Security & Data Privacy
Alfresco in the cloud gives you enterprise-level security and compliance all the way to your end users’ devices, while still maintaining the simplicity and ease of access your users need.
Secured content on devices
Alfresco in the cloud’s encrypted data storage protects content stored for offline use and prevents unauthorized access to the stored content on lost or stolen devices. As a paid customer of Alfresco in the cloud, all your mobile devices are covered.
Even more security enhancements to ensure content is safe and secure on any device, such as Mobile Device Management (MDM), will be introduced soon.
Encryption of Data in Motion
All data uploaded to and downloaded from the Alfresco cloud is SSL encrypted using AES 256 encryption. It is therefore safe to use Alfresco from unsecured wireless connections or other public internet access points. SSL connections are further protected by the following technologies:
- HSTS – This ensures that connections are only ever via encrypted HTTPS, never HTTP. Alfresco has further added their domain to the preloaded HSTS list of sites maintained by Google which is used by all modern browsers.
- PFS – This further strengthens SSL to prevent later decryption of data even in the event that the SSL key is compromised. This precaution is considered essential to prevent third parties intercepting private communications.
Alfresco in the cloud is protected by multiple levels of firewall. These are of different designs and from different manufacturers. This provides a solid basis for network security.
All users must authenticate themselves using a password, or OAuth 2.0 for third-party applications accessing our APIs. Paid customers can also choose from options, such as integration with their Active Directory using SAML Single Sign On, to provide compliant authentication for all their users using their existing security credentials.
Access to the service is audited by our security infrastructure to help identify security breaches if they occur. Basic auditing of activity is also provided, with more advanced auditing functionality for administrators planned.
Permissions & Roles
Content in Alfresco is secured using granular permissions and role-based security to ensure authenticated users only access the content they’re authorized to.
Users can hide folders or files from specific users, or provide read-only access to certain content. All files and folders can have individual permissions set allowing for precise granular control of content.
Alfresco in the cloud’s security model clearly differentiates between users who belong to your organization and those who don’t, making it easy for administrators to control external access to content shared from their organization.
The service also allows a network to choose administrators who can control network settings and manage users. It takes just 2 clicks to remove users from a network. It’s really easy for organizations to control access to their network as users join and leave.
Alfresco provides 99.99% durability and 99.99% availability for all data stored, by taking advantage of Amazon Simple Storage Service (S3) technology. Alfresco takes extra measures to protect data against loss by replicating the encrypted content to another data center within Amazon Web Services.
In addition, standard and enterprise networks use 256-bit AES encryption to store all content at rest.
Redundant Offsite Backup
Alfresco in the cloud can maintain a 99.9% SLA with limited downtime or data loss in even the most extreme failure of the service, by replicating your data to another offsite data center. This ensures Alfresco never loses your data and provides redundancy across the service if a region is unavailable.
Alfresco in the cloud is provided by Alfresco Software Limited - a UK company that complies with EU data protection standards.
Alfresco in the cloud utilizes Amazon Web Services for data storage and Amazon is certified for SafeHarbor. The Safe Harbor framework is a program that provides a way for US companies to show that they adequately protect personal data according to EU standards. Any transfers of personal data that take place while using Alfresco in the cloud are permitted under the European Commission's Directive on Data Protection.
Further information about the Safe Harbor program is available on the U.S. Department of Commerce's Website.
SOC2 & ISAE 3000
Alfresco in the cloud is now independently reported to the SOC2 and ISEA 3000 Type II standards. SOC2 is an attestation report in accordance with the trust principles defined by the AICPA. The SOC2 report demonstrates Alfresco's security stance and is available upon request.
The Alfresco cloud is scanned for security vulnerabilities each and every day by market leader McAfee using their McAfee Secure service. This allows for rapid detection and rectification of security anomalies the moment they arise. Compliance with the programme allows us to display this logo.
All payment card handling is performed by Alfresco partner, Recurly. Recurly is PCI DSS compliant.
All Alfresco cloud services are hosted in the Amazon AWS cloud. This benefits Alfresco customers by leveraging Amazon's own compliance certifications which apply to the infrastructure used. A list of compliances is here https://aws.amazon.com/compliance.
Compliance and certifications are constantly under review at Alfresco. When new ones emerge or take increased market importance, you can be sure Alfresco will rapidly become compliant.
The Alfresco cloud is subject to regular penetration testing by a respected, third party security consultancy. Any problems discovered are rapidly rolled into the development process and fixed once the correct quality assurance is established. Regular vulnerability scans of the whole cloud environment are undertaken by in-house security staff. Again, any weaknesses exposed are remedied in short order.
Alfresco administrators a complete view of the cloud environment at any time. These systems are also tied into alerting mechanisms to attract the attention of staff at any time of the day or night. Quite often this is tuned to such a high level that incidents can be dealt with before they even become apparent to users.