By default within CaseAware, MySQL data fields do not have encryption turned on at the database level, due to performance concerns: when data has to be decrypted in order to return a result, search times increase.
For clients who choose to turn encryption on, CaseAware can enable encryption at the field level for NPI (SSN, Loan Number, DOB) without impacting performance. MySQL 8.0, which is in testing, will provide the ability to enable encryption at rest, so the database files themselves will be encrypted directly by MySQL rather than at the field level.
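The two options above differ in where the cost lands. The following MySQL example is added here as an illustration and is not CaseAware's schema or code: the table, column and variable names are assumed, the key and pepper values are placeholders standing in for material that would come from a key store, and the record values are constructed. It shows field-level encryption of the three NPI fields, why a lookup that decrypts to compare cannot use an index, how a keyed blind index restores fast equality search, and the MySQL 8.0 tablespace encryption the page refers to as encryption at rest.

```sql
-- Added example, not CaseAware's schema: field-level encryption of NPI in
-- MySQL 5.7/8.0 with a blind index for equality lookups.

-- The default block_encryption_mode is aes-128-ecb, which turns equal
-- plaintexts into equal ciphertexts; use a mode that takes a per-row IV.
SET SESSION block_encryption_mode = 'aes-256-cbc';

CREATE TABLE borrower_npi (
  borrower_id  INT UNSIGNED  NOT NULL PRIMARY KEY,
  ssn_enc      VARBINARY(64) NOT NULL,   -- AES-256-CBC ciphertext
  ssn_iv       VARBINARY(16) NOT NULL,   -- random IV, one per row
  ssn_bidx     BINARY(32)    NOT NULL,   -- blind index (keyed hash of SSN)
  loan_no_enc  VARBINARY(64) NOT NULL,
  loan_no_iv   VARBINARY(16) NOT NULL,
  dob_enc      VARBINARY(64) NOT NULL,
  dob_iv       VARBINARY(16) NOT NULL,
  KEY idx_ssn_bidx (ssn_bidx)
);

-- Placeholders: in a deployment the data key and the blind-index pepper are
-- fetched by the application from the key store, never hard-coded.
SET @data_key = UNHEX(SHA2('PLACEHOLDER-DATA-KEY-FROM-KEYSTORE', 256)); -- 32 bytes
SET @pepper   = 'PLACEHOLDER-BLIND-INDEX-PEPPER';

-- One constructed record (all values made up for the example).
SET @ssn = '123-45-6789';
SET @iv1 = RANDOM_BYTES(16);
SET @iv2 = RANDOM_BYTES(16);
SET @iv3 = RANDOM_BYTES(16);
INSERT INTO borrower_npi
  (borrower_id, ssn_enc, ssn_iv, ssn_bidx,
   loan_no_enc, loan_no_iv, dob_enc, dob_iv)
VALUES
  (1001,
   AES_ENCRYPT(@ssn, @data_key, @iv1), @iv1,
   UNHEX(SHA2(CONCAT(@pepper, @ssn), 256)),
   AES_ENCRYPT('LN-000123', @data_key, @iv2), @iv2,
   AES_ENCRYPT('1980-02-14', @data_key, @iv3), @iv3);

-- Slow path: every row is decrypted before it can be compared, so no index
-- applies and the whole table is scanned (EXPLAIN shows type = ALL).
EXPLAIN SELECT borrower_id
FROM borrower_npi
WHERE AES_DECRYPT(ssn_enc, @data_key, ssn_iv) = @ssn;

-- Fast path: hash the search value the same way, look it up in
-- idx_ssn_bidx, and decrypt only the matching row.
EXPLAIN SELECT borrower_id,
       CAST(AES_DECRYPT(ssn_enc, @data_key, ssn_iv) AS CHAR) AS ssn
FROM borrower_npi
WHERE ssn_bidx = UNHEX(SHA2(CONCAT(@pepper, @ssn), 256));

-- Encryption at rest (MySQL 8.0; assumes a keyring component is loaded):
-- InnoDB encrypts the tablespace file on disk and decrypts pages as they
-- are read into the buffer pool, so indexes and searches work unchanged.
ALTER TABLE borrower_npi ENCRYPTION = 'Y';
ALTER INSTANCE ROTATE INNODB MASTER KEY;
```

Two practical notes. A blind index should be a keyed hash (HMAC) computed in the application; MySQL has no built-in HMAC, so `SHA2` over a secret pepper is used here only as a stand-in. And session variables such as `@data_key` can end up in the general log, slow log or process list, so production code passes key material from the application rather than setting it in SQL.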
Data Encryption within CaseAware
Do you have any plans to encrypt the database?
We have been asked about full database encryption, but we do not have ‘full database encryption’ on our roadmap at this time, and here's why:
We consulted with top InfoSec experts on this topic to explore the risk/reward of full database encryption, and they shared the list below of compensating controls that, if followed, align with best practices and would conform with the most stringent requirements. We ensure that all of these controls are in place. Some of them are application specific and exist in CaseAware (access controls, etc.); others are hardware/environment specific, and we have those same controls in our GOLD hosted environment. Firms that elect on-premise hosting would most likely want these controls in place anyway for overall security, so they may already exist in your environment.
COMPENSATING CONTROLS
We are committed to helping the firms in the industry remain successful and sustainable. Our strategy is to make changes that will impact the largest group, and to make sure the changes are truly necessary (versus providing equivalent compensating controls).
- Data Loss Prevention
- Web Application Firewall
- Network Intrusion Prevention System
- Network segmentation (separation of the presentation, application, and data layers – a three-tier architecture)
- Database activity monitoring
- Server Antivirus and Antimalware
- 24x7 SOC – Security Monitoring
- Access controls – controlled database privileges
- Privileged Access Management
- DBA access monitoring
- Stored procedures
- Periodic Privileged Access Reviews (e.g., local admin, enterprise admin, DBA, etc.)
- Information Security Training
- Customer unique database (however, one database with logical data segregation is very common)
FAQs
Is the a360inc hosted solution considered a cloud environment?
CaseAware is not a Cloud or Multi-Tenant application. Each client has their own virtual server where the data is logically separated on our hardware in CyrusOne's Tier 4 datacenter managed by our team of technology experts.
Why is this relevant?
Many servicers inquire whether their vendors (law firms) host their applications in the cloud or use a multi-tenant application. They ask because, if you do use a cloud or multi-tenant environment, they want to know whether the third party maintains unique encryption keys per tenancy and/or external application for data in transit and in storage.
CaseAware is not a Cloud or Multi-Tenant application. However, we have responded to several servicer audits for our Gold/Hosted clients with our existing approach (encryption at the disk/array level, as described in the next answer), and it has been widely accepted as a sufficient level of data encryption.
What are some of the things that a360 has in their environment that could possibly work for firms who want to continue to host on premise?
For encryption at rest, a360 uses NetApp Encryption with the recovery keys stored in Keeper Keystore AWS-HSM*. Individual fields such as SSN, Loan Number, and DOB may also be encrypted at the client's request. All application processing and database activity runs on one server per client.
*AWS-HSM: AWS CloudHSM enables you to generate and use your encryption keys on FIPS 140-2 Level 3 validated hardware. CloudHSM protects your keys with exclusive, single-tenant access to tamper-resistant HSM instances in your own Amazon Virtual Private Cloud (VPC).