GTP Common Security Questions

How is my data protected?

All databases are encrypted at rest using AES256-CBC. All data in transit is encrypted using TLS 1.2. Databases are backed up every 6 hours, daily, and monthly. These backups are also encrypted using AES256-CBC. The retention period for these backups is 2 days for the 6-hour backups and 15 days for the daily backups. Only authorized GTP personnel will access your database and backups.

How is User security enforced?

GTP’s Data Stewardship policy requires that all individuals at your company have a valid user defined with GTP Authentication services. Our Authentication services use Azure AD B2C as the user identity provider for password-based authentication and GTP Shop Pass for password-less authentication. Note: GTP Shop Pass will not be released until late 1st Qtr 2023. We also offer a feature called SSO for GTP services. This feature allows us to integrate GTP authentication with a company’s SAML2 identity provider. This places control of password requirements, password reset, and MFA enforcement in the company’s domain.

How does GTP ensure its Infrastructure remains secure?

We are currently moving all of our Production Infrastructure to a new subscription in Azure that enforces FedRAMP Moderate policy controls. Likewise, our Development/Test Infrastructure is being moved to a new subscription in Azure that enforces FedRAMP Moderate policy controls.

As we move services to the FedRAMP policy-bound subscription, we are minimizing the surface area that is exposed to the public Internet. Once we complete the move, the only public IP addresses will be for the web sites GTP provides.

All access to the Azure assets of GTP requires that the GTP staff member be connected via Azure VWAN P2S VPN. Only 3 people at GTP are authorized to perform Azure and Atlas change management.

All changes must be requested via the internal ITSM site. They are reviewed for business need and security exposure before they are made.

All changes are logged via Azure audit logging with a retention of 2 years.

All of the Azure DevOps Projects we use to manage our source control are designated as private. We also use private agents in our Azure subscription for all build/deployment tasks. This ensures that our source code is not exposed via Azure DevOps public agents.

All GTP devices are managed via an MDM platform.

 

© Copyright 2022 GTP Services, LLC. All rights reserved.