Security Information

Reveal Group takes security very seriously and our enterprise-class security features ensure that your data is always protected. The following security information covers all the services provided by Reveal Group – Reveal OpsIQ, Reveal RoboReview, Reveal RoboDesigner, Reveal RoboManager, Professional Services & Managed Services. Note: Reveal RoboManager is provided in collaboration with our partner Shibumi and information specific to this product has been highlighted.

Cloud Security

Compliance Monitoring & Reporting

Facilities

Reveal Group hosts the following services (Reveal OpsIQ, Reveal RoboReview, Reveal RoboDesigner, Managed Services, Corporate Services) in Microsoft Azure. Reveal RoboManager is hosted by Shibumi in AWS. All our Azure and AWS data centers have been certified as ISO 27001 and SOC 2 compliant. Learn more about Compliance at Azure and AWS. Infrastructure services include backup power, HVAC systems, and fire suppression equipment to help protect servers and ultimately your data. Learn more about Data Center Controls at Azure and AWS.


On-Site Security

On-site security includes a number of features such as security guards, fencing, security feeds, intrusion detection technology, and other security measures. Learn more about physical security at Azure and AWS.


Data Hosting Location

Reveal Group leverages Azure and AWS data centers in the United States and Australia.

Network Security

Security Team

Our globally distributed Security Team is on call 24×365 to respond to security alerts and events.


Protection

Our network is protected at the edge by Cloudflare, a global leader in cloud network security, performance and reliability. Our network intelligence technologies continuously monitor our systems, blocking known malicious traffic and attacks, identifying and flagging anomalous usage patterns across both our public and internal networks.


Architecture

Our network security architecture consists of multiple security zones. More sensitive systems, like database servers, are protected in our most trusted zones. Other systems are housed in zones commensurate with their sensitivity, depending on function, information classification, and risk. Depending on the zone, additional security monitoring and access controls will apply. DMZs are utilized between the Internet, and internally between the different zones of trust.


Network Vulnerability Scanning

Network security scanning gives us deep insight for quick identification of out-of-compliance or potentially vulnerable systems.


Third-Party Penetration Tests

In addition to our extensive internal scanning and testing program, Reveal Group employs third-party security experts to perform annual penetration testing of our network and services.


Security Incident Event Management

Our Security Incident Event Management (SIEM) system gathers extensive logs from important network devices and host systems. The SIEM alerts on triggers that notify the Security team based on correlated events for investigation and response.


Intrusion Detection and Prevention

Service ingress and egress points are instrumented and monitored to detect anomalous behavior. These systems generate alerts when monitored values exceed predetermined thresholds, and use regularly updated signatures based on new threats. This includes 24×365 system monitoring.


DDoS Mitigation

Reveal Group has a multi-layer approach to DDoS mitigation, combining core technology from Cloudflare with additional tools provided by our infrastructure hosts.


Logical Access

Access to the Reveal Group production network is restricted on a need-to-know basis, utilizes least privilege and requires multi-factor authentication (MFA). All access attempts are logged and access control management is integrated into the security incident event management (SIEM) system. For more details about our Unified Cloud-Native Security Management, please refer to Organizational Security.


Security Incident Response

In case of a system alert, events are escalated to our 24×365 team who follow predefined Incident Response Procedures.

Encryption

Encryption in Transit

All communications with Reveal Group systems (UIs and APIs) are encrypted via industry-standard HTTPS/TLS (TLS 1.2 or higher) over public networks. This ensures that all traffic between you and Reveal Group is secure during transit. Transactional emails leverage opportunistic TLS to encrypt and deliver email securely.


Encryption at Rest

Data is encrypted at rest using AES-256 encryption.

Availability & Continuity

Uptime

Reveal Group targets at least 99.5% uptime for all our online services, excluding scheduled maintenance windows. A summary of our uptime statistics is publicly available via our system status webpage, which includes system availability details, scheduled maintenance, service incident history, and relevant security events.


High Availability

All Reveal Group systems are architected with multiple redundant components at each tier, to avoid any single points of failure and maintain high availability (HA).


Backups

Full database backups are taken at least daily and incremental backups are taken every 15 minutes. Data is replicated in real-time, both within and across data centers within a region, to guarantee durability in the event of a site loss. Other systems, such as email and file storage, are backed up daily.


Disaster Recovery

Our Disaster Recovery (DR) planning ensures that our services remain available and are easily recoverable in the case of a disaster. This is achieved by architecting a robust technical environment and testing to validate that everything works as anticipated.

Application Security

Secure Development Life Cycle (SDLC)

Secure Code Training

Our engineers receive secure code training covering OWASP Top 10 security risks, common attack vectors, and Reveal Group security controls.


Framework Security Controls

Reveal Group leverages modern and secure open-source frameworks with security controls to limit exposure to OWASP Top 10 security risks. These inherent controls reduce our exposure to SQL Injection (SQLi), Cross Site Scripting (XSS), and Cross Site Request Forgery (CSRF), among others.


Quality Assurance

Our code base undergoes regular QA and review, to identify, test, and triage security vulnerabilities in code.


Separate Environments

Testing and staging environments are logically and physically separated from the Production environment. Production data is not used in our development and testing environments. Occasionally, we may need to push production data to a staging environment to investigate a support issue that may only be reproduced with specific data. Upon completion of the investigation, these data are purged from the environment.

Vulnerability Management

Dynamic Vulnerability Scanning

Third-party security tools continuously and dynamically scan our core applications against the OWASP Top 10 security risks. Our security and engineering teams collaborate to test and remediate any discovered issues.


Static Code Analysis

Our source code repositories are scanned for security issues via our integrated static analysis tooling.


Third-Party Penetration Testing

In addition to our extensive internal scanning and testing program, Reveal Group employs third-party security experts to perform annual penetration testing of our network and services.

Product Security

Authentication Security

Authentication Options

Native authentication is used for Reveal OpsIQ, Reveal RoboDesigner and Reveal RoboReview. Single sign-on (SSO) via SAML is available for Reveal RoboManager enterprise customers.


Password Policy

Native authentication features strong password policies. Compliant passwords must be a minimum of 8 characters and include numbers, special characters, and both lowercase and uppercase letters. We also check passwords against a database of all publicly disclosed data breaches, and any password found there is disallowed. Users may request an account password reset via a secure, self-service workflow.


Service Credential Storage

Reveal Group follows secure credential storage best practices by never storing passwords in human-readable format, and only as the result of a secure, salted, one-way hash.

Additional Product Security Features

Role-Based Access Controls

Access to data within Reveal Group applications is governed by role-based access control (RBAC), with detailed object permissions and row-level security access filters for reporting data.


Sensitive Data Loss Prevention (DLP)

Reveal RoboReview checks files for potentially sensitive data and masks it in the user’s browser before upload. This ensures that the sensitive data never leaves your network and prevents it from being stored by Reveal Group. Where sensitive data is not explicitly labeled, the UI searches using standard regular expressions (regex) for the most common sensitive data types. The list of supported items is continuously under review, with a specific focus on localizations to support clients in Australia, Europe and North America. For further details on DLP, please visit our Support Center.


Due to the inherently complex nature of release files and the methods employed to detect sensitive data types, DLP is provided on a best endeavors basis.
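The browser-side masking step described above, as an added example that is not Reveal Group's DLP implementation: it scans a file's text with regexes for two assumed common data types (email addresses and payment card numbers), uses a Luhn check to skip digit runs that only look like card numbers, and returns the masked text that the upload would carry. The detector list and the sample input are constructed for illustration.

```javascript
// Added example, not Reveal Group code: client-side masking before upload.

// Luhn check filters out digit runs that merely look like card numbers.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Assumed detector list: a regex per type plus an optional filter that
// rejects false positives before anything is masked.
const DETECTORS = [
  { type: 'EMAIL', re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g },
  {
    type: 'CARD',
    re: /\b(?:\d[ -]?){12,18}\d\b/g,               // 13-19 digits, optional separators
    accept: (m) => luhnValid(m.replace(/[ -]/g, '')),
  },
];

// Masks every accepted match and counts masked values per type, so the UI
// can show what was removed before the file leaves the browser.
function maskSensitive(text) {
  const counts = {};
  let masked = text;
  for (const { type, re, accept } of DETECTORS) {
    masked = masked.replace(re, (m) => {
      if (accept && !accept(m)) return m;          // keep false positives intact
      counts[type] = (counts[type] || 0) + 1;
      return `[MASKED:${type}]`;
    });
  }
  return { masked, counts };
}

// Constructed sample of a release-file fragment (not real data).
const SAMPLE = [
  'Contact: jane.doe@example.com',
  'Card: 4111 1111 1111 1111',
  'Order ref: 1234 5678 9012 3456',                // fails Luhn, must stay as-is
].join('\n');

// The masked text is what would be placed in the upload request.
const RESULT = maskSensitive(SAMPLE);
```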

Organization Security

Controls

Hardening

All Reveal Group machines are fully hardened to meet acknowledged security best practices. For example, remote management protocols are managed by just-in-time access policies. Privileged access requires additional authentication and is fully audited. To reduce the potential attack surface, unused ports and services are disabled. Internet-facing components sit behind load balancers and operate on a private software-defined network, so they have no public IP addresses.


Conditional Access

Our automated cloud-based threat protection and deployment systems enforce a comprehensive set of policies across all Reveal Group managed machines. Access to our internal systems is tied to conditional access policies, to guarantee that authenticated users must use compliant devices to access company resources.


Unified Cloud-Native Security Management

As a cloud-native organization, Reveal Group has architected our systems to operate without a physical infrastructure footprint. We leverage state-of-the-art tools to integrate audit and logging information across our entire cloud tenancy. Azure Sentinel allows us to manage our security via a single pane of glass. It intelligently aggregates and correlates auditing, logging, alerts and incidents, while also hunting for breaches, patterns and anomalies using machine learning algorithms. Data sources include logs from networks, servers, devices and applications, plus feeds from Office 365, Active Directory, Azure, Advanced Threat Protection, Cloud App Security and other systems.

Security Awareness

Policies

Reveal Group has developed a comprehensive set of security policies covering a range of topics. These policies are shared with and made available to all employees and contractors with access to Reveal Group information assets.


Training

Reveal Group employees receive Security Awareness Training during their onboarding. Periodic refresher sessions are scheduled for all employees thereafter. The Security team provides additional security awareness updates via email and internal events.

Employee Vetting

Background Checks

Reveal Group performs background checks on all new employees in accordance with local laws. These checks are also required to be completed for contractors. The background check includes criminal, education, and employment verification.


Confidentiality Agreements

Non-Disclosure and Confidentiality clauses are included within the standard agreements signed by all Reveal Group employees and contractors.

Compliance

Compliance

SOC 2 Type II

We use best practices and industry standards to achieve compliance with industry-accepted general security and privacy frameworks, which in turn helps our customers meet their own compliance standards. Our infrastructure partners, Microsoft Azure and AWS, undergo regular SOC 2 Type II audits. These reports are available upon request and under NDA. The latest SOC 2 Type II report can be requested here.


ISO 27001

Reveal Group is broadly compliant with ISO 27001 and is currently working towards formal accreditation.


Cloud Security Alliance

Cloud Security Alliance (CSA) is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing. Reveal Group has completed a publicly available Consensus Assessment Initiative Questionnaire (CAIQ), based on the results of our due diligence self-assessment.


Privacy

Learn more about privacy at Reveal Group here.

Resources

We have a number of resources that we can provide upon request.

Request Resources

The following resources may require an NDA on file.


– Certificate of Insurance

– SOC 2 Type II Reports

– Reveal SaaS Technology FAQ

– Reveal RoboManager Data Dictionary

– Reveal RoboDesigner Data Dictionary

– Reveal RoboReview Data Dictionary

– Reveal OpsIQ Data Dictionary

– CSA CAIQ (Reveal Group)

– CSA CAIQ (Shibumi)

– Annual Penetration Test Summary