Web application Security
Users and clients authenticate to our application via the OpenID Connect and OAuth 2.0 protocols. Both are provided by the IdentityServer framework, a certified OpenID Connect implementation.
Behind the IdentityServer protocol layer sits an identity backend that holds the identities of all our customers.
Every EGSSIS customer and their users must comply with the following password policy to use our software:
- Two-factor authentication is enforced for all EGSSIS user accounts: a password plus an authenticator app.
- All passwords have a minimum length of 12 characters.
- All passwords contain at least one lowercase letter, one uppercase letter, one non-alphabetic character, and one digit.
- All passwords are encrypted during transmission.
- A user account is blocked after 25 invalid login attempts.
- Account lockout duration is 15 minutes.
- Passwords must be reset after 180 days; the user is reminded 28 days before expiration.
- Password history remembers 6 passwords.
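As an added illustration (this is not EGSSIS code, and the page does not describe how the policy is implemented), the following Python models the rules above end to end: complexity checks, lockout after 25 failed attempts for 15 minutes, 180-day expiry with a 28-day warning, and reuse rejection against the remembered history. It assumes salted PBKDF2 storage for the hashes, reads "non-alphabetic character" as a symbol that is neither letter nor digit (since digits are listed separately), and treats the remembered six as the previous passwords with the current one also rejected. The second factor is out of scope here.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Policy values taken from the page.
MIN_LENGTH = 12
MAX_FAILED_ATTEMPTS = 25
LOCKOUT_DURATION = timedelta(minutes=15)
PASSWORD_MAX_AGE = timedelta(days=180)
EXPIRY_WARNING = timedelta(days=28)
HISTORY_SIZE = 6
PBKDF2_ITERATIONS = 100_000  # assumed; the page does not say how passwords are stored


def complexity_errors(password: str) -> list[str]:
    """Return the policy rules the password violates (empty list when it passes)."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        errors.append("no uppercase letter".replace("uppercase", "lowercase"))
    if not re.search(r"[A-Z]", password):
        errors.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        errors.append("no digit")
    # Digits are a separate rule on the page, so "non-alphabetic" is read as a symbol.
    if not re.search(r"[^A-Za-z0-9]", password):
        errors.append("no symbol")
    return errors


def hash_password(password: str) -> tuple[bytes, bytes]:
    """Salted PBKDF2-SHA256; only the (salt, digest) pair is ever stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    password_set_at: datetime
    history: list[tuple[bytes, bytes]] = field(default_factory=list)  # previous (salt, digest), newest first
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


def create_account(password: str, now: datetime) -> Account:
    errors = complexity_errors(password)
    if errors:
        raise ValueError(", ".join(errors))
    salt, digest = hash_password(password)
    return Account(salt, digest, now)


def set_password(acct: Account, new_password: str, now: datetime) -> list[str]:
    """Apply complexity and history rules; rotate the stored hash on success. Returns violations."""
    errors = complexity_errors(new_password)
    remembered = [(acct.salt, acct.digest)] + acct.history  # current plus previous passwords
    if any(verify_password(new_password, s, d) for s, d in remembered):
        errors.append("password was used recently")
    if errors:
        return errors
    acct.history = remembered[:HISTORY_SIZE]  # the old current password joins the history
    acct.salt, acct.digest = hash_password(new_password)
    acct.password_set_at = now
    acct.failed_attempts = 0
    return []


def login(acct: Account, password: str, now: datetime) -> str:
    """Return 'locked', 'invalid', 'expired', 'expiring-soon' or 'ok'."""
    if acct.locked_until is not None:
        if now < acct.locked_until:
            return "locked"  # no verification while the lockout window is open
        acct.locked_until = None
        acct.failed_attempts = 0
    if not verify_password(password, acct.salt, acct.digest):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_DURATION
            return "locked"
        return "invalid"
    acct.failed_attempts = 0
    age = now - acct.password_set_at
    if age >= PASSWORD_MAX_AGE:
        return "expired"
    if age >= PASSWORD_MAX_AGE - EXPIRY_WARNING:
        return "expiring-soon"
    return "ok"


def run_demo() -> dict:
    """Walk one constructed account through the policy and return the observed outcomes."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    acct = create_account("Tr0ub4dor&3x", t0)
    out = {"first_wrong": login(acct, "wrong-guess", t0)}
    for _ in range(MAX_FAILED_ATTEMPTS - 2):
        login(acct, "wrong-guess", t0)
    out["lockout_hit"] = login(acct, "wrong-guess", t0)  # 25th failure
    out["correct_while_locked"] = login(acct, "Tr0ub4dor&3x", t0 + timedelta(minutes=14))
    out["after_lockout"] = login(acct, "Tr0ub4dor&3x", t0 + LOCKOUT_DURATION)
    out["day_152"] = login(acct, "Tr0ub4dor&3x", t0 + timedelta(days=152))
    out["day_180"] = login(acct, "Tr0ub4dor&3x", t0 + timedelta(days=180))
    out["reuse"] = set_password(acct, "Tr0ub4dor&3x", t0 + timedelta(days=180))
    out["rotate"] = set_password(acct, "N3w-Passw0rd-xyz", t0 + timedelta(days=180))
    return out
```

Note that a correct password presented during the lockout window is still refused without being verified, which is what keeps the 25-attempt limit meaningful against guessing.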
On request, we can set up an identity federation hub integration that lets your users log on through Azure AD, establishing a trust between your identity solution and ours.
Our only requirement there is that you enforce the same password policy on your side.
Each client that uses our API must present a valid access token issued by our Identity Service.
Clients receive a clientId, clientSecret and the appropriate scopes from us in order to request such a token.
This is an implementation of the OAuth 2.0 protocol, also provided by the IdentityServer product.
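The following Python is an added example, not EGSSIS or IdentityServer code. It assumes the token is obtained with the OAuth 2.0 client credentials grant (the grant that matches a client ID, secret and scopes), builds that request, and then shows the checks an API performs on the bearer token it receives: signature, issuer, audience, expiry and scope. The endpoint host is a placeholder (IdentityServer conventionally serves the token endpoint at /connect/token), and the sample token is HMAC-signed so the check can run offline; IdentityServer signs real access tokens with an asymmetric key published through its discovery document, so a production API validates against those public keys instead.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlencode

# Placeholders: the real EGSSIS issuer and host are not on the page.
ISSUER = "https://identity.example.invalid"
TOKEN_ENDPOINT = ISSUER + "/connect/token"


def build_token_request(client_id: str, client_secret: str, scopes: list[str]) -> tuple[dict, str]:
    """Headers and form body for an RFC 6749 section 4.4 client-credentials request.

    The secret travels in an HTTP Basic Authorization header rather than in the body,
    and the request is only ever sent to the HTTPS token endpoint."""
    credentials = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {credentials}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "client_credentials", "scope": " ".join(scopes)})
    return headers, body


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_sample_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Constructed HS256-signed JWT for the offline demo (alg is only a header label,
    so passing another value yields a token whose header lies about its algorithm)."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def check_access_token(token: str, key: bytes, audience: str, required_scope: str, now: int) -> tuple[bool, str]:
    """The checks an API runs on a bearer token before serving a request; returns (accepted, reason)."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    header_b64, payload_b64, signature_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(signature_b64)
    except ValueError:  # binascii.Error and JSONDecodeError are both ValueErrors
        return False, "malformed"
    # Pin the algorithm the verifier expects; the token header never gets to choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(payload_b64))  # safe to parse only after the signature holds
    if claims.get("iss") != ISSUER:
        return False, "wrong issuer"
    aud = claims.get("aud", [])
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return False, "wrong audience"
    if now >= int(claims.get("exp", 0)):
        return False, "expired"
    # IdentityServer emits "scope" either as a space-separated string or as a JSON array.
    scope = claims.get("scope", [])
    scopes = scope.split() if isinstance(scope, str) else list(scope)
    if required_scope not in scopes:
        return False, "missing scope"
    return True, "ok"
```

The order of the checks matters: the signature is verified before any claim is trusted, and the scope check is what turns "the client has a token" into "the client may call this endpoint".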
Data in transit
Our public-facing apps are reachable only over HTTPS.
All traffic is encrypted and protected by the latest supported TLS cipher suites (A+ rating on SSL Labs; check acc-eventstore.egssis.com).
Data at rest
Database files and backups are encrypted using the encryption technology built into Microsoft SQL Server.