Security Overview
Advanced security hardening features and single tenant options are available upon request.
Please contact your account manager or [email protected] if you have any questions.
Introduction
Braided Meetings is an innovative new meeting tool. It is the world’s first ever meeting tool that provides a real-time, synchronous, inclusive environment allowing everybody in a team to contribute equally. Braided Interviews uses the same methodology to create inclusive recruitment interviews. It is particularly valuable for organisations seeking to ensure that their recruitment processes are neuroinclusive.
Both were invented and designed by the team at Braided Communications Ltd, building on a tool called Space Braiding that they had previously developed. That tool was designed to help astronauts on future deep space missions to the moon and Mars retain effective communication with Earth.
Technical Development
Braided Communications appointed specialist software development house Bad Dinosaur Ltd (https://baddinosaur.co.uk) to build the Braided suite of products. Based in Edinburgh, the company has earned an excellent reputation in its almost 10-year history. Bad Dinosaur created and maintains the Braided tools on behalf of Braided Communications Ltd. Bad Dinosaur is a Cyber Essentials Plus accredited company.
Microsoft Azure
Braided is hosted at ‘UK South’ within the Microsoft Azure cloud environment, which provides comprehensive, multi-layered security. Additional locations are available upon request.
The security environment of Azure is described here, with an eBook containing more detail available here.
Key features of the Azure security environment include:
- All VM instances and runtime software are regularly updated to address newly discovered vulnerabilities
- Communication of secrets (such as connection strings) between the application and other resources (such as SQL Database) remains within Azure and does not cross any network boundaries
- All secrets are encrypted when stored
- All communication over the App Service connectivity features, such as hybrid connection, is encrypted.
- All connections with remote management tools (for example Azure PowerShell, Azure CLI, Azure SDKs, REST APIs) are encrypted
- 24-hour threat management protects the infrastructure and platform against malware, distributed denial-of-service (DDoS), man-in-the-middle (MITM), and other threats.
Within the Azure cloud environment Braided Meetings uses the following resources:
- App Service
- SQL Server
- SQL Database
Azure App Service
This is where the web application itself is hosted. The App Service is a fully managed Platform as a Service (PaaS) environment. This means that the cloud provider, Microsoft, is responsible for all physical security and for maintaining and upgrading relevant software and hardware. This is described in detail here.
Encryption in transit: The App Service is configured to use TLS 1.2 (commonly still written SSL/TLS), the current industry standard. This means that all requests to and responses from the web app are encrypted.
Azure SQL Server and Database
The SQL services are also managed PaaS environments, which means that Microsoft is responsible for database management functions such as upgrading, patching, monitoring and backups.
Encryption at rest: The database, database backups and logs are encrypted at rest with Transparent Data Encryption (TDE) using a service-managed key.
The database backup policy applied is:
- Full backups every week
- Differential backups every 24 hours
- Transaction log backups approximately every 10 minutes
Storage redundancy: Backups are configured to use geo-redundant storage (GRS), which copies backups synchronously three times within a single physical location in the primary region by using LRS. The data is then copied asynchronously three times to a secondary region, which is paired to the primary region. In the event of an outage, the backups can be restored from the secondary region.
Infrastructure Access
Access to the database server is controlled by network access rules. Public internet access is disabled and access is restricted to specific IP addresses. In addition, SQL authentication, which requires a username and password, is activated.
Cloudflare
Cloudflare is deployed for DNS management and to speed up content delivery. It also provides an additional layer of protection, especially against DDoS. More information is available here.
Web Application
The web application is written in C# and the tech stack is available upon request.
User Access
End-user passwords are subject to an enforced minimum length of 10 characters. An account is locked out after 5 failed login attempts, and the lockout lasts 5 minutes.
User passwords are stored in the database only as a hash. The .NET Framework creates the hash with PBKDF2 using HMAC-SHA1.
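As an added example (not code from Braided Communications or Bad Dinosaur), the following Python reproduces the stored-hash format so that a reviewer can confirm what a database export actually contains and verify a password against it. It assumes the parameters of the ASP.NET Identity 2.x password hasher on the .NET Framework (a 0x00 marker byte, 16-byte salt, 1000 iterations, 32-byte subkey), which the page does not state.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Parameters of the ASP.NET Identity 2.x (.NET Framework) password hasher.
# ASSUMPTION: the page only says "PBKDF2 with HMAC-SHA1"; the marker byte,
# sizes and iteration count below are those of Microsoft.AspNet.Identity's
# Crypto class and are not stated on the page.
FORMAT_MARKER = b"\x00"   # leading version byte of the stored value
SALT_SIZE = 16            # 128-bit random salt, stored alongside the hash
SUBKEY_SIZE = 32          # 256-bit PBKDF2 output
ITERATIONS = 1000


def _derive(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA1 of the UTF-8 password with the given salt."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               ITERATIONS, dklen=SUBKEY_SIZE)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return the base64 string stored in the database for `password`."""
    salt = os.urandom(SALT_SIZE) if salt is None else salt
    if len(salt) != SALT_SIZE:
        raise ValueError("salt must be %d bytes" % SALT_SIZE)
    blob = FORMAT_MARKER + salt + _derive(password, salt)
    return base64.b64encode(blob).decode("ascii")


def parse_stored_hash(stored: str) -> Optional[Tuple[bytes, bytes]]:
    """Split a stored value into (salt, subkey); None if not in this format."""
    try:
        blob = base64.b64decode(stored, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    if len(blob) != 1 + SALT_SIZE + SUBKEY_SIZE or blob[:1] != FORMAT_MARKER:
        return None
    return blob[1:1 + SALT_SIZE], blob[1 + SALT_SIZE:]


def verify_password(stored: str, password: str) -> bool:
    """True if `password` matches `stored`; malformed values never verify."""
    parsed = parse_stored_hash(stored)
    if parsed is None:
        return False
    salt, expected = parsed
    # Constant-time comparison so verification time does not leak the subkey.
    return hmac.compare_digest(_derive(password, salt), expected)
```

A stored value in this format is always 68 base64 characters (49 bytes), so an export containing other lengths or a different first byte was not produced by this hasher.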
At customer request, we are able to support single sign-on (SSO) via Microsoft Active Directory.