safety and security

Security considerations for mksiegowa.pl

As with any software used in the cloud, mKsiegowa.pl requires some basic rules to be applied to protect your data against unauthorized access.

mKsiegowa.pl is a mature web application, started in 2011 in the Software-as-a-Service (SaaS) model. From the very beginning mKsiegowa.pl was designed to be a secure application, as the nature of the service mandates a safe way of storing the sensitive accounting and customer data of our clients. This document summarizes the key security considerations that make mKsiegowa.pl a safe place to store data.

Security awareness 

Security breaches very often occur as a result of human error or carelessness. As in any internet service, security should be ensured through a combination of technical prevention and education of users and internal staff.
From the very beginning we have developed:
  • Security policy for mKsiegowa.pl users
  • Frequently Asked Questions related to security
  • Internal security policy that is mandated for all mKsiegowa.pl employees and contractors. The internal security policy is a combination of non-disclosure items in contracts, trainings, procedures and technical systems (antivirus, password protection, secure communication, mandatory backups, etc.) to avoid any information leakage.
  • Regular reviews of internal procedures related to security.

Authentication

Authentication is the first line of defense. mKsiegowa.pl must determine the identity of any user that has access to the system. This is managed during user registration to the system.

Protection is ensured by 3 key elements entered during registration:

  • Instance name (list of instance names is never disclosed to the public)
  • Unique User name per instance
  • Strong password forced by the system

All passwords are hashed and never stored in the system in a manner that would allow direct recovery. If a user forgets the password, it can only be changed by having a newly generated password sent to the user by email. An email address is therefore mandatory for a user during the registration process or when a new user is entered in the system.

User id and password are always encrypted when transported over the network. The entire logon transaction is encrypted with SSL.

Access control

Once a user is authenticated in the system, an access control mechanism makes sure the user has access only to the data and functions he should have access to. This is ensured by access control functionality.
Program administrator can create security profiles from over 150 access rights to particular system functionality.
Deep penetration testing has been performed to ensure that every access control has been tested and prevents unauthorized access. For instance when a user does not have access to any particular functionality, the system is protected from access to an unauthorized page by entering its URL directly in the browser.
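
One way to enforce the direct-URL protection described above, as an added example (not mKsiegowa.pl's code): authorization is checked on the server for every request and unmapped routes are denied by default. The route paths, right names and profiles are hypothetical.

```python
from dataclasses import dataclass, field

# Every routable page declares the access right it requires (hypothetical names).
ROUTE_RIGHTS = {
    "/invoices/list": "invoices.view",
    "/invoices/edit": "invoices.edit",
    "/ledger/close-year": "ledger.close_year",
    "/admin/users": "admin.users",
}

# Security profiles are named bundles of access rights built by the administrator.
PROFILES = {
    "bookkeeper": {"invoices.view", "invoices.edit"},
    "auditor": {"invoices.view"},
}

@dataclass
class User:
    name: str
    profiles: list = field(default_factory=list)

    def rights(self):
        granted = set()
        for profile in self.profiles:
            granted |= PROFILES.get(profile, set())
        return granted

def normalize(path):
    """Drop query string and fragment, trailing slash and case differences."""
    path = path.split("?", 1)[0].split("#", 1)[0]
    return path.rstrip("/").lower() or "/"

def authorize(user, path):
    """Return 200 (allowed), 401 (not logged in), 403 (denied) or 404 (unknown)."""
    if user is None:
        return 401
    required = ROUTE_RIGHTS.get(normalize(path))
    if required is None:
        return 404  # a route without a declared right is never served
    return 200 if required in user.rights() else 403
```

Hiding a menu entry is not access control; the check above runs regardless of how the URL reached the server.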

System backup

Unexpected situations happen from time to time (caused for instance by hardware or software failures) and every professional IT system should be protected against them using automatic backups.
mKsiegowa.pl has duplicated automatic backup system that secures user data on the following levels:
  • All content is stored on duplicated discs (RAID) to prevent general system failures
  • User data is backed up every night to prevent software errors or allow long-term data recovery in case of software malfunction. All user data is stored in the following scheme:
    • Daily backups available for last 7 days
    • Weekly backups available from last month
    • Monthly backups available for last year
    • Annual backups available during active subscription plan and 3 years after terminating the subscription
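
The retention scheme above expressed as a pruning rule, as an added example (not mKsiegowa.pl's code). It assumes that the weekly, monthly and annual copies are the first backup of each ISO week, month and year, that "last month" means 31 days, "last year" 365 days and "3 years" 3 × 365 days.

```python
from datetime import date, timedelta

def backups_to_keep(backup_dates, today, subscription_end=None):
    """Return the set of backup dates that the retention scheme still holds.

    subscription_end is None while the subscription is active.
    """
    keep = set()
    weeks, months, years = set(), set(), set()
    annual_ok = (subscription_end is None
                 or today <= subscription_end + timedelta(days=3 * 365))
    for d in sorted(backup_dates):
        age = (today - d).days
        if age < 0:
            continue  # ignore future-dated entries (clock skew, bad metadata)
        week = tuple(d.isocalendar())[:2]
        month, year = (d.year, d.month), d.year
        first_of_week = week not in weeks
        first_of_month = month not in months
        first_of_year = year not in years
        weeks.add(week)
        months.add(month)
        years.add(year)
        if (age < 7                                   # daily, last 7 days
                or (first_of_week and age <= 31)      # weekly, last month
                or (first_of_month and age <= 365)    # monthly, last year
                or (first_of_year and annual_ok)):    # annual
            keep.add(d)
    return keep

def nightly(start, end):
    """Constructed sample input: one backup per night, start to end inclusive."""
    return [start + timedelta(days=i) for i in range((end - start).days + 1)]
```

Running the rule against the actual backup catalogue and alerting when an expected copy is missing is a cheap way to notice a silently failing backup job.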

Session management

In simple words, session management is necessary to allow the internet browser to remember that a user has authenticated to the system using the user id and password.
The following mechanisms are used to protect against session id attacks:
  • Session encryption is used against interception attack (session hijacking)
  • Random session id is generated to protect against session id prediction
  • A long session id renders a brute-force attack practically impossible
  • Session time-out is used to reduce the time window that a hacker would have to break into a session; time-out can be set up in the application
  • On log out the session id is over-written
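
The five mechanisms above in one small session store, as an added example (not mKsiegowa.pl's code). The class name, cookie name `sid` and the 900-second default time-out are assumptions.

```python
import secrets
import time

class SessionStore:
    """Server-side sessions keyed by an unpredictable id (illustrative only)."""

    COOKIE_FLAGS = "Secure; HttpOnly; SameSite=Strict; Path=/"

    def __init__(self, idle_timeout=900, clock=time.monotonic):
        self.idle_timeout = idle_timeout   # seconds; configurable time-out
        self.clock = clock
        self._sessions = {}                # session id -> {"user", "last_seen"}

    def login(self, user):
        # 32 bytes from the OS CSPRNG: random (no prediction) and long
        # (256 bits, so guessing a live id by brute force is impractical).
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self.clock()}
        return sid

    def set_cookie(self, sid):
        # Secure keeps the id on the encrypted channel only, which is what
        # defeats interception; HttpOnly hides it from page scripts.
        return f"Set-Cookie: sid={sid}; {self.COOKIE_FLAGS}"

    def lookup(self, sid):
        """Return the user for a live session, or None if unknown or expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self.clock()
        if now - entry["last_seen"] > self.idle_timeout:
            del self._sessions[sid]        # expired ids are dropped server-side
            return None
        entry["last_seen"] = now           # activity extends the idle window
        return entry["user"]

    def logout(self, sid):
        # Invalidate on the server first, then overwrite the browser's copy.
        self._sessions.pop(sid, None)
        return f"Set-Cookie: sid=deleted; Max-Age=0; {self.COOKIE_FLAGS}"
```

A fresh id is issued at every login, so an id planted or observed before authentication never becomes an authenticated one.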

Data validation on input

Well-designed web applications prevent attacks from data input. An attacker can add malicious code to data fields, thus bypassing security mechanisms. This is known as Command Injection (like SQL injection for instance) or Cross-Site Scripting (XSS).
mKsiegowa prevents such attacks by input validation:
  • Constraining input – decide what is allowed in the field
  • Validate input – restrict type, length, format and range to make sure all data is appropriate for its meaningful purpose
  • Sanitize input – all data input is reduced to a pure format avoiding Buffer Overflow attack for example
  • Reject “known bad” input
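
The four steps above applied to one invoice line, as an added example (not mKsiegowa.pl's code). The field names, the invoice number format, the VAT allowlist and the "known bad" patterns are constructed for illustration.

```python
import re
import unicodedata
from decimal import Decimal

# Hypothetical field rules; [0-9] is used because \d also matches non-ASCII digits.
INVOICE_NO = re.compile(r"[A-Z]{2}/[0-9]{4}/[0-9]{1,6}")   # e.g. FV/2024/17
AMOUNT = re.compile(r"[0-9]{1,7}(?:\.[0-9]{1,2})?")        # 0 .. 9999999.99
VAT_RATES = {"0", "5", "8", "23"}                          # closed allowlist
KNOWN_BAD = re.compile(r"<\s*script|javascript:|\bunion\s+select\b", re.IGNORECASE)

class ValidationError(ValueError):
    pass

def sanitize(value, max_len):
    """Reduce input to a plain form: NFKC-normalize, drop control and
    format characters (category C*), trim, and enforce a length limit."""
    if not isinstance(value, str):
        raise ValidationError("missing or not text")
    value = unicodedata.normalize("NFKC", value)
    value = "".join(c for c in value if unicodedata.category(c)[0] != "C").strip()
    if not value or len(value) > max_len:
        raise ValidationError("empty or too long")
    return value

def validate_invoice_line(form):
    """Return typed, validated fields or raise ValidationError."""
    number = sanitize(form.get("number"), 20)
    if not INVOICE_NO.fullmatch(number):         # constrain: allowlisted format
        raise ValidationError("number")
    net = sanitize(form.get("net"), 10)
    if not AMOUNT.fullmatch(net):                # validate: type, length, range
        raise ValidationError("net")
    vat = sanitize(form.get("vat"), 2)
    if vat not in VAT_RATES:
        raise ValidationError("vat")
    # The known-bad check runs after sanitizing, so hidden characters
    # cannot split a blocked pattern.
    description = sanitize(form.get("description"), 200)
    if KNOWN_BAD.search(description):            # reject "known bad"
        raise ValidationError("description")
    return {"number": number, "net": Decimal(net),
            "vat": int(vat), "description": description}
```

The allowlist checks do the real work; the known-bad list is only a last net, since a blocklist can never enumerate every harmful input.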

Data Center protection

mKsiegowa.pl is hosted in a professional data center in Gdańsk owned by IQ.PL. High availability Dell Servers are used to host the web application.
Tier 3 protection infrastructure is used to secure the whole data center. Tier 3 protection exceeds 99,982% system availability standards by:
  • Duplicated servers
  • Duplicated storage
  • Duplicated power supply
  • Duplicated internet connection

Maintenance procedures

There are several procedures implemented at mKsiegowa.pl to ensure high availability of the service. These include:
  • Separate development from administration functions (developers don’t have access to the production server)
  • Security issue log is used to register and analyse security related events
  • Regular security audits are performed
  • Several levels of testing of new software releases
  • Usage of a system to log software errors and improvements; careful tracking of all implemented fixes
  • Separate test environment is used for software testing (apart from dev environment)
  • Test function separated from developer function (a maker/checker model is always used for testing)
  • Use of automated scripts for regression testing (iMacros)
  • Clean desk policy to prevent customer data (both paper & electronic) from leakage
  • mKsiegowa staff have controlled access to production servers
Please contact us if you have any specific queries.