Security overview

Before continuing with this article it is recommended to take a look at the Service architecture to better understand the context.

Network security

All PackAware systems and subsystems except the SQL database accept connections from the Internet.

The SQL database is accessible only from Azure cloud IP ranges and selected developer PC IP addresses.

Access management

Authentication

Azure Active Directory and Microsoft identity platform is used to authenticate users of the service. The user's password never leaves Microsoft systems. Azure AD enables organizations to use SSO (single sign-on) and multi-factor authentication.

PackAware identifies the user by the ID tokens provided by the Azure Active Directory.

Authorization

Authorization refers to the permissions the user is assigned when using the service and determines what content the user can access and what operations the user can perform.

Authorization is performed by the PackAware application based on user group memberships defined for the authenticated user and permissions defined to the user groups.

There are multiple ways to assign users to user groups:

  • Direct assignment via email invitation
  • Account email domain (e.g. users with @arnon.fi account)
  • AD group (users that are member of specified AD group)
  • AD tenant (all within defined in AD directory)

See PackAware documentation for the roles that can be assigned to user groups: https://packaware.com/Support/Documentation/Organization-roles https://packaware.com/Support/Documentation/Order-group-roles

The customer has full control over the user groups and permissions.

PackAware system administrators and support personnel can override the permissions defined by the customer to provide support or when required for security, maintenance, marketing or purpose of providing the service.

Information protection and encryption

Encryption in transit

All communication between systems is encrypted by TLS or equivalent cryptographic protocol.

Connection Protocol
Browser – Application server HTTPS with TLS
Browser – Log service HTTPS with TLS
Browser – Content delivery network HTTPS with TLS
Browser – Map Service HTTPS with TLS
Browser – Azure AD HTTPS with TLS
Application server – Log service HTTPS with TLS
Application server – SQL database TLS
Application server – Blob storage HTTPS with TLS
Application server – Email service HTTPS with TLS
Content delivery network – Application server HTTPS with TLS
Tracking device supplier system – Application server HTTPS with TLS

Encryption at rest

Outside temporary caches and buffers customer data is stored encrypted.

System Encryption
Log service Encrypted, managed by Microsoft
SQL database Encrypted, managed by Microsoft
Blob storage Encrypted, managed by Microsoft
Azure AD Encrypted, managed by Microsoft
Email service Encrypted, managed by AWS

Encryption key and access key management

The encryption keys, access keys and other secrets used in production systems are handled only by named system administrators. For Azure services, access to management operations is protected by Azure AD.

Additional information

Please refer to our Privacy Policy or Contact Support.