imc Express Security Policy
Last updated on 3.6.2025

1 imc Express Security Policy

At imc Express, we take security very seriously and ensure that your data is always protected. We use the latest encryption technologies to ensure that all data is kept confidential and secure.

In addition, we have implemented several policies to protect our users' data. Read on to learn what we do to always ensure the security of your data.

1.1 The imc Express team

Our imc Express development team is not only comprised of highly skilled and experienced professionals but is also ISO 27001 certified. This certification reflects our commitment to the highest international standards in information security management. It reinforces our operational security measures, which are designed to prevent any individual employee from accumulating excessive access to sensitive data. The ISO 27001 certification underscores our dedication to protecting critical and confidential information, ensuring our team operates with an elevated level of trustworthiness and expertise.

1.2 Data flow and architecture

imc Express processes data with various providers in a secure manner. The diagram below illustrates the possible data flow, with data exchange with subcontractors marked in red.

All these interfaces are secure and encrypted to ensure that data is kept confidential and safe.

[Figure: Data flow and architecture]

1.3 Hosting

The services used in imc Express are hosted on AWS servers in the eu-central-1 region in Frankfurt, Germany.

Details can be found in the document "imc Express Processor Agreement". 

AWS data centers are architecturally and technically state-of-the-art. Amazon has extensive experience in operating large data centers, which has been incorporated into the AWS platform and infrastructure.

All AWS data centers are located in discrete facilities, and access is restricted at both perimeter and building entrances by security personnel using video surveillance, intrusion detection systems, and other electronic means. Employees must go through two-factor authentication at least twice to gain access to data center floors. All visitors and contractors must show identification and are signed in and supervised by authorized personnel.

AWS grants access to data centers and information only to employees and contractors with a legitimate business need. Access is revoked immediately when it is no longer needed. All access to data centers is logged and audited. All storage devices that reach end-of-life are decommissioned, demagnetized, and physically destroyed in accordance with DoD 5220.22-M or NIST 800-88 industry standards.

To learn more about AWS security practices, please visit these links:

imc Express is implemented in a Kubernetes cluster architecture. This provides a scalable and highly available infrastructure.

The Kubernetes cluster distributes the imc Express application across multiple servers and zones within Frankfurt to ensure that services are continuously available and to automatically respond to failed servers.

In addition, the cluster architecture allows the imc Express application to be easily scaled to increase performance as needed.

To maintain business continuity in the event of a disaster, we perform automated, routine and frequent data backups and restores.

AWS CloudFront is used to facilitate efficient and global content delivery. CloudFront has multiple points of presence in different parts of the world, allowing faster access to imc Express content.

1.4 Technology and Quality Assurance (QA)

Our software development process is highly efficient. We use GitLab as our source code repository and work with local repositories and pull requests, so that our team can develop software and perform code reviews.

Then, developers publish the code to our staging environment, which is protected by secure branching so that QA and other stakeholders can effectively test the code.

1.5 User authentication

All authentication processes use TLS encryption for secure communication. In imc Express there are two possible types of user authentication:

1.5.1 imc Express Stand Alone

imc Express uses Keycloak, a tested and mature open source software, to support Single Sign On (SSO).

This means that users can access multiple applications with one set of credentials without having to log in multiple times.

Keycloak is an established software that has been in use for some time and is trusted by many companies.

1.5.2 imc Express in connection with the imc Learning Suite

imc Express uses an IDM system that is integrated into the imc Learning Suite. In this scenario, user management takes place exclusively in the ILS.

1.6 Data Security

1.6.1 Data encryption

imc Express protects data in transit with TLS/SSL using 256-bit encryption and RSA keys of at least 2048 bits. This technology is used to encrypt network traffic between all services used.

imc Express also provides data at rest encryption for your data.

All data stored with our cloud provider is encrypted using AES-256, a strong encryption algorithm that provides a high level of security. To ensure an even higher level of protection, the encryption keys are rotated every twelve months. This prevents unauthorized access to the data, making it virtually impossible for malicious actors to gain access. This practice of regularly rotating encryption keys is an additional safeguard that helps keep data safe and secure.

Please follow these links for more detailed information:

1.6.2 Disaster recovery and incident management

Our team is prepared for any emergency or incident that may occur. We have a streamlined process in place to ensure that we can communicate with all stakeholders and take the necessary steps to prevent future incidents.

If there are any interruptions, those affected will be kept informed.

1.6.3 Data deletion, archiving and storage

imc Express handles data with great responsibility. In the context of our ISO 27001 certification and in order to comply with the requirements of our information security management system, we have implemented a detailed deletion and archiving concept. This also includes clear guidelines for data retention. All data is stored securely for the period required by law or necessary for the performance of the service. In addition, we guarantee that personal data will be securely removed as soon as it is no longer needed or at the request of the data subject. Thanks to these strategies, imc Express not only meets high security standards, but also contributes significantly to compliance with the General Data Protection Regulation (GDPR).

1.7 Network security

IDS/IPS: At imc Express, we rely on an advanced, containerized architecture with Kubernetes clusters that eliminate the need for traditional intrusion detection and prevention systems (IDS/IPS). The nature of our short-lived containers reduces the attack surface and the need for IDS/IPS, as security risks are constantly minimized through continuous system renewal. Instead, we rely on Kubernetes-native security tools and automation to ensure dynamic and robust defense against threats, leveraging the benefits of modern infrastructure.

WAF: At imc Express, we leverage a Web Application Firewall (WAF) to safeguard our web applications from a variety of cyber threats, including SQL injection and cross-site scripting. By filtering traffic, our WAF acts as a critical shield for our containerized infrastructure, ensuring the security and integrity of our data.

DoS attacks: imc Express is protected against Denial-of-Service (DoS) attacks through the use of AWS Shield. AWS Shield is a managed service provided by Amazon that protects web applications from DoS and Distributed Denial-of-Service (DDoS) attacks.

A Denial of Service attack is an attempt to make a website, application, or service unavailable to its users by overwhelming the server's bandwidth or resources. Distributed Denial-of-Service attacks use multiple different sources (often hijacked or infected computers) to launch a coordinated attack on their target.

AWS Shield protects the infrastructure of imc Express by analyzing the traffic and identifying and blocking malicious requests. Through the utilization of AWS Shield, imc Express's resources are safeguarded, ensuring the availability of the authoring tool for its users.

Furthermore, AWS Shield also contributes to the privacy and security of user data in imc Express, as it guards against unwanted or harmful traffic.

2 Measures to increase security and software quality

During the development of imc Express, special attention is paid to all articles, methods, documentation, tools and technologies published by the Open Web Application Security Project (OWASP).

2.1 Best practices

Authorization and authentication are implemented using extensively tested components that are used in many other projects. All cryptographic functions are based on OpenSSL and are regularly and automatically updated.

SQL injection attacks are prevented by the use of an ORM (Object-Relational Mapping, a technique for mapping objects to tables in relational databases), which automatically protects all user input against SQL injection.
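The protection an ORM gives rests on bound parameters: the statement text and the user-supplied value are sent to the database separately, so the value can never alter the structure of the query. The following Python/sqlite3 example is added here for illustration and is not code from imc Express; it contrasts a query assembled by string formatting with the parameterized form an ORM generates. The table, its two users and the test input are constructed for the demo.

```python
import sqlite3

# Constructed sample data for the demo (not real imc Express users).
USERS = [("alice", "alice@example.test"), ("bob", "bob@example.test")]


def make_db():
    """Create an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, name):
    """Deliberately insecure: the input is pasted into the SQL text, so a
    quote character in `name` changes the meaning of the WHERE clause."""
    sql = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Hardened form: the driver binds `name` as a value. This is what an ORM
    emits under the hood; the input is compared literally, quotes and all."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Classic test input used to show the difference: as part of the SQL text it
# turns the condition into "name = 'x' OR '1'='1'", which matches every row.
TEST_INPUT = "x' OR '1'='1"


def demo():
    """Run both lookups and return how many rows each leaks for TEST_INPUT."""
    conn = make_db()
    leaked = len(lookup_vulnerable(conn, TEST_INPUT))      # all rows
    bound = len(lookup_parameterized(conn, TEST_INPUT))    # no rows
    conn.close()
    return leaked, bound


if __name__ == "__main__":
    print(demo())
```

The same principle applies to any driver: if the query text is ever built with `%`, `+` or f-strings from untrusted data, the ORM's guarantee no longer holds, so code review and linting should flag raw string-built SQL even in a code base that otherwise relies on an ORM.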

All data traffic is secured by TLS. Our TLS configuration is regularly checked and adjusted if necessary. In modern browsers, the connection to imc Express is encrypted and authenticated with TLS 1.3 (a strong protocol), ECDHE_RSA with P-256 (a strong key exchange) and AES_256_GCM (a strong cipher). In addition, robust "forward secrecy" (sometimes also referred to as "perfect forward secrecy") is used: session keys come from ephemeral key exchanges, so recorded traffic cannot be decrypted later even if the server's private key is compromised.
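The TLS policy described above (a modern protocol floor, ECDHE key exchange for forward secrecy, AEAD ciphers such as AES-GCM) can be expressed and audited in code rather than checked by hand. The Python example below is an added illustration, not configuration from imc Express: it builds a server-side ssl.SSLContext with those settings using OpenSSL cipher-string syntax and then inspects every enabled suite for forward-secret key exchange, AEAD encryption and at least 128-bit strength. The certfile and keyfile arguments are hypothetical paths. For contrast it also builds a context that still permits static RSA key exchange, which the audit flags.

```python
import ssl


def hardened_server_context(certfile=None, keyfile=None):
    """Server-side TLS context matching the policy in the text:
    TLS 1.2 as the floor (modern clients negotiate 1.3), ECDHE-only key
    exchange for forward secrecy, and AEAD ciphers only.
    certfile/keyfile are hypothetical paths and are only loaded if given."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher string: ECDHE with AES-GCM or ChaCha20-Poly1305 only.
    # TLS 1.3 suites are governed separately and are always (EC)DHE + AEAD.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def weak_context():
    """Contrast case: a context that still allows static RSA key exchange
    (AES128-GCM-SHA256), which offers no forward secrecy."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("AES128-GCM-SHA256:ECDHE+AESGCM")
    return ctx


def audit_ciphers(ctx):
    """Return the names of enabled suites that violate the policy:
    non-ECDHE key exchange, a non-AEAD cipher, or under 128-bit strength.
    An empty list means the context is compliant."""
    violations = []
    for suite in ctx.get_ciphers():
        # kx-any is how OpenSSL labels TLS 1.3 suites (always ephemeral DH).
        forward_secret = suite["kea"] in ("kx-ecdhe", "kx-any")
        ok = forward_secret and suite["aead"] and suite["strength_bits"] >= 128
        if not ok:
            violations.append(suite["name"])
    return violations


if __name__ == "__main__":
    print("hardened:", audit_ciphers(hardened_server_context()) or "compliant")
    print("weak:", audit_ciphers(weak_context()))
```

Running this as part of a deployment pipeline turns the "regularly checked" policy into a failing build whenever a cipher-list change reintroduces a non-forward-secret or non-AEAD suite.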

To increase code quality, the entire source code is automatically checked by several linters that report known problems. Each code contribution can only be accepted after a successful check. The automatic check is not only carried out for new code contributions, but also for every update of dependencies. All dependencies are automatically checked for known vulnerabilities and possible updates.

2.2 Release Process

All libraries used are checked for known security vulnerabilities with every release. The containers created are then scanned automatically. All additional components contained in the container are also checked.

Different release processes are used depending on the type of release.

2.2.1 Feature Release

A Feature Release is a new, complete version of the imc Express software, often including brand new features and functionalities. Unlike the traditional process of announced releases, imc Express adopts a more flexible approach to development. The goal is to stay agile and enable improvements to be made continuously. Therefore, new releases are not explicitly announced, allowing the development team to focus on continuous improvement and regularly incorporating user feedback.

Feature releases are published at irregular intervals of about 2-4 months.

[Figure: Release process - feature version]

2.2.2 Patches

A Patch refers to minor software updates applied to the existing version of imc Express to address bugs or enhance performance. These software updates occur regularly and improve the user experience by effectively resolving reported issues without changing overall functionality.

The process is the same as in the graphic above.

Patches are published at irregular intervals whenever necessary.

2.2.3 Hotfix/Security update

The process for security updates differs from the process for “feature releases” in order to be able to react quickly to security-related or other critical issues that affect the functionality of imc Express at any level.

These patches are provided immediately to resolve the problem and maintain business continuity.

The latest “stable version” (status of the productive system) always serves as the basis; the improvements are only incorporated into the development status at a later point in time.

Hotfixes/security updates are published at irregular intervals as required.

[Figure: Release process - hotfix]

2.3 Announcement of system updates

Updates of imc Express are carried out to keep the product up to date with the latest technology and security, and to guarantee user-friendliness and freedom from errors.

Most of these updates are carried out in the background and are therefore unobtrusive for the user of imc Express. However, should it occur that an update takes a longer period of time to complete, this will be announced in advance within imc Express. These announcements usually also contain information about the expected downtime, i.e. the period during which imc Express is not available.

Updates to imc Express are carried out without fixed times, in order to ensure the rapid and flexible development of the system. The international use of imc Express also makes it impossible to carry out updates exclusively outside office hours.

Feature release notes are displayed to all users in imc Express after a product update and can also be viewed at any time in the always-available release notes.

2.4 Enhancing cybersecurity

At imc Express, we prioritize robust cybersecurity by conducting regular third-party penetration testing. External experts simulate cyberattacks on our systems to identify vulnerabilities that internal reviews might overlook. This strategic approach enhances our defense mechanisms, ensuring resilience against evolving cyber threats and demonstrating our commitment to data protection.