Vector Risk approaches the security of customer data from two viewpoints: security features built into Microsoft Azure, and security features built into the Vector Risk service itself.

Microsoft is one of the world’s largest cloud service providers. As the world’s pre-eminent software company Microsoft has vast experience in protecting computer networks against all kinds of threats including but not restricted to virus and denial of service attacks, and data theft. Download the Azure Security, Privacy, and Compliance whitepaper to learn more or take a look at the essential security features listed in the Azure Security sections below.

In developing its cloud risk service, Vector Risk recognized early on that the key benefits to consumers of the service could only be gained in a multi-tenancy model, whereby all users share the same hardware and simultaneously access a single active instance of the software. We knew that the issues of security and privacy would be uppermost in our customers’ minds so we included industry best practice security features in every aspect of the design. The key tenets we followed were:

• Segregation. We established a Vector Risk Security Database to hold all credentials. The database contains organisations. Each organisation is segmented into environments. Each environment is assigned to a level (production, staging, test or training). Users are assigned to environments and there is a hierarchy of permissions.
  
  
• Access. The Vector Risk service can be accessed via a downloadable GUI or via direct system links to Vector Risk’s secure  web services (HTTP over TLS). In all cases the underlying cloud service (and the customer’s data and results) are only accessible through these web services (the GUI simply accesses these same services with credentials supplied by the user at login). The web services use HTTP headers to pass the credentials (also known as basic authentication). 
  
  
• Data Security. A customer’s data must be fully protected from outside access, encrypted where necessary (for example counterparty names), and protected from inside the customer’s organisation by a hierarchy of permissions. In addition the data should be physically protected (in a secure data center and country with strong privacy laws), with frequent backups. Users have no direct access to any of the databases.

Vector Risk Security Features - Details

• Architecture. The diagram below shows the components of the Vector Risk service. Remember, a user may access the system via the GUI or via the web services. The GUI only accesses the rest of the system via the web services, all of which are secured by credentials held in the Security Database.
  
  
  

• Internet Protocol. IPV4
  
  
• Network Protocols. Users HTTPS to Microsoft Azure cloud. Data transfers protected by TLS 1.2.
  
  
• Logins and Passwords. Credentials are hashed and salted using industry best practice techniques.
  
  
• Roles. Users are assigned roles on a per-environment basis. Roles determine if a user can view, load data, change configurations, change user permissions and administer the system. Users are assigned roles through the application GUI.
• Audit Logs. An audit trail is kept that includes all logon and logoff events, privileged operations, unauthorised access attempts, security related system alerts and failures, system user and group additions; deletions and modification to permissions.
  
  
• Counterparty Names. All sensitive information that traverses networks between the client and Azure are encrypted using the AES algorithm. The GUI unencrypts the data so that the user sees it in screens and reports as plain text