Introduction

Imago is a geological image capture, storage and high-performance image viewing platform. It is a high availability, scalable solution that delivers the costs benefits of cloud management to geological image data.

Imago consists of cloud, desktop and mobile components. The cloud components are built using the Azure cloud platform. They benefit from Azure’s multilayered security across its physical data centres, infrastructure and operations.  In general, Microsoft’s recommended practices are followed for security, backup and disaster recovery.

The solution is in daily use at several of the world’s tier-1 exploration and mining organisations. It has a history of high availability, low outages and zero data loss.

System Architecture and Security

Imago is an Azure application and benefits from Azure’s security framework and capabilities.

Specifically, the solution consists of:

• Database, web, caching, blob storage and processing nodes,
• All nodes are monitored 24x7 with alerts,
• Firewalls restrict inbound and outbound network traffic,
• Web proxies isolate the external network from internal processing,
• Intrusion detection tools are active,
• System and network activity are logged,
• Application components are separated into isolated containers and
• Network communications use the encrypted https protocol.

By default, Imago has all infrastructure inside Azure’s US West data centre.

As of October 2019, there have been no identified breaches or security failures.

Application Security and User Authentication

Imago uses a role-based approach to application security. Roles are divided into subscription, owner, contributor and viewer capabilities. Each user is assigned roles depending what they may access or perform within the application. A workspace is the basic unit of security. It groups imagery, notes and other data together. A user’s roles are associated with a workspace.  The roles control their activities within it.

Users are managed either by the Imago system or by a client’s Active directory server. If users are managed by active directory then SSO authentication is available based on SAML. Users are provisioned and deactivated according their status in AD. Two-factor authentication is configured via Active directory.

If users are managed within Imago then account name/password authentication is used. Password restrictions, account expiration and retry/fail attempts are defined according to client requirements. Clients provision and deactivate users directly within Imago.

Data Security and Disaster Recovery

Imagery is stored within Azure blob storage services. These services maintain copies of each image at 3 different physically-separated data centres. Metadata are stored in a SQL database.

As of October, 2019, all imagery and metadata are stored inside Azure’s US West data centre by default. No imagery or metadata are stored externally to this data centre. Upon client request, imagery may be moved to local imago servers temporarily for data clean up, migration or client specific-processing. However, these servers are controlled and are not accessible external to Imago’s local infrastructure. They are not intended as long-term storage.

Data are encrypted at rest.

All records and images are soft deleted. No actual data is permanently deleted without written client authorisation. Continuous backups are performed and archived for 180 days. Imagery can be mirrored on a client’s internal storage if required.

The client owns all imagery. Imago only accesses this imagery to provide services or support to the client. Client data confidentiality is a very high priority to Imago. No imagery is provided to third parties, although internal staff/subcontractors have access if required. All staff/subcontractors are contractually bound to comply with client confidentiality and data disclosure.

Disaster recovery is available 24x7. Coverage is available across 24 time-zones. There is a risk management/recovery plan in place and staff are assigned roles according to this plan. Isolated tests of the recovery plan have been performed successfully.

Imago is not intended to be a mission critical operational system. It only provides an expected 12-hour response to service failure. Imago’s data capture components are designed to continue offline so operational activities are usually not impacted by a failure.

As of October, 2019, there has only been approximately 24 total hours of downtime over a 2 year period. No failures have resulted in a loss of data and most have been resolved within 60 minutes.

Configuring SSO

In order to configure SSO we request you create an app in AD with SAML SSO and export the federation.xml file from it. Send that to us at. We will send you an imago SDP xml file so you can add imago's certificate and endpoints for your site.

Once this is completed we can begin testing.

Conclusion

Each client has specific requirements to data and application security. If they can provide details of these requirements then Imago can evaluate against them to provide either a compliance confirmation or a timeline to compliance estimate.

Imago takes client data confidentiality and cloud security seriously. We are continually refining our security approaches and tools to assure our services.