Joomag prioritizes data security and privacy through comprehensive security practices, ensuring safe, reliable service for its users. From PCI compliance and encrypted data transmission to disaster recovery planning and incident management, Joomag’s protocols are designed to protect customer data, maintain service availability, and uphold high security standards.
All organizations handle some form of sensitive information, whether it's customer payment information, employee data, or strategic business intelligence. To protect this information and ensure it never enters the public domain, it's essential to secure company-sensitive data, and Joomag is no exception. Joomag does not store passwords in plain text; instead, passwords are hashed and only the password hashes are stored. Because hashing is one-way, an attacker who obtains the stored hashes cannot reverse them to recover the original passwords. Joomag uses the bcrypt algorithm to achieve a high level of security. Bcrypt incorporates a per-password salt to protect against rainbow table attacks and has a tunable work factor, so it remains resistant to brute-force attacks as hardware gets faster.
Joomag utilizes the Security Assertion Markup Language (SAML) for Single Sign-On (SSO) capabilities, enhancing user authentication across different systems. By employing SAML, users benefit from streamlined access, logging in once with a single set of credentials to access multiple services. This not only simplifies the user experience but also strengthens security by minimizing the number of times users need to enter their credentials, reducing the risk of password theft.
Modern websites allow access to their services via third-party identity providers such as Facebook and Google. Using third-party identity providers simplifies account creation, login, and information sharing across websites. Joomag uses the latest industry-standard OAuth 2.0 protocol to implement reliable connection services with third-party identity providers. Users with Publisher roles can utilize Google, LinkedIn, and Microsoft identity providers, while Readers can use Facebook and Twitter.
Securing Internet-facing web services is critical for protecting client data. Joomag's security team drives an application security program to improve code security hygiene and periodically assess Joomag services for common application security issues, including CSRF, injection attacks (XSS, SQLi), session management, URL redirection, and clickjacking. Joomag uses Acunetix cloud services to test applications and services against various web vulnerabilities and to manage vulnerability resolution cases.
Joomag defines enterprise network boundaries using firewalls to control which services are exposed to the Internet and to segment the production network from the rest of the computing infrastructure. This approach limits access to the production infrastructure based on business needs and ensures strong authentication for access. Only a team of experts has access to production servers and data. Additionally, Joomag uses Cloudflare Security Services to protect against denial-of-service attacks and other threats. Firewalls are configured to block all traffic by default and explicitly allow only specific traffic to known services.
Joomag exclusively utilizes HTTPS for secure communications, ensuring all data transmitted between clients and servers is fully encrypted. To maintain the highest security standards, only TLS versions 1.2 and 1.3 are supported, providing robust protection against unauthorized access and ensuring data integrity during transit.
Joomag utilizes multiple logging systems in its production environment to capture information related to security, monitoring, availability, access, and other metrics about the Joomag platform. These logs are crucial for analyzing security events, detecting anomalies, and responding to incidents. Logs are analyzed using automated monitoring software and overseen by the security team to ensure continuous vigilance and quick response to potential threats.
Joomag is not currently a PCI-certified Service Provider but is a PCI Level 3 Merchant and has completed the Payment Card Industry Data Security Standard’s SAQ-A, allowing the use of third parties to process credit card information securely. The environment hosting the Joomag platform maintains multiple certifications, including ISO 27001 compliance and SOC reports.
Joomag supports the latest recommended secure cipher suites and protocols to encrypt all traffic in transit, and encrypts data at rest. The team monitors the cryptographic landscape closely and upgrades the service promptly in response to newly published cryptographic weaknesses.
Joomag utilizes LUKS (Linux Unified Key Setup) to encrypt data at rest. This adds a robust layer of security, ensuring that stored data remains unreadable unless the volume is unlocked with the proper key. By employing LUKS, Joomag strengthens the safeguarding of sensitive information, protecting it against unauthorized access to the underlying storage.
In the event of a security breach, Joomag promptly notifies affected users of any unauthorized access to their data. Joomag has incident management policies and procedures in place to handle such events.
Joomag's database is stored redundantly at multiple locations in its hosting provider’s data centers to ensure availability. The company has well-tested backup and restoration procedures, allowing recovery from major disasters. Joomag's database is automatically backed up nightly, and the SRE team is alerted in case of a failure. Backups are fully tested at least every 90 days to confirm that processes and tools work as expected.