Data security is not a feature, it is the core of FastPortal



Our (data) security measures

Malicious people are everywhere, and they do not only go after large companies. As a small or medium-sized service provider you hold a great deal of valuable confidential information belonging to your clients. It is your responsibility to store it securely. That is a big challenge: just look at the large companies and governments that have been hacked. FastPortal makes your business more secure.

Data security goes beyond strong passwords. It also means understanding that someone can always get in. That is why you need to know when an incident has occurred, be able to limit the damage to a minimum, quickly regain control of systems, inform customers immediately and as completely as possible, and put a strategy in place to prevent the same kind of break-in from happening again.

On this page we explain some of our security measures. Data security is an ongoing process and there is always room for improvement, but we believe that we are currently ahead of the field.

At the moment this text is only available in English. If you would like more information about our (data) security, you can always contact us.

Software

Software security is about making sure the software we use and build is secure. This is one part knowing what is going on in the world of data security and two parts working your butt off to not cut corners and always aim for security first.

We are really proud of our encryption system. Without revealing too much, we will give you a rundown of what happens behind the scenes when you upload a file, but first we need to explain what happens when you sign up and then log in. Remember: all this is done in the background. You can use FastPortal without worrying about any of this.

  1. You complete all the sign-up fields and select a password. This is sent securely to FastPortal using HTTPS/SSL. See Wikipedia for more information.
  2. The application generates an RSA public and a private encryption key for you. This is a really cool technology that allows you to give your public key to anyone in the world. They can then encrypt their message to you with this public key and transmit it to you. And only the matching private key (that you keep secret) can ever unlock the message. See Wikipedia for more.
  3. The application then creates yet another encryption key, this time derived from your password. (There are really neat ways to modify even a fairly weak password into a fairly strong encryption key.) See Wikipedia for more information.
  4. Now the application takes the very strong, unguessable private encryption key from step 2 and encrypts it using the quite strong password-derived encryption key from step 3. See Wikipedia for more information.
  5. Then we store your public key and securely encrypted private key in our database.
  6. After all this, we delete your password, private key & password-derived key from memory and never, ever, store them anywhere in their unencrypted form.

We now have a situation where FastPortal knows your public key, so we can always send you a message or file that can only be opened with your private key. And only you have access to this private key, using the password only you know. Let’s explain how, by describing what happens when you log in:

  1. You enter your username and password. These are sent securely to FastPortal using HTTPS/SSL. See Wikipedia for more information.
  2. We check if your password is correct.
  3. If your password is correct, we run it through the same password-derived key algorithm we used when you signed up. This generates the exact same AES key as it did before.
  4. We use the AES key from step 3 to decrypt your private key and we store this private key in memory only for as long as you are logged in and active.

Now it is time for you to upload a file to FastPortal. What happens?

  1. You log in to FastPortal (or a whitelabel instance) using SSL. See Wikipedia for more information.
  2. You select a document to upload and click “Upload”.
  3. It is encrypted in your browser and transferred to us using the HTTPS protocol. See Wikipedia for more information.
  4. We receive the file and immediately encrypt it using a generated unique 256 bit AES key. (This is military grade stuff!) See Wikipedia for more information.
  5. This key is then encrypted using your public key that we generated and stored when you signed up.
  6. We store this encrypted key that can only be used to unlock this unique file in our database.
  7. The encrypted file is stored.
  8. We delete all unencrypted files & keys from memory.

If you have been paying close attention, you might have realized we didn’t actually use the private key anywhere during uploading. That is correct! This means that “anyone”, like FastPortal, a colleague or client can securely transmit messages or files to you. What they can’t do, however, is open it. Let’s explain the very last steps:

  1. You log in to FastPortal (or a whitelabel instance) using SSL. See Wikipedia for more information.
  2. You select a document to download and click “Download”.
  3. The application retrieves the encrypted file from our secure datacenter.
  4. Since you are logged in, the application also has your private key in memory at this time. (Remember, step 4 in the sign in process?)
  5. We use your private RSA key to decrypt the encryption key that is unique to this file. (We stored this in step 6 of the upload process.)
  6. Finally, the application can use this AES encryption key from step 5 to decrypt the file.
  7. Once again the file is encrypted (this time using HTTPS/SSL) and transferred to us using the HTTPS protocol. See Wikipedia for more information.

Told you it was cool! And how long does all this take? Microseconds! You won’t even realize it’s happening.
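The sign-up, log-in, upload and download steps above, as an added Node.js example; it is not FastPortal's code. The page does not name its key-derivation function, AES mode, RSA padding or key size, so scrypt, AES-256-GCM, RSA-OAEP and 2048-bit RSA are assumptions, and all function names are hypothetical.

```javascript
// Added example, not FastPortal's code. Assumed: scrypt, AES-256-GCM, RSA-OAEP, RSA-2048.
const crypto = require('node:crypto');
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// AES-256-GCM with a fresh nonce; output layout is iv(12) || tag(16) || ciphertext.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function unseal(key, blob) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws on wrong key
}

// Sign-up steps 2-5: returns only what the server stores (no password, no plain key).
function signUp(password) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'der' },
    privateKeyEncoding: { type: 'pkcs8', format: 'der' },
  });
  const salt = crypto.randomBytes(16);
  const passwordKey = crypto.scryptSync(password, salt, 32); // step 3
  return { publicKey, salt, wrappedPrivateKey: seal(passwordKey, privateKey) }; // step 4
}

// Log-in steps 3-4: re-derive the same key and unwrap the private key into memory.
function unlockPrivateKey(record, password) {
  return unseal(crypto.scryptSync(password, record.salt, 32), record.wrappedPrivateKey);
}

// Upload steps 4-7: needs only the public key, so any sender can do this.
function uploadFile(record, data) {
  const fileKey = crypto.randomBytes(32); // unique 256-bit AES key per file
  const pub = crypto.createPublicKey({ key: record.publicKey, format: 'der', type: 'spki' });
  const wrappedFileKey = crypto.publicEncrypt({ key: pub, ...OAEP }, fileKey);
  return { blob: seal(fileKey, data), wrappedFileKey };
}

// Download steps 5-6: the unlocked private key recovers the file key, then the file.
function downloadFile(privateKeyDer, stored) {
  const priv = crypto.createPrivateKey({ key: privateKeyDer, format: 'der', type: 'pkcs8' });
  const fileKey = crypto.privateDecrypt({ key: priv, ...OAEP }, stored.wrappedFileKey);
  return unseal(fileKey, stored.blob);
}
```

The stored record and the stored file contain no plaintext key material, so a wrong password fails at `unlockPrivateKey` and a database copy alone cannot open a file.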

We do not try to reinvent the wheel. FastPortal is built on established software frameworks used by small and large corporations and businesses around the world. This is extremely important, because it allows us to use dependency managers to check for updates, get security audits from respectable third parties and hire experienced staff or contractors at a moment’s notice. These frameworks also take care of many of the underlying processes that are likely to contain little oversights that slip into components like string sanitization, SQL query binding, HTTP request management, etc.

FastPortal does not handle credit card or other payment info. We rely on proven Payment Service Providers to cover these aspects. Safely storing and manipulating this data is a very specific job that we like to leave to the professionals.

We use a dependency manager to keep track of all the software that FastPortal relies on to function. Whenever a developer of a component releases an update we are notified within the day. We use this knowledge to determine if we want to:

  A. Install the update
  B. Ignore the update
  C. Implement the security fixes in this particular release a different way

We ask established and respectable third party developers to check our work. They come with a fresh pair of eyes and a large swath of knowledge. Though there is no set frequency, this is done regularly enough to catch lingering security concerns in time.

FastPortal always works with an SSL connection. All data transmitted between your browser and our servers is encrypted end to end. You can verify the connection is secure by checking for the little lock icon in the address bar of your browser.

Hardware

This is all about the machines. Servers, desktops, laptops, tablets, routers, smart phones and even keyboards.

FastPortal runs on Amazon Web Services, Digital Ocean and RackSpace. All of these suppliers have been selling hardware infrastructure for years and are regarded very highly. Check their individual security pages for more information:

Public WiFi is a dangerous thing. Even if you think you are using McDonald's or Starbucks WiFi, it could be the guy next to you who set up a fake network to catch your traffic. SSL/HTTPS will protect you from a lot, but it is not enough. FastPortal never uses public WiFi to transmit customer data.

It seems like a little thing, but wireless keyboards are not secure. The internet is full of explainer videos on how to create a keystroke-sniffer for Microsoft keyboards. These things work on simple batteries and easily fit in a jacket pocket or backpack. That means anyone who can get within 5-10 meters of a wireless keyboard can record the keystrokes. That includes passwords, usernames, credit card numbers, etc.

People

Security is not (only) about secure code, installing updates and locking doors. People matter just as much. It is all about having proper processes in place for dealing with sensitive information and following them religiously. Some would call it paranoia.

We invest time and energy in keeping up to date with the latest insights in data security. This means following the news not only in the mainstream, but also in those parts of the internet you typically don’t find accountants and lawyers. And then comes the hard part: putting that knowledge to use. Though a lot of the measures are extremely frustrating and slow us down, we do them anyway. See the sections on this page for examples. And even then stuff can go wrong. If Google, Apple & Microsoft can have security situations, anyone can. That is perhaps the most important thing to understand. Nearly always the damages after such a breach are aggravated due to not realizing in time that you were breached, poor communication, trying to hide it happened or a lack of willingness to shut everything down until a fix is found. So we promise that if such a breach ever happens:

  1. We will tell you what happened in as much detail as we can, as soon as we can.
  2. We will work around the clock to fix it.
  3. If the problem is serious enough, we will disconnect all or part of FastPortal from the internet until we have fixed the problem.

If we ever need to access customer data, the second step is always to create a separate partition on our computers and encrypt it with a proper algorithm (the first step is asking permission!). Data is then only ever stored on that partition. After we are done, we delete the partition and securely wipe the hard disk that contained it. Also:

  • If we ever need to share files between each other we use FastPortal or encrypted USB-sticks.
  • During travel and out of office hours, laptops are always powered down fully so that no keys remain in memory.

All these measures have a single purpose: if someone ever stole one of our computers or gained access to our email accounts, they cannot readily get to customer data.

We use LastPass. There are many others, but we think LastPass is really good. This means all our passwords look like p#PE@z6@@02290yI or 2dlY^%swMxhmpw!#. Of course, you could just hammer away on your keyboard to create something random-ish, but if you store it in a Word Document on your desktop that doesn’t help much. Beyond securely storing passwords, LastPass (and other password managers) are able to warn you if a site you use was compromised or if you are using weak or duplicate passwords.

We do not use email to send passwords, credit card numbers or customer data. Email is not secure.

If you – or anyone else – find a security vulnerability in FastPortal, we would appreciate it if you contact us. Please see our page on responsible disclosure for more information.