OutSystems applies security best practices and manages security to allow customers to focus primarily on their business. OutSystems Cloud inherently protects customers from threats by making sure security controls are applied at every layer, while ensuring that customer applications and data are isolated.
OutSystems allows any customer to conduct security audits and penetration tests within the OutSystems Cloud, as long as they are limited to the customer’s own cloud infrastructure.
Data center security and compliance
OutSystems Cloud physical infrastructure is hosted within Amazon Web Services secure and certified data centers. Amazon Web Services (AWS) data centers have multiple layers of operational and physical security to ensure the integrity and safety of data. The data center is manned and supported 24 hours a day, 7 days a week and 365 days a year. AWS system security includes:
Intrusion detection devices
Distributed Denial-of-Services mitigation services
Recurring risk assessments to ensure compliance with industry standards.
Amazon’s data center operations have been accredited under several security compliance standards, such as ISO 27001, SOC 1/SSAE 16/ISAE 3402, SOC 2, SOC3, FedRAMPSM and FIPS 140-2.
Application security in OutSystems Cloud
Applications built with OutSystems benefit from an extra level of security in the application code itself. For example, there are many common threats (such as SQL injection) that exploit vulnerabilities in the way programs are written. OutSystems generates standard code in a way that explicitly prevents these types of threats.
Additionally, OutSystems systematically validates the security of the code that is generated for web and mobile web applications. Using static code analysis tools, the OutSystems research and development team applies advanced vulnerability scanning to OutSystems-generated code during regression testing, and has defined key acceptance criteria regarding web security for all generated code to eliminate all critical, high and medium vulnerabilities.
This gives you an extended security level within the code generated by OutSystems. It also ultimately reduces the cost of maintenance as new security issues are automatically fixed in customer applications simply by applying patches and upgrades.
Secure software development lifecycle
The security model that supports application lifecycle and promotion is tailored to support patterns of both simple and complex software factories. Administrators can set restrictions on who is allowed to stage specific applications to the appropriate environment.
IT team responsibilities are defined by roles and users can specify what each role can do in each environment. For example, the developer role might not be allowed to push applications to production, while the operations role can.
A role can have custom permissions for each application. Alternatively, teams can be defined as being responsible for multiple applications, and assigned role permissions valid for all the applications managed by the team. This model enables organizations to map to how they manage the security of their software factory, simplifying the management of several applications and their teams of users.
To strengthen the security of OutSystems applications and user trust, SSL/TLS certificates are setup by default for all applications. These certificates provide end-to-end encryption between browsers and applications, which is crucial for applications that transmit sensitive data.
To further strengthen user trust and brand recognition, users can define their preferred domain name and upload their SSL certificate in the OutSystems management console.
Virtual private cloud (VPC) and VPNs
The OutSystems Cloud dedicates a Virtual Private Cloud for each Enterprise customer, which ensures complete isolation of the environment of each customer/tenant from other tenants. Each tenant has a dedicated set of virtual machines and a dedicated database instance, both running on the dedicated Virtual Private Cloud.
The Virtual Private Cloud also provides a secure and seamless bridge between an existing IT infrastructure and OutSystems Cloud environments. With this technology, cloud environments can communicate with on-premises systems through VPN tunnels and vice versa, enabling teams to integrate and expose core system data in a secure way.
Additionally, an organization is able to access the cloud through VPN by defining the routing and updating security policies. The OutSystems Cloud becomes an extension of their corporate data center, without having to sacrifice security or change management practices.
VPN connections use industry-standard IPsec tunnel mode (with IKEPSK, AES-128, HMAC-SHA-1, PFS) to authenticate the two sides of the VPN connection and to protect the data in transit from eavesdropping and tampering. IPsec adds minimal overhead to the traffic stream.
A team may subscribe to additional VPNs, for example, in order to connect to multiple geographic locations or to create a redundant VPN connection to provide failover.
OutSystems proactively monitors reputable industry sources for security vulnerabilities, and uses standard risk rating methodologies to plan an appropriate response.
Additionally, OutSystems regularly applies patches to the operating system and application server.
Privacy and data protection
OutSystems applies industry-standard procedures to safeguard the confidentiality of the data stored by the applications hosted in the OutSystems Cloud. For example, access to OutSystems employees is controlled and restricted to the minimum requirements to provide the cloud services.
A Virtual Private Cloud for each customer/tenant prevents cross-tenant accesses, and ensures the privacy and security of customer’s data.
In addition to the multiple background checks and HR procedures, encryption of data-at-rest further protects your data against data centers employees illegitimate conduct.
Production data is automatically backed up, with the ability to restore to any point-in-time in the last 15 days, so you can safely recover from data corruption.
With the OutSystems security model, a team can easily restrict user and developer access to the production data of each application, even when all applications share the same OutSystems cloud infrastructure.