Introduction

The UK Government has set out 14 Cloud Security Principles. As a software-as-a-service company, Makerble is steward of confidential information. This article outlines how we address those principles.

For more information on the Cloud Security Principles, visit: https://www.ncsc.gov.uk/collection/cloud/the-cloud-security-principles

We take data security seriously. We follow industry best practice and have a comprehensive security framework to ensure your data is protected throughout its lifecycle in our cloud environment. This article provides information on the way we address each principle.

1. Data in Transit Protection

• The Makerble Platform uses encryption at rest and in transit for all data transfers.

• We employ industry-standard protocols TLS/SSL to safeguard data communication between you and our platform, as well as within our internal network.

2 . Asset Protection and Resilience

• Data that clients store on The Makerble Platform is securely stored in Microsoft Azure.

• As an organisation we use a password management tool (Passbolt) with OpenPGP encryption to securely store credentials and manage them.

• Data on The Makerble Platform is stored in Ireland in the Microsoft Azure regional data centre.

• Data stored on The Makerble Platform uses AES (Advanced Encryption Standard) encryption to store confidential information. This ensures that sensitive data is protected both in transit and at rest, maintaining the highest level of security.

• Data sanitisation and equipment disposal, including data storage devices such as hard drives, SSDs, and RAM, are completely handled by Azure. Azure's certified processes ensure that all data is securely erased and storage media are sanitised or destroyed at the end of their lifecycle.

3. Separation Between Customers

• The Makerble Platform implements logical mechanisms to segregate customer data. Within our software architecture, we use isolation mechanisms to prevent unauthorised access to customer data. This involves writing code that ensures each user can only access their own data and cannot inadvertently or maliciously access another user's information.

• We perform penetration tests and code reviews every 6 months to ensure the effectiveness of these isolation mechanisms

4. Governance Framework

• Makerble has defined security policies, procedures and controls that undergo regular review as part of our security governance framework.

• We are applying for Cyber Essentials Plus certification to further demonstrate its security posture and expect to have this in place by 31 December 2024.

5 . Operational Security

• Makerble prioritises operational security through a multifaceted approach. We conduct regular penetration testing and use third-party scanning tools such as SYNK and DeepSource to proactively identify vulnerabilities within our systems. 

• We continuously monitor for software updates from our software providers and apply patches promptly to maintain system integrity.

• Across The Makerble Platform we use the Cloudflare Web Application Firewall (WAF) to protect against a wide range of cyber threats.

6. Personnel Security

• Employees undergo a comprehensive security awareness programme as part of their onboarding process. We use an internal project management system to introduce them to key security policies and best practices. This is followed by a periodic assessment every 3 months to ensure employees retain their security awareness and ability to follow best practice.

7. Secure Development

• The teams working on The Makerble Platform follow secure development practices by adhering to the guidelines outlined in the Ruby on Rails Security Guide. This comprehensive framework helps us build robust and secure applications.

• We conduct rigorous code reviews (adhering to OWASP Top 10 Best Practice Standards) to identify and address potential security vulnerabilities before deployment. By integrating security considerations into our development process, we maintain our standards of data protection and system integrity.

8. Supply Chain Security

• As an organisation we acknowledge the shared responsibility model inherent in the cloud computing platforms we use such as AWS and Azure. While these providers offer robust infrastructure and security features, we recognise that the overall security of our systems requires collaboration. As such we work with our cloud service providers to implement their recommendations and make the most of their security tools and services.

9. Secure User Management

• As an organisation we have identified the specific levels of access to software that each employee requires. This ensures that our employees only have access to the data and permissions that are relevant, based on their role.

• We are committed to continually improving our user management capabilities. We are currently implementing Authentik to manage IAM (Identity and Access Management).

10. Identity & Authentication

• Across our organisation and in relation to The Makerble Platform, we safeguard client data through the use of robust identity and authentication protocols. For example, access to The Makerble Platform is restricted through a multi-layered approach that includes:

  • Strong Credentials: Users login using a unique email address and a complex password that meets industry best practices for length and character composition. 

  • Multi-Factor Authentication (MFA) Enabled by Default: To further enhance security, Makerble offers Multi-Factor Authentication (MFA) for all user accounts and organisations. This means every login attempt requires not only a username and password but also a second verification factor, which is a code received via SMS.

• In addition to this we enforce strong credentials and Multi-Factor Authentication across the software used by our employees.
  

11. External Interface Protection

• We use a VPN to control access to our systems. The software applications used by our team are restricted so that they can only be accessed securely via the VPN.

• For further reading on robust attack protections, please refer to Microsoft's article on discovering and mitigating evolving attacks against AI guardrails.

12. Secure Service Administration

• The Makerble Platform runs on Azure which follows enterprise-grade security for administration. Details of compliance are outlined here: https://learn.microsoft.com/en-us/azure/compliance/

• Building on the point in Principle 10, every Makerble employee uses MFA and follows our standardised security practices in relation to the software applications they use in their role. 

13. Audit Information

• As an organisation Makerble prioritises transparency and adheres to your right to audit our data processing practices. Our privacy policy outlines your right to request an audit of our security measures. We will promptly provide all relevant information within our control, subject to legal and confidentiality obligations.

• To further enhance security and threat detection across the organisation, we are implementing a Security Information and Event Management (SIEM) system. This builds on the existing security infrastructure we have with Cloudflare.

14. Secure Use of Service

• The Makerble Platform is designed with security in mind, incorporating secure defaults wherever possible. We have adopted a Privacy By Design approach which is outlined in more detail here: https://about.makerble.com/privacy-by-design 

• For more information on our approach to data security, please read: https://about.makerble.com/data-security-privacy-1 

• To further support our security efforts, we recommend reading Microsoft's comprehensive guide on Security as a Service. 

If you have questions about our approach to data security, contact our Data Protection Officer by emailing [email protected]