
Security

Lars Kemmann edited this page Mar 17, 2023 · 1 revision

CareTogether relies on several key elements to safeguard organizational data and user privacy.

Shared Responsibility Model

Like any hosted service, CareTogether expects organizations using it to understand the shared responsibility model that applies to this CMS. While CareTogether follows best practices to protect against numerous threat vectors, organizations need to be aware of the scope of threats that they themselves are responsible for protecting against. CareTogether's design keeps these organizational responsibilities consistent with what an organization would expect to be responsible for with any hosted service. Specifically:

  • CareTogether relies on Azure's industry-leading infrastructure security practices to safeguard the platform on which CareTogether itself runs (servers, disks, networking equipment, various software services, etc.).
  • CareTogether itself is responsible for implementing a secure application design, routinely scanning for and patching vulnerabilities in its application components and any dependencies, and regularly assessing its security posture to ensure continuous improvement.
  • Organizations need to ensure responsible use of the CMS platform by their users. While it is infeasible for organizations to require security best practices of all their end users (e.g., volunteers), organizations share with CareTogether the responsibility to encourage and promote secure user behavior: using unique, strong passwords; keeping the email, phone, or other accounts used for authentication secure (e.g., advising strong passwords on social media accounts if users choose social logins for single sign-on to CareTogether); and accessing CareTogether only from reasonably secure desktop or mobile devices. Organizations have further responsibilities for staff and other higher-privileged users: maintaining good login practices (no sharing of one login identity among multiple users), providing adequate security training and guidance, adequately securing organizational email accounts and other organizational identities, and ensuring that all CareTogether access happens on reasonably secure desktop or mobile devices.
  • Organizations need to configure user access policies correctly. CareTogether can provide support (including training and reviews) to assist with this, but ultimately the choice of how to configure user access policies is up to each organization. Organizations should test their configuration (for example, by signing in as a user in each role and confirming which records that user can view and edit) to assure themselves that it does what they intend.

Identity Protection

The application requires all end-user requests to be authenticated against a federated identity provider using OAuth 2.0 and OpenID Connect. These protocols are implemented with an industry-standard library (MSAL, the Microsoft Authentication Library) so that the authentication interactions are secure. The identity provider, Azure AD B2C, implements Microsoft's best practices for account protection, including in the customizations made to it. In addition, data access requests to the OData API are permitted for analytics purposes (e.g., to share data with Power BI or similar tools) but require a secure API key (a shared secret, which should be handled with the same care as a password and rotated if exposed). Finally, all backend access to the Azure resources on which the application is hosted is authenticated and protected by Azure AD or by a secure deployment integration with GitHub.
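As an added illustration (not CareTogether's own code; the project uses MSAL and Azure AD B2C as described above), the following Python shows the checks a resource server must perform on an OpenID Connect access token before trusting it, plus a constant-time comparison for a shared-secret API key such as the OData key. To run offline it signs tokens with HS256 and a constructed key; Azure AD B2C tokens are RSA-signed (RS256) and are verified against the provider's published signing keys, but the claim checks (pinned algorithm, issuer, audience, validity window) are the same. The issuer, audience, key and claims below are all constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Mint a token for the examples (the identity provider does this in real use).
    alg="none" produces an unsigned token so that its rejection can be demonstrated."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(claims).encode()))
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


class TokenError(Exception):
    """Any reason the token must be rejected."""


def validate_token(token: str, key: bytes, issuer: str, audience: str,
                   now: Optional[float] = None, skew: int = 60) -> dict:
    """Verify the signature and the claims a resource server must check; return the claims."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError) as exc:
        raise TokenError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise TokenError("malformed token")

    # 1. Pin the algorithm instead of honouring the header's "alg" (this defeats alg=none
    #    and key-confusion attacks). In production: RS256 with the provider's JWKS key.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected signing algorithm")
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, sig):
        raise TokenError("bad signature")

    # 2. Issuer and audience must match exactly: a validly signed token minted by another
    #    tenant, or for another application, is still the wrong token for this API.
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("wrong audience")

    # 3. Validity window, with a small allowance for clock skew between issuer and API.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + skew:
        raise TokenError("token expired or has no expiry")
    nbf = claims.get("nbf", 0)
    if not isinstance(nbf, (int, float)) or now < nbf - skew:
        raise TokenError("token not yet valid")
    return claims


def is_valid(token: str, key: bytes, issuer: str, audience: str,
             now: Optional[float] = None) -> bool:
    try:
        validate_token(token, key, issuer, audience, now)
        return True
    except TokenError:
        return False


def check_api_key(presented: str, expected: str) -> bool:
    """Constant-time comparison for a shared-secret API key (e.g. the OData key),
    so that response timing does not reveal how many leading characters matched."""
    return hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample values; none of these belong to a real tenant.
    KEY = b"constructed-demo-signing-key"
    ISS = "https://example.b2clogin.com/example-tenant/v2.0/"
    AUD = "api://caretogether-demo"
    token = make_token({"iss": ISS, "aud": AUD, "exp": time.time() + 600, "sub": "user-1"}, KEY)
    print("subject:", validate_token(token, KEY, ISS, AUD)["sub"])
    print("expired rejected:", not is_valid(make_token({"iss": ISS, "aud": AUD, "exp": 0}, KEY), KEY, ISS, AUD))
```

The order of the checks matters: the signature is verified before any claim is read so that nothing in an unsigned or forged payload influences the decision, and the audience check is what stops a token legitimately issued for a different application in the same B2C tenant from being accepted here.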

Privacy Protection

Standard least-privilege patterns restrict backend access to authorized sysadmins only. The application itself provides a rich authorization model that lets organizations configure user access according to their own policies and procedures; in particular, all viewing and editing of records (family or community data) is filtered through this authorization model. Organizational data is also kept in isolated containers to prevent cross-organizational data access in the multitenant hosting environment.
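To make the pattern concrete, here is an added Python example, illustrative only and not CareTogether's actual authorization model, of the two properties this section relies on: every record read or write passes through a deny-by-default policy check, and each organization's data lives in its own container that is selected from the caller's verified tenant rather than from anything in the request. The roles (`staff`, `volunteer`), the record shape and the sample families are constructed for the example.

```python
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Principal:
    """Who is calling. org_id and roles come from the verified identity token, never from the request."""
    org_id: str
    user_id: str
    roles: FrozenSet[str]


@dataclass(frozen=True)
class FamilyRecord:
    family_id: str
    org_id: str
    notes: str
    assigned_volunteers: FrozenSet[str]


def can_view(principal: Principal, record: FamilyRecord) -> bool:
    """Deny-by-default policy applied to every record access."""
    if record.org_id != principal.org_id:
        return False                       # never across tenants, whatever the role
    if "staff" in principal.roles:
        return True
    if "volunteer" in principal.roles:
        return principal.user_id in record.assigned_volunteers
    return False


def can_edit(principal: Principal, record: FamilyRecord) -> bool:
    return record.org_id == principal.org_id and "staff" in principal.roles


class RecordStore:
    """One isolated container per organization, chosen from the caller's tenant, not a request parameter."""

    def __init__(self) -> None:
        self._containers: Dict[str, Dict[str, FamilyRecord]] = {}

    def seed(self, record: FamilyRecord) -> None:
        """System-level load path (e.g. migration); user requests go through get/list/update below."""
        self._containers.setdefault(record.org_id, {})[record.family_id] = record

    def _container(self, principal: Principal) -> Dict[str, FamilyRecord]:
        # A caller cannot name another tenant's container: the lookup key is the principal's own org.
        return self._containers.get(principal.org_id, {})

    def get_family(self, principal: Principal, family_id: str) -> Optional[FamilyRecord]:
        record = self._container(principal).get(family_id)
        if record is None or not can_view(principal, record):
            return None                    # same answer for "not yours" and "does not exist"
        return record

    def list_families(self, principal: Principal) -> List[str]:
        return sorted(r.family_id for r in self._container(principal).values() if can_view(principal, r))

    def update_notes(self, principal: Principal, family_id: str, notes: str) -> bool:
        container = self._container(principal)
        record = container.get(family_id)
        if record is None or not can_edit(principal, record):
            return False
        container[family_id] = replace(record, notes=notes)
        return True


def build_demo_store() -> RecordStore:
    """Constructed sample data: two organizations that happen to reuse the family id 'fam-1'."""
    store = RecordStore()
    store.seed(FamilyRecord("fam-1", "org-a", "intake complete", frozenset({"vol-1"})))
    store.seed(FamilyRecord("fam-2", "org-a", "awaiting visit", frozenset({"vol-2"})))
    store.seed(FamilyRecord("fam-1", "org-b", "org B's family", frozenset()))
    return store


if __name__ == "__main__":
    store = build_demo_store()
    volunteer = Principal("org-a", "vol-1", frozenset({"volunteer"}))
    print("volunteer sees:", store.list_families(volunteer))            # ['fam-1']
    print("other org's fam-1:", store.get_family(Principal("org-b", "s", frozenset({"staff"})), "fam-1").notes)
```

Two details carry the security weight: the container lookup never takes an organization id from the caller, so a request for `fam-1` from an org-b user can only ever reach org-b's `fam-1`; and a denied read returns the same `None` as a missing record, so probing for ids does not reveal what other tenants or other volunteers hold.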

Tamper Protection

To safeguard records against tampering, all data storage uses Azure's immutability guarantees via auditable time-based retention policies: while the retention period is in force, stored data cannot be modified or deleted, even by an administrator. Note that this protection is only as strong as the policy itself; an unlocked retention policy can still be shortened or removed, whereas a locked policy can only ever have its retention period extended. The result is strong, auditable evidence that data has not been tampered with during the retention period. Any edits required by system updates or administrative corrections leave a permanent version history, so every change can be compared with prior versions of the affected files. This capability is uncommon among CMS products, which typically rely on maintaining and (supposedly) securing database backups as evidence; such systems are vulnerable to malicious actors with administrative access, who can alter the backups as well as the live data.
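The following Python simulation (added here as a model of the storage semantics, not Azure's API or CareTogether's code) shows what a time-based retention policy with versioning buys and where its boundary lies: writes append versions and never alter earlier ones, deletion is refused until every version has aged past the retention period, a locked policy can only be extended, and two retained versions can be diffed to review an administrative correction. Blob names, contents and timestamps are constructed.

```python
import difflib
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DAY = 86_400  # seconds


@dataclass(frozen=True)
class Version:
    version_id: int
    written_at: int   # epoch seconds
    content: str

    @property
    def digest(self) -> str:
        return hashlib.sha256(self.content.encode("utf-8")).hexdigest()


class RetentionPolicy:
    """Time-based retention. Until the policy is locked an administrator can still shorten
    or remove it, so the tamper-evidence claim only holds once it has been locked."""

    def __init__(self, days: int) -> None:
        self.days = days
        self.locked = False

    def lock(self) -> None:
        self.locked = True

    def set_days(self, days: int) -> bool:
        """Returns False if the change is refused: a locked policy can only be extended."""
        if self.locked and days < self.days:
            return False
        self.days = days
        return True


class ImmutableContainer:
    def __init__(self, policy: RetentionPolicy) -> None:
        self.policy = policy
        self._blobs: Dict[str, List[Version]] = {}

    def write(self, name: str, content: str, now: int) -> int:
        """An overwrite appends a new version; earlier versions are never changed in place."""
        versions = self._blobs.setdefault(name, [])
        versions.append(Version(len(versions) + 1, now, content))
        return len(versions)

    def read(self, name: str, version_id: Optional[int] = None) -> str:
        versions = self._blobs[name]
        return (versions[-1] if version_id is None else versions[version_id - 1]).content

    def history(self, name: str) -> List[Version]:
        return list(self._blobs.get(name, []))

    def is_retained(self, name: str, now: int) -> bool:
        """True while any version of the blob is still inside the retention period."""
        return any(now < v.written_at + self.policy.days * DAY for v in self._blobs.get(name, []))

    def delete(self, name: str, now: int) -> bool:
        """Refused (returns False) while the blob is retained, even for an administrator."""
        if self.is_retained(name, now):
            return False
        self._blobs.pop(name, None)
        return True

    def diff(self, name: str, old_id: int, new_id: int) -> str:
        """Unified diff between two retained versions, for reviewing an administrative correction."""
        old, new = self.read(name, old_id), self.read(name, new_id)
        return "".join(difflib.unified_diff(old.splitlines(True), new.splitlines(True),
                                            f"{name}@v{old_id}", f"{name}@v{new_id}"))

    def audit_trail(self, name: str) -> List[Tuple[int, int, str]]:
        """(version, written_at, sha256) per version, for comparison with independently kept records."""
        return [(v.version_id, v.written_at, v.digest) for v in self.history(name)]


if __name__ == "__main__":
    # Constructed sample: one record corrected once, under a 7-day policy that is then locked.
    policy = RetentionPolicy(days=7)
    box = ImmutableContainer(policy)
    t0 = 1_700_000_000
    box.write("family-1.json", '{"notes": "intake complete"}\n', t0)
    box.write("family-1.json", '{"notes": "intake complete", "visit": "2023-03-20"}\n', t0 + DAY)
    policy.lock()
    print(box.diff("family-1.json", 1, 2))
    print("shorten locked policy:", policy.set_days(1))                 # False
    print("delete on day 3:", box.delete("family-1.json", t0 + 3 * DAY))  # False
```

The practical check this suggests for an operator is to confirm that the retention policy on each storage container is locked, not merely present, and to record the per-version digests somewhere outside the storage account so they can be compared independently later.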

Reliability Protection

CareTogether's data storage uses Azure's highest level of redundant storage (read-access geo-zone-redundant storage, RA-GZRS), so all data is maintained in at least six copies: three copies across separate availability zones in the primary region and three locally redundant copies in a secondary region hundreds of miles away from the primary. Replication to the secondary region is asynchronous, so a regional failover could lose the most recent writes; the zone-redundant copies within the primary region are written synchronously. Azure Storage also regularly verifies and automatically repairs the integrity of stored data, and verifies the integrity of data in transit, to protect against random corruption. From an operational perspective, the CareTogether application layer is treated as a set of immutable components that are redeployed with each update, so the application can be recovered quickly (by simply redeploying) and completely (with no risk of missing server-level configuration settings) in the event of an Azure outage that impacts regional availability of compute resources.
