BlueFile is architected from the ground up to protect your data in accordance with the highest industry standards for security and privacy.
BlueFile ensures that all customer data is encrypted both at transit and at rest. We use tools such as AWS Key Management Service (KMS) to manage encryption keys using hardware security modules for maximum security in line with industry best practices.
All employees must complete continuous security training for topics to stay up-to-date on the best security practices. We also ensure that all employees use strong passwords and multi-factor authentication when logging into their accounts.
BlueFile also maintains a rigorous vendor risk management program to ensure third parties also maintain expected levels of security controls.
We take your privacy seriously here at BlueFile. Please review our privacy policy here: https://app.bluefile.com/PrivacyPolicy
Want to report a security concern? You can contact us for more information or report issues to security@bluefile.com
We feel that our security is paramount to ensuring that people feel safe and confident in their decision to trust BlueFile.
This document outlines the policies, behavior, and philosophy that BlueFile follows to create a security-first culture. Our architecture is secure, relying on best-practices and a deep understanding of technology. This allows us to move quickly and confidently. We focus on emerging threats and new technologies, creating an intuitive, secure network for all. Leveraging the power of Amazon Web Service’s (AWS) built-in security protocols and best-practices, reliable encryption schemes, well-informed and empowered developers, and a suite of cutting edge methodologies.
We take great pride in fostering a robust culture of security within BlueFile, prioritizing the protection of our users’ data and ensuring a trustworthy digital environment.
At the core of BlueFile is a steadfast commitment to ethics. We prioritize ethical considerations in every aspect of our service, ensuring trust, transparency, and responsible practices for the benefit of our users.
In jurisdictions where it is permissible, employees are required to grant consent for a background check before joining BlueFile.
BlueFile takes great care during the onboarding process to ensure that only company employees have access to company data, and that access is granted in a least-privileged way. When an employee joins, an account is created for them in a centralized personnel directory and they are assigned the RBAC roles necessary for their job. All subsequent access requests must go through a secure approval process and be documented.
All BlueFile employees are required to undertake annual security awareness training. This training covers the necessary duties each employee has to complete to ensure the security of BlueFile products and services. Additionally, BlueFile regularly reviews existing and emerging security threats and guides how employees can identify them. The security operations team is kept up-to-date with new threats by subscribing to newsletters and news feeds.
We document and make public all of our internal security policies to all BlueFile employees. This transparency and shared understanding has enabled us to cultivate a culture that values security.
A comprehensive offboarding policy ensures our permission structure is reliable and transparent, even when roles or permissions change. Upon an employee’s departure, all company data is moved to a secure online storage drive and any accounts associated with them are removed. Furthermore, during our access control reviews, we ensure that no previously offboarded employees are present in our systems.
We ensure that our customers’ needs are met through comprehensive internal and external risk assessments. We take security seriously and regularly review our security posture from the highest levels to ensure compliance and accuracy. Our team is available to answer questions, provide Q&A’s, and hold meetings to discuss our security landscape, upon request.
BlueFile designs its products and services to be agile and dependable. We have established a set of guidelines that allow us to maintain an up-to-date understanding of the latest Cloud Architecture trends. By applying these principles, we are able to reduce the risk of potential failure and remain confident in the security of our products and services. We use a variety of tools to ensure that our systems are always up-to-date, from automated systems that check for new developments in the industry, to manual checks to make sure that we are not missing out on anything. By staying ahead of the curve, we can ensure that our products and services remain secure, reliable, and efficient.
Leveraging AWS cloud services for our infrastructure eliminates the need for us to have to secure our own hardware on-site. We can rely on Amazon’s exceptional physical security, which is both secure and cutting-edge, to manage all of our vitally important infrastructure. With Amazon’s cloud services, our infrastructure is safeguarded against potential threats and risks, and we can rest assured knowing that our business-critical data is kept secure. Additionally, these cloud services provide us with a cost-effective and efficient way to manage our infrastructure, as they require minimal maintenance and upkeep.
We develop with the “Infrastructure as Code” principle. This approach of distributed, rigorous infrastructure development and control through peer review ensures authenticity and reliability. By using Terraform, we can distribute configurations at scale with high confidence. We give the same care and attention to our infrastructure changes as we do to our code, and it is part of our software development life cycle.
We employ a “defense in depth” strategy to achieve our security posture. This approach compensates for the fact that no single mitigation can protect against all information security threats. Our security layers include, but are not limited to:
This section will cover these and other layers in more detail.
All services and products provided by BlueFile are hosted on AWS data centers. These data centers are highly scalable and secure, and AWS utilizes state-of-the-art security standards and best practices, which we are pleased to take advantage of!
AWS simplifies the process of creating a secure environment based on industry standards. It enables and enforces configurations such as encryption, resource permissions, and logging. Additionally, AWS provides tools to harden our systems and prevent external access to BlueFile’s servers and services.
Our “Infrastructure as Code” methodology makes this secure environment a repeatable process. This allows us to make large changes to infrastructure and minor security updates in an iterative manner, while enforcing baselines at every step.
AWS also provides services that allow us to audit our own environments to confirm integrity.
All traffic is generally encrypted at rest and in transit, using the industry standard AES-256 encryption method as well as the latest version of Transport Layer Security (TLS).
Application Security
At BlueFile, we follow the “shift left” philosophy. In other words, we strive to incorporate security into the Software Development Life Cycle (SDLC) as early as possible. This approach helps us detect and prevent potential vulnerabilities before they enter the codebase. Combined with our focus on Infrastructure as Code, our developers can reduce our attack surface during the peer review stage.
By using containers and containerization for our infrastructure, we are able to consistently and reliably deploy images that share dependencies, configurations, and content. This uniformity allows for parity among all of our products, such that individual containers & applications have set permissions and functionality.
By establishing common goals through mutual agreement and objective understanding, we can create a code quality baseline that has a focus on security. By making standards universal, documented, and audited at the code level, we can detect when unnecessary risk is taken with a feature or user behavior. To minimize data retention, we employ Infrastructure as Code to guarantee that Bold Penguin’s essential elements are included in our quality standards.
All BlueFile products and services source code is stored in GitHub code repositories. Changes to the code must be submitted via a Pull Request, which is reviewed by at least one other developer. We have various stages of software development with gates that require input from other developers. After the code passes automated checks for quality and security, it must be manually approved by another developer.
Scanners, Code Quality, and Code Reviews are essential for building a secure environment. However, they do not effectively replicate the actions of a malicious actor. We employ adversary emulation and black box penetration testing strategies, in accordance with internal protocols and external standards such as ATT&CK and SANS.
We maintain an internal timeline to determine areas of our product that could potentially be exploited by attackers, and then act in an adversarial capacity to further enhance the security of our product.