Security
Ans leads the way in security
We’ve built our product according to the highest security standards and we are proud to exceed the industry standard when it comes to protecting your institution and its users.
Product security & reliability
Ans offers many security features, including SSO, IP Whitelisting, audit and change logs, private views, Role-Based Access Control, and two-factor authentication to ensure best-in-class protection.
SSO
Ans offers SAML Single Sign-on (SSO) to allow admins to determine who has access to Ans from your existing identity provider/SSO solution — SurfConext, Azure Active Directory, and more.
Role-Based Access Controls
Access to data within the Ans application is governed by role-based access control (RBAC). Ans has several roles with distinct permission levels (administrator, instructor, invigilator, reviewer, learner).
Password and Credential Storage
Ans enforces a password complexity standard and stores credentials as salted bcrypt hashes, an adaptive password-hashing function; passwords are never stored in plaintext.
Uptime
Ans has 99% or higher uptime.
IP Whitelisting
Ans can be configured so that tests or results can only be accessed from designated IP address ranges.
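The pitfall in an IP allow-list is deciding which address to check: behind a CDN or reverse proxy the socket peer is the proxy, and the X-Forwarded-For header is attacker-controlled unless the peer is a trusted proxy. The following is an added example, not Ans code; the CIDR ranges, the trusted-proxy range and the header layout are constructed assumptions that illustrate the check rather than describe how Ans implements it.

```python
"""Added example: IP allow-list check for test/result access behind a proxy.

Hypothetical, not Ans code. Assumptions: allow-list entries are CIDR strings,
the app sits behind a reverse proxy/CDN that appends the peer it saw to
X-Forwarded-For, and the proxy tier's address range is known in advance.
"""
import ipaddress
from typing import Iterable, List, Optional, Union

Addr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed sample data: an institution's exam-hall ranges (IPv4 and IPv6).
EXAM_ALLOWLIST = ["192.0.2.0/24", "2001:db8:ab::/48"]
# Constructed: addresses of the trusted proxy tier allowed to set X-Forwarded-For.
TRUSTED_PROXIES = ["198.51.100.0/24"]


def parse_networks(cidrs: Iterable[str]) -> List[ipaddress._BaseNetwork]:
    """Parse CIDR strings; strict=False tolerates host bits set in the prefix."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def in_any(addr: Addr, nets: Iterable[ipaddress._BaseNetwork]) -> bool:
    # ipaddress returns False for a v4 address in a v6 network, so no version check needed.
    return any(addr in net for net in nets)


def client_ip(remote_addr: str, forwarded_for: Optional[str],
              trusted_proxies: Iterable[str]) -> Addr:
    """Return the address the allow-list should be evaluated against.

    If the TCP peer is not a trusted proxy, X-Forwarded-For is ignored entirely:
    a direct client can write anything into it. If the peer is trusted, each
    proxy appended the peer it saw, so the rightmost entry that is not itself a
    trusted proxy is the real client; entries left of it were supplied by the
    client and are untrusted.
    """
    peer = ipaddress.ip_address(remote_addr)
    trusted = parse_networks(trusted_proxies)
    if not in_any(peer, trusted) or not forwarded_for:
        return peer
    for hop in reversed([h.strip() for h in forwarded_for.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed header: fail closed to the socket peer
        if not in_any(addr, trusted):
            return addr
    return peer  # every hop was a proxy; treat the request as coming from the proxy


def is_allowed(addr: Addr, allowlist: Iterable[str]) -> bool:
    """True if addr (or its IPv4-mapped form, e.g. ::ffff:192.0.2.5) is in the allow-list."""
    nets = parse_networks(allowlist)
    candidates = [addr]
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        candidates.append(addr.ipv4_mapped)
    return any(in_any(c, nets) for c in candidates)


def can_access_test(remote_addr: str, forwarded_for: Optional[str] = None,
                    allowlist: Iterable[str] = EXAM_ALLOWLIST,
                    trusted_proxies: Iterable[str] = TRUSTED_PROXIES) -> bool:
    """Decision used by a hypothetical test-access middleware."""
    return is_allowed(client_ip(remote_addr, forwarded_for, trusted_proxies), allowlist)
```

The interesting case is a client outside the exam hall that sends its own X-Forwarded-For: 192.0.2.10 header. Because the proxy appends the real peer, the header arrives as "192.0.2.10, 203.0.113.9" and the rightmost non-proxy entry, 203.0.113.9, is what gets checked, so the spoof fails.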
Cloud Security
Ans’s security and availability architecture is built on the ISO 27002:2013 control set and the SURF Juridisch Normenkader (Cloud)services, so that best-practice protection controls are implemented according to industry standards.
Physical Security & Data Hosting
Ans uses only data centers in Europe. The services and data are hosted at CloudVPS in the Netherlands or on Amazon Web Services (AWS) in Ireland (eu-west-1).
Intrusion Detection and Prevention
Ans has designed multiple layers of security monitoring to detect anomalous behavior. When incidents and security events exceed predetermined thresholds, our security team acts on them.
DDoS Mitigation
Ans has designed a multi-layer approach to DDoS mitigation. A core technology partnership with Cloudflare provides network-edge defenses, while the scaling and protection tools of CloudVPS/AWS provide deeper protection, together with our use of third-party DDoS/WAF/RASP application tools.
Logical Access
Access to the Ans Production Network is restricted on an explicit need-to-know basis, follows least privilege, is frequently audited and monitored, and is controlled by our Operations Team. Employees who access the Ans Production Network must use multi-factor authentication and have passed extensive background checks, in addition to the technical and administrative controls that apply to all staff.
Failover and DR
Ans was built with disaster recovery in mind. All of our infrastructure and data are spread across 3 availability zones and will continue to work should any one of those data centers fail.
Backups and Monitoring
At the application level, Ans produces audit logs for all relevant activities, ships logs to AppSignal for analysis, and uses object storage (S3) for archival. All actions taken on production consoles or in the Ans application are logged.
Permissions and Authentication
Access to customer data is limited to authorized privileged employees who require it for their job responsibilities. We use SAML Single Sign-on (SSO), two-factor authentication (2FA), and strong password policies on GitHub, Google, AWS, and Ans to protect access to cloud services.
Encryption
All data sent to or from Ans is encrypted in transit using 256-bit encryption. Our API and application endpoints accept TLS connections only and score an “A+” on the Qualys SSL Labs test, which reflects that we use only strong cipher suites and have HSTS and Perfect Forward Secrecy fully enabled. Data at rest is encrypted with the industry-standard AES-256 algorithm.
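When verifying claims like these from a scan report, a practitioner checks four concrete properties: the negotiated protocol version, that the cipher suite is an AEAD suite with no legacy primitives, that key exchange is ephemeral (forward secrecy), and that the Strict-Transport-Security header has a long enough max-age and covers subdomains. The following added example (not Ans code, and not the SSL Labs grading logic) encodes those checks as an offline audit over constructed scanner output; the thresholds are assumptions chosen to match common hardening guidance.

```python
"""Added example: offline audit of a TLS endpoint's reported posture.

Hypothetical, not Ans code. Input is constructed to resemble what a scanner
reports: negotiated protocol, cipher suite name (OpenSSL or IANA naming) and
the Strict-Transport-Security response header. Thresholds are assumptions.
"""
import re
from typing import Dict, List, Optional, Union

PROTOCOL_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
MIN_PROTOCOL = "TLSv1.2"            # assumption: anything older is a finding
HSTS_MIN_MAX_AGE = 31536000         # one year, the usual preload-list minimum
# Legacy primitives that should never appear in a negotiated suite name.
WEAK_PRIMITIVES = re.compile(r"(RC4|3DES|DES-CBC|NULL|EXPORT|MD5|anon|PSK)", re.I)


def protocol_ok(proto: str) -> bool:
    """True if the negotiated protocol is at least MIN_PROTOCOL."""
    return proto in PROTOCOL_ORDER and \
        PROTOCOL_ORDER.index(proto) >= PROTOCOL_ORDER.index(MIN_PROTOCOL)


def cipher_strong(cipher: str) -> bool:
    """Require an AEAD suite (GCM or ChaCha20-Poly1305) with no legacy primitive."""
    return not WEAK_PRIMITIVES.search(cipher) and ("GCM" in cipher or "CHACHA20" in cipher)


def has_forward_secrecy(cipher: str, proto: str) -> bool:
    """TLS 1.3 suites always use ephemeral (EC)DHE; in 1.2 the name must say so."""
    return proto == "TLSv1.3" or cipher.startswith(("ECDHE-", "DHE-", "TLS_ECDHE_", "TLS_DHE_"))


def parse_hsts(header: Optional[str]) -> Optional[Dict[str, Union[int, str, bool]]]:
    """Parse 'max-age=N; includeSubDomains; preload' into a dict (keys lowercased)."""
    if header is None:
        return None
    directives: Dict[str, Union[int, str, bool]] = {}
    for part in header.split(";"):
        key, _, value = part.strip().partition("=")
        key, value = key.lower(), value.strip().strip('"')
        if not key:
            continue
        if key == "max-age" and value.isdigit():
            directives[key] = int(value)
        else:
            directives[key] = value or True   # valueless directive, e.g. includeSubDomains
    return directives


def hsts_ok(header: Optional[str]) -> bool:
    d = parse_hsts(header)
    return bool(d) and isinstance(d.get("max-age"), int) \
        and d["max-age"] >= HSTS_MIN_MAX_AGE and d.get("includesubdomains") is True


def audit(proto: str, cipher: str, hsts_header: Optional[str]) -> List[str]:
    """Return a list of findings; an empty list means the posture matches the policy."""
    findings = []
    if not protocol_ok(proto):
        findings.append(f"protocol {proto} below {MIN_PROTOCOL}")
    if not cipher_strong(cipher):
        findings.append(f"weak cipher {cipher}")
    if not has_forward_secrecy(cipher, proto):
        findings.append("no forward secrecy")
    if not hsts_ok(hsts_header):
        findings.append("HSTS missing, too short, or not covering subdomains")
    return findings


if __name__ == "__main__":
    # Constructed sample: a good endpoint and a legacy one.
    print(audit("TLSv1.3", "TLS_AES_256_GCM_SHA384", "max-age=63072000; includeSubDomains; preload"))
    print(audit("TLSv1", "AES256-SHA", "max-age=300"))
```

A static RSA key exchange suite such as AES256-SHA is the case worth noticing: it can be "256-bit" and still offer no forward secrecy, so a recorded session becomes readable if the server's private key is ever compromised.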
Pentests & Vulnerability Scanning
Ans uses third party security tools to continuously scan for vulnerabilities. Our security team responds to issues raised. We engage with independent third-party security experts to perform detailed penetration tests on the Ans application and network.
Security Incident Response
In case of a system alert, events are escalated to Ans’s teams providing Operations, Network Engineering, and Security coverage. Employees are trained on security incident response processes, including communication channels and escalation paths.
Application Security
Ans practices extensive processes and controls to ensure application security. All Ans engineers utilize common best practices defined by standards like OWASP, NIST and CIS Benchmark.
Framework Security Controls
Ans leverages modern and secure open-source frameworks with built-in security controls to limit exposure to the OWASP Top 10 security risks. These inherent controls reduce our exposure to SQL Injection (SQLi), Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF), among others.
Quality Assurance
Our Quality Assurance (QA) staff reviews and tests our code base. Application security engineers identify, test, and triage security vulnerabilities in code.
Separate Environments
Testing, staging, acceptance and education environments are logically separated from the production environment. No service data is used in our development or test environments.
HR Security
At Ans we ensure that our employees adhere to the highest security standards by implementing extensive employee background checks and multiple administrative controls.
Training
All employees complete Security and Awareness training annually and during onboarding.
Policies
Ans has developed a comprehensive set of security policies based on the ISO 27002:2013 control framework. These policies are updated frequently and communicated to all employees.
Employee Screening
Ans performs background checks on all new employees in accordance with local, federal and state laws applicable to our business. The background check includes employment verification, criminal checks and education verification.
Confidentiality
All employee contracts include a confidentiality agreement.
Compliance
Ans has built its Information Security Management System on the ISO 27002:2013 control set and the SURF Juridisch Normenkader (Cloud)services, so that best-practice protection controls are implemented according to industry standards. We comply with the local, federal and state regulations applicable to our business, as well as with industry standards.
Questions or issues?
If you think you may have found a security vulnerability within Ans, please follow our responsible disclosure guidelines.