Security
efoil Security
- efoil employs advanced security techniques and business practices at
every level to ensure the security and integrity of customer data.
- efoil constantly reviews its practices and the current state of the
art to ensure that the highest levels of security are maintained.
- efoil directly manages all aspects of its security.
Internet Connection Security
SSL
All connections to efoil are protected by 128-bit SSL encryption.
User Passwords
efoil does not store user passwords either in its database or on the
user’s PC. Instead, efoil stores only an MD5 hash of the user’s password in
efoil’s database. MD5 hashes are non-reversible, and as a result, efoil has
no method of determining user passwords. User passwords are never stored on
a user’s PC by efoil’s software.
Passwords are never transmitted to efoil. Instead, efoil employs a
multi-step login process using MD5 hash values and unique one-time random
identifiers that eliminates the need to transmit passwords and works to
prevent man-in-the-middle attacks.
Session Control
efoil uses a randomly generated temporary cookie to identify user PCs and
page requests during a session. The cookie contains no information, and is
used solely as a temporary identifier of each efoil web page request on the
user’s PC. At the end of the user session, the temporary session cookies are
deleted from the user PC’s memory.
Intrusion Detection
efoil logs and reviews all accesses of
servers, and employs third-party providers to supply additional
real-time detection and blocking of attacks and intrusions.
Security Review
efoil employs third parties to carry out
frequent security testing.
Data Encryption
All databases on the efoil system, both when in operation and when backed
up, are stored on encrypted storage media at all times. Industry standard
encryption algorithms are used, in combination with military-grade
encryption keys.
All passwords and encryption keys to efoil servers and encryption software
are stored on separate devices using specialized software employing industry
standard encryption. Passwords and encryption keys are not stored on
the encrypted hardware and are not written to temporary files. Direct
physical access to efoil hardware and software systems does not provide
access to any customer data.
Employees
Access to efoil hardware and software, and distribution of encryption
keys, is strictly limited to a select number of efoil employees. efoil
manages its systems and software in-house.
Network Design
efoil uses internal non-routable IP addresses, internal firewalls and
other techniques to block unauthorized access to efoil database servers.
efoil database servers are not accessible from the Internet. All
transactions with efoil database servers are transmitted through secure
efoil web servers.
Hardware Reliability
efoil’s system consists of multiple redundant servers simultaneously
carrying out all functions, as well as a duplicate remote near-online system
that can be on-line in minutes in case of a primary site failure.
Backup
All data is simultaneously recorded to
multiple servers, providing instantaneous backup of all data. Data
is remotely backed up hourly.
Application Security
Hierarchical Security Model
efoil’s application security model is hierarchical.
efoil’s system will not provide a requested page until it confirms that the
requesting user is authorized at each level of the hierarchical chain leading to
the requested page. This methodology prevents users from penetrating efoil’s
application security by requesting specific pages out of context.
SQL Injection Attacks
efoil’s system audits user provided information and uses other techniques
to block SQL injection attacks.
Operating System Reliability
Setup, Patch Levels
efoil maintains all server software and
hardware firmware at the latest patch levels, after an appropriate
review and test of each patch. Servers are hardened by extensive
setup procedures that disable and/or remove all unnecessary users,
protocols and processes.
Passwords
efoil's system protects all operating system accounts with strong
passwords, which are unique to each account and server.
Auditing
User Tracking
efoil’s system logs all accesses to the efoil software by user. efoil
customers can track and review all activities by their users on the efoil
system.
Database Changes
All changes to and views of user data are
logged by the efoil system and are accessible to efoil customers in real
time. Audit information tracks all accesses of jointly shared data, enabling
each party with access to jointly shared data to determine which other
parties have accessed or changed jointly shared data.