Security Assessments and Compliance
Authgear’s physical infrastructure is hosted and managed within Google’s secure data centers around the globe and utilizes the Google Cloud Platform (GCP) technology. Independent and thorough assessments on security, privacy and compliance controls are regularly conducted by Google to ensure they are up to industry standards. In fact, Google's data center operations have been accredited under:
- ISO 27001
- ISO/IEC 27017
- ISO/IEC 27018
- SOC 1/2/3
- PCI DSS
- CSA STAR
For card payments, we use Stripe, a PCI DSS Level 1 compliant payment gateway, to secure and process transactions.
Payment Card Industry Data Security Standard (PCI DSS) Compliance
Authgear does not fall into that category, as we do NOT store any financial data nor process payments.
Security Measures from Data Centers
These facilities are among the safest places for your data, with a worldwide, industry-leading security team working 24/7 to monitor and constantly improve the security measures. Data is distributed across multiple machines in different locations with various backups replicated to avoid a single point of failure. Backup data is chunked for random distribution to add an extra layer of security, making it not human-readable.
Physically, secure perimeter defense systems, comprehensive camera coverage and 24/7 guard teams are deployed to prevent any unauthorized access. In addition, data center staff are trained to be security-minded, and their access to the facilities is revoked immediately once they no longer need these privileges.
Hard drives at these facilities are regularly tracked and monitored as well, and when one reaches the end of its life, it is destroyed through a thorough, multi-step process.
Robust disaster recovery measures are in place. In the event of a fire or other physical disruption, data is shifted automatically to other data centers, allowing users to work uninterrupted.
Power failures are also accounted for, with backup generators installed.
Climate and Temperature Control
Climate control is required to maintain a constant operating temperature for servers and other hardware, which prevents overheating and reduces the possibility of service outages. Data centers are designed to maintain atmospheric conditions at optimal levels. Monitoring systems and data center personnel ensure temperature and humidity are at the appropriate levels.
Firewalls are utilized to restrict access to systems from external networks and between systems internally. By default, all access is denied, and only explicitly allowed ports and protocols are permitted based on business need. Each system is assigned to a firewall security group based on the system’s function. Security groups restrict access to only the ports and protocols required for a system’s specific function to mitigate risk.
Spoofing and Sniffing Protections
Managed firewalls prevent IP, MAC, and ARP spoofing on the network and between virtual hosts. Packet sniffing is prevented by the infrastructure, including the hypervisor, which will not deliver traffic to an interface to which it is not addressed. Authgear utilizes application isolation, operating system restrictions, and encrypted connections to further ensure risk is mitigated at all levels.
Port scanning is prohibited and every reported instance is investigated by our infrastructure provider. When port scans are detected, they are stopped and access is blocked.
System configuration and consistency are maintained through standard up-to-date images, configuration management software, and by replacing systems with updated deployments. Systems are deployed using verified and safe images that are updated with configuration changes and security updates before deployment. Once deployed, existing systems are decommissioned and replaced.
Operating system access is limited to Authgear staff only and requires a username, key and multi-step authentication. Operating systems do not allow password authentication to prevent password brute-force attacks, theft, and sharing.