Introduction

Imago is a geological image capture, storage and high-performance image viewing platform. It is a high availability, scalable solution that delivers the costs benefits of cloud management to geological image data.

Imago consists of cloud, desktop and mobile components. The cloud components are built using the Azure cloud platform. They benefit from Azure’s multilayered security across its physical data centres, infrastructure and operations.  In general, Microsoft’s recommended practices are followed for security, backup and disaster recovery.

The solution is in daily use at several of the world’s tier-1 exploration and mining organisations. It has a history of high availability, low outages and zero data loss.

System Architecture and Security

Imago is an Azure application and benefits from Azure’s security framework and capabilities.

Specifically, the solution consists of:

• Database, web, caching, blob storage and processing nodes,
• All nodes are monitored 24x7 with alerts,
• Firewalls restrict inbound and outbound network traffic,
• Web proxies isolate the external network from internal processing,
• Intrusion detection tools are active,
• System and network activity are logged,
• Application components are separated into isolated containers and
• Network communications use the encrypted https protocol.

By default, Imago has all infrastructure inside Azure’s US West data centre.

As of October 2019, there have been no identified breaches or security failures.

Application Security and User Authentication

Imago uses a role-based approach to application security. Roles are divided into subscription, owner, contributor and viewer capabilities. Each user is assigned roles depending what they may access or perform within the application. A workspace is the basic unit of security. It groups imagery, notes and other data together. A user’s roles are associated with a workspace.  The roles control their activities within it.

Users are managed either by the Imago system or by a client’s Active directory server. If users are managed by active directory then SSO authentication is available based on SAML. Users are provisioned and deactivated according their status in AD. Two-factor authentication is configured via Active directory.

If users are managed within Imago then account name/password authentication is used. Password restrictions, account expiration and retry/fail attempts are defined according to client requirements. Clients provision and deactivate users directly within Imago.

Data Security and Disaster Recovery

Imagery is stored within Azure blob storage services. These services maintain copies of each image at 3 different physically-separated data centres. Metadata are stored in a SQL database.

As of October, 2019, all imagery and metadata are stored inside Azure’s US West data centre by default. No imagery or metadata are stored externally to this data centre. Upon client request, imagery may be moved to local imago servers temporarily for data clean up, migration or client specific-processing. However, these servers are controlled and are not accessible external to Imago’s local infrastructure. They are not intended as long-term storage.

Data are encrypted at rest.

All records and images are soft deleted. No actual data is permanently deleted without written client authorisation. Continuous backups are performed and archived for 180 days. Imagery can be mirrored on a client’s internal storage if required.

The client owns all imagery. Imago only accesses this imagery to provide services or support to the client. Client data confidentiality is a very high priority to Imago. No imagery is provided to third parties, although internal staff/subcontractors have access if required. All staff/subcontractors are contractually bound to comply with client confidentiality and data disclosure.

Disaster recovery is available 24x7. Coverage is available across 24 time-zones. There is a risk management/recovery plan in place and staff are assigned roles according to this plan. Isolated tests of the recovery plan have been performed successfully.

Imago is not intended to be a mission critical operational system. It only provides an expected 12-hour response to service failure. Imago’s data capture components are designed to continue offline so operational activities are usually not impacted by a failure.

As of October, 2019, there has only been approximately 24 total hours of downtime over a 2 year period. No failures have resulted in a loss of data and most have been resolved within 60 minutes.

Configuring SSO

In order to configure SSO we request you create an app in AD with SAML SSO and export the federation.xml file from it. Send that to us at. We will send you an imago SDP xml file so you can add imago's certificate and endpoints for your site.

Once this is completed we can begin testing.

Conclusion

Each client has specific requirements to data and application security. If they can provide details of these requirements then Imago can evaluate against them to provide either a compliance confirmation or a timeline to compliance estimate.

Imago takes client data confidentiality and cloud security seriously. We are continually refining our security approaches and tools to assure our services.

FAQ

Q: How is administrative access to Imago cloud environment managed? Describe the security controls for privileged access (i.e. VPN, MFA, etc).​
A: Admin access is handled directly through the azure portal with its security controls.

Q: Will implementation require access to Imago APIs? If so, please describe authentication/authorization for API calls.​
A: Imago products uses its own API calls. Every call is controlled through time-limited api tokens issued by the cloud backend for each unique session.

Q: How blob access is controlled? What is the authentication method and what entities are allowed access to it?​
A: All blob storage is kept inside private Azure storage containers. Access is granted via time-limited Azure Shared Access Signatures. These signatures can only be issued by Imago. Clients have no mechanism to generate them.

Q: Are blob accessible to the Internet?​
A: No, unless a time-limited Shared Access Signature is generated.

Q: Are https connections (TLS 1.2 and up) enforced for all connections (intra Azure and external connections)? 
A: Yes

Q: Can you please clarify how the environment components are segregated from each other (i.e different subnets? ​
A: Production containers reside inside an internal private Azure network. Public network endpoints are funneled into a single reverse proxy that has acces to this private network.

Q: Data will be encrypted at rest? How are keys managed? ​
A: Yes. Keys are managed inside an Azure key vault.

Q: How data will be segregated from other tenants? What controls to prevent spill over and unauthorized access? ​
A: Each client has an independent subscription. This subscription segregates all database and storage calls. Over a 1000 security tests are dedicated to ensure separation between subscriptions.

Q: What components are exposed to the Internet (i.e Web Portal)? How traffic is scanned and secured against external threats (i.e WAF?)? 
A: ​Only a single reverse proxy is exposed to the internet. Azure Defender monitors network traffic.

Q: What are the security controls to identify code vulnerabilities and apply patches when required? 
​A: Auditing tools (whitesource, npm audit) are used against cloud and desktop applications.

Q: Is the application scanned regularly by SAST or DAST tools? ​
A: Security audits are performed internally every 4-6 months that include code and production scans.

Q: What is the process for app changes/updates? What is the impact to Imago business operations? ​
A: Imago uses a CI/CD delivery model.

Q: What is the RTO and RPO for Imago solution?  ​
A: To date, recovery times have been satisfied with 1-2 days (or less) when data has been mistakenly archived.

Q: Do DR recovery procedures meet RTO and RPO requirements? 
A: ​To date, yes.

Q: Is there application redundancy in another region? What region? What components are replicated? Is there automatic failover in case of disruption to minimize business process downtime? 
A: ​Image storage is replicated across 3 different geographic locations according to Azure account rules. Azure automatically recovers and switches to alternative regions if needed.

Q: How often are backups performed? Are they encrypted? Are they accessible from the public Internet?
A: Metadata is backed up every hour and kept for 3 years. Image storage automatically maintains blog backups for the last 180 days.