Our Security Practices

Published: March 19, 2026. Last updated: March 20, 2026.

Ciso is developed by Omegapoint, which is certified according to ISO/IEC 27001. This means that our security work is conducted within an established Information Security Management System (ISMS), with risk-based governance, continuous monitoring, and ongoing improvement.

Development and secure development process

Security is a fundamental part of our development process and is built into the system from the outset. Development is carried out in a structured and controlled manner to minimize the risk of vulnerabilities.

All code is developed in isolated environments and reviewed before being deployed. We use Azure DevOps with automated build pipelines that ensure both code and dependencies are validated before release.

This means that:

  • All code undergoes mandatory peer review before being merged
  • Security requirements and authorization logic are reviewed in every change
  • Development takes place in isolated feature branches
  • Automated pipelines identify vulnerabilities in dependencies
  • Only verified code is promoted to production
  • Production data is never used in development or test environments

Architecture and isolation

Ciso is designed to handle sensitive information and is built on an architecture where customer data is strictly separated.

Each customer operates within a dedicated application instance and has its own dedicated database. This ensures that no data is shared between customers and that the impact of any incident is limited.

The application runs in a Kubernetes cluster where components are isolated, and database access is only possible through the application layer.

This means that:

  • A dedicated application instance per customer
  • A dedicated database per customer
  • No data sharing between customers
  • Isolation between platform components
  • Reduced attack surface through layered architecture

Access control and identity

Access to systems and data is strictly controlled and based on the principle of least privilege. Permissions are assigned based on role and necessity and are regularly reviewed.

Ciso can integrate with the customer’s identity provider via Microsoft Entra ID, enabling Single Sign-On and centralized identity management.

This means that:

  • Role-based access control (RBAC)
  • Support for multi-factor authentication
  • Integration with external identity providers (SSO)
  • Regular review of permissions
  • Traceable access to systems and data

Access to the production environment is particularly restricted:

  • No permanent administrative access for developers
  • Access is granted only when required and is time-limited
  • All administrative actions are logged and traceable

Encryption and secret management

Protection of data is a core part of the platform’s security. All communication is encrypted, and the handling of secrets is centralized and controlled.

Communication between users, systems, and internal services is conducted over secure protocols, and sensitive data is never exposed in plaintext.

This means that:

  • TLS is used for all external and internal communication
  • API communication always occurs over encrypted connections
  • Certificates and secrets are not stored in code
  • Centralized management of secrets and keys
  • Automatic rotation of certificates and keys
  • Access to secrets is governed by roles and policies

Logging, monitoring, and detection

We use a modern logging and monitoring platform that provides full visibility into system behavior and enables rapid detection of anomalies.

Logs are collected from applications, infrastructure, and integrations and are analyzed centrally.

This means that:

  • Centralized logging of system events and API activity
  • Real-time monitoring of systems and resources
  • Automated alerts on anomalous behavior
  • Detection of anomalies in traffic and usage patterns
  • Traceability of changes and access

Incident management

We have established processes for handling both technical and security incidents in a structured manner.

Incidents are identified through monitoring, alerts, or reporting and are handled according to defined procedures.

This means that:

  • Rapid identification and classification of incidents
  • Immediate actions to limit impact
  • Root cause analysis after incidents
  • Documentation and follow-up
  • Communication with affected customers when relevant

When necessary, incidents are escalated to our infrastructure provider for handling of underlying components.

Backup and recovery

We maintain a robust strategy to protect data and ensure recovery in the event of incidents.

Backups are performed continuously and stored separately from the production environment, enabling recovery even in severe scenarios.

This means that:

  • Continuous backup of databases and configurations
  • Point-in-time restore with high granularity
  • Backup stored across multiple separate locations
  • Geographically separated storage
  • Verification of backup and restore processes

Platform hardening

The platform is hardened according to established security principles to reduce risk and increase resilience against attacks.

We rely on automation and Infrastructure as Code to ensure consistency and reproducibility across environments.

This means that:

  • Infrastructure defined and managed as code
  • Automated provisioning and configuration
  • Hardened Kubernetes cluster based on established guidelines
  • Stricter network policies and segmentation
  • Implementation of Zero Trust principles
  • Enhanced internal encryption between services
  • Centralized management of keys and secrets

Summary

Our security practices cover the entire system lifecycle – from development to operations and continuous improvement.

This means that:

  • Security is integrated into the development process
  • Customer data is strictly isolated and protected
  • Access is controlled and traceable
  • Data is protected through encryption and secure handling
  • Systems are continuously monitored
  • Incidents are handled systematically and followed up
  • The platform is hardened and reproducible

Together, this creates a solution where sensitive information can be handled with a high level of security and reliability.