Security Overview

As a provider of a cloud-based SaaS offering, CrewBeacon is committed to providing highly secure and reliable software solutions. We encourage and maintain a culture dedicated to understanding, preventing, and reacting to threats against our customers, our staff, and our data systems. We have adopted a structured and documented risk-based approach to cybersecurity, and our teams utilize proven and state-of-the-art security technologies and techniques to protect all systems, data, and information from unauthorized access.

Shared Responsibility Model

We provide services designed for our customers to access and manage on their own behalf. It is important to understand that the security of the entire system is a shared responsibility between CrewBeacon, its customers, and all individual users of our application.

Our platform is built on Amazon Web Services (AWS) infrastructure, which is compliant with a wide variety of industry-accepted security standards (read more here). It is also important to understand that CrewBeacon participates in its own shared responsibility model with AWS (read more here).

AWS is responsible for the facility operations, physical security, physical infrastructure, network infrastructure, virtualization infrastructure, and hardware lifecycle management.

CrewBeacon is responsible for the security, availability, and lifecycle of the SaaS application. This includes operating system hardening, design of network routing and resource ACLs, secure coding and deployment practices, proper database schema design and implementation, and proper backup retention and business contingency workflows.

You are responsible for the safety and security of your own user account(s), the design and implementation of your own control environment (including the management and support of users and their respective permissions), your own operational workflows, governance over the type and amount of data that is input into the platform, and the global configuration and management of your client account.

Platform Architecture Overview

CrewBeacon largely utilizes open source technologies, where possible, to design and deliver world-class enterprise software products.

Web Application

The web-based Management Portal is designed for back-office client personnel. Our web-based technologies are built on the LAMP stack, utilizing Linux server instances, Apache web server, MariaDB database engine, and PHP server-side scripting language.

The internal Mobile API services that allow the Mobile Application to communicate with the Management Portal are architected in this same manner.

Mobile Application

The Mobile Application is specifically designed for the field crews. The application is built for Android and iOS devices, and can be found publicly in Google Play and the Apple App Store, respectively.

How is my data protected?

Network Security

  • All network traffic to and from our service is encrypted in transit using the latest TLS protocol versions. Less secure SSL protocols and older versions of TLS are turned off and not allowed.
  • The network segment that drives our SaaS offering is housed in its own completely segregated environment, even from the rest of CrewBeacon operations infrastructure.
  • All resources are firewalled to a minimal number of access points using AWS Security Group policies built specifically for the corresponding network route or function.
  • Inbound user traffic is routed through the CloudFlare network (read more here), which serves as a threat proxy and CDN and provides additional layers of reporting, performance, and security capabilities such as DDoS mitigation.
  • CloudFlare TLS settings are set to "strict" mode, ensuring valid and properly signed certificates end-to-end as well as protection against MITM attacks on origin traffic (read more here).

Application Security

  • User accounts can be configured with granular permissions.
  • Password policy and complexity settings are configurable to your security standards.
  • Passwords are stored hashed and salted.
  • Session tokens are used to identify properly authenticated user sessions.
  • Session IDs are additionally bound to the initial IP address before being trusted.
  • Inactivity timeouts are enforced.
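As an added example (this is not CrewBeacon's code; the Management Portal's actual implementation is not published here), the following PHP shows how the controls listed above fit together on a LAMP-style stack: password_hash() for salted hashing, a random session token, binding the token to the login IP address, and an inactivity timeout. The 15-minute idle limit, the session array layout, and the helper names are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example (not CrewBeacon's code): salted password hashing plus session
// tokens that are bound to the login IP and expire after inactivity.

const SESSION_IDLE_SECONDS = 900; // hypothetical 15-minute inactivity limit

// password_hash() picks a random salt per password and embeds it in the
// returned string, so "hashed and salted" storage needs no separate salt column.
function hashPassword(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT);
}

function verifyPassword(string $plain, string $storedHash): bool
{
    return password_verify($plain, $storedHash);
}

// Session record created after a successful login. The token is 256 bits of
// CSPRNG output; the record pins the client IP observed at login.
function createSession(int $userId, string $clientIp, int $now): array
{
    return [
        'token'     => bin2hex(random_bytes(32)),
        'user_id'   => $userId,
        'bound_ip'  => $clientIp,
        'last_seen' => $now,
    ];
}

// Behind CloudFlare the origin sees the proxy's address; the real client IP
// arrives in the CF-Connecting-IP header and should only be trusted when the
// TCP peer is one of CloudFlare's published ranges (that range check is
// omitted here and is an assumption about the deployment).
function clientIp(array $server): string
{
    return $server['HTTP_CF_CONNECTING_IP'] ?? $server['REMOTE_ADDR'] ?? '0.0.0.0';
}

// Validate a presented token: constant-time compare, IP must equal the bound
// one, and the idle gap must be within the limit. Returns the refreshed
// record, or null when the session must be rejected.
function validateSession(?array $session, string $token, string $clientIp, int $now): ?array
{
    if ($session === null || !hash_equals($session['token'], $token)) {
        return null;
    }
    if ($session['bound_ip'] !== $clientIp) {
        return null;
    }
    if ($now - $session['last_seen'] > SESSION_IDLE_SECONDS) {
        return null;
    }
    $session['last_seen'] = $now;
    return $session;
}

// Walk-through with constructed values
$stored = hashPassword('correct horse battery staple');
var_dump(verifyPassword('correct horse battery staple', $stored));
var_dump(verifyPassword('wrong password', $stored));

$t0 = 1700000000;
$s  = createSession(42, '203.0.113.10', $t0);
var_dump(validateSession($s, $s['token'], '203.0.113.10', $t0 + 100) !== null);  // same IP, within idle window
var_dump(validateSession($s, $s['token'], '198.51.100.7', $t0 + 100) !== null);  // IP changed since login
var_dump(validateSession($s, $s['token'], '203.0.113.10', $t0 + 1000) !== null); // idle longer than the limit
```

Binding a session to its initial address rejects the session whenever the client's IP changes mid-session, which is common for field crews on mobile networks, so in practice the rejection is paired with prompting the user to sign in again rather than failing silently. Behind a proxy such as CloudFlare, the origin must take the client address from the proxy-supplied header and trust that header only for requests that actually arrived from the proxy's address ranges; otherwise the IP check can be satisfied by whatever a direct client chooses to send.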

System Security

  • Server roles are tiered.
  • All operating systems are maintained according to industry best practices.
  • All recommended patch levels are monitored and applied frequently.
  • Unnecessary users, services, and components are disabled.
  • All systems are constantly monitored.

Data Security

  • All client data is encrypted at rest. Everywhere.
  • AWS RDS service is used to manage database servers, and database instances are configured with automatic encryption.
  • All database replication operations, as well as snapshots and backups, are encrypted.
  • All databases are unroutable from the Internet, and are hardened so that they can only be accessed from authorized internal resources (both network-based and user-based ACL enforcement).
  • Key management is governed using native AWS key services.

Software Development Life Cycle (SDLC)

SDLC processes are used to help control the way code is safely and properly introduced into live production environments.

The CrewBeacon approach aims to (1) mitigate risks of introducing unstable, unsecured, and/or undesired code into live systems, and (2) ensure that development teams and testers never require access to live client data to perform their jobs effectively.

  • Environments are logically isolated from one another into separate distinct branches (Development, QA, and Production).
  • All code, database, and media assets are completely separated between branches, ensuring that developers and testers never require access to client data.
  • Code is evaluated for business impact, security impact, and soundness prior to release into production environments.
  • Bugs, Enhancements, Epics, and Icebox project backlogs are documented in a central repository and visible to developers, testers, operations, and management.

Learn more at https://crewbeacon.com, or find our Contact Info here.