Integrify Security Overview

Data Encryption

Integrify Encryption in Transit

Connections use TLS 1.2. Each connection is encrypted and authenticated using AES_128_GCM, with ECDHE_RSA as the key exchange mechanism.
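As an added check (not Integrify's code), this Python probe opens a certificate-validated TLS connection, reports the negotiated protocol and cipher, and grades them against the policy the statement above implies: TLS 1.2 or newer, ECDHE key exchange for forward secrecy, and an AEAD cipher such as AES-GCM. The host name is a placeholder supplied on the command line.

```python
import socket
import ssl
import sys

# Policy derived from the statement above: TLS 1.2 or newer, an ephemeral
# (ECDHE/DHE) key exchange for forward secrecy, and an AEAD record cipher.
ALLOWED_VERSIONS = {"TLSv1.2", "TLSv1.3"}


def evaluate(version, cipher_name):
    """Grade a negotiated (protocol, cipher) pair; an empty list means it passes."""
    findings = []
    if version not in ALLOWED_VERSIONS:
        findings.append(f"protocol {version} is older than TLS 1.2")
    # Normalise OpenSSL names (ECDHE-RSA-AES128-GCM-SHA256) and IANA names
    # (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) to the same token list.
    tokens = set(cipher_name.upper().replace("-", "_").split("_"))
    # Every TLS 1.3 suite uses an ephemeral exchange, so only older versions
    # need the cipher name to carry it.
    if version != "TLSv1.3" and not ({"ECDHE", "DHE"} & tokens):
        findings.append(f"{cipher_name} has no ephemeral key exchange (no forward secrecy)")
    if not ({"GCM", "CCM", "CHACHA20"} & tokens):
        findings.append(f"{cipher_name} is not an AEAD cipher suite")
    return findings


def probe(host, port=443):
    """Open a TLS connection with certificate validation and return what was negotiated."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cipher_name, _protocol, _bits = tls.cipher()
            return tls.version(), cipher_name


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "app.example.invalid"  # placeholder host
    negotiated_version, negotiated_cipher = probe(target)
    print(f"{target}: {negotiated_version} {negotiated_cipher}")
    for finding in evaluate(negotiated_version, negotiated_cipher):
        print("  FINDING:", finding)
```

Recent Python versions already refuse anything below TLS 1.2 in the default context, so a handshake failure from probe() is itself a finding rather than a tool error.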

Integrify Encryption at Rest (Optional)

Amazon RDS encrypted instances use the industry standard AES-256 encryption algorithm to encrypt your data on the server that hosts your Amazon RDS instance. Once your data is encrypted, Amazon RDS handles authentication of access and decryption of your data transparently with a minimal impact on performance. You don't need to modify your database client applications to use encryption.

Amazon RDS encrypted instances provide an additional layer of data protection by securing your data from unauthorized access to the underlying storage. You can use Amazon RDS encryption to increase data protection of your applications deployed in the cloud, and to fulfill compliance requirements for data-at-rest encryption.

Firewalls

Integrify uses load-balancing firewalls to permit only customer-approved IP blocks to access the application, and only on the necessary ports. Certificates (SSL) are also installed at this level to ensure all communication between the firewall and the browser is secure.

Authentication

Integrify Database Authentication

User profiles are stored in Integrify, and user names and passwords are managed in Integrify. Passwords are hashed using SHA1. Password pattern and length requirements, as well as expiration settings, can be used to enforce corporate password policies. (Availability: Cloud and OnPremise)

Integration with SSO/ADFS/SAML2.0

This option delegates authentication to your IdP using the standard SAML 2.0 HTTP POST flow. Integrify initiates an AuthnRequest to your IdP and redirects the user to your authentication endpoint. Your IdP authenticates the user and then causes the user's browser to POST a SAML assertion containing the user's profile information to the Integrify ACS URL. Integrify validates the SAML assertion against the signing certificate provided by the IdP. If it is valid, Integrify provisions the user, or updates the user's Integrify profile if it already exists. Endpoints and attribute mappings are exchanged as part of the setup. (Availability: OnPremise and Private Cloud with API only)
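An added illustration (not Integrify's implementation) of the ACS-side checks that follow signature validation in the flow above: the response must answer an AuthnRequest this SP issued, come from the configured IdP, be inside its validity window, be addressed to this SP and not be replayed; only then does the attribute mapping drive provision-or-update. The entity IDs, the attribute map and the unsigned sample response are constructed placeholders, and verification of the XML signature against the IdP certificate is assumed to have been done by an XML-DSig library before consume() runs.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
# Constructed placeholders; the real values come from the metadata exchanged at setup.
IDP_ENTITY_ID = "https://idp.example.com/metadata"
SP_ENTITY_ID = "https://integrify.example.com/sp"
ATTRIBUTE_MAP = {"email": "mail", "firstName": "givenName", "lastName": "sn"}

SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" InResponseTo="_req1">
 <saml:Assertion ID="_a1"><saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://integrify.example.com/sp</saml:Audience>
   </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""

def saml_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def consume(response_xml, outstanding_requests, seen_ids, users, now):
    # ACS checks that run after signature verification; raises ValueError on any failure.
    root = ET.fromstring(response_xml)
    if root.get("InResponseTo") not in outstanding_requests:
        raise ValueError("response does not answer an AuthnRequest we issued")
    a = root.find("saml:Assertion", NS)
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("issuer is not the configured IdP")
    cond = a.find("saml:Conditions", NS)
    if not saml_time(cond.get("NotBefore")) <= now < saml_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion is outside its validity window")
    if SP_ENTITY_ID not in [e.text for e in cond.iterfind(".//saml:Audience", NS)]:
        raise ValueError("assertion is not addressed to this SP")
    if a.get("ID") in seen_ids:
        raise ValueError("assertion replayed")
    seen_ids.add(a.get("ID"))                                # each assertion accepted once
    outstanding_requests.discard(root.get("InResponseTo"))   # each request answered once
    attrs = {att.get("Name"): att.findtext("saml:AttributeValue", namespaces=NS)
             for att in a.iterfind(".//saml:Attribute", NS)}
    profile = {field: attrs.get(name) for field, name in ATTRIBUTE_MAP.items()}
    name_id = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    created = name_id not in users
    # Provision on first login; otherwise update only the attributes the IdP sent.
    users.setdefault(name_id, {}).update({k: v for k, v in profile.items() if v is not None})
    return name_id, created
```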

Windows Integrated Authentication (pass-through) and AD Sync Information

Users are logged into Integrify automatically based on their network user name. (Availability: OnPremise only)

Custom SSO

Users are authenticated via a third-party application, which makes a call to the Integrify External Authentication API. This returns a token that is used in the URL to which the application redirects the authenticated user. (Availability: Cloud and OnPremise with API access)

Private Cloud Details

  • A virtual machine running a dedicated Integrify server license
    • Your dedicated Integrify instance is not shared with other customers, providing total isolation
  • Isolated SQL Server database running on Amazon's RDS
    • You will have direct access to the SQL Server database used by your Integrify instance, allowing you to use third-party reporting tools, manage lookup tables or link to other databases in your enterprise.
    • Data backed up nightly and retained for 3 days.
    • Instant hardware failover: if the hardware fails, your instance is immediately brought back up
  • VPN connection to your network (optional)
  • Fully managed by Integrify: no hardware, software licenses or maintenance required
  • Your own unique URL
  • Ability to authenticate users and sync with Active Directory through SAML/SSO.
  • AWS RDS for SQL Server instance: http://aws.amazon.com/rds/sqlserver/
  • This is a managed service and access is available through SQL Server Management Studio. RDP access or access to the file system will not be available.
  • Multiple databases can be added to the instance, and multiple schemas in each database.
  • NOTE: If you plan to use the databases for activities not related to Integrify, the other option is to buy your own database instance on Amazon, either a dedicated VM or an RDS instance, and let the Integrify server connect to it over the local network. This keeps performance up while keeping the server isolated from the Internet.

Architecture

[Architecture diagram: Integrify-architecture-diagram.jpg]

Database Access

Access to the Integrify DB and its tables can be provided to client administrators. It is not required, but it is available both OnPremise and in a Private Cloud.

Disaster Recovery

Backup Processes

In the Integrify Cloud (Standard or Private), snapshots are taken every 15 minutes, with a snapshot being copied to a disaster recovery data center once a day. For OnPremise deployments, clients can follow their normal DB backup procedures.

Off-site Data Storage

Integrify utilizes AWS for Cloud deployments. For more detail see here: https://aws.amazon.com/backup-recovery/

Replication Process

Integrify utilizes AWS for Cloud deployments. For more detail see here: https://aws.amazon.com/backup-recovery/

Data Retention

No data is deleted from the Integrify database through the Integrify system; only soft deletes are possible. In the Integrify Cloud (Standard or Private), full backups are taken daily and incremental backups every 15 minutes, with a daily backup distributed to a separate data center for disaster recovery. For OnPremise deployments, clients can follow their normal DB backup procedures. Integrify utilizes AWS for Cloud deployments. For more detail see here: https://aws.amazon.com/backup-recovery/

Application Updates

Update Management

If deployed OnPremise, customers use the Integrify OnPremise Manager to apply updates to the platform. If deployed in the Private Cloud, Integrify manages the Private Cloud instance as a managed service as part of the annual subscription. Private Cloud instances are single-tenant, with a SQL Server DB instance for each client. (Note: all Integrify clients, whether single-tenant or multi-tenant, have their own DB instance.)

Monitoring

Integrify monitors the performance of the Integrify cloud and proactively alerts Support Group members when needed. Integrify utilizes AWS to collect and track metrics, collect and monitor log files, set alarms, and automatically react to changes.

Platform Upgrades

For OnPremise deployments, Integrify makes updates to the platform available for the client to download and install. Clients can use the Integrify OnPremise Manager (https://help.integrify.com/hc/en-us/articles/213595937-Running-the-Integrify-OnPremise-Manager) to update their installation. Minor software updates are made available monthly and are cumulative: a client may skip several months and then install the next available update, and it will include all prior skipped minor releases. In the Integrify Private Cloud, this is provided as part of your annual subscription as a managed service.

Integrify API

Integrify has several task types, referred to as Plugins, that can call out to and pull data in from a variety of interfaces. Our REST and SOAP Plugins enable calls to be made during process execution. This information can be used within the process/request itself and can also be saved within Integrify and other custom data structures for use later in other processes or actions.

Integrify also has an API Kit that enables actions to be triggered programmatically through RESTful services. Nearly any action that can be triggered through our end-user interface can also be triggered through RESTful services, such as initiating a process, executing a task, running a report and much more. Integrify API documentation can be found here: https://developer.integrify.com
