Data Security in Maritime Optima
This is a letter to IT managers getting questions from colleagues about this new Maritime Optima application they have been testing out and that they like.
The potential for saving time and making better decisions is clear, but does this software follow the company's data security policy? This blog post is about how we address data security and integrity in Maritime Optima.
Maritime Optima is a cloud based freemium service that provides real-time and historical vessel tracking. We collect this information from more than 80 AIS satellites and 600 terrestrial AIS base stations. Each vessel has a public questionnaire template attached. For some of the vessels there is some pre-filled information in these public questionnaires. Any user can create a private questionnaire by copying a public questionnaire and adding his own vessel information. By private we mean information that is only accessible to members of a team.
Users can add private information such as photos, documents, contact details and notes about any vessel or port.
Now let’s go through the various mechanisms we use to secure your data.
Hosted by Microsoft Azure
Maritime Optima is hosted from Microsoft Azure data centers in the Netherlands. Microsoft is a trusted hosting service providing physical access control, guards, 24/7 technical staff, and “everything redundant”; servers, network connections, power supplies, cooling.
An important benefit of Azure hosting is the integrated security features. Databases and servers are organized into virtual networks with separate firewalls. Our developers and operators must use two-factor authentication and each group has minimal access rights for their job.
Authenticated, verified users
In Maritime Optima a team might consist of one user or several users. Team data is only available from service endpoints that require an authenticated user session linked to a team. All user accounts are verified, either through one of our approved OAuth2.0 Identity Providers (Microsoft, Google, Apple) or by email confirmation.
A team owner may restrict new users to email accounts on their company email domain.
Encryption in transit
Like everyone else we use HTTPS. Like everyone should do we regularly update our server software and security configurations. We test our own security regularly and we monitor for weaknesses. That means, for instance, disabling support for vulnerable TLS versions and cipher suites, refusing old web browsers with known vulnerabilities and generally forcing clients to connect using the most secure connection options.
We require grade A in the SSL Labs TLS test of our backend application server.
Encryption at rest
Team data is stored in databases and file systems that are encrypted. Somebody breaking into our data center and stealing hard drives will not get your data.
Backup and recovery
Customer data are backed up continuously. We are able to restore to any point in time down to the second for the last 14 days.
Our backend infrastructure is running on a Kubernetes cluster with automatic recovery of any services that may fail. The cluster is scaled to have spare capacity to operate continuously in case a physical server goes down, until a new server is automatically marshalled.
Maritime Optima is available as Android and iOS apps in addition to the web application. Data security on mobile devices is a challenging area requiring vendors, customers and users to work together. The metaphor about the weakest link in the chain applies here. What we do at Maritime Optima:
- Our apps only require minimum access rights on each device.
- We support login with ID providers offering two-factor authentication; Microsoft, Google and Apple.
- All data between the device and our servers is encrypted.
- We publish timely security updates of our apps.
We recommend that each customer uses available security mechanisms:
- Limit user accounts to your company’s email domain.
- Require use of Microsoft or Google logins with two-factor authentication and/or biometric login.
- Enroll employee devices in a mobile device management system and enforce automatic screen lock, biometry or code to unlock, limit apps that can be installed, enable automatic software update.
All additions, changes and deletions your team members make on team data are audit logged, and the log is available to all members of the team. Knowing where your data comes from and who changes what is essential for data integrity.
Vessel Exchange Log
As an owner/operator you will collect and maintain vessel information from multiple sources such as technical management, crewing agent, insurance and the classification company. When chartering out a vessel you will be supplying the questionnaire as part of the charter party, it documents the promises you make about vessel performance and capabilities.
If you are on the other side of the table, you are receiving this questionnaire as documentation of the vessel.
Deviations and disagreements over vessel performance can cause expensive claims and claims processing. It is critical to track exactly who has provided what information to whom, when. By using the Vessel Exchange module of Maritime Optima for such inter company communication - rather than person-to-person email - you will be able to prove that John at the classification company claimed the ice class certificate is valid until April 2023, that your colleague Lucy included that information in your questionnaire and your colleague Peter sent that questionnaire to Mark your charter party customer.
We hope this short tour has given you a glimpse of how we at Maritime Optima take a broad view on data security and integrity.
It is not enough to “make backups and use HTTPS”, the whole product has to be designed with features and workflows that ensure business critical information and communication is captured, tracked and available.
Want to know more or have a chat about privacy or data security? Please contact me at email@example.com or drop by our office at Aker Brygge, Oslo - Covid restrictions permitting. See you!