Security

Find Your Grind takes security seriously: security is woven into the fabric of the product and is considered at every stage of the development process.

The key points of Find Your Grind’s security policy focus on these core facets:

REDUCING THE VALUE OF FIND YOUR GRIND AS A TARGET

A conscious decision was made to limit the amount of high-value information that Find Your Grind collects during a transaction, in order to lessen its value as a target for attackers. Only a small amount of PII is collected: what is necessary to identify a user within the platform.

REDUCING THE POSSIBLE ATTACK SURFACE OF THE FIND YOUR GRIND PLATFORM

The websites and APIs of the Find Your Grind platform are each hosted in completely separate domains, so each one only has access to the data it requires to function correctly.

Reporting data is held separately from transactional data.

Each Find Your Grind account receives its own slice of the data architecture through tenanted databases. In the event of a breach, only the small part of the data available to that tenant would be exposed, limiting the impact.

INCORPORATING AUTOMATED SECURITY SCANNING INTO THE PLATFORM

DataDog actively monitors all of the applications, websites, and devices within the Find Your Grind cloud. This tool provides an overview of all the different parts of the stack and monitors the applications, logs, and ingress/egress traffic within the environment. Using these data sources it runs heuristic algorithms over the captured data to identify trends and threats to the system in real time.

AUTOMATIC THREAT DETECTION AND MONITORING

DataDog Application Security Management detects threats based on traffic analysis, dependencies within the application, and hot code paths.

Monitoring allows DataDog to distinguish anomalies from real threats and alert appropriately.

IMPLEMENTING A VULNERABILITY ASSESSMENT SOLUTION

DataDog ASM provides an integrated, cloud-hosted assessment tool that integrates seamlessly with the Find Your Grind platform and provides insights at a lower level than the out-of-the-box Microsoft tooling. These scans are completed regularly and the definitions are updated automatically.

The databases within the Find Your Grind portal are all enrolled in the Threat Detection and Vulnerability Assessment program provided by Azure, which reports their data back to the Azure Security portal for analysis and remediation.

ENCRYPTION ALL THE WAY THROUGH

Find Your Grind aims to encrypt as much data as possible, both in transit and at rest within its system. Azure Databases use Transparent Data Encryption (TDE) to secure their data at rest and SSL when communicating that data to the various services.

All of the services within the Find Your Grind stack use SSL to encrypt the messages that they pass between themselves.

Plain HTTP connections on port 80 are not served; they are automatically redirected to port 443 and secured via SSL, with HSTS (HTTP Strict Transport Security) enforcing HTTPS for subsequent requests.
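The port 80 redirect and HSTS policy described above can be verified with a small audit check. The following is an added example, not Find Your Grind code; it evaluates constructed HTTP responses offline (the host name and the one-year max-age threshold are assumptions), so the fetching step against a live host is left out.

```python
from urllib.parse import urlparse

MIN_MAX_AGE = 31536000  # one year; assumed threshold, matches common preload guidance


def _header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive: value}."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def check_http_redirect(status, headers, host):
    """The plain-HTTP response must be a permanent redirect to https:// on the same host."""
    if status not in (301, 308):
        return False, f"expected permanent redirect, got {status}"
    location = _header(headers, "Location") or ""
    target = urlparse(location)
    if target.scheme != "https":
        return False, f"redirect target is not https: {location!r}"
    if target.hostname != host:
        return False, f"redirect leaves host: {target.hostname}"
    return True, "ok"


def check_hsts(headers, min_max_age=MIN_MAX_AGE):
    """The HTTPS response must carry HSTS with a long max-age and includeSubDomains."""
    value = _header(headers, "Strict-Transport-Security")
    if value is None:
        return False, "missing Strict-Transport-Security header"
    directives = parse_hsts(value)
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        return False, "max-age missing or not an integer"
    if max_age < min_max_age:
        return False, f"max-age {max_age} below {min_max_age}"
    if "includesubdomains" not in directives:
        return False, "includeSubDomains not set"
    return True, "ok"


def audit(host, http_status, http_headers, https_headers):
    """Run both checks; returns (all_passed, per-check results)."""
    results = {
        "http_redirect": check_http_redirect(http_status, http_headers, host),
        "hsts": check_hsts(https_headers),
    }
    return all(ok for ok, _ in results.values()), results


# Constructed sample responses (not captured from any real host)
HOST = "example.com"
GOOD_HTTP = (301, {"Location": "https://example.com/"})
GOOD_HTTPS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
WEAK_HTTPS = {"strict-transport-security": "max-age=300"}
```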

The cloud infrastructure is secured using Azure Active Directory, a hosted, secure application access management system.

PENETRATION TESTING

Whilst in its infancy, Find Your Grind performs penetration testing by utilizing DataDog ASM. Whilst this provides a level of assurance and security, automated tools can only go so far, so penetration testing provided by a third-party company will be utilized as part of its security policy.

TWO-FACTOR AUTHENTICATION WHERE POSSIBLE

Find Your Grind strongly encourages the use of two-factor authentication wherever possible throughout its platform. All email accounts that are tied to Azure, or to any other hosting or development service, are required to have two-factor authentication enabled as a minimum level of security.

AUTHENTICATION & AUTHORIZATION

Find Your Grind uses Google Firebase to provide an OAuth2-compliant solution to its clients and their customers. This is done through OpenID Connect, which provides an authentication protocol on top of the existing OAuth2 protocol to deliver a truly cross-platform solution.

Firebase provides a solid backbone for the core of the Find Your Grind authentication system, allowing seamless integration of web and mobile authentication clients as well as backend API clients, and federation of existing OAuth2 identity providers.
