Moesif also acknowledges that no environment can guarantee absolute security. We recommend not sending any sensitive data such as ePHI (electronic Protected Health Information) or PCI DSS (Payment Card Industry Data Security Standard). Our open-source SDKs support masking any sensitive API data before it even leaves your application.
Management API tokens are also signed using the HMAC SHA-256 algorithm and can be limited to specific resource scopes and can have a specified token expiration date. Please follow the principle of least privilege and add only the minimum scopes that you need for the access token. If you need a short lived token to perform certain maintenance tasks, create a token that expires in hours or days.
Moesif creates unique keys for each use case. Those keys are not reused for unrelated purposes.
The Collection API, Management API, and moesif.com web portal all use SSL using Transport Layer Security (TLS) 1.2 and the latest SHA-256 algorithm for encrypting all network traffic which Moesif’s SSL implementation received an “A” on Qualsys’ SSL Labs. All of our open source SDKs and agents are configured to use HTTPS.
Encryption at Rest
Moesif encrypts customer data while at rest of both production data and backups using 256-bit AES encryption. Linux volumes are encrypted using dm-crypt and encryption keys are stored in Azure Key Vault. Data is stored only in the cloud on the Microsoft Azure platform which further provides fault-tolerance and strong access control to physical machines. However, we don’t simply rely on Azure for security and implement our own access control.
Snapshots of critical data stores are made multiple times per day and redundantly archived in Azure Blob Storage. These backups are regularly tested. Moesif also backup all streaming data to ensure no data loss will happen for any events that occur after a snapshot.
Data Storage Location
Moesif customer data at rest currently resides in the United States of America.
The Moesif platform runs on hardened hosts with tightened security groups, role-based access controls, and isolated virtual networks on the Microsoft Azure platform. A business reason must exist before employees or management is granted to a portion of the production infrastructure. Development environments do not have access to production data stores or virtual networks. Employees engaged in customer service can access a web portal with access to customer data similar in structure to the Moesif end user portal. Access to this system requires 2FA and is logged.
Moesif uses Azure Active Directory for RBAC with 2FA required. Moesif disables SSH authentication via passwords for production Linux machines.
Moesif has security policies in place for company laptops and workstations which include Full Disk Encryption and auto lock of workstation when left unattended. Mobile devices are protected with Mobile Device Management (MDM).
To prevent phishing scams or other cyber attacks, Moesif has deployed DMARC which builds on existing mechanisms like DKIM and SPF to detect and prevent email spoofing. Moesif also keeps logs on such spoofing attempts.
Our critical accounts (AWS, Azure, Google, GitHub, etc) enforce mandatory 2FA for all employees and management. SMS 2FA is discouraged over other 2FA medians. If a service allows non SMS based 2FA to be enforced, we make it mandatory. Moesif does everything it can to use company provided password managers and never share passwords across accounts.
Credit card and payment information is held by our payment providers, Stripe and Chargebee. Moesif does not store any payment information. If you signed up via a partnership program that integrates billing such as GitHub or AWS, your payment information may be held at that partner instead of our own payment providers.
Moesif uses Auth0 service for user authentication. Auth0 is a service dedicated to secure authentication for companies like Moesif. They never store passwords in plaintext in data stores, and ensure all passwords are hashed and salted via bcrypt. More information on Auth0’s security can be found here.