Nakisa Security
Safely Delivering
Our Solutions to You
Our Commitment: Your Security is Our Priority.
Nakisa’s promise to all our clients is to be their most trusted software partner, and we work on building that trust from day one. We take your data security seriously – maintaining a high-security environment is at the core of our practices, and we want to be transparent about our approach so you can be confident in our partnership.
Our security foundation is built using the most established, industry-leading practices and technology services providers. Plus, our team of experts rigorously adheres to the highest industry standards, to protect your data and systems at every stage of the process.
This overview provides cybersecurity, risk management, and IT professionals as well as decision-makers with visibility into Nakisa’s best practices and information on how we extract, store, use and protect your data so you can perform your daily operations with peace of mind.
What is Nakisa
Nakisa delivers Software-as-a-service solutions so that your company can easily and quickly solve some of its toughest technological challenges.
The Nakisa technology eliminates the need to purchase, install, and maintain servers to host Nakisa’s solutions, and at the same time, you will receive seamless upgrades and the fastest path to be able to use the latest features and innovations.
Our SaaS solutions give you access to cloud benefits while maintaining the security and data privacy benefits of an on-premise deployment as well as offering better global performance, and reduced dependency on your internal IT department.
By partnering with leading cloud service providers, you benefit from a secure home for your data. Our global cloud providers employ state-of-the-art physical security controls and are regularly audited by independent auditors to ensure the highest level of compliance supported by industry frameworks and standards.
All our solutions are built on a secure platform with data encryption, role-based access control, and audit capabilities to ensure compliancy requirements. Our native cloud platform uses the latest technology for storage, network protection and application security.
Security Cockpit.
Certifications & audits
As the security and privacy of your data is our priority, we take every step necessary to assure our clients of this commitment. This includes voluntarily undergoing the lengthy process of independent third-party certification based on industry standards.
As part of Nakisa SOC 1 Type II & SOC 2 type II audit report which is released on an annual basis by a global 3rd party auditing firm, Nakisa has implemented and adheres to strict information protocols including the security, availability, processing integrity, confidentiality, and privacy of our partners data.
The above SOC reports, penetration test reports, and other certifications are available in December of each year to our partners and prospects upon request. To request for any of our certifications or reports, click here.
GDPR ready
As a SaaS provider, Nakisa has comprehensively evaluated GDPR requirements and implemented numerous privacy and security practices to ensure that our cloud solutions are GDPR ready.
These practices include:
- Search for records within the app, with support provided if you need the removal of certain information.
- Providing our clients with configurable privacy and compliance settings such as using their own SSO, controlling who can access the application and what kind of information, and more.
- Providing sufficient data transfer methods to our clients
- Maintaining records of processing activities
- Training employees on security and privacy practices
- Conducting privacy impact assessments
Our Third-Party Security Measures
Nakisa’s datacenter providers employ a variety of security mechanisms, covering both physical access and virtual access. Our datacenter providers are all certified by independent auditors and third-party organizations so that we can provide our global clients with the best security measures available.
Nakisa’s service providers comply with the following standards:
C5 [Germany]
Cyber Essentials Plus [UK]
DoD SRG, FedRAMP, FIPS IRAP [Australia]
ISO 9001, ISO 27001, ISO 27017, ISO 27018
MLPS Level 3 [China]
MTCS [Singapore]
PCI DSS Level 1, SEC Rule 17-a-4(f), SOC 1/2/3.
Encryption of data at rest and in transit
Users accessing Nakisa solutions via the internet are protected by Transport Layer Security (TLS) and Hypertext Transfer Protocol Secure (HTTPS). All data including backups are fully encrypted by using AES 256 for data at rest (See Encryption key management) and TLS 1.3 for Data in transit.
Encryption key management
Encryption of data at rest is possible by leveraging a solution from our global cloud service provider and is managed by software, avoiding exposure to any human. To ensure maximum security, the keys are not managed by any one person. They are only visible to the client instance and can be used to decrypt data within the instance only. Also, note that the key management is compliant with FIPS 140-2 which provides independent assurances about the confidentiality and integrity of our key management.
Please note that as part of our application architecture, we make sure your databases are logically separated from other client’s, thus increasing the security of your data.
User authentications and profiles
Nakisa’s authentication and authorization setup uses industry best practices and standards and allows clients to either leverage their own single sign-on or use Nakisa Identity & Access Management. Nakisa offers role-based access which means that the clients can decide on how to grant access to each of their users.1
Single sign-on support
This single sign-on (SSO) login standard has significant advantages over logging in using application specific username and password: no need to remember and renew passwords for each application, no weak passwords among others, and one credential for all applications to unify your personal password management, supporting your company’s password policy. The SSO is supported by configuring SSO via SAML2 which will authenticate, and fetch roles and user population credentials. The fetched list of groups will be assigned to the logged-in user from LDAP. The users will be validated through a SAML token, securely exchanged between the Identity Provider (IdP) server and the Nakisa application server. SAML allows for a seamless SSO experience between the client’s internal identity and access management solution and Nakisa solutions.
Nakisa Identity and Access Management
For clients who decide to use Nakisa’s authentication system rather than SSO, Nakisa Identity and Access Management solution (NIAM) is available. It is a simple solution that allows organizations to easily manage their user’s provisioning and authentication to Nakisa’s SaaS solutions through a single platform. NIAM enables you to provide access to your users through an enterprise-grade identity and access management solution while ensuring the right roles and profiles are assigned. Each role has different access privileges that can be individually assigned and limited not only by scope but also by duration. Whether you are providing access to partners or employees from multiple subsidiaries across the world, you will be able to offer the same seamless experience your users expect, while effectively managing the sensitive aspect of data access. Please get in touch with your Nakisa Account manager for more details about this solution.
How do Nakisa engineers access the systems to provide support?
Under Nakisa’s Access Management policy, when an issue is raised via our support ticketing system, our support team will ask for client approval for temporary access to investigate and resolve the issue for the specific environment/s. This access is granted for only a limited amount of time, enough to resolve the ticket with auto closure enabled by the system when access is approved.
In addition to our annual third-party SOC audit, and as part of Nakisa’s Access Management policy, internal audits are performed regularly:
- High privileged and user accounts review is performed at least twice a year.
- Logs are reviewed monthly.
- Monitoring tools are in place with notification to appropriate individuals for abnormal events/activities.
- Periodic access authorizations and requests review.
Cloud infrastructure access and authorization
To ensure secure access to our cloud infrastructure, Nakisa has in place an Access Control List (ACL) that ensures that only pre-approved cloud engineers can perform certain tasks, defined by their roles. To access the cloud infrastructure, we utilize multi-factor authentication (MFA) which requires approval from different managers and heads of departments, with final required approval from our Chief Security Officer.
In addition to our annual third-party SOC audit, and as part of Nakisa’s Access Management policy, internal audits are performed regularly to review such accesses and corresponding logs.
Application logs & auditing
Application logs enable you and your auditors to review all the activities performed by the users as well as the system to ensure data integrity. We enable our clients and their auditors to leverage our ITGC capabilities and to log all types of activities and data transfers in the system.
You can easily review and download all the logs which demonstrate all types of activities by the users such as system access, data and configuration modifications as well as system activities such as automatic jobs and other data communications between Nakisa solutions and any other solutions integrated, directly from the Nakisa applications.
Dedicated, encrypted site-to-site integration through Nakisa Cloud Connector (NCC)
Nakisa uses industry best practices and standards to integrate our SaaS solutions with your internal ERP systems or any other data source so that you can leverage your data with our solutions.
The Nakisa Cloud Connector (NCC) enables integration between your ERP of choice and Nakisa SaaS applications with security and data integrity at its core. To ensure data transfers are secure, NCC uses a two-way encrypted channel for all communication between ERP servers and Nakisa Cloud (using TLS over TCP), removing the need for back-channel VPN tunnels. The connector uses an ERP gateway to access the backend servers, enabling IT professionals to configure and leverage existing ERP infrastructure and security frameworks. Dedicated endpoints are provided for each client, completely isolating their communications with their on-premises ERP infrastructure.
We also provide you with the information needed to enable your IT team to whitelist Nakisa solutions to ensure the security of communication and data transfer.
Secure Software Development Life Cycle (SSDLC)
Security is at the core of our software design. We’ve adopted numerous best practices and leverage OWASP framework for our software development to ensure security by design, right from the start.
Code Review
All changes to our code are tested by our Quality Assurance (QA) team and criteria are established for performing code reviews, web vulnerability assessments and advanced security tests. We conduct manual and automated code reviews before checking-in code. After code checks, the QA teams perform regression and functionality tests. In addition, we also use in-house and third-party solutions such as Veracode to conduct vulnerability assessments and security tests on our application. Vulnerability tests are carried out prior to each release and as often as needed, where we test the solution from A to Z. Upon development, we deploy in a lower environment to enable stakeholders to test the solution prior to deployment in the production system. All such activities are recorded as part of our change management policy (please note that our auditors validate our enforcement of changes as part of SOC 2 audits).
Quality assurance
Each product release is put through a stringent functionality test, performance tests, stability tests, and UX tests before they are released. We validate the releases in internal builds followed by lower environments before pushing them to the production system following our change management policy.
Vulnerability assessment & penetration testing
We use various tools for analyzing the code and checking for security vulnerabilities such as Veracode and OWASP prior to any release. Our strategy is to prevent security vulnerabilities first, then use industry-standard validation tools and techniques to validate that prevention worked. Issues identified through the vulnerability assessments, penetration tests and network vulnerability scanning are prioritized based on criticality and risk.
Vulnerability scans including SAST (Static Application Security Testing), DAST (Dynamic Application Security Testing), Container and Dependency Scanning, Penetration Testing are carried out in every release and as often as needed. Following the best practices of OWASP we aim to identify and remove standard and advanced web application security vulnerabilities, including, but not limited to, the following:
- Cross-site request forgery (CSRF)
- Cross-site scripting (XSS)
- Improper input handling (SQL injection, XML injection,…)
- HTTP response splitting
- Authentication and authorizations
We leverage a global 3rd party auditing firm to perform penetration testing on our solution and the report on such tests can be provided to you upon request. We also provide the ability to all our SaaS clients to conduct penetration testing on the lower environment of the solution, enabling you to evaluate Nakisa’s cloud security and measures yourselves. In order to conduct a penetration test, please discuss your penetration testing needs with your Nakisa Client Success Manager.
Malware protection
Nakisa Cloud only uses non-Windows operating systems, and all systems follow a hardening baseline policy for security management. Note that our deployment architecture is based on DMZ and there is no end-user access available to server resources at OS level. Any user-uploaded documents are not stored in the server file system and do not get accessed at the server level. In addition, intrusion Detection Systems and Intrusion Protection System (IDS/IPS) and Firewall layers secure inbound and outbound access on system ports and it monitors and reports login attempts, account creations and periods of system non-availability. All Nakisa employees use systems that have antimalware, supporting real-time scanning and security and automatic updates are enabled on devices.
Security Monitoring
We have various security measures and systems in place that continuously monitor for malicious activity, attacks, and unauthorized behaviour from various perspectives. Our team can mitigate any potential attacks by following the internal procedure set for such events. We share our security systems, architectures, and tests results with our SOC 2 auditing firm, and you can review such measures upon requesting the SOC report.
Business continuity and disaster recovery & backups
We have various security measures and systems in place that continuously monitor for malicious activity, attacks, and unauthorized behaviour from various perspectives. Our team can mitigate any potential attacks by following the internal procedure set for such events. We share our security systems, architectures, and tests results with our SOC 2 auditing firm, and you can review such measures upon requesting the SOC report.
Nakisa’s disaster recovery plan provides that in the event of a disaster defined as a natural or human-made condition that could render your subscription services inaccessible for a period of more than one day (“Disaster”), Nakisa is able to resume services in accordance with this Subscription Services Agreement within one day from the event. RTO (Recovery Time Objective) for Nakisa cloud solutions is within one day and RPO (Recovery Point Objective) is the last daily backup.
As part of Nakisa’s compliance process and SOC auditing, disaster recovery capabilities and plans are tested on an ongoing basis. Disaster recovery simulation events are conducted by creating an event which results in the loss of an imaginary client’s data and access to their system. This test requires Nakisa to declare a disaster and trigger our DR action plan as our Support & Cloud Services teams are not able to bring the system back up. A data restore is triggered on a newly built infrastructure and restores the latest backup within our contractual timeframe.
Disaster recovery on the cloud is done by leveraging our cloud service provider’s resource availability on-demand. By using our cloud service provider’s specific APIs, a failed resource is restarted automatically in the case of a crash and a backup is used to restore the system. Restoration and disaster recovery are achieved by using the most recent or desired backup file and restoring all backed-up data.
With respect to our client’s production environment, Nakisa shall provide the following data back recovery points.
- Client data backups are stored in the same region as the client instance but in different data center locations to ensure recoverability in the event of a natural disaster.
- The backups will be periodically tested as part of the BCP (Business Continuity Planning) testing.
- The backup logs will be reviewed for errors and abnormal durations, and we look for opportunities to improve backup performance.
- Corrective actions will be taken when backup problems are identified to reduce risks associated with failed backups.
Note that a calendar week commences on a given Sunday 12:00 a.m. to the following Saturday 11:59 p.m., ET.
Backup Types
Daily
Weekly
Monthly
Available Recovery Points
Any of the last 7 daily backups
Any of the last 4 weekly backups
Any of the last 3 monthly backups
Data Sovereignty & transparency
We provide transparency into the geographical regions where our clients’ data is stored, and our clients can select the desired location from a list of possible regions.
Incident management
Nakisa has an incident management policy in place which follows the industry standard depending on the priority of the incident and its effect on our clients, which is reviewed at least annually by an independent global auditing firm. Also, as per the SOC 2 compliance and Nakisa’s Incident Management policy, a support case is triggered after each security incident, which provides details on the incident and flags the appropriate level of urgency to address and resolve it. Resources are assigned as needed to each incident based on support triage to identify the root cause and proceed to resolution. In the event of a security incident, the entire environment will be disconnected thus removing the ability of anyone to access the system.
Service level agreement for security incidents and mitigations (SLA)
In case of any potential or active security incident of which Nakisa is made aware, we address the security ticket following a priority level assessment – low, medium, high, or critical – based on the security incident’s impact on our clients. We provide different mitigation timelines in addition to daily updates and root cause analysis documentation that captures the required details and indicates the preventative actions that will be taken in the future.
Physical perimeter security
Datacenter physical security begins at the Perimeter Layer. This layer includes several security features including, but not limited to, 24/7 security guards, fencing, surveillance cameras, and intrusion detection technology. This includes scrutiny of the access, controlling the entry, monitoring for unauthorized entry, etc. All physical access to the inside perimeter layers is highly restricted and stringently regulated and logs are available for periodic review.
Capacity management & load balancing
We leverage a global third-party provider’s services to offer on-demand and automatic capacity expansion as well as distribute traffic from our clients across multiple zones to support high availability. While ensuring no one server is overworked which could result in degraded performance or unavailability (See Availability section for more details), you can instantly expand or reduce the capacity needed without technical support or additional investment in the infrastructure.
Cloud availability
We provide up-time of at least 99.5% for our Cloud (SaaS) clients with high availability. Using the latest cloud technologies enables us to increase resources on the run and ensure continuous system operations if systems face issues. This means our clients do not have to deal with poor system performance or major downtime.
Monitoring
We have various security measures and systems in place that continuously monitor for malicious activity, attacks, and unauthorized behavior from various perspectives. Our team can mitigate any potential attacks by following the internal procedure set for such events. We share our security systems, architectures, and tests results with our SOC 2 auditing firm, and you can review such measures upon requesting the SOC report.
System and performance monitoring
We have various security measures and systems in place that continuously monitor for malicious activity, attacks, and unauthorized behavior from various perspectives. Our team can mitigate any potential attacks by following the internal procedure set for such events. We share our security systems, architectures, and tests results with our SOC 2 auditing firm, and you can review such measures upon requesting the SOC report.
Maintenance
All scheduled and planned updates to Nakisa applications during which Subscription Services may not be available to our clients take place during our standard maintenance window over the weekend to minimize user disruption. The client will be notified of any other planned downtime seventy-two hours in advance. Nakisa will be diligent to minimize the risk of undue disruption to normal business operations. In case of emergency maintenance where Nakisa needs to make the Subscription Services unavailable to perform a maintenance operation outside of any Scheduled Downtime period, the clients will be notified of an Emergency Maintenance as soon as possible.
Nakisa Support Service Level Agreement (SLA)
While our configuration management process and proactive monitoring prevent most issues from affecting you, we are prepared to respond when an event causes downtime of your system. We are pleased to solve any issues based on our industry standard response times, however we understand that some issues require immediate attention. Thanks to our escalation policy, you can rest assured that the required resources will be allocated for a timely resolution when needed. We also perform regular tests of our disaster recovery capabilities to ensure that when unplanned downtime happens, we are ready to respond efficiently and promptly.
Frequently asked questions
Robust information security policies are set in place and are enforced company-wide, as well as with contractors, and are available to our SOC 1 and SOC 2 auditors through Nakisa portals. We review these internal policies annually and communicate changes to our employees/contractors via internal communication portals. More details on the above policies are provided in our SOC reports.
Here are a few of our internal policies that ensure our team handles our clients’ data with the utmost security:
- Change Management Policy
- Risk Management Methodology
- Access Management Policy
- Information Security Policy
- Risk Management policy
- Information Asset Management Policy
- Incident Management Policy
- Data Retention and Disposal policy
- Data Protection Policy
- Data Retention and Disposal
- Information Security Awareness Policy
Nakisa has been working on FIPS compliance for more than a decade to keep its network secure and protect its highly valuable customer data by phasing out any non-compliant components with the ones that comply with the latest FIPS 140 standards. As such recently Nakisa has a dedicated release to update its Cloud Connector to stay compliant with FIPS 140-2 standards for cryptography modules. Nakisa is also offering free dedicated support to help its customers update their infrastructure to stay secure and compliant with the latest FIPS cryptography standards. Read more about our FIPS compliancy here.
Nakisa’s environments are not publicly accessible and can only be accessed via a Virtual Private Cloud (VPC). Additional protection is provided by ACL (access control list) firewall rules that only allow traffic from specified ports to and/or from specific destination. Access is exclusively via HTTPS and is done using a reverse proxy to protect the environment from the outside world.
Data is encrypted in transit using standard secure web protocols and at rest using cloud service providers volume encryptions. The encryption method and key management infrastructure is administered by our cloud service providers.
Nakisa works with trusted cloud service providers to constantly monitor the security of the environment, and we will take necessary corrective action to mitigate risk of intrusions. We leverage monitoring and detection tools to identify potential threats and follow our incident management processes to triage alerts and take the necessary actions.
We follow a diligent change management policy with procedures for segregation of duties. Security is a major component that could drive a change in our solutions to ensure that risks are treated in accordance with their evaluation. Security also evaluates changes and is a stakeholder part of the change management process.
The high-availability, scalable, elastic environment provided by our cloud service providers provides automated, online, encrypted backup functionality to ensure that all data is redundantly stored and secured.
As per the Nakisa Incident Management policy, a support case is triggered after each security incident, whether it is identified through our monitoring and detection tools or by a user. This support case provides details on the incident and flags the appropriate level of urgency. Resources are assigned as needed to each incident based on support triage.
To request for any of our certifications or reports, click here.
Considering Nakisa solutions? Reach out to our team today to get all your security questions answered!
If you are an existing client, please contact your Account Manager for more details.