SKsoft’s CVE-2021-44228 Apache log4j 2 vulnerability response (Dec 16 2021)
Based on a review of our products we have not found that this vulnerability has any impact on our solutions. Our products are embedded in Microsoft Dynamics AX, D365F and SL and therefore would fall under Microsoft’s response. This declaration also covers our BankFabric product as it is hosted on Microsoft Azure. Our EBICS integration (with our D365F Treasury Automation Suite product in central Europe) uses a Java library but its version and functions do not include those that have the log4j vulnerability.
BankFabric Security
We believe the security and privacy of your data is paramount. We understand that keeping your trust is continuously earned, so data security is the cornerstone of every thought that goes into the design of BankFabric. From the moment data transfer is initiated we use secure methodologies, practices, and tools to meet and exceed the security standards and practices of the banking industry.
Infrastructure Security
- Data is stored in Azure storage, which holds more security certifications than any other cloud provider. Microsoft invests a billion dollars annually in security and employs 3,500 security experts dedicated to security and privacy.
- We only use your Azure subscription for storage of files. Your data never hits a storage medium other than Azure storage in your subscription and secure locations created at or by the bank.
- Your data and all the components employed to keep it safe are built on the Azure backbone. From the time data transmission starts until the file is secure at the bank, it does not leave the Azure infrastructure.
- All files stored in Azure are encrypted at rest using server-side encryption (SSE). The encryption is 256-bit AES and is FIPS 140-2 compliant.
- The BankFabric database, including its backups, is encrypted on disk. The encryption uses a FIPS 140-2 validated cryptographic module and a 256-bit AES cipher for Azure storage encryption. Microsoft guarantees a 99.99% uptime SLA.
- Sensitive information used to connect to your bank, such as encryption keys, passwords and secrets, is stored in Azure Key Vault.
- Geo-redundant locations and data replication configurations are controlled by each customer.
- All communication is encrypted with TLS 1.2 (SSL) and authenticated by Microsoft Identity servers.
- Secrets are continuously and automatically rotated to maintain source verification and eliminate common vulnerabilities for our customers.
- Penetration testing of the site is performed annually by a third party.
- A SOC 2 Type II audit is performed annually. Reports are available under NDA.
Account Security
- Login security is handled by Microsoft Identity server and Azure AD. This allows you to manage sign-on security to your satisfaction without an additional password: you set the password requirements and multifactor authentication options in your own Azure AD.
- BankFabric application security is handled through a framework in which your administrator adds users and grants specific permissions for each page of the application. In some cases more granular security is configurable.
- Authorization checks are applied at multiple levels throughout the user interface and the APIs. Unauthorized attempts to access data are logged and reported. Only users who have authenticated through Microsoft Identity server can access BankFabric.
- You maintain security standards and processes with the Bank. Encryption keys and passwords for secure communication with the bank will be entered into BankFabric but stored in your Azure subscription, in an Azure Key Vault.
Microsoft D365 Security
- Microsoft D365 connects to BankFabric over a secure SSL (TLS) connection authenticated by Microsoft's Identity server.
- Each D365 environment uses a unique Azure AD application registration client ID and secret pair.