Impero security

Introduction

Impero A/S, hereafter referred to as ‘the organization’, is a Danish company founded in 2013 and headquartered in Aabyhoej, Denmark. We develop and deliver a software-as-a-service solution for risk and compliance management. The software is hereafter referred to as ‘Impero’ or ‘the solution’.

Impero A/S operates with distributed teams consisting of team members in Denmark, France, Germany, UK, and Hungary.

Due to the distribution of our teams and the many activities offsite we take a strong stance toward security and focus on securing both devices and data through mobile device management as well as the enterprise resources hosted by Microsoft Azure and Microsoft O365.

Security is the most crucial part of our solution and is, as such, reflected in our people, processes, and ways of working. This white paper clarifies how we provide security to our customers and protect their data.

Organizational security

Our people

Employee Background Checks

During the hiring process, each employee undergoes a process of background verification. Their criminal records, previous employment records (if any), and educational backgrounds are scrutinized thoroughly. The employee will not be granted access to sensitive information until this background check has been successfully performed.

Security Awareness

Upon induction, each employee signs a confidentiality agreement and an acceptable use policy. The employee then undergoes training in information security, privacy, and compliance.

Impero A/S provides training on specific aspects of security the employee may require in their role. Additionally, we continuously train and educate our employees within extensive areas including information security and privacy as well as ensure their awareness of the organization’s security practices.

External Consultants and Third Parties

Any external consultant or third-party requiring access to the organization’s will be enrolled in our security awareness program.

Secure by design

Security is crucial to Impero’s developmental lifecycle. As such, any code deployed to our production environment will be subject to a range of security measures beforehand.

• Our developers have in-depth knowledge of and conform to OWASP
• All code is subject to code review
• A series of unit and integration tests must run successfully before deployment
• Release candidates are thoroughly tested by our test team
• Segregation of duty is enforced in several areas, e.g. development do not have access to the production environment
• Our frontend and backend codebases are coded in high level type safety languages; Typescript and Rust, which both help reduce the number of software defects
• Linkage between committed code and related user stories in our development management solutions ensures full traceability.

Encryption

Encryption in Transit

Impero adheres to the highest recommended standards of encryption. All data transiting between the Impero servers and client browsers is encrypted using TLS 1.2 with only the most secure ciphers enabled with AES encryption and SHA-256 signatures as minimum requirement.

Encryption at Rest

Impero stores data in both a Postgres relational database and in the Azure blob storage, applicable to uploaded files. Both are encrypted using the AES-256 cipher by our hosting provider Azure.

Password Storage

Passwords are not stored in the database. A hashed, salted version of the password is saved instead using the Argon 2 cryptographic hash algorithm. In addition, a pepper (server-side secret, site-wide) is used to generate the hash. The pepper is stored on a separate server from the database.

Web application security

Authentication

Impero’s users may, depending on company policy, authenticate using the following methods:

• Login + password
• Login + two-factor authentication (password + SMS)
• Single sign-on SSO (based on OpenID Connect)

Passwords are subject to complexity requirements. Should an organization elect to use to use two-factor authentication, the application will send a randomly generated code expiring within 60 seconds.

Session management

The application saves information in cookies. Cookies are only accessible via an encrypted connection and the cookie containing the session identifier is not available from browser-side scripts.

A server-side session registry ensures that users only access the application using a single browser per session thus mitigating the risk of users neglecting to close a session on a public terminal. Additionally, sessions without activity are invalidated after 60 minutes and the user will need to log in again.

XXS Attacks

For most user interfaces, Impero relies on the React rendering library, a JavaScript library. This protects the application from most XXS attacks. Some legacy parts of the application use server-side templating system with built-in escaping in addition to client-side escaping.

SQL Injection

Impero uses an SQL query builder generating parametrized SQL queries. Handwritten SQL is also thoroughly reviewed and parametrized. 

External security validation

Web Application Security Assessment

Security assessments are conducted periodically by a leading external provider. The assessment covers all relevant security aspects within both the solution as well as the deployed environment. Any potential findings are reviewed and mitigation plans are initiated. Following mitigation, a verification test is performed.

Among others, these assessments ensure that Impero has the adequate safeguards within the areas of:

• SQL Injection
• Broken Authentication
• Sensitive Data Exposure
• XML External Entities (XXE)
• Broken Access Control
• Cross-site Scripting (XXS)
• Insecure Deserialization
• Using Known Vulnerable Components
• Logging and Monitoring

Security Compliance Audits

An ISAE 3000 statement on the IT general computer controls operated by Impero is prepared annually by an external audit partner. As part of the internal controls performed by Impero, a review of relevant audit statements covering the Microsoft Azure resources. Among these statements is the SoC2 report that covers, but is not limited to, the following:

• Backup and restoration
• Infrastructure
• Firewall
• Patching
• Antivirus
• Physical security
• Business continuity management

Hosting

Hosting is provided by the Microsoft Azure cloud. This includes both the web application as well as any additional services such as logging and all stored data.

Network security

Impero is hosted on virtual machines provided by Microsoft Azure, using different operating systems. All servers have systems for automatically applying security patches and rebooting, if necessary.

Impero servers sit behind a secure firewall where only necessary ports are open. In the network behind this firewall, all traffic is end-to-end encrypted – including connections to the database. Servers use a secure configuration with only necessary services enabled as well as rely on SSH keys for remote login whenever the operating system is compatible.

Monitoring & logging

Impero stores logs, for various purposes, at server-, web server software-, and application-level. These logs may be used to track customer issues or identifying malicious activity. Additionally, Impero relies on Microsoft Azure’s monitoring features and in particular its Security Center.

Device and access management

Prior to gaining any access to company resources, Impero requires all devices enrolled in the company’s MDM solution. The MDM solution ensures the devices comply with the security standards set forth by Impero and enforces continued monitoring. Impero’s security policies are comprehensive and include requirements such as:

• Encryption at rest on all devices
• Up to date anti-malware software and antivirus
• Compliance with password policy
• Use of long pin and locking when idle for all smart devices

Access to company resources is granted on the principle of least privilege and role-based permission and always reflect job responsibility. Access rights are subject to recertification.

For additional risk mitigation purposes, Impero enforces multi-factor authentication in order to access company resources including the Microsoft Azure environments.

Responding to security incidents

Impero has established policies and procedures addressing to possibility of security incidents and appropriate responses. There are additional procedures in place concerning violations of information security policies, software malfunctions or security weaknesses and appropriate responses hereto.

Get in touch

Impero is constantly striving to have the optimal security posture. We are constantly searching for improvements to our development practices and security processes so that we may continue to the most secure solution possible and keep our customers’ data safe.

Please reach out to us via support@impero.com, should you have any queries regarding our security practices, as we are happy to provide further information.