Overview

Security is one of the most important aspects of using Usage Engine. This document outlines some of the basic security considerations that should be upheld when using the service. Security defines several areas of interacting with data that are important in a given aspect:

• Protection from unauthorized access
• Handling of user data
• Ensuring that technical specifications and guidelines are met

Information security is a fundamental aspect integrated across every stage of Usage Engine's software development and operational processes. Digital Route follows stringent security practices, which are rooted in the Open Web Application Security Project (OWASP) Top 10 project. To validate compliance with the OWASP Top 10 objectives, routine penetration testing is conducted by external and independent vendors. By adhering to these practices, Usage Engine attains industry-leading standards and practices, ensuring the utmost protection and meeting all enterprise security requirements.

Security principles are divided into two main types: Rules (mandatory requirements) and Recommendations (optional considerations). Each of them is mandated through a specific principle. An outline of their roles in relation to the security aspect is:

• Rules – These are mandatory actions that need to be followed to run the service as intended. Many of them are implemented directly via technical specifications and certifications.
• Recommendations – These are best practices that are not mandatory, but are considered practical in maintaining a secure environment.
  

Vulnerabilities in the software undergo a triage process, where they are evaluated and prioritised based on severity and potential impact. This enables the implementation of targeted mitigation strategies to address the most critical vulnerabilities promptly, ensuring a strong security posture and protection against potential threats.

Privacy 

Usage Engine is a highly configurable service that can support various business models and processes. Data privacy requirements are to be fulfilled by configuring system interfaces, data structures, and relevant security settings.

...

Running deployments may store records that contain personal information in logs that are available to end-users. Deployments do not store individual records by default and the behavior is determined by the user-configured streams. The deployment logs are deleted after a period of 90 days. If you need the data to be removed before the expiry period, please submit your request to DigitalRoute Support.

Secure Keys Management

Secrets Wallet depends on a secure infrastructure that is carefully designed to provide a secure environment. All private operations are handled using a set of encryption keys that are used to authorize and authenticate Usage Engine operations. These keys are based on hardware security modules that use the FIPS 140-2 standard for protection. 

...

The Usage Engine platform service includes support for OAuth2 in the HTTP client Function. It is implemented by following the RFC 6749 specifications and creates a secure authorization layer intended to provide restricted resources. This functionality is developed to aid integration with other services and stream interaction. During the authentication process, as defined in the RFC, additional client-side and server-side data flow interactions can take place – the use of TLS and HTTP redirection.

...

To prevent abuse and potential weak security scenarios, you can protect the end-user device by following these recommendations:

...