Cohabit Technologies builds software and operates an IT server environment to provide our service to you, the user. To keep your company's data secure and maintain data privacy, we follow IT security best practices. In this article, we will cover some of the relevant techniques.
User Session Security
Cohabit Technologies protects user sessions using a variety of methods, including but not limited to strong passwords, two-factor authentication and time limits.
Strong Passwords
Strong passwords help protect user accounts from unauthorised access. They contain a combination of letters, numbers, and special characters and must meet a minimum length, which makes them harder to attack with automated techniques such as brute-force guessing. Cohabit Technologies enforces programmatic password complexity rules, which we change from time to time at our discretion to make your passwords stronger.
Time Limits
Cohabit Technologies enforces a hard session timeout after which inactive users are forcibly logged out of the system. This limits the exposure when a user leaves their computer unattended and reduces the risk in the event that a user's computer is lost or stolen.
Two-factor Authentication
Two-factor authentication (2FA) is a security measure that requires users to provide two forms of identification to access their accounts, combining something the user knows (the password) with something the user physically has access to (their phone). Cohabit Technologies uses 2FA for extra peace of mind when securing or recovering access to individual user accounts. Even if a cyber criminal were able to trick a user into sharing their credentials, the attacker would also need to steal the user's second factor, which is orders of magnitude harder to do.
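The page does not say which second-factor mechanism is used, so the following is an added illustration (not Cohabit Technologies' code) of one common choice, a time-based one-time password (TOTP, RFC 6238) generated by an authenticator app on the user's phone. It shows why possession of the phone matters: the six-digit code is an HMAC over a shared secret and the current 30-second window, so a stolen password alone does not produce it. The secret below is the RFC reference test seed, used here only so the outputs can be checked against the published vectors; the replay check via `last_counter` is an assumption about how a server would track already-used codes.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo secret: the RFC 4226/6238 reference seed. A real deployment
# generates a random secret per user and shares it once (e.g. via a QR code).
DEMO_SECRET = b"12345678901234567890"
TIME_STEP = 30   # seconds each code stays valid
DIGITS = 6       # length of the displayed code


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble selects a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time window."""
    at = time.time() if at is None else at
    return hotp(secret, int(at) // TIME_STEP)


def verify_totp(secret: bytes, code: str, at: float,
                last_counter: int = -1, window: int = 1) -> Optional[int]:
    """Check a submitted code against the current window plus/minus `window` steps
    (to tolerate clock drift). Returns the matched window counter so the caller can
    store it and refuse any code from that window or earlier (replay protection).
    Returns None when no window matches."""
    current = int(at) // TIME_STEP
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter <= last_counter:
            continue  # a code from this window was already accepted: reject replay
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


if __name__ == "__main__":
    # The authenticator app and the server compute the same code independently.
    now = time.time()
    print("current code:", totp(DEMO_SECRET, now))
    print("accepted window:", verify_totp(DEMO_SECRET, totp(DEMO_SECRET, now), now))
```

The server stores the shared secret and the last accepted window; the user's phone stores only the secret. Because the code changes every 30 seconds and each window is accepted at most once, a code observed by an attacker is worthless moments later.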
Encryption
Encryption is the process of converting plain text or data into a coded form to prevent unauthorised access. Cohabit Technologies uses encryption to protect data in transit, that is while it is being transmitted from your computer to Managed App servers, and at rest, which is when we store it on disk. We also use a special one-way form of encryption called hashing or tokenisation, described below.
Encryption At Rest
Encryption at rest protects data stored on disk. It ensures that even in the unlikely event that an attacker gains physical access to the storage device, they cannot read or modify the data without the encryption key. Cohabit Technologies' encryption keys are stored separately and securely in a virtual key vault that is not co-located with the devices the keys are used for.
Encryption In Transit
Encryption in transit refers to the encryption of data as it is transmitted over a network, such as the internet. Cohabit Technologies uses a modern version of the Transport Layer Security (TLS) protocol to encrypt all network traffic to and from our servers. Even if an attacker intercepts your data as it traverses a public network, they cannot read or modify it without the encryption key. We use encryption in transit to protect all access to Cohabit Technologies' APIs, which carry all property, lease and, more generally, all user data.
Hashing / Tokenisation
Not all encryption is created equal. While encryption at rest, for example, uses an encryption key to both encrypt and decrypt data, hashing or tokenisation is a one-way form of encryption. Once data has been hashed or tokenised it can never be decrypted again, even with access to the original key. These hashes or tokens are useful for protecting particularly sensitive information, such as passwords or credit card details. While Cohabit Technologies does store hashed passwords on our servers, we never store credit card tokens, which are sent directly to our external payment gateway for processing.
System Access & Monitoring
Cohabit Technologies has a dedicated operations team that is responsible for providing Cohabit Technologies as a service. We continuously monitor our systems and networks for access and threats, and undergo regular external penetration testing exercises.
Access Controls
Cohabit Technologies grants internal staff access to your data and critical system functions on an as-needed basis only. These access privileges are revoked immediately when no longer required, and all access privileges are regularly reviewed. We have policies in place to ensure access to your data and critical system functions cannot be gained easily: all authorisations have to be granted by a line manager and independently confirmed by a second team member.
Intrusion Detection
Cohabit Technologies continuously monitors our server environment and networks for threats. This includes analysis of network traffic, user sessions, and identifying traffic from unusual network locations or device configurations. Step-up security may be enforced on user sessions to protect our systems (and your data) from access by third parties.
Penetration Testing
Cohabit Technologies commissions regular penetration tests of our systems, conducted by certified external security professionals. We regularly update our systems based on their recommendations to ensure our security measures remain effective against an ever-changing external environment.
We welcome questions about the security of our system so please don't hesitate to contact us on hello@cohabit.com.au for further information.