ATELIERE SECURITY PRACTICES

Ateliere is a professional provider of software solutions, and the security of our cloud applications is of the utmost importance for us.

Ateliere’s approach to security covers the key steps we take and the controls we implement across a number of security domains, both in securing our own environments and in the processes we have in place to ensure that the products we create are as secure as possible for our customers and users.

We aim to be transparent and legally compliant in our security practices. We want to meet all customer requirements for security and to exceed the requirements of industry security standards and certifications.

In order to attain a mature security posture and mitigate identified risks, Ateliere implements controls aligned with the Motion Picture Association of America (MPAA) Content Security Program and the OWASP Top Ten Proactive Controls. These controls are continuously evaluated for effectiveness against the evolving digital ecosystem.

The MPAA Content Security Program provides a framework for assessing facilities’ ability to protect a client’s content. The program, which Ateliere adheres to, focuses on three areas: management system, physical security, and digital security, drawn from relevant ISO standards, security standards, and industry best practices.

As required by the MPAA, our dedicated security teams have designed procedures and policies for asset and content protection, which are regularly reviewed and updated.

We practice a layered approach to security for our networks. We implement controls at each layer of our environments, dividing our infrastructure by zones, environments, and services. We have zone restrictions in place that limit traffic between the office/staff, customer data and DMZ networks. We also enforce environment separation to limit connectivity between production and non-production environments, and production data is not replicated outside of production environments. Access into production networks and services is only possible from within those same networks; for example, only a production service can access another production service.

We control access to our sensitive networks through the use of routing, firewall rules, and software defined networking, with all connections into those networks encrypted.

A well-defined process for provisioning user access for all systems and services is in place. All user accounts must be approved by management prior to having access to data, applications, and infrastructure or network components.

We care deeply about the resiliency of our products, and we appreciate that disruptions can happen. So we have built processes to plan for disruptions and to handle them with minimal impact to our customers when they do occur. Our business continuity (BC) and disaster recovery (DR) programs capture the various activities carried out to meet those objectives.

We operate a comprehensive backup program at Ateliere. This also covers our internal systems, where our backup measures are designed in line with system recovery requirements.

We take a proactive approach to the security of our product, and therefore regularly conduct vulnerability scans, penetration testing and security audits.

Ateliere has a comprehensive approach to handle security incidents. We consider a security incident to be any instance where there is a negative impact to the confidentiality, integrity or availability of customers’ data, Ateliere’s data, or Ateliere’s services.

We have a clearly defined internal framework that covers the steps we need to take at every stage of incident response, to ensure our processes are consistent, repeatable and efficient. It covers incident detection and analysis, incident categorization, containment, eradication and recovery.

Ateliere is constantly working to reduce the severity and frequency of vulnerabilities in our products, services and infrastructure and ensure that identified vulnerabilities are fixed as quickly as possible. To facilitate this, we have implemented a multi-faceted and continually evolving approach to vulnerability management that utilizes both automated and manual processes to identify, track, and remediate vulnerabilities across our applications and infrastructure.

We closely follow OWASP recommendations for development, and we have implemented a multi-tier protection framework for the OWASP Top 10 vulnerability categories for web and mobile applications.

The OWASP Top Ten Proactive Controls is a list of security concepts that are included in every Ateliere software development project, and we have designed procedures and mechanisms to ensure these requirements are met:

  1. Define Security Requirements
  2. Leverage Security Frameworks and Libraries
  3. Secure Database Access
  4. Encode and Escape Data
  5. Validate All Inputs
  6. Implement Digital Identity
  7. Enforce Access Controls
  8. Protect Data Everywhere
  9. Implement Security Logging and Monitoring
  10. Handle All Errors and Exceptions

Firstly, we are developing dedicated steps to implement protection against these vulnerabilities in our code.

Secondly, we have also implemented security protection in front of our services that further reduces the risk of being affected by these threats, such as DDoS mitigation, a web application firewall (WAF), network segmentation and access lists.

For further in-depth details, please consult the MPAA Content Security Program guidelines and the OWASP Top Ten Proactive Controls (OWASP Top Ten | OWASP Foundation).

We take the security of our cloud applications seriously. Our team is happy to answer any questions you may have about our security policies and practices.

Please get in touch here.