About ClearID information security - ClearID

Genetec ClearID™ User Guide

Applies to
ClearID
Last updated
2024-04-09
Content type
Guides > User guides
Language
English
Product
ClearID

All data and files imported in Genetec ClearID™ are encrypted, and all communication with the platform is secure. These encryption and security measures ensure that sensitive data, files, and communications are only seen by users with the appropriate access.

Cryptography standards

Data encryption
All personal information managed by ClearID is automatically encrypted using the Advanced Encryption Standard with 256-bit keys (AES-256) and symmetric keys that are generated dynamically. This automatic encryption ensures that each blob of data, such as an identity, is given its own unique AES key.

For extra protection, the AES key is itself encrypted with the public key of a key pair that is unique to the account, so that only the account's private key can recover it. All the cryptographic keys used by ClearID are securely managed in Azure Key Vault, which supports FIPS 140-2 Level 2 validated HSMs.

Data integrity
A digital signature (SHA-512 with RSA) is generated to detect any attempt to modify data and to ensure the integrity of the data and actions in the system. Because every item of data is hashed and signed, attackers cannot delete, modify, or add content to data stored in ClearID without the change being detected.
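The two mechanisms described above, a per-blob AES-256 key wrapped with the account's public key and an RSA/SHA-512 signature for integrity, put together as an added example in Go; this is not ClearID's code. It assumes RSA-OAEP for key wrapping, RSA-PSS padding for the signature, AES-GCM as the AES mode, and separate account key pairs for wrapping and signing, none of which the page specifies; storage of the keys in Key Vault is left out.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha512"
)

// Envelope is one stored blob: AES-256-GCM ciphertext and nonce, the blob's own
// key wrapped with the account's RSA public key, and an RSA/SHA-512 signature.
type Envelope struct {
	Nonce, Ciphertext, WrappedKey, Signature []byte
}

// Seal encrypts one blob under a fresh 256-bit key, wraps that key so only the
// account's private key can recover it (RSA-OAEP) and signs the ciphertext (PSS).
func Seal(plaintext []byte, wrapPub *rsa.PublicKey, signPriv *rsa.PrivateKey) (*Envelope, error) {
	blobKey := make([]byte, 32) // unique to this blob, never shared with another
	if _, err := rand.Read(blobKey); err != nil { return nil, err }
	gcm, err := newGCM(blobKey)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha512.New(), rand.Reader, wrapPub, blobKey, nil)
	if err != nil { return nil, err }
	digest := sha512.Sum512(ct)
	sig, err := rsa.SignPSS(rand.Reader, signPriv, crypto.SHA512, digest[:], nil)
	if err != nil { return nil, err }
	return &Envelope{nonce, ct, wrapped, sig}, nil
}
// Open verifies the signature before unwrapping the key, so a modified blob is
// rejected before any key material is used; GCM's own tag is a second check.
func Open(env *Envelope, wrapPriv *rsa.PrivateKey, signPub *rsa.PublicKey) ([]byte, error) {
	digest := sha512.Sum512(env.Ciphertext)
	if err := rsa.VerifyPSS(signPub, crypto.SHA512, digest[:], env.Signature, nil); err != nil { return nil, err }
	blobKey, err := rsa.DecryptOAEP(sha512.New(), nil, wrapPriv, env.WrappedKey, nil)
	if err != nil { return nil, err }
	gcm, err := newGCM(blobKey)
	if err != nil { return nil, err }
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
```
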
Communication encryption
Communication in the platform is secured using HTTPS (Hypertext Transfer Protocol Secure) with Transport Layer Security (TLS) certificates, to ensure that only trusted parties have access to data managed by ClearID. This communication encryption ensures the confidentiality of the information and reduces the possibility of malicious attempts to intercept or alter communication in transit.

Network and information security

As a trusted provider of security solutions for government agencies and high-profile public and private organizations worldwide, we take compliance with local laws very seriously. This compliance includes the laws related to data security and protection of privacy in the territories where we sell our products and services.

To ensure that all customer data is stored and used appropriately and securely, ClearID is an ISO/IEC 27001 certified Information Security Management System.
Secure development and operations
Our development and operations teams have been certified to ISO 27001:2013. Our dedicated security team administers and reviews architecture and design requirements, ensuring that we meet the highest industry standards and regulations, including the General Data Protection Regulation (GDPR). Every change in ClearID undergoes a strict series of automated security tests, and regular penetration tests are performed by industry leaders in information security.
Zero-trust architecture
Customer data is segmented over a series of microservices. Each microservice has one specific role in the system and the service has access only to the minimum data required to perform that task. There is no central repository of data that can be attacked. The information is distributed across siloed, independent repositories. The data center network is considered unsafe in our zero-trust architecture. All data transmitted and received between microservices is encrypted and digitally signed.
Service monitoring
We subscribe to various security threat feeds and services, including Check Point, Microsoft, Mandiant, and Hyphen. Based on the nature of evolving threats, we adapt our controls as often as necessary.
Production environments are constantly monitored by services that:
  • Perform a series of synthetic transactions every 5 minutes to emulate users from different locations in the world.
  • Constantly measure a series of metrics from the servers to detect anomalies, such as a high number of web request failures.
  • Automatically raise an alarm to our development and operations team, who take immediate action to correct the issue and mitigate any impact in the production environment.
The goal is to detect transient errors, data center issues, performance degradation, and ISP outages before users notice any impact on their system.

User authentication

By default, ClearID uses Azure Active Directory B2C and Azure AD B2B for user authentication. Organizations can also federate their existing Active Directory (AD) user identities through Microsoft Azure Active Directory, or any system that supports the OpenID Connect standard, to provide a single sign-on (SSO) experience and ensure that the system meets corporate policy requirements for user authentication.

The authentication system is based on a passive authentication model with OAuth 2.0 and OpenID Connect, in which the identity provider (AD or another) presents its own sign-in page directly. Identity administrators define how users are authenticated: for example, with passwords, tokens, biometrics, or a combination of these techniques.

By using Active Directory, organizations can enforce a wide variety of user and password validation rules and expiration requirements. Examples include multi-factor authentication and deactivating a user credential after several failed logon attempts, among many other configuration options.