Security at BlueFile
BlueFile is architected from the ground up to protect your data in accordance with the highest industry standards for security and privacy.
Protect Your Documents with Confidence:
We feel that our security is paramount to ensuring that people feel safe and confident in their decision to trust BlueFile.
This document outlines the policies, behavior, and philosophy that BlueFile follows to create a security-first culture. Our architecture is secure, relying on best practices and a deep understanding of technology. This allows us to move quickly and confidently. We focus on emerging threats and new technologies, creating an intuitive, secure network for all. We do this by leveraging the power of Amazon Web Services’ (AWS) built-in security protocols and best practices, reliable encryption schemes, well-informed and empowered developers, and a suite of cutting-edge methodologies.
Our team is essential for us to provide our signature service that we take pride in. To ensure that we are able to meet our customers’ needs, we have incorporated multiple technologies and approaches to give us the insight and assurance we require.
Security measures alone cannot make up for the lack of a secure environment. To address this, we are working to build a community of ethical coders who prioritize code quality, including security. By including everyone in the process, we can foster the notion that quality and ownership also mean secure code.
In states where it is legal, employees must provide their consent for a background check prior to joining the organization.
BlueFile takes great care during the onboarding process to ensure that only company employees have access to company data, and that access is granted in a least-privileged way. When an employee joins, an account is created for them in a centralized personnel directory and they are assigned the RBAC roles necessary for their job. All subsequent access requests must go through a secure approval process and be documented.
Training & Awareness
All BlueFile employees are required to undertake annual security awareness training. This training covers the necessary duties each employee has to complete in order to ensure the security of BlueFile products and services. Additionally, BlueFile regularly reviews existing and emerging security threats and provides guidance on how employees can identify them. The security operations team is kept up-to-date with new threats by subscribing to newsletters and news feeds.
We document all of our internal security policies and make them available to all BlueFile employees. This transparency and shared understanding have enabled us to cultivate a culture that values security.
A comprehensive offboarding policy ensures our permission structure is reliable and transparent, even when roles or permissions change. Upon an employee’s departure, all company data is moved to a secure online storage drive and any accounts associated with them are removed. Furthermore, during our access control reviews, we ensure that no previously offboarded employees are present in our systems.
We ensure that our customers’ needs are met through comprehensive internal and external risk assessments. We take security seriously and regularly review our security posture from the highest levels to ensure compliance and accuracy. Our team is available to answer questions, provide Q&As, and hold meetings to discuss our security landscape, upon request.
BlueFile designs its products and services to be agile and dependable. We have established a set of guidelines that allow us to maintain an up-to-date understanding of the latest Cloud Architecture trends. By applying these principles, we are able to reduce the risk of potential failure and remain confident in the security of our products and services. We use a variety of tools to ensure that our systems are always up-to-date, from automated systems that check for new developments in the industry, to manual checks to make sure that we are not missing out on anything. By staying ahead of the curve, we can ensure that our products and services remain secure, reliable, and efficient.
Leveraging AWS cloud services for our infrastructure eliminates the need for us to secure our own hardware on-site. We can rely on Amazon’s exceptional physical security, which is both secure and cutting-edge, to manage all of our vitally important infrastructure. With Amazon’s cloud services, our infrastructure is safeguarded against potential threats and risks, and we can rest assured knowing that our business-critical data is kept secure. Additionally, these cloud services provide us with a cost-effective and efficient way to manage our infrastructure, as they require minimal maintenance and upkeep.
Infrastructure as Code
We develop with the “Infrastructure as Code” principle. This approach of distributed, rigorous infrastructure development and control through peer review ensures authenticity and reliability. By using Terraform, we can distribute configurations at scale with high confidence. We give the same care and attention to our infrastructure changes as we do to our code, and it is part of our software development life cycle.
Defense in Depth
We employ a “defense in depth” strategy to achieve our security posture. This approach compensates for the fact that no single mitigation can protect against all information security threats. Our security layers include, but are not limited to:
- A software solution for an intrusion detection system
- The Principle of Least-Privilege
- Frequent patch management
- Regimented network segmentation
This section will cover these and other layers in more detail.
All services and products provided by BlueFile are hosted on AWS data centers. These data centers are highly scalable and secure, and AWS utilizes state-of-the-art security standards and best practices, which we are pleased to take advantage of!
Secure Baselines & Server Hardening
AWS simplifies the process of creating a secure environment based on industry standards. It enables and enforces configurations such as encryption, resource permissions, and logging. Additionally, AWS provides tools to harden our systems and prevent external access to BlueFile’s servers and services.
Our “Infrastructure as Code” methodology makes this secure environment a repeatable process. This allows us to make large changes to infrastructure and minor security updates in an iterative manner, while enforcing baselines at every step.
AWS also provides services that allow us to audit our own environments to confirm integrity.
All data is generally encrypted at rest and in transit, using industry-standard AES-256 encryption as well as the latest version of Transport Layer Security (TLS).
“Shift Left” Security
At BlueFile, we follow the “shift left” philosophy. In other words, we strive to incorporate security into the Software Development Life Cycle (SDLC) as early as possible. This approach helps us detect and prevent potential vulnerabilities before they enter the codebase. Combined with our focus on Infrastructure as Code, our developers can reduce our attack surface during the peer review stage.
By using containers and containerization for our infrastructure, we are able to consistently and reliably deploy images that share dependencies, configurations, and content. This uniformity allows for parity among all of our products, such that individual containers & applications have set permissions and functionality.
Software Development Standards
By establishing common goals through mutual agreement and objective understanding, we can create a code quality baseline that has a focus on security. By making standards universal, documented, and audited at the code level, we can detect when unnecessary risk is taken with a feature or user behavior. To minimize data retention, we employ Infrastructure as Code to guarantee that Bold Penguin’s essential elements are included in our quality standards.
Peer Code Review
Source code for all BlueFile products and services is stored in GitHub code repositories. Changes to the code must be submitted via a Pull Request, which is reviewed by at least one other developer. We have various stages of software development with gates that require input from other developers. After the code passes automated checks for quality and security, it must be manually approved by another developer.
Internal Penetration Testing
Scanners, Code Quality, and Code Reviews are essential for building a secure environment. However, they do not effectively replicate the actions of a malicious actor. We employ adversary emulation and black box penetration testing strategies, in accordance with internal protocols and external standards such as ATT&CK and SANS.
We maintain an internal timeline to determine areas of our product that could potentially be exploited by attackers, and then act in an adversarial capacity to further enhance the security of our product.
Still Have A Question?
BlueFile leverages Information Security to strengthen its products and personnel. For more information, including a comprehensive overview of our policies, please use the contact methods listed below. Note that any sensitive information will require responsible disclosure, and an NDA may be necessary.