NCSC - SaaS Security Principles - MIDAS Evaluation
The UK's National Cyber Security Centre (NCSC) provides guidance for organizations looking to use, deploy, and understand the risks of adopting Software as a Service (SaaS) applications. Our MIDAS cloud-hosted SaaS solution was assessed in July 2022 against the NCSC's SaaS Security Principles, and we are pleased to publish the results below.
You can view the previous NCSC evaluation (from July 2021) here.
Question | Answer | Detail |
Does the service protect external data in transit over the Internet between the user and service, using TLS? | Yes | MIDAS uses HTTPS to transmit and receive data. TLS 1.3 (or TLS 1.2 where 1.3 is not supported) is used to encrypt data in transit between MIDAS' servers and the user's browser, with "Robust" forward secrecy. HTTP Strict Transport Security (HSTS) with a long max-age is also deployed. |
Does the service protect external data in transit using correctly configured certificates, as described in NCSC's TLS guidance? | Yes | MIDAS meets the recommended cryptographic profiles for TLS as published by the NCSC. MIDAS currently receives an 'A+' rating from SSL Labs. Note that this rating was obtained for the main MIDAS domain; not all subdomains that may be used for API calls were tested. |
Does the service encrypt data when at rest? | Yes | As of 4 July 2021, all cloud-hosted customers' databases are encrypted at rest. |
If APIs are available, are internal and external APIs protected by authentication? | Yes | API access is an optional add-on. If enabled, successful API calls may only be made with a valid API key. |
Can 2FA be mandated for all users? | Yes | MIDAS offers two-factor authentication (2FA), which may be enabled for all user accounts. When enabled, users must enter a one-time code sent to their registered email address in order to complete their login. Because the second factor is delivered by email, its strength depends on the security of each user's mailbox. |
If there is a concept of privilege levels, do you at least make 2FA/multi-factor authentication available on high privileged accounts? | Yes | The 2FA option in MIDAS is a global setting. If enabled, it applies to all user accounts within a given MIDAS system. |
Does the service support Single Sign-On to my organisation's identity provider? | Partial | Only self-hosted MIDAS systems licensed for "Unlimited" users can be configured to allow Single Sign-On (SSO) via Active Directory authentication. |
Does the service have the concept of privileged administrative users that can alter configurations, and standard users that cannot? | Yes | An extensive range of user permissions can be assigned on a per-account basis. This allows the creation of full administrative users right down to very restricted "view only" users. |
Does the service collect security logs? | Yes | Each MIDAS system records all activity taking place within the system, including successful and failed logins. Each log entry is timestamped and attributed to the user who performed the action (where applicable). Logs are typically kept for 30 days, but the retention period is configurable in each MIDAS system. In addition, server access, firewall, and email logs are kept at the server level. |
Do you make security logs available to the customer? | Yes | Each MIDAS system's "Recent Activity Log" is accessible to all users in that MIDAS system who have been granted permission to view the log. As a general rule, root server logs (i.e. server access, firewall, email, etc.) are not made available to customers, as numerous customers' MIDAS systems may reside on each root server. |
Do you have an incident response process? | Yes | MIDAS has a dedicated Security Center, in which security researchers are encouraged to responsibly disclose any security or vulnerability concerns. MIDAS will then correspond with the reporter until the issue is resolved. A security changelog is also published. |
Do you have a policy for applying security updates in response to publicly reported issues in your service, or libraries that the service uses? | Yes | Server software is automatically kept up to date by the vendor. Where security issues within MIDAS are reported, they are quickly assessed and, where necessary, an update or patch is made available, typically within 24 hours of a confirmed report. |
Do you have a vulnerability disclosure process? | Yes | MIDAS publishes vulnerability disclosure reporting guidelines, in which security researchers are encouraged to responsibly disclose any security or vulnerability concerns. MIDAS will then correspond with the reporter until the issue is resolved. A security changelog is also published. |
Do you publish a privacy policy? | Yes | See https://mid.as/legal. |
Can you tell me where my data will be processed and stored? | Yes | See Where is my data stored if I choose a "cloud hosted" MIDAS system?. |
How easy has it been to answer the other questions in this assessment? | - | These answers are published at https://security.midas.network/ncsc-evaluation. |
Have the answers you've needed been published on their website? This could be in a security whitepaper or the report from an independent audit. | - | These answers are published at https://security.midas.network/ncsc-evaluation. Additional security audits / reports are published at https://security.midas.network/audits. |
Do you publish a good-practice security guide that explains how to use the service's security features well? | Yes | See Tips for keeping your MIDAS system secure. |
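The TLS rows in the table above state that MIDAS negotiates TLS 1.3 (or 1.2) with forward secrecy and sends a long-duration HSTS header, but also note that the SSL Labs rating covered the main domain and not every subdomain used for API calls. The script below is an added example, not part of the original evaluation and not MIDAS's own tooling: it connects to each host named on the command line, records the negotiated protocol and cipher suite, decides whether that suite gives forward secrecy, and parses the Strict-Transport-Security header. The one-year max-age threshold is an assumption made here (it is the value hstspreload.org requires), not a figure taken from the page, and the hostnames are placeholders you supply.

```python
"""Check the TLS posture of one or more HTTPS hosts: protocol version,
forward secrecy of the negotiated suite, and HSTS max-age.

Added example for the NCSC evaluation page above; not MIDAS code.
"""
import ssl
import sys
from http.client import HTTPSConnection

ACCEPTED_PROTOCOLS = ("TLSv1.2", "TLSv1.3")
# Assumed threshold: one year, the minimum hstspreload.org accepts.
MIN_HSTS_MAX_AGE = 31536000


def parse_hsts(header):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1).

    Directive names are case-insensitive and max-age may be quoted.
    Returns {} when the header is absent, otherwise a dict with the
    max-age (int or None if missing/invalid) and the two boolean flags.
    """
    if not header:
        return {}
    out = {"max-age": None, "includesubdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            out["max-age"] = int(value)
        elif name in ("includesubdomains", "preload"):
            out[name] = True
    return out


def hsts_is_strong(header, min_age=MIN_HSTS_MAX_AGE):
    """True only if HSTS is present with a valid max-age >= min_age."""
    d = parse_hsts(header)
    return bool(d) and d["max-age"] is not None and d["max-age"] >= min_age


def has_forward_secrecy(protocol, cipher):
    """True when the suite uses ephemeral (EC)DHE key exchange.

    TLS 1.3 suite names (e.g. TLS_AES_256_GCM_SHA384) carry no key-exchange
    token because 1.3 only permits ephemeral exchange. For TLS 1.2 both
    OpenSSL names (ECDHE-RSA-AES128-GCM-SHA256) and IANA names
    (TLS_DHE_RSA_WITH_AES_128_GCM_SHA256) are recognised; a bare
    RSA-key-exchange suite such as AES256-GCM-SHA384 is not forward secret.
    """
    if protocol == "TLSv1.3":
        return True
    name = cipher.upper()
    if name.startswith("TLS_"):
        name = name[4:]
    return name.startswith(("ECDHE", "DHE"))


def assess(protocol, cipher, hsts_header):
    """Combine the three checks into pass/fail findings for one endpoint."""
    return {
        "protocol_ok": protocol in ACCEPTED_PROTOCOLS,
        "forward_secrecy": has_forward_secrecy(protocol, cipher),
        "hsts_ok": hsts_is_strong(hsts_header),
    }


def probe(host, port=443, path="/", timeout=10):
    """Handshake with the system trust store (so certificate validation must
    pass), read the negotiated protocol and cipher off the socket, then send
    a HEAD request to collect the HSTS header."""
    conn = HTTPSConnection(host, port, timeout=timeout,
                           context=ssl.create_default_context())
    try:
        conn.connect()
        protocol = conn.sock.version()
        cipher = conn.sock.cipher()[0]
        conn.request("HEAD", path)
        hsts = conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()
    result = {"host": host, "protocol": protocol, "cipher": cipher, "hsts": hsts}
    result.update(assess(protocol, cipher, hsts))
    return result


if __name__ == "__main__":
    # Hostnames are placeholders: pass the web UI host and every API host.
    if len(sys.argv) < 2:
        sys.exit("usage: tls_check.py HOST [HOST ...]")
    for host in sys.argv[1:]:
        try:
            r = probe(host)
        except (OSError, ssl.SSLError) as exc:
            print(f"{host}: FAIL (connection/handshake error: {exc})")
            continue
        ok = r["protocol_ok"] and r["forward_secrecy"] and r["hsts_ok"]
        print(f"{host}: {'PASS' if ok else 'FAIL'} {r['protocol']} "
              f"{r['cipher']} HSTS={r['hsts']!r}")
```

Run it against the web UI host and each API subdomain, e.g. `python tls_check.py app.example.org api.example.org`. It reports what the server negotiates with a modern client; it does not reveal whether the server would also accept TLS 1.0/1.1 or non-ephemeral suites from a legacy client, which is what the SSL Labs scan probes, so treat a PASS here as necessary rather than sufficient.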