
Vault Vision’s Top Ten Security Principles

At Vault Vision, we are on a continual mission to improve security for our customers. We believe that constant dialog with the information security community and security experts will identify the best ideas and features for user protection and incident mitigation. 

Vault Vision Authentication Platform’s transparent and security-first mindset puts measures in place to protect our customers from threats and attacks. Here are the top ten security principles we follow at Vault Vision, offered to the security community as a model.

  1. Web Logins 
    • Vault Vision uses the same infrastructure and platform for user authentication that we offer to our customers
    • Our platform includes industry-leading support for WebAuthn and FIDO hardware tokens 
    • We enable MFA on all third-party web logins 
    • We enable SSO on all third-party SaaS providers 
  2. Email protections 
    • All of our outgoing vaultvision.com email is signed with DKIM and is DMARC compliant, including strict SPF policies 
    • All of our inbound email is filtered with Microsoft’s strictest filter controls 
    • All of our email accounts require MFA 
  3. Decentralized Networks 
    • All our networks run decentralized in a cloud provider with strict access control 
    • There is no back-office corporate network; we run everything either in a strict-access cloud or on an MFA-protected SaaS provider that supports SSO 
  4. Highest Grade Encryption 
    • SHA256 for all hashing 
    • AES256 for all application encryption 
    • TLS v1.2 is the minimum allowed version
    • Bcrypt for credential and password hashing
  5. Security Keys and Passwords are never stored on disk in plain text at rest 
    • Employees all use a password manager 
    • All desktops, laptops, and cloud disks are encrypted by default by either AWS encryption, self-encrypting hard drives, or LUKS 
  6. Continually Rolling Rebuilds and Patching 
    • All our infrastructure is rebuilt on a rolling, continual basis so that over a month’s period the entire platform has been rebuilt with the latest OS and library security patches. This is enabled because our platform has been created using infrastructure-as-code automation. At any given time, some component or microservice is rebuilding, retesting, and redeploying itself to keep up with security patches
  7. Backups 
    • All backups and snapshots are encrypted with keys stored in either a password manager or online key manager 
  8. Principle of least privilege 
    • All global admin accounts are isolated and not used as daily-driver accounts that do things like check mail or browse the internet. They are used only for admin purposes and then logged out of 
  9. Web service and site protections 
    • All our non-public websites and web services use HTTPS and require authentication. Unless a site or service is meant to be public and available anonymously for a purpose, it too uses HTTPS and requires authentication. 
    • We use cookies that are secure (HTTPS only) and isolated from JavaScript 
    • We set a number of standard HTTP security headers 
    • We use framework built-in protections for CSRF, XSS, and SQLi 
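One way to audit the cookie flags and headers this item describes, as an added example that is not Vault Vision's code: it parses a Set-Cookie value with the standard library and reports missing Secure/HttpOnly/SameSite flags and missing security headers. Which headers count as "standard" is an assumption (HSTS, CSP, X-Content-Type-Options, X-Frame-Options), and the two responses are constructed samples, not captured traffic.

```python
from http.cookies import SimpleCookie
from typing import Dict, List

# Assumption: the headers a defender expects on an authenticated HTTPS service.
# The page says "standard HTTP security headers" without listing them.
EXPECTED_HEADERS = {
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
}


def audit_cookie(set_cookie: str) -> List[str]:
    """Return policy violations for one Set-Cookie header value."""
    cookie = SimpleCookie()
    cookie.load(set_cookie)  # flag attributes become True, others stay ""
    problems = []
    for name, morsel in cookie.items():
        if not morsel["secure"]:
            problems.append(f"{name}: missing Secure (would be sent over plain HTTP)")
        if not morsel["httponly"]:
            problems.append(f"{name}: missing HttpOnly (readable by JavaScript)")
        if morsel["samesite"].lower() not in ("lax", "strict"):
            problems.append(f"{name}: SameSite not Lax/Strict (weaker CSRF defence)")
    return problems


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return the expected security headers missing from a response."""
    present = {k.lower() for k in headers}
    return sorted(EXPECTED_HEADERS - present)


def audit_response(resp: Dict[str, object]) -> List[str]:
    """Combine cookie and header findings; an empty list means the response passes."""
    findings = audit_cookie(resp["set_cookie"])
    findings += [f"missing header: {h}" for h in audit_headers(resp["headers"])]
    return findings


# Constructed sample responses (not captured from any real service).
WEAK_RESPONSE = {
    "headers": {"Content-Type": "text/html", "X-Frame-Options": "DENY"},
    "set_cookie": "session=abc123; Path=/",
}
HARDENED_RESPONSE = {
    "headers": {
        "Content-Type": "text/html",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Content-Security-Policy": "default-src 'self'",
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "DENY",
    },
    "set_cookie": "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
}

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(resp) or ["ok"])
```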
  10. We use scanners and vulnerability detectors on a regular basis 
    • We use industry-best scanners such as Nmap and Nikto to find and detect vulnerabilities as early as possible 
    • We have a public disclosure policy that rewards security researchers with bug bounties