a collaborative responsibility between the provider and the client. At Identity Stack, we fully acknowledge and accept this responsibility. We understand the importance of implementing the same security principles and governance we uphold in-house in the public cloud as well.

The transition towards Software as a Service (SaaS) applications marks a significant milestone in the journey of digital transformation. This evolution offers considerable benefits but also brings forth novel security challenges. With a forecast that 27% of corporate data traffic may bypass conventional perimeter security, moving directly from mobile and portable devices to the cloud, it's evident that innovative security measures are needed to adapt to an increasingly cloud-centric world [1].

In tackling these challenges, we proactively ensure that the four primary areas of risk and vulnerability - visibility, compliance, threat prevention, and data security - are continuously addressed.

In essence, at Identity Stack, our service goes beyond mere functionality - we offer peace of mind. We fully recognize the trust our clients vest in us when they opt for our product, and we are unwavering in our commitment to safeguard that trust by delivering a level of security and data protection that is second to none.

Released under the MIT License.