Security and Privacy
We at RockStep Solutions recognize the importance of security and privacy and have built multiple protective layers for our customer’s data. Because of the proprietary and sensitive nature of the research data being managed by Climb, we consider the confidentiality of our customer’s data within Climb to be of the utmost importance. Therefore, we have designed and developed Climb, from the ground up, with privacy and security in mind.
Our commitment to protecting data is underscored by our “personal stake” in the software. Employees at RockStep Solutions undergo regular training about safeguarding data. We also put significant resources into reviewing and improving the security and privacy of Climb system components so we can maintain the high level of trust that our clients and customers expect.
What is Climb?
Climb is a flexible, mobile friendly animal colony management and laboratory workflow management product that supports scientific research. It includes configurable tasks and protocols, data validation, and workflow task time dependency definition. Additionally, audit trail logging supports regulatory compliance.
Workgroup Segregation of Data
Each Climb workgroup is provisioned with a standalone database schema containing only that workgroup’s data. Users log in within the context of a workgroup, and requests for data are routed to the appropriate schema.
Login Event Tracking
All login events, including failed logins, are recorded and available for auditing.
Every change to Climb data is recorded in history tables within the Climb database, allowing users to view a history of values along with who changed the values and when the change occurred.
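To make the two audit mechanisms above concrete, here is an added example (not Climb’s own code) of a small in-memory audit log that records every login attempt, successful or not, and writes one history row per changed column with the old value, the new value, who changed it and when. The table and column names and the injectable clock are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any, Callable, Dict, List, Optional


@dataclass(frozen=True)
class LoginEvent:
    user: str
    success: bool
    at: Any          # timestamp from the injected clock


@dataclass(frozen=True)
class HistoryRow:
    """One row of a history table: which column of which record changed,
    from what to what, by whom and when."""
    table: str
    record_id: int
    column: str
    old_value: Any
    new_value: Any
    changed_by: str
    changed_at: Any


class AuditLog:
    def __init__(self, clock: Optional[Callable[[], Any]] = None):
        # The clock is injectable so the behaviour can be tested deterministically.
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self.logins: List[LoginEvent] = []
        self.history: List[HistoryRow] = []

    def record_login(self, user: str, success: bool) -> None:
        # Failed attempts are kept as well; they are what an auditor looks for.
        self.logins.append(LoginEvent(user, success, self._clock()))

    def failed_logins(self, user: str) -> List[LoginEvent]:
        return [e for e in self.logins if e.user == user and not e.success]

    def update(self, table: str, record_id: int, row: Dict[str, Any],
               changes: Dict[str, Any], changed_by: str) -> int:
        """Apply changes to row, writing one history row per column whose value
        actually changed. Returns the number of history rows written."""
        now = self._clock()
        written = 0
        for column, new_value in changes.items():
            old_value = row.get(column)
            if old_value == new_value:
                continue            # unchanged values produce no history noise
            self.history.append(HistoryRow(table, record_id, column, old_value,
                                           new_value, changed_by, now))
            row[column] = new_value
            written += 1
        return written

    def history_of(self, table: str, record_id: int, column: str) -> List[HistoryRow]:
        """Values a column has held, oldest first, with who changed them and when."""
        return [h for h in self.history
                if (h.table, h.record_id, h.column) == (table, record_id, column)]
```

Writing the history row in the same transaction as the data change (as a database trigger or inside the same unit of work) is what makes the trail trustworthy; an audit log written separately can diverge from the data it describes.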
Authenticated Data Access
All access to Climb data is via a secure OData Web API layer that is compliant with the OAuth security protocol. All API requests require an authentication token header, which is available only by authenticating through Climb login.
All accounts are automatically logged out after 24 hours of non-use.
Role Based Security
Climb allows administrative users to define workgroup roles. Every user is assigned to a role. Each role may be configured to have a custom set of access privileges to application functionality. A role has no access, read only access, or read/write access to each set of application functionality.
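The following added example (illustrative code, not Climb’s implementation) models the two controls described above: a role that holds no access, read-only access or read/write access per functionality area, and a session bound to one workgroup whose requests are routed only to that workgroup’s schema. The area names, role names and schema map are constructed sample data.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict


class Access(IntEnum):
    # Ordered so that a comparison expresses "at least this much access".
    NONE = 0
    READ = 1
    READ_WRITE = 2


@dataclass
class Role:
    name: str
    # functionality area -> access level; areas not listed default to NONE
    grants: Dict[str, Access] = field(default_factory=dict)

    def level(self, area: str) -> Access:
        return self.grants.get(area, Access.NONE)


@dataclass
class Session:
    user: str
    workgroup: str      # the workgroup the user logged in to
    role: Role          # roles are defined per workgroup


# Hypothetical workgroup -> schema map (constructed for this example).
SCHEMAS = {"wg-alpha": "climb_wg_alpha", "wg-beta": "climb_wg_beta"}


def schema_for(session: Session, requested_workgroup: str) -> str:
    """Route a request to the schema of the session's own workgroup only.
    A request naming any other workgroup is refused, not routed."""
    if requested_workgroup != session.workgroup:
        raise PermissionError("session is bound to a different workgroup")
    return SCHEMAS[session.workgroup]


def authorize(session: Session, area: str, write: bool) -> bool:
    """True if the session's role allows the operation on the area.
    Default is deny: an area the role does not mention is NONE."""
    needed = Access.READ_WRITE if write else Access.READ
    return session.role.level(area) >= needed


# Constructed sample role: may edit animal records, may only view protocols.
TECHNICIAN = Role("technician", {"animals": Access.READ_WRITE,
                                 "protocols": Access.READ})
sample_session = Session("tech1", "wg-alpha", TECHNICIAN)
```

The check is deliberately two-stage: the workgroup test runs before the role test, so a caller can never reach another workgroup’s schema by holding a generous role in its own.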
The Climb application is accessed only over a secure protocol, so data transmitted between the Climb database and the browser is encrypted via the SSL security protocol. Climb data are encrypted at rest in the Climb Azure SQL database using Azure’s Transparent Data Encryption (TDE). TDE performs page-level encryption of the data before it is stored and decryption of the data as it is read into memory. Encryption keys may be customer managed. In addition, user account passwords are stored in encrypted format.
Unless otherwise noted, the Climb application runs 24x7x365. We reserve short, regular maintenance windows (for example, during idle periods) in which software updates can be performed.
The Climb application is hosted on a distributed server infrastructure managed by a world-class hosting provider (Microsoft Azure). Both technicians and researchers use Climb via an HTML5-compliant web browser with Internet connectivity.
RockStep Solutions partners with Microsoft Azure to provide a secure and reliable server infrastructure and server management service. Azure has achieved ISO 27001 certification and has been validated as a Level 1 service provider under the Payment Card Industry (PCI) Data Security Standard (DSS). Azure has passed annual SOC 1 and SOC 2 audits as well as FDA 21 CFR Part 11 and FedRAMP.
Disaster Recovery of Climb Data
Azure provides backup and recovery services, including geo-replication, which provides redundancy of data across regions to ensure access to data in the event of a local disaster. Backups are stored in encrypted format. The Azure platform is proven to have 99.95% compute availability and 99.9% storage and database availability. Automated database backups allow point in time restore to within 15 minute intervals going back 30 days. Standard RPO for a geo-redundant Azure SQL database is 1 hour.
In the event of hardware failure, affected resources are automatically moved to new hardware. Hardware failure does not cause service interruptions. Fault tolerance is built into the Climb application: long-running operations are idempotent, so a failure during a transaction does not leave orphaned or corrupt data. Climb employs a fault detection/retry strategy for data retrieval and saving.
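The combination of idempotent operations and a detect-and-retry strategy is easiest to see with a simulated failure. The added example below (not Climb’s code) is an in-memory store in which a save carries an idempotency key committed alongside the data; a lost acknowledgement makes the client retry, and the retry is a no-op. A key-less append is included for contrast, because it duplicates the record under the same failure. The store, the error type and the backoff parameters are assumptions constructed for the example.

```python
import random
import time
import uuid
from typing import Callable, Dict


class TransientError(Exception):
    """Stands in for a dropped connection or timeout (constructed for this example)."""


class Store:
    """In-memory stand-in for the database. The idempotency key is recorded in
    the same commit as the data, so a retried save finds it and does nothing."""

    def __init__(self, lose_ack_once: bool = False):
        self.rows: Dict[str, dict] = {}
        self.applied_keys = set()
        self.events = []          # key-less log, used only to show the contrast
        self.apply_count = 0
        self._lose_ack = lose_ack_once

    def _fail_after_commit(self) -> None:
        # Worst case: the write committed but the client never saw the
        # acknowledgement, so the client's retry logic will run again.
        if self._lose_ack:
            self._lose_ack = False
            raise TransientError("simulated lost acknowledgement")

    def save(self, key: str, row_id: str, values: dict) -> bool:
        if key in self.applied_keys:
            return False              # already applied; nothing to redo
        self.rows[row_id] = dict(values)
        self.applied_keys.add(key)
        self.apply_count += 1
        self._fail_after_commit()
        return True

    def append_event(self, text: str) -> None:
        """Non-idempotent counterpart: a retry here duplicates the record."""
        self.events.append(text)
        self._fail_after_commit()


def with_retry(op: Callable, attempts: int = 5, base_delay: float = 0.01,
               sleep: Callable[[float], None] = time.sleep):
    """Run op, retrying on TransientError with exponential backoff and jitter."""
    for n in range(attempts):
        try:
            return op()
        except TransientError:
            if n == attempts - 1:
                raise
            sleep(base_delay * (2 ** n) + random.uniform(0, base_delay))


def save_with_retry(store: Store, row_id: str, values: dict,
                    sleep: Callable[[float], None] = time.sleep) -> dict:
    key = str(uuid.uuid4())           # generated once per logical operation, not per attempt
    with_retry(lambda: store.save(key, row_id, values), sleep=sleep)
    return store.rows[row_id]
```

The important detail is where the key is generated: once per logical operation, outside the retry loop. A key minted inside the loop would be a fresh key on every attempt and the store could not recognise the repeat.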
Application resources, including web applications, databases, and file storage, are monitored constantly for performance and availability. Should there be a sudden rise in failure rates, or if abnormal performance patterns emerge, the team is alerted so that the issue can be resolved as quickly as possible.
What web application security practices do you follow?
We follow standard web application security practices, including:
● Input validation (expected data types, data range and length)
● A least-privilege approach: users are restricted to only the functionality and data required to perform their tasks
● Authentication is required for all requests to all resources
● Centralized authentication control
● Only cryptographically strong hashes of passwords are stored
● All vendor-supplied or default passwords are changed
● Encoding of hazardous characters
● Escaping of output (preventing XSS attacks)
● Code reviews on all application code prior to check-in, with peer review for security vulnerabilities
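Three of the practices listed above (input validation by type, range and length; storing only a strong password hash; escaping output before it reaches a page) are shown together in this added example. It is illustrative code, not Climb’s, and uses only the Python standard library; the field limits and the PBKDF2 iteration count are assumptions chosen for the example.

```python
import hashlib
import hmac
import html
import os
from typing import Optional, Union


def validate_int(value: Union[int, str], lo: int, hi: int) -> int:
    """Accept an integer, or a decimal string, only if it lies within [lo, hi].
    bool is excluded explicitly because it is a subclass of int."""
    if isinstance(value, bool) or not isinstance(value, (int, str)):
        raise ValueError("expected an integer")
    try:
        n = int(value)
    except ValueError:
        raise ValueError("expected an integer") from None
    if not lo <= n <= hi:
        raise ValueError(f"value outside {lo}..{hi}")
    return n


def validate_text(value: object, max_len: int) -> str:
    """Accept text only up to max_len characters; anything else is rejected."""
    if not isinstance(value, str):
        raise ValueError("expected text")
    if len(value) > max_len:
        raise ValueError(f"longer than {max_len} characters")
    return value


# Assumed work factor; a real deployment tunes this to its hardware.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt$hash' in hex. Only this string is stored, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def render_cell(user_text: str) -> str:
    """Escape user-supplied text at the point it is written into HTML, so that
    markup characters are displayed literally instead of being interpreted."""
    return f"<td>{html.escape(user_text, quote=True)}</td>"
```

Validation and escaping are complementary, not alternatives: validation decides whether a value is acceptable at all, while escaping makes whatever is stored safe for the specific context (here HTML) in which it is later rendered.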
What are your company security policies?
RockStep Solutions maintains and enforces policies that provide a thorough and structured approach to security within our organization. These policies include:
● All employees and contractors are required to execute a non-disclosure agreement
● RockStep Solutions leverages LastPass password management software to enforce password policies for uniqueness, strength, and periodic changing. RockStep controls password sharing through LastPass and requires shared password changes upon termination of an employee who had access to the password
● Only the minimum necessary authorized employees are ever allowed access to sensitive information
● Access to customer information, when necessary, follows a “just in time access” approach, wherein the employee accesses the data for a limited time and for a specific purpose such as troubleshooting
● Secure computing methods for workforce members that access sensitive information (vulnerability education, hard drive encryption, malicious software protection, enforced password policy, etc.)
● Periodic, scheduled compliance reviews and enforcement
● Annual company-wide security and privacy training
● Periodic, scheduled vulnerability and risk reports, log review, and analysis
● Emergency contingency plans (e.g., loss of key employees)
● Annual security reviews by independent 3rd-party experts
What is the administrative procedure for creating a new account? How are forgotten passwords reset?
Climb accounts are created in a self-service fashion. Anyone may create a Climb account. However, only administrative users may add a Climb user to their workgroup, thus granting access to the workgroup’s resources. Climb offers self-service password reset. Passwords (or any other form of login credentials) are never sent by email.
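The reset flow described above never sends a credential by email; what travels in the email is a short-lived, single-use token that lets the holder choose a new password. The added example below (not Climb’s implementation) shows one way to do that: only a hash of the token is kept server-side, so a copy of the table does not yield usable reset links. The token lifetime and the injectable clock are assumptions for the example.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone
from typing import Any, Callable, Dict, Optional, Tuple


class ResetTokens:
    """Single-use, time-limited password reset tokens."""

    def __init__(self, ttl: timedelta = timedelta(minutes=30),
                 clock: Optional[Callable[[], datetime]] = None):
        self._ttl = ttl
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._pending: Dict[str, Tuple[str, datetime]] = {}   # token hash -> (user, expiry)

    @staticmethod
    def _digest(token: str) -> str:
        # The token itself is high-entropy, so a plain hash is enough to make the
        # stored value useless to anyone who reads the table.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user: str) -> str:
        """Create a token for user. Only the token (never a password) is mailed."""
        token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        self._pending[self._digest(token)] = (user, self._clock() + self._ttl)
        return token

    def redeem(self, token: str) -> Optional[str]:
        """Return the user for a valid token and invalidate it; None otherwise.
        pop() removes the entry first, so even an expired token cannot be reused."""
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        user, expiry = entry
        if self._clock() > expiry:
            return None
        return user

    def pending_count(self) -> int:
        return len(self._pending)
```

A redeemed token should be followed immediately by setting the new password and invalidating existing sessions for that account; the example stops at identifying the user so that the token mechanics stay visible.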
Does Climb use "cookies"?
Yes. Climb collects various statistical parameters during a user’s visit. These data are related only to application health and performance and are not linked back to individual user accounts. No external resource access is tracked.
What software, languages, frameworks, etc. does Climb use? How is Climb architected?
Please contact us for more information regarding our software stack and system architecture.
What happens if a security vulnerability is discovered?
Operating system security patches are deployed through our Azure platform SLA and do not result in system interruption. We employ a responsible disclosure policy for application security vulnerabilities, and our automated deployment pipeline allows rapid release cycles. RockStep follows a “roll forward” release policy: as soon as a vulnerability is discovered, an updated version of the software addressing it is released.