Security and morbit

Created by Tim Kefford, Modified on Tue, 14 Jan at 3:49 PM by Tim Kefford

Introduction

As a cloud application provider, we at morbit are very aware of how important security is to our customers. We have therefore taken precautions to ensure not only that our platform is secure by design, but also that we share with our customers what we have done. In summary, we use the same levels of encryption as internet banking applications.

This document will provide the security information on the web portal, servers, data in transit, data in storage and our GDPR statement.

Web portal

Intrusion and vulnerability scanning

Our application is regularly scanned by these intrusion and vulnerability checkers:

Certificates

Our site is only available to you via HTTPS. Any HTTP attempts will be redirected to HTTPS. Our certificates have the following encryption methods available:

TLS Protocol

Protocol – TLS v1.2 and v1.3 only

TLS Ciphers

  • TLS-AES-128-GCM-SHA256 (TLS v1.3)
  • TLS-AES-256-GCM-SHA384 (TLS v1.3)
  • TLS-CHACHA20-POLY1305-SHA256 (TLS v1.3)
  • ECDHE-ECDSA-AES128-GCM-SHA256 (TLS v1.2)
  • ECDHE-RSA-AES128-GCM-SHA256 (TLS v1.2)
  • ECDHE-ECDSA-AES256-GCM-SHA384 (TLS v1.2)
  • ECDHE-RSA-AES256-GCM-SHA384 (TLS v1.2)
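The protocol and cipher policy above (TLS 1.2 and 1.3 only, seven AEAD suites, the same list that applies to Hub traffic under "Data in transit") can be expressed as a client-side TLS context and then checked rather than assumed. The following is an added example using only Python's standard `ssl` module; it is not morbit's code, and the function names and the allowlist constant are assumptions made here. It shows one point the list alone does not: `set_ciphers()` governs TLS 1.2 suites only, while the three TLS 1.3 suites are controlled separately by OpenSSL and stay enabled by default, which matches the published list.

```python
"""Build a TLS context matching the stated policy and verify what it enables."""
import ssl
from typing import List

# The seven suites from the security statement. The page spells the TLS 1.3
# suites with hyphens; OpenSSL reports them with underscores, so names are
# normalised before comparison.
ALLOWED_SUITES = {
    "TLS-AES-128-GCM-SHA256",
    "TLS-AES-256-GCM-SHA384",
    "TLS-CHACHA20-POLY1305-SHA256",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
}

# OpenSSL cipher string for the TLS 1.2 suites only (TLS 1.3 suites are not
# part of this string; see build_policy_context).
TLS12_CIPHER_STRING = ":".join(
    sorted(s for s in ALLOWED_SUITES if not s.startswith("TLS-"))
)


def normalise(name: str) -> str:
    """Map OpenSSL's TLS_AES_128_GCM_SHA256 onto the page's TLS-AES-128-GCM-SHA256 form."""
    return name.replace("_", "-").upper()


def build_policy_context(purpose: ssl.Purpose = ssl.Purpose.SERVER_AUTH) -> ssl.SSLContext:
    """Context that negotiates only TLS 1.2/1.3 and only the listed suites."""
    ctx = ssl.create_default_context(purpose)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    # Restrict the TLS 1.2 suites. OpenSSL keeps its default TLS 1.3 suites
    # (AES-128-GCM, AES-256-GCM, CHACHA20-POLY1305) enabled, which is exactly
    # the TLS 1.3 portion of the policy.
    ctx.set_ciphers(TLS12_CIPHER_STRING)
    return ctx


def build_legacy_context() -> ssl.SSLContext:
    """Constructed counter-example: a broad cipher list that the policy rejects."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("HIGH:!aNULL:!MD5")  # includes CBC and RSA-key-exchange suites
    return ctx


def enabled_suites(ctx: ssl.SSLContext) -> List[str]:
    """Names of every suite the context would offer, in the page's spelling."""
    return [normalise(c["name"]) for c in ctx.get_ciphers()]


def policy_violations(ctx: ssl.SSLContext) -> List[str]:
    """Enabled suites or settings outside the policy; an empty list means compliant."""
    violations = [name for name in enabled_suites(ctx) if name not in ALLOWED_SUITES]
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        violations.append(f"minimum protocol version {ctx.minimum_version.name} is below TLSv1_2")
    return violations


if __name__ == "__main__":
    policy = build_policy_context()
    print("policy context enables:", enabled_suites(policy))
    print("policy violations:", policy_violations(policy))
    print("legacy context violations:", policy_violations(build_legacy_context()))
```

`policy_violations()` reads back what OpenSSL will actually offer via `get_ciphers()`, so a typo in the cipher string or a build that silently drops a suite shows up as a difference from the published list rather than going unnoticed until a handshake fails.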

Passwords

For security purposes we have implemented strong password requirements. These are mandatory and are:

  • Passwords must meet complexity requirements (at least three of the four character classes – upper case, lower case, numeric, symbol/international) and have a minimum length of 10 characters
  • 30-minute temporary account lockout after 3 incorrect access attempts
  • Account access is audited and maintained for a minimum of 3 months
  • Accounts are provided per user
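The first two rules above are concrete enough to implement and test. The following is an added example written for this page, not morbit's code; it assumes that "symbol/international" means any character that is not an ASCII letter or digit, and the function and class names are its own. It checks the three-of-four-classes and 10-character rules, reports which classes are missing, and models the 30-minute lockout after 3 failures with an injectable clock so the timing can be exercised without waiting.

```python
"""Password complexity and account-lockout checks modelled on the stated rules."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List

MIN_LENGTH = 10            # "a minimum length of 10 characters"
MIN_CLASSES = 3            # "at least three of the four character classes"
MAX_FAILED_ATTEMPTS = 3    # "after 3 incorrect access attempts"
LOCKOUT = timedelta(minutes=30)


def character_classes(password: str) -> Dict[str, bool]:
    """Which of the four classes the password contains.

    Assumption: the 'symbol/international' class is any character that is not
    an ASCII letter or digit, so punctuation, spaces and non-ASCII letters all
    count towards it.
    """
    def ascii_alnum(c: str) -> bool:
        return c.isascii() and c.isalnum()

    return {
        "upper": any(c.isascii() and c.isupper() for c in password),
        "lower": any(c.isascii() and c.islower() for c in password),
        "numeric": any(c.isascii() and c.isdigit() for c in password),
        "symbol_or_international": any(not ascii_alnum(c) for c in password),
    }


def password_problems(password: str) -> List[str]:
    """Human-readable reasons the password fails policy; empty means acceptable."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = character_classes(password)
    present = sum(classes.values())
    if present < MIN_CLASSES:
        missing = ", ".join(name for name, ok in classes.items() if not ok)
        problems.append(f"only {present} of 4 character classes (missing: {missing})")
    return problems


def password_is_acceptable(password: str) -> bool:
    return not password_problems(password)


class FakeClock:
    """Constructed clock for exercising lockout timing; not a real time source."""

    def __init__(self) -> None:
        self.now = datetime(2024, 1, 1, tzinfo=timezone.utc)

    def __call__(self) -> datetime:
        return self.now

    def advance(self, minutes: float) -> None:
        self.now += timedelta(minutes=minutes)


@dataclass
class LockoutTracker:
    """Temporary lockout after MAX_FAILED_ATTEMPTS consecutive failures."""
    clock: Callable[[], datetime] = field(default=lambda: datetime.now(timezone.utc))
    failures: Dict[str, int] = field(default_factory=dict, init=False)
    locked_until: Dict[str, datetime] = field(default_factory=dict, init=False)

    def is_locked(self, user: str) -> bool:
        until = self.locked_until.get(user)
        return until is not None and self.clock() < until

    def record_failure(self, user: str) -> bool:
        """Count a failed attempt; return True when this one triggers the lockout."""
        count = self.failures.get(user, 0) + 1
        if count >= MAX_FAILED_ATTEMPTS:
            self.locked_until[user] = self.clock() + LOCKOUT
            self.failures[user] = 0  # counter restarts once the lockout expires
            return True
        self.failures[user] = count
        return False

    def record_success(self, user: str) -> None:
        """A successful login clears the failure counter and any lockout."""
        self.failures.pop(user, None)
        self.locked_until.pop(user, None)


if __name__ == "__main__":
    for candidate in ("Correct-Horse9", "alllowercase", "Straßenbahn12"):
        print(candidate, password_problems(candidate) or "acceptable")
    clock = FakeClock()
    tracker = LockoutTracker(clock=clock)
    for _ in range(3):
        tracker.record_failure("alice")
    print("locked now:", tracker.is_locked("alice"))
    clock.advance(31)
    print("locked after 31 minutes:", tracker.is_locked("alice"))
```

The login flow a service would wrap around this is: reject the attempt outright while `is_locked()` is true, call `record_failure()` on a bad credential and `record_success()` on a good one. Because the lockout is time-based rather than cleared by an administrator, the expiry in `is_locked()` is computed from the injected clock, which is what makes the behaviour testable.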

Multi-factor Authentication (MFA)

We provide the ability to restrict user access to MFA logins only. With support for the Microsoft and Google Authenticator applications, you can either enforce MFA for your users or make it optional.

However, we recommend that all customers enforce MFA for logins, for the following benefits:

  • Protection from phishing attacks and credential theft
  • Compliance with industry standards and regulations
  • Improved user confidence in the site security

Server Security

Our servers run the latest security patches, which are applied at least monthly to ensure we remain up to date with OS releases. These servers are hosted in AWS Ireland.

The OS has been locked down further with the use of the Microsoft Security Baseline tool. Precise details can be provided upon considered request.

Morbit Hub

The Morbit Hub is a Windows Service that runs on the local LAN. It can be deployed multiple times on a subnet to ensure service resilience. It runs as an API engine that currently supports the following protocols:

  • REST API
  • SNMP
  • SSH
  • Telnet
  • WMI

The Hub enables users to interact using the local API of on-premises devices to allow monitoring and management. Some common scenarios are shown below:



All instructions sent to the Hub over HTTPS are managed via the Morbit Cloud, and data is processed on the Hub before being sent to the Cloud. This ensures only authorised data is sent to the service. The way this is done is covered by a granted patent, so you can read about the entire process of device discovery and data handling here: https://www.ipo.gov.uk/p-ipsum/Case/ApplicationNumber/GB1902637.6.

The host operating system of the Morbit Hub must be Windows 10 version 1607 or later, or Windows Server 2016 or later. This ensures that TLS 1.2, the minimum version our service will function with, is natively supported, although TLS 1.3 is preferred with later operating systems.

Connected Devices

Connected Devices must be enabled on a company-by-company basis. Once enabled, each Hub in a network must be manually activated to allow the feature, via a PowerShell script run locally on the Hub host computer. This ensures only authorised persons may activate the feature.

The security behind the Connected Devices has been architected to ensure several steps are taken to prevent unauthorised access to devices and equipment:

Even when access to the on-premises device is made, the local security and authentication of that device still applies to grant or deny access.

Data in transit

Public internet

All traffic from your networks to us is sent via HTTPS using your morbit hub. This communication has the following encryption applied:

TLS Protocol

Protocol – TLS v1.2 and v1.3 only

TLS Ciphers

  • TLS-AES-128-GCM-SHA256 (TLS v1.3)
  • TLS-AES-256-GCM-SHA384 (TLS v1.3)
  • TLS-CHACHA20-POLY1305-SHA256 (TLS v1.3)
  • ECDHE-ECDSA-AES128-GCM-SHA256 (TLS v1.2)
  • ECDHE-RSA-AES128-GCM-SHA256 (TLS v1.2)
  • ECDHE-ECDSA-AES256-GCM-SHA384 (TLS v1.2)
  • ECDHE-RSA-AES256-GCM-SHA384 (TLS v1.2)

Your LAN

All traffic on your LAN uses the security of your network. If you have implemented IPSec on your Windows server hosting the hub, our hub will use that.

Microsoft Teams services

Users of the MS Teams module are not required to deploy any morbit software on their network. Our access into the service is via the Microsoft Graph API. This is diagrammed below:


To do this, you will need to register an application in Azure with access to the Microsoft Graph API and relevant permission roles. These permissions are further documented in our Microsoft Teams Service Description document - available here.

Sensitive Data

Our database backend is on a private network and inaccessible from the internet. To ensure the security of your data, all sensitive data is encrypted, including but not limited to:

  • All usernames
  • All passwords
  • Cisco Endpoints:
    • Login credentials
  • Poly Endpoints:
    • Login credentials
  • Call Details:
    • All participant display names
    • Video addresses
  • Teams Tenant:
    • Tenant ID
    • Tenant
    • Client ID
    • Client Secret
  • Teams Users:
    • User Principal Name (UPN)
    • Email address
    • Display name
    • Job title
    • Given name
    • Surname
    • Office location
    • Preferred language
  • Neat Pulse API (optional feature)
    • Organisation ID
    • Token

GDPR

Morbit respects your privacy and is committed to protecting your personal data. For our latest privacy policy and GDPR information, please go to www.morbit.co.uk/privacy-policy.

Further information

We realise that you may have further questions about our security, so feel free to contact us on the details shown on the last page.
