NCSC - SaaS Security Principles - MIDAS Evaluation

The UK's National Cyber Security Centre (NCSC) provides guidance for organizations looking to use, deploy, and understand the risks of adopting Software as a Service (SaaS) applications.

Our MIDAS cloud-hosted SaaS solution was assessed in July 2021 against NCSC's SaaS Security Principles, and we are pleased to publish the results below:

You can view our latest NCSC evaluation here.

Question: Does the SaaS provider protect external data in transit using TLS?
Answer: Yes
Detail: MIDAS uses HTTPS to transmit and receive data. TLS 1.3 (or TLS 1.2 where 1.3 is not supported) is used to encrypt data whilst in transit between MIDAS' servers and the user's browser with "Robust" Forward Secrecy. HTTP Strict Transport Security (HSTS) with a long duration is also deployed.

Question: Does the SaaS provider protect external data in transit using correctly configured certificates?
Answer: Yes
Detail: MIDAS meets the recommended cryptographic profiles for TLS as published by the NCSC. MIDAS currently gets an 'A+' rating from SSL Labs. Note that this test was performed on their top-level domain, and not on all subdomains that may be used for API calls.

Question: Does the SaaS provider protect internal data in transit between services using encryption?
Answer: Unknown
Detail: At this time, it is unknown whether MIDAS protects internal data in transit between services using encryption. However, MIDAS does state that databases are not encrypted at rest.

Question: Does the SaaS provider protect internal data in transit between services using correctly configured certificates?
Answer: Unknown
Detail: At this time, it is unknown whether MIDAS protects internal data in transit using correctly configured certificates.

Question: If APIs are available, does the SaaS provider protect both internal and external APIs through an authentication method?
Answer: Yes
Detail: API access is an optional "addon". If enabled, successful API calls may only be made with an API Key.

Question: If there is a concept of privilege levels in the service, does the SaaS provider have the ability for low privilege users to be created?
Answer: Yes
Detail: MIDAS offers a range of account "roles" and has extensive user permissions.

Question: If there is a concept of privilege levels, does the SaaS provider provide 2FA/multi-factor authentication on at least the high privileged accounts?
Answer: Yes
Detail: MIDAS offers 2 Factor Authentication (2FA), which may be enabled for all user accounts. When enabled, users are required to enter a one-time code sent to their registered email address in order to complete their login.

Question: Does the SaaS provider collect logs of events? (Types of log may include security logs and resource logs.)
Answer: Yes
Detail: Each MIDAS system records all activity taking place within the system, including successful and failed logins. Each entry in the log is timestamped and attributed to the user who performed the action (where applicable). Logs are typically kept for a period of 30 days, but this is configurable in each MIDAS system.

Question: Does the provider make logs available to the client?
Answer: Yes
Detail: User accounts granted the "Can use Activity Tracking" privilege can view the Recent Activity Log for their MIDAS system.

Question: Does the SaaS provider have a clear incident response and patching system in place to remedy any publicly reported issues in their service, or in libraries that the service makes use of? (The provider's previous track record on this is a good metric for how they will cope with a new issue occurring.)
Answer: Yes
Detail: MIDAS have a dedicated Security Center, in which they encourage security researchers to responsibly disclose any security or vulnerability concerns. MIDAS will then correspond with the reporter until the issue is resolved. A security changelog is also published.

Question: Does the SaaS provider give clear and transparent details on their product and the implemented security features (i.e. how easy has it been to answer the above questions)?
Answer: Yes
Detail: MIDAS publishes the majority of the answers to the above security questions. They have recently launched a dedicated Security Center, providing additional security information, security changelogs, and audit reports.
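The first two rows above make three checkable claims about transport security: TLS 1.2 or 1.3 only, forward-secret key exchange, and a long-duration HSTS policy, with the caveat that the SSL Labs test covered only the top-level domain and not API subdomains. The following checker, an added example rather than MIDAS or NCSC code, evaluates constructed observations against those claims; the one-year HSTS threshold and the hostnames are assumptions, not values from the page.

```python
"""Offline evaluator for the transport-security claims in the NCSC table above.
Added example; inputs are constructed, not measurements of any real host."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ONE_YEAR = 31_536_000          # assumed threshold for a "long duration" HSTS max-age
ACCEPTED_VERSIONS = {"TLSv1.2", "TLSv1.3"}

@dataclass
class Observation:
    host: str
    tls_version: str            # as returned by ssl.SSLSocket.version(), e.g. "TLSv1.3"
    cipher: str                 # negotiated suite in OpenSSL or IANA naming
    hsts_header: Optional[str]  # Strict-Transport-Security value, or None if absent

def has_forward_secrecy(tls_version: str, cipher: str) -> bool:
    # Every TLS 1.3 suite uses an ephemeral (EC)DHE exchange; a TLS 1.2 suite
    # only does so if its name says DHE/ECDHE (static RSA or ECDH do not).
    return tls_version == "TLSv1.3" or "DHE" in cipher.upper()

def parse_hsts(value: str) -> Tuple[Optional[int], bool]:
    """Return (max_age seconds or None, includeSubDomains present)."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def evaluate(obs: Observation) -> List[str]:
    """Return one finding per failed claim; an empty list means all claims hold."""
    findings = []
    if obs.tls_version not in ACCEPTED_VERSIONS:
        findings.append(f"{obs.host}: negotiated {obs.tls_version}; only TLS 1.2/1.3 accepted")
    if not has_forward_secrecy(obs.tls_version, obs.cipher):
        findings.append(f"{obs.host}: suite {obs.cipher} lacks forward secrecy")
    if obs.hsts_header is None:
        findings.append(f"{obs.host}: no Strict-Transport-Security header")
    else:
        max_age, include_sub = parse_hsts(obs.hsts_header)
        if max_age is None or max_age < ONE_YEAR:
            findings.append(f"{obs.host}: HSTS max-age {max_age} is below one year")
        if not include_sub:
            findings.append(f"{obs.host}: HSTS lacks includeSubDomains, so API subdomains are uncovered")
    return findings

SAMPLES = [  # constructed: a well-configured web front end and a weaker API host
    Observation("app.example.test", "TLSv1.3", "TLS_AES_256_GCM_SHA384",
                "max-age=63072000; includeSubDomains; preload"),
    Observation("api.example.test", "TLSv1.2", "AES256-GCM-SHA384", "max-age=300"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        for line in evaluate(sample) or [f"{sample.host}: all transport claims hold"]:
            print(line)
```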