Definitions
Introduction
For all Novohit instances, whether on private On-premises servers or in the Cloud, Novohit has the following security features.
Novohit has internal corporate governance with policies and procedures based on the best security practices in the market. This allows recurrent management of security and continuity of our operation and of the data generated in our platforms. Security schemes are transversal to all of Novohit's processes and platforms:
- Development
- Testing
- Implementation
- Support
- Data
Continuity
Service Level Agreement (SLA) guaranteed by:
Hardware & Physical Infrastructure:
i. Cloud Option: The redundancy feature of Private Cloud platforms.
For more details go to:
ii. On-Premises Option: Validation of the quality of the certified hardware, with disk redundancy, electrical redundancy and network redundancy.
SBUM (Support, Backups, Updates, & Monitoring) Service in four different Time Zones:
i. Continuity operation services are available 24/7.
ii. Technical Continuity of the platform, the redundant continuous backup scheme and the Emergency Rapid Response Service, enabling a new independent instance with only operational data.
Daily verification of the backups made both manually and automatically by the system.
Critical Event Simulation:
i. Weekly validation of the secondary datacenter.
ii. Manual installation of private cloud platform in secondary datacenter using automatic backups.
iii. Platform updates will be announced with reasonable time.
Security
Secure Coding
Communication between users and the INTERNAL PLATFORM and MASS APPLICATIONS is protected by Extended Validation SSL Certificates, meaning that the Certificate Authority has validated both the URL of the connection and its proprietor.
Our certificates use a public key size of 2048 bits and an encryption level of 256 bits with a signature algorithm of SHA256withRSA, currently the highest level of encryption in the market. This is the main factor in the certificate's strength. If a larger key size is required, it can be implemented upon request.
The security of our communication depends on the configuration of the server and, ultimately, of the browser. As standard configuration, the Novohit server supports only the secure versions of the communication protocols: it negotiates the TLS 1.3 secure protocol and, as backup, the TLS 1.2 secure protocol.
The protocols outside this standard (TLS 1.0, TLS 1.1, SSL 2 and SSL 3) are insecure. Obsolete browsers without TLS 1.3 or TLS 1.2 support will not be able to connect, as they do not comply with the mentioned security standards, unless you request it in writing according to your company's requirements.
Additionally, a Grade A rating is guaranteed in the Qualys SSL Labs report for the platforms, which can be independently audited at
https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html
Access Control
Access to Novohit is through a URL (Uniform Resource Locator) to an FQDN (Fully Qualified Domain Name). Access to Novohit applications requires authentication: a login process with credentials (username and password) and session management through cookies. All connections are redirected to the HTTPS protocol with RSA 2048 bits encryption (SHA256withRSA) and the TLS 1.3 and TLS 1.2 communication protocols (more details in Secure Encryption).
Once access is granted, each user will only be able to see the menu options assigned to his or her role and will only be able to execute the transactions assigned to his or her user. The Client will be able to configure Users, Roles, and Accesses and they will be trained by Novohit.
Two-Factor Authentication (2FA Multi-Factor Authentication)
Optionally, global two-factor authentication can be implemented. For any use of the INTERNAL PLATFORM applications, authentication is required.
Session Expired
For security purposes, the session is automatically logged off after a period of inactivity to prevent unintended access.
Secure Passwords
Password verification algorithms: minimum number of characters; unpronounceable; mix of letters, symbols, and numbers; and expiration.
Novohit has the native capability to restrict Login to users by IP or LAN/WAN segment.
An additional layer can be implemented to limit access exclusively to those on a VPN. This VPN can be provided by Novohit with the OpenVPN protocol. The VPN can be implemented at the individual device level or at the Active Network Equipment level (recommended). VPN limitation is only recommended for INTERNAL PLATFORM. Note: this option requires case-by-case evaluation and active collaboration of the Customer for joint support in case of failures or issues on local equipment.
Access Control to MASS APPLICATIONS
It is possible to limit access to Web applications (MASS APPLICATIONS) for Hotel Reservations or Ecommerce through authentication mechanisms. This will depend on the scope required on a case-by-case basis.
Novohit Support Staff Internal Access Control (PAM - Privileged Account Management - technical accounts)
The following is a description of the controls that Novohit personnel have available to the different applications used in:
- Development
- Testing
- Implementation
- Support
- Keyless access through individual certificates or passwords with two-factor authentication (2FA).
- Remote Device Management for corporate mobile devices and work computers.
- Remote Credential Management to validate access to the different Support, Development and Collaboration platforms used internally.
Our development, collaboration and internal communication platforms comply with these security standards:
- All of our INTERNAL PLATFORMS require two-factor authentication using Novohit provided devices that have centralized Device Management policies.
- We use the MTProto protocol for an internal chat with 256-bit symmetric AES encryption, RSA 2048 encryption, and Diffie-Hellman secure key exchange.
- Our corporate emails are encrypted with TLS, parsed and certified. They have DMARC, DKIM and SPF authentication signatures for the novohit.com domain.
- Our tools for connecting to cloud platforms use point-to-point encryption, over TLS 1.2 infrastructure.
Novohit has established protocols and procedural audits for external communications:
- It does not use personal social networks such as WhatsApp, Facebook Messenger, Instagram, etc. for legal, administrative or support communications. Commercial communications that may arise by these means through corporate accounts are limited to inviting the contact to redirect their communication through corporate email.
- It uses only the official corporate accounts of the professional networks Twitter and LinkedIn for official communications. Any other communications that may arise through these media are limited to inviting the contact to redirect their communication through corporate email.
- It does not use personal e-mails.
Third party Control
In accordance with Novohit's corporate governance, periodic reviews (at least once a year) are made to third party services in order to ensure that they comply with the same standards listed in this document.
OWASP, WASC, NIST
Novohit meets the following parameters:
- Hardened Linux, BFP, APF.
- Automatic updates of OS services, with emphasis on Kernel and Security (OpenSSL) services or libraries.
- No XSS - HttpOnly: Validation of data sent by the browser, validation of client's IP, generation of random tokens for forms, verification of HTTP_REFERER.
- Post over Get: Proper use of Web Protocols that guarantee higher levels of security.
- Active monitoring of application status, Software and Operating System environment status and Hardware health (see Audit).
- Safeguarding of APIs and URLs for access to Sensitive or Private data calls.
- Limitation of open ports.
- Credential Management Third Party Review.
Novohit has in the Roadmap to include the following parameters:
- Universal Logging scheme at the level of all transactions.
- Eliminate components with known vulnerabilities.
Event Logging
- Date, hour, minute, second and user of creation of an OPERATING DATA record.
- Date, hour, minute, second and user of last modification of an OPERATING DATA record.
- PMS Reservation modification log (Date, hour, minute, second, user and type of change).
- Modifications of SPACE reservations Log (Date, hour, minute, second, user and exchange rate).
- Transactions that comply with the conditions of the Novohit Notifications and Alarms function (see Predefined Alarms), with the possibility of adding Alarms/Conditions.
- Transaction log between Novohit and Woocommerce (POS - Ecommerce).
- Transaction log between Novohit and Siteminder (Channel Manager).
- Transaction log between Novohit and STR.
- Transaction log between Novohit and specific interfaces.
- Transaction log between Novohit Audits.
- Transaction log between Novohit and Credit Card transactions.
We classify the erasure of OPERATING DATA as follows:
- Deletion of OPERATING DATA during the Contract Period:
  - Deletion of OPERATIONAL DATA allowed through the Novohit platform:
    - The Client's operative personnel who are empowered to do so may only delete certain fields of the personal data from the client or supplier catalogs, according to the internal data protection management policies. Complete records may not be deleted, especially if they are already associated with other related transactions (e.g. purchases, etc).
  - Deletion of OPERATING DATA NOT allowed:
    - The deletion of any data or Database records that resulted from an actual transaction is not allowed.
- Deletion of OPERATING DATA after the Contract Period:
  - All data that is no longer required for the operation of the business due to the end of the contractual period may be completely deleted upon written confirmation from the Customer.
Novohit uses the following methods of OPERATIONAL DATA deletion: once the Customer has confirmed the deletion of data by official means, Novohit performs the following steps:
- Destruction of the main instance (main DataCenter) and of the secondary instance (secondary DataCenter) with the scrub method, which immediately returns the space to the hypervisor of the private cloud platform, making it impossible to recover the information by any means.
- Destruction of the Backups and Electronic Ballots of the Self-Service Portal using the shred command.
CONTRACT DATA will not be destroyed.
Auditing and Monitoring
Active Monitoring: In addition to the Novohit Software Alerting scheme, the Zabbix-based SBUM service monitoring scheme collects metrics on the usage of resources and transactions at the instance level. It alerts on specific metrics, with integrated notifications to our staff, so that we can track the operational health of the instance:
- Memory Status, Storage, CPU, Busy Bandwidth.
- Status of critical Operating System, Web Server and Reporting Engine services.
- Checksums of critical files for security validations.
- Brute-force/DDoS (exceeding acceptable thresholds, network attacks) alerts
- Validation of Configurations Files.
- Vulnerability scans processed by LLD (Low-level-discovery) rules
- Detection and maintenance of open ports and Discovery.
- SSL status and detection of unsecured pages.
- SNMP traps
- Pre-processing of log files to detect security situations:
  - Unsuccessful logins
  - Successful logins of users with high privileges
  - Increased privileges
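The three log situations listed above can be detected with a small pre-processing pass like the following. This is an added example, not Novohit's code or its Zabbix configuration; it assumes OpenSSH and sudo syslog-style lines, and the sample log, the privileged-user set and the threshold are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in OpenSSH/sudo syslog style (assumed format).
SAMPLE_LOG = """\
Mar  3 10:01:12 app1 sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Mar  3 10:01:15 app1 sshd[811]: Failed password for root from 203.0.113.7 port 50124 ssh2
Mar  3 10:01:19 app1 sshd[811]: Failed password for root from 203.0.113.7 port 50130 ssh2
Mar  3 10:04:40 app1 sshd[902]: Accepted publickey for deploy from 198.51.100.20 port 40022 ssh2
Mar  3 10:06:02 app1 sshd[915]: Accepted password for root from 198.51.100.21 port 40100 ssh2
Mar  3 10:07:30 app1 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/systemctl restart httpd
"""

PRIVILEGED_USERS = {"root"}  # assumption: accounts treated as high privilege
FAILED_THRESHOLD = 3         # assumption: failures per source IP before alerting

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+)")
SUDO = re.compile(r"sudo:\s+(\S+) : .*USER=(\S+) ; COMMAND=(.+)$")

def scan(log_text):
    """Return (category, detail) events for the three monitored situations."""
    events, failures = [], Counter()
    for line in log_text.splitlines():
        if m := FAILED.search(line):
            user, ip = m.groups()
            failures[ip] += 1
            events.append(("failed_login", f"{user}@{ip}"))
            # Raise one extra event when a source crosses the threshold.
            if failures[ip] == FAILED_THRESHOLD:
                events.append(("failed_login_threshold", ip))
        elif m := ACCEPTED.search(line):
            user, ip = m.groups()
            if user in PRIVILEGED_USERS:
                events.append(("privileged_login", f"{user}@{ip}"))
        elif m := SUDO.search(line):
            user, target, command = m.groups()
            if target in PRIVILEGED_USERS:
                events.append(("privilege_increase", f"{user}->{target}: {command}"))
    return events

if __name__ == "__main__":
    for category, detail in scan(SAMPLE_LOG):
        print(category, detail)
```

The output events are the kind of pre-processed items a monitoring system can count and alert on, instead of matching raw log text in each trigger.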
Random Audits
- Biannual reporting of secure encryption with HTTPS through the independent entity SSL Labs from Qualys, auditable at any time and independently for INTERNAL PLATFORM and MASS APPLICATIONS.
- Penetration Testing and Vulnerability Scans with tools from independent entities with the application of Hot Fixes immediately upon discovery of the breach on all Novohit instances.
Privacy
Novohit does not track INTERNAL PLATFORMS.