In the digital age, cyber attacks are inevitable. At FlowTrack, we are taking a “zero trust”, “minimal infrastructure” approach to managing risk and information security.
This document describes our guiding principles and aspirations in managing risk and the building blocks of our security model.
FlowTrack policy requires that:
(a) FlowTrack's security program and operations should be designed and implemented with the following objectives and best practices:
(b) Security shall remain a top priority in all aspects of FlowTrack's business operations and product development.
“Zero Trust” is a data-centric security design that puts micro-perimeters around specific data or assets so that more granular rules can be enforced. It remedies the deficiencies with perimeter-centric strategies and the legacy devices and technologies used to implement them. It does this by promoting “never trust, always verify” as its guiding principle. This differs substantially from conventional security models which operate on the basis of “trust but verify.”
In particular, with Zero Trust there is no default trust for any entity — including users, devices, applications, and packets—regardless of what it is and its location on or relative to the corporate network. In addition, verifying that authorized entities are always doing only what they’re allowed to do is no longer optional; it’s now mandatory.
Cyber attacks are inevitable. When it comes to preparing for potential attacks, FlowTrack security operations take the approach that assumes a compromise can happen at any time, to any device, with little to no indicators. This is also an extension of the “zero trust” model. When building security operations, we carefully perform risk analysis and threat model, to identify potential single point of compromise and to avoid having the “keys to the kingdom”.
In other words, compromise of any single system or user or credential, should not easily lead to a broad or full compromise of the entire infrastructure or operations. For example, if an attacker gains access to a admin credential (e.g. App Server Admin User), it should not directly lead to the compromise of all systems and data in the environment.
The FlowTrack platform leverages a multi-service architecture. This means that the system has been decomposed into numerous components that can be built and deployed individually. Before these components get deployed to our production environments, we thoroughly test and validate the changes in our lower environments which are completely isolated from production. This allows us to test upcoming changes while ensuring there is no impact to our customers.
Once a build has been validated in our lower (non-production) environments, we then deploy it to our production environment where the change will be available to FlowTrack customers and end-users.
Changes to our infrastructure (database schema changes, storage buckets, load balances, DNS entries, etc.) are also described in our source code and deployed to our environments just like the applications. This architectural approach to managing infrastructure is referred to as infrastructure as code and is a key requirement for fully automated deployments with minimal human touch.
It is of the utmost importance that FlowTrack provides for confidentiality (privacy), integrity and availability of its customer's data. Your data is protected with end-to-end encryption, combined with strong access control and key management. We also have controls on our internal employees to access our business customers data directly in production. So your data remains safe and private at all times. We will never use or share our business customers data without your prior consent.
We all know by now that "Passw0rd" makes a terrible password. Access control is so important we must get it right. That's why we leverage tried-and-true technology such as Bastion Host with multi-factor authentication, and short lived temporary authorizations from our Certificate Authority that signs users personal Keys and logs each request , both for our internal staff to access business resources and for our customers to access FlowTrack platform and services.
You can’t protect what you can’t see.
As the famous strategist, Sun Tzu, once said, “Know thy self, know thy enemy. A thousand battles, a thousand victories.” It all starts with knowing ourselves. This applies to the infrastructure, environments, operations, users, systems, resources, and most importantly, data. It is important to inventory all assets, document all operations, identify all weaknesses, and visualize/understand all events.
This includes conducting various risk analysis, threat modeling, vulnerability assessments, application scanning, and penetration testing. Not only that, this requires security operations to keep an eye on everything, and someone should also "watch the watchers".
At first, this would require significant manual effort and may seem impossible to keep up-to-date. Our goal is to automate security operations, so that this can be achieved programmatically as our operations evolve to become more complex.
Additionally, FlowTrack security team will actively monitor threat intelligence in the community, with feeds from NH-ISAC and CISA stay abreast of the attacker activities and methodologies.
As much as possible, FlowTrack security will translate policy and compliance requirements into reusable code for easy implementation and maintenance. This allows us to truly be able to enforce policy and compliance in a fast and scalable way, rather than relying solely on written policies and intermittent manual audits. For example, end-point device policies may be translated into DockerFiles or Bash run scripts and compliance may be enforced through the agent. Access Control policies for production environments are translated into AWS IAM JSON policies and implemented via CloudFormation code.
Automation makes it truly possible to centralize security operations, including not only event aggregation and correlation, but also the orchestration and management of previously siloed security controls and remediation efforts.
Security benefits from transparency, and should operate as an open-book. This allows the entire organization to take responsibility for and accountability of adopting security best practices. Similar to code reviews and pull requests in the development process, FlowTrack security team makes security standards and practices available to all employees for feedback prior to adoption.
We emphasize on the usability and practicality of security. A security solution or process is not effective, if it is not being used, no matter how good it may be. Having impractical security would only generate noise, provide a false sense of security, and incur unnecessary cost. Nothing is perfect, but we embrace an agile mindset to test and try, and to continuously improve.
Security != Compliance. We cannot have one without the other.
FlowTrack developed a security architecture on top of its main infrastructure environment AWS.
Detailed architecture diagrams of the in-scope networks, endpoints, applications as well as the security operations are developed and maintained Internally.
FlowTrack strives to leverage containers as the primary building blocks for our platform because:
A set of metrics / KPIs have been defined to assist in the measuring, reporting and optimizing the security program and the controls in place.
A security scorecard is produced every with updates to key metrics of the FlowTrack information security program, to measure its adoption and effectiveness.
The reports and scorecards are maintained by FlowTrack.
FlowTrack strives to provide a high quality of service to all of its customers. This is accomplished through a security architecture that encompasses all of FlowTrack's operations and provides high data confidentiality, integrity, and availability.
An overview of FlowTrack's architecture can be found in Security Architecture. FlowTrack uses a highly scalable cloud architecture to provide system quality at all times.
All systems are monitored and measured in real time as described in Application Service Event Recovery.
FlowTrack uses DevOps methodology as described in Software Development Process to ensure a smooth delivery process of all systems and applications.
Status for external facing, customer applications and systems is published at .
Fincosa LLC, 220 Calle Manuel Domenech #2012, San Juan, PR, 00918, USA