How Lucid Secures Customer Data

When a company chooses to use Software as a Service (SaaS), the convenience of the application is often one of the main drivers. However, the company must also ensure that the SaaS provider securely protects its customers’ data. In the security world, we often describe system security in terms of three properties: Confidentiality, Integrity, and Availability. This is often referred to as the CIA Triad, or just CIA. Each of these properties is distinct, but they are also tied together.

Confidentiality ensures that only the appropriate individuals can access data.

Integrity ensures that data is not changed when it should not be changed. This covers both deliberate, malicious modification and inadvertent changes.

Availability ensures that data is accessible to the right individuals when they need it.

Looking at the CIA Triad, we can see that focusing on one property alone can come at the expense of the others. For example, if we focus on integrity to ensure the data is never changed, we might consider putting the data in a secure vault (electronic or physical). But if we do this, the data would not be easily available to the appropriate individuals when they need it, if it is available to them at all.

Like any SaaS company, Lucid Software’s customers have data stored on our application’s servers. Securing our customers’ data is of the utmost importance, and we use several methods to secure customer data. 

How Lucid protects customer data

Encryption

Encrypting data enables the user to send information to and receive information from the application securely, without an unapproved person seeing that information. This is data in transit, and it includes information such as login credentials and images used in documents.

Lucid ensures all of our users’ connections use HTTPS. Additionally, data at rest (data stored on our servers and databases) is protected with database-level encryption and full-disk encryption on our servers and workstations. As an additional security measure, we offer Enhanced Privacy (Strict Privacy and Lucid KMS), which prevents our teams from accessing customer data and documents.

Authentication

As mentioned above, all Lucid user connections use HTTPS, so username and password information is sent securely from the user to our servers. On our side, passwords are salted and then hashed, and they are not visible to Lucid employees.

For our customers to have additional control and security, we support Single Sign-On (SSO), which allows our customers to apply their own authentication policies. Lucid products support secure user authentication and authorization through any identity provider that uses SAML, including Google, Okta, OneLogin, Ping, ADFS, Centrify, and Shibboleth. We also integrate with any SCIM provider, including Okta, OneLogin, Azure, and more.

SOC 2 Type II Audit, Penetration Tests, and Vulnerability Scans

With security controls in place, it is important to have those controls tested and validated. Lucid conducts regular vulnerability scans, undergoes semiannual third-party penetration tests, and works with a third-party organization to audit our security controls.

Each of these scans, tests, and audits produces a report of any potential findings. While the security measures we have in place ensure we do well on these tests, we have additional processes established to review the findings and take appropriate action. This allows us to continuously improve our security measures and posture.

Amazon Web Services

Lucid uses the industry’s leading provider of secure computing infrastructure, Amazon Web Services (AWS), for our products and services. AWS has the highest security measures in place, which we leverage to further improve our own security for our products and services. AWS also has its own services audited and certified, including SOC 2 Type II and ISO 27001.

Conclusion

With Lucid providing SaaS products, we provide easy-to-use and accessible products while implementing stringent security measures so our customers can use our products with confidence. Click here to learn more about our security practices and certifications.
