Cloud Platform Security Knowledge Base

Thales applications undergo regular application and network penetration testing by third parties, and Thales Data Protection On Demand adheres to this practice. The assessment methodology will include structured review processes based on recognized “best-in-class” practices as defined by such methodologies as the ISECOM’s Open Source Security Testing Methodology Manual (OSSTMM), the Open Web Application Security Project (OWASP), Web Application Security Consortium (WASC), and ISO 27001:2013 Information Security Standard.

A grey-box approach of the application security audit is adopted for the purpose of the audit. The following figure shows some of the security attack vectors that are being tested. Any issues found are resolved as part of the regular development cycle.

Thales software applications undergo regular application and network penetration testing by third parties.

The assessment methodology includes review processes based on recognized “best-in-class” practices as defined by such methodologies as the ISECOM's Open Source Security Testing Methodology Manual (OSSTMM), the Open Web Application Security Project (OWASP), Web Application Security Consortium (WASC), and ISO 27001:2013 Information Security Standard.

When a potential security incident is detected, a defined incident management process is initiated by authorized personnel. Corrective actions are implemented in accordance with defined policies and procedures.

Prior to the actual service update the following tasks are performed:

• Provisioning Testing: This is done on the updated service in a controlled environment and done by the Thales Service Operations team. With the conclusion of these tests the code has passed 3 rounds of testing successfully, each done by a different group: Unit testing done by the developer, Sprint Code Testing done by the QA group, and Service Update Provisioning Testing done by Service operations.
• A Planned Release Notification (PRN) is sent to all existing customers notifying them on the scope of the update and planned date of actual service update.
• Penetration testing: Penetration testing is done on a dedicated non-production system, but runs in the same environment as the operational service.
• At the last stage, all data is backed up from the operational service, which allows Thales to rollback immediately in case of any unexpected challenges.

We conduct monthly reviews of all patches for servers and network equipment.

Yes, Thales performs a number on internal service controls in line with our ISO27001 and SOC2 scopes that including but not limited to: Security of Internal Networks and Information, Technology-based controls, Physical Access & Environmental Controls, Problem Management, Change Management, Separation of duties, System Software Change Management.

The private data center is provided with multi-vendor and neutral-network connections to major Internet Service Providers (ISPs), and is located near major Internet hubs.

Network connections to the data centers are provided using secure links with high-capacity bandwidth over fiber connections to ensure minimum latency of authentication requests turn-around. All fiber-based connections enter the data center buildings via secure concrete vaults.

The internal network infrastructure of the PoP is built upon a high speed fiber based network to ensure high-capacity throughput. This infrastructure uses multiple connections through highly secured network firewalls and routers to deliver full redundancy, as well as optimal traffic delivery.

• Data centers are network carrier neutral
• Multiple fiber channels at each data center
• Use of multiple Internet Service Providers to ensure continuous and high-bandwidth Internet ac

Power is delivered to the data centers using an underground utility power feed, which is then supplemented and backed up by on-site redundant (N+1) diesel generators with local diesel fuel storage.

Power is delivered into the rooms via redundant (N+1) CPS/UPS systems to ensure ongoing supply, with power delivered to the PoP equipment racks using redundant power distribution units (PDUs). This ensures continuous and high-bandwidth Internet access.