Security Insight: Read our blog post on the evolution of Password Storage in MIDAS

NCSC - SaaS Security Principles - MIDAS Evaluation

The UK's National Cyber Security Center (NCSC) provide guidance for organizations looking to use, deploy, and understand the risks of adopting Software as a Service (SaaS) applications.

Our MIDAS cloud-hosted SaaS solution was assessed in July 2020 against NCSC's SaaS Security Principles, and we are pleased to publish the results below:

Question Answer Detail
Does the SaaS provider protect external data in transit using TLS? Yes MIDAS uses HTTPS to transmit and receive data. TLS 1.3 (or TLS 1.2 where 1.3 is not supported) is used to encrypt data whilst in transit between MIDAS' servers and the user's browser with "Robust" Forward Secrecy. HTTP Strict Transport Security (HSTS) with long duration is also deployed.
Does the SaaS provider protect external data in transit using correctly configured certificates? Yes MIDAS meets the recommended cryptographic profiles for TLS as published by the NCSC. MIDAS currently gets an 'A+' rating from SSL Labs. Note that this was performed on their top level domain, and not all subdomains that may be used for API calls.
Does the SaaS provider protect internal data in transit between services using encryption? Unknown At this time, it is unknown whether MIDAS protects internal data in transit between services using encryption. However, MIDAS does state that databases are not encrypted at rest.
Does the SaaS provider protect internal data in transit between services using correctly configured certificates? Unknown At this time, it is unknown whether MIDAS protects internal data in transit using correctly configured certificates.
If APIs are available, does the SaaS provider protect both internal and external APIs through an authentication method? Yes API access is an optional "addon". If enabled, successful API calls may only be made with an API Key
If there is a concept of privilege levels in the service, does the SaaS provider have the ability for low privilege users to be created? Yes MIDAS offers a range of account "roles" and has extensive user permissions.
If there is a concept of privilege levels, does the SaaS provider provide 2FA/multi-factor authentication on at least the high privileged accounts? Yes MIDAS offers 2 Factor Authentication (2FA) which may be enabled for all user accounts. When enabled, users are required to enter a one-time code sent to their registered email address in order to complete their login.
Does the SaaS provider collect logs of events?
Types of log may include security logs and resource logs
Yes Each MIDAS system records all activity taking place within the system - in including successful and failed logins. Each entry in the log is timestamped and attributed to the user who performed the action (where applicable). Logs are typically kept for a period of 30 days, but this is configurable in each MIDAS system.
Does the provider make logs available to the client? Yes User accounts granted the "Can use Activity Tracking" privilege can view the Recent Activity Log for their MIDAS system.
Does the SaaS provider have a clear incident response and patching system in place to remedy any publicly reported issues in their service, or libraries that the service makes use of?
The provider's previous track record on this is a good metric to see how they'll cope with a new issue occurring.
Yes MIDAS have a dedicated Security Center, in which they encourage security researchers to responsibly disclose any security or vulnerability concerns. MIDAS will then correspond with the reporter until the issue is resolved. A security changelog is also published.
Does the SaaS provider give clear and transparent details on their product and the implemented security features (i.e. how easy has it been to answer the above questions) ? Yes MIDAS publishes the majority of the answers to the above security questions. They have recently launched a dedicated Security Center, providing additional security information, security changelogs, and audit reports.