VeriNexus

Schedule A Demo

VeriNexus Comprehensive Security Policy

Introduction
At VeriNexus, security is integral to our operations. This document outlines the security protocols, safeguards, and practices we employ to protect client data and systems against evolving threats. VeriNexus maintains alignment with industry standards to ensure confidence in our security posture and services.

Network Security

Secure Protocols

  • Encryption Standards:
    • TLS 1.3: Secures data in transit over web services and database communications.
    • SSH (Secure Shell): Used for encrypted administrative access to servers and infrastructure.
    • SSL (Secure Sockets Layer): Maintained for backward compatibility in legacy systems.
    • IPsec: Employed for secure, point-to-point communications.
    • WireGuard VPN: Used for secure tunnelling, detailed further below.
  • DNS Security:
    • DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) prevent interception and tampering of DNS queries.
  • Session Timeout Enforcement:
    • All network communications enforce session timeout policies specific to their use:
      • Log shipment via WireGuard: 60-minute session limit.
      • Remote support sessions: 15-minute inactivity timeout, with re-authentication required.

Use of Insecure Protocols

  • Insecure protocols such as HTTP and DNS may be used for specific testing purposes in client environments:
    • Usage is limited to controlled testing scenarios to evaluate client systems.
    • No secure information leaves the client network during testing unless already part of their standard operations.
    • VeriNexus complies fully with client instructions for insecure protocol usage.

WireGuard VPN Policy

The WireGuard VPN is used for specific, tightly controlled purposes and is primarily employed for:

  1. Log Shipment:
    • WireGuard is primarily used to securely transfer log data from field devices to VeriNexus servers.
    • Database writes are conducted via TLS-secured streams, separate from the VPN infrastructure.
  2. Remote Operational Support:
    • Remote access for support and troubleshooting is allowed only via WireGuard VPN.
    • Connections are restricted to authorised personnel accessing systems through a secure jump server.
  3. Session Timeout and Monitoring:
    • Sessions are automatically disconnected after 60 minutes or upon inactivity, requiring re-authentication.
  4. Non-Routing Connections:
    • WireGuard is explicitly configured to prevent routing between networks at both ends of the connection.
    • Devices connected via WireGuard cannot act as gateways to route traffic between the customer’s network and the Nexus Node or vice versa.
    • This ensures that the VPN is strictly point-to-point, maintaining isolation and preventing unauthorized lateral movement.

Access Controls

  • Multi-Factor Authentication (MFA) is mandatory for all WireGuard VPN access.
  • Extensive logging of all sessions is maintained for monitoring and auditing purposes.

Database Security

  • TLS-Secured Data Streams:
    • All database transactions are encrypted using TLS 1.3 to ensure confidentiality and integrity.
  • Access Control:
    • Role-Based Access Control (RBAC) limits access based on job roles.
    • Privileged accounts require MFA and are subject to routine audit.
  • Redundancy and Backup:
    • Immutable backups are replicated across geographically dispersed locations and tested quarterly.

Infrastructure and Datacentre Security

Physical and Logical Security

  • VeriNexus operates from highly secure datacentres that meet rigorous international standards for access control, redundancy, and environmental protections.
  • Segregation:
    • By default, client environments use virtual segregation.
    • Air-gapped systems are available as an optional service, offering physical separation at additional cost.

Personnel Vetting and Security Awareness

  • Vetting Levels:
    • Personnel are vetted to SC, DV, NPPV2, or NPPV3 standards, depending on their roles.
  • Security Awareness:
    • All staff undergo regular training on cybersecurity best practices and insider threat prevention.
  • Insider Threat Detection:
    • Anomalous behaviour detection systems are employed to identify potential insider threats.

Application Security

  • VeriNexus follows OWASP standards and conducts:
    • SAST for identifying code vulnerabilities.
    • DAST for runtime security testing.
  • Regular penetration tests and red team exercises validate security postures.

Incident Response

  • Monitoring and Threat Detection:
    • VeriNexus employs advanced monitoring tools to detect potential security incidents across its systems.
    • Automated alerting systems notify relevant teams for prompt action.
  • Incident Response Playbooks:
    • Defined for scenarios including data breaches, malware incidents, and service disruptions.
    • Response Timelines:
      • Acknowledgement: <1 hour.
      • Resolution: <24 hours for critical incidents.
  • Post-Incident Review:
    • Reports include root cause analysis, remediation steps, and preventive measures.

Customised Security Solutions

  • VeriNexus offers tailored solutions to meet unique client requirements, including:
    • Dedicated resources and infrastructure.
    • Fully isolated, air-gapped systems available at additional cost.

Compliance and Testing

  • VeriNexus conducts regular vulnerability assessments and penetration testing to validate its security posture and ensure compliance with best practices.

(Note: VeriNexus leverages ISO 27001-certified datacentres for infrastructure. VeriNexus itself is not ISO 27001 certified but aligns its internal processes with ISO 27001 principles to ensure security across its operations.)

Continuous Improvement

  • Regularly updated policies ensure defence against emerging threats.
  • Clients are encouraged to participate in reviews and audits of VeriNexus security practices.