Security & Privacy at Alara
1. Foundational Principles: Alara's security policies are based on limiting access to those with a legitimate business need, implementing layered security controls (defense-in-depth), applying these controls consistently across the enterprise, and iteratively improving controls for effectiveness, auditability, and friction reduction.
2. Governance: Alara’s Security and Privacy team establishes policies and controls, monitors compliance, and validates security and compliance through third-party audits. We maintain a SOC 2 Type II attestation and HIPAA certification.
3. Data Protection:
Data at Rest: All data stores with customer data are encrypted at rest using AWS Key Management System. Sensitive data is encrypted before it reaches the database, which means physical or logical access to the database is not enough to read the most sensitive information.
Data in Transit: Alara uses TLS 1.2 or higher for data transmission over potentially insecure networks, along with HSTS to maximize security. Server TLS keys and certificates are managed by AWS.
Secret Management: Encryption keys are managed via AWS Key Management System, stored in Hardware Security Modules to prevent direct access. Application secrets are encrypted and stored securely, with strict limitations on access.
4. Vulnerability Scanning: Alara requires vulnerability scanning at key stages of its Secure Development Lifecycle, including static analysis, software composition analysis, malicious dependency scanning, dynamic analysis of running applications, network vulnerability scanning, and external attack surface management.
5. Endpoint Protection: All corporate devices are centrally managed and equipped with mobile device management software and anti-malware protection. Alara uses a risk-based approach to vendor security, and secures remote access using AWS IAM. Additionally, Alara provides comprehensive security training to employees, and the security team shares regular threat briefings.
6. Identity and Access Management: Alara uses Azure AD & AWS Cognito for identity and access management, enforces the use of phishing-resistant authentication factors, and grants employees access to applications based on their role. Employees are automatically deprovisioned upon termination of their employment.