A Look at the Information Security Levels in eXo Platform
Information security and privacy are receiving special attention in companies and increasingly they are influencing the choice of which solutions and platforms to deploy. The global cybersecurity market is expected to be worth $170 billion by 2020, according to Hemanshu “Hemu” Nigam, founder of security advisory firm SSP Blue. Intranet solutions are no exception to this rule. Because they are at the center of an enterprise’s IT infrastructure, special care is given to all security aspects.
eXo Platform addresses this issue in various ways, mainly:
Security in the product through detection and fixing of vulnerabilities
Security through access control
Security of data exchange
Security of the deployment architecture
Security in the product through detection and fixing of vulnerabilities
eXo pays particular attention to the detection, fixing and prevention of vulnerabilities. For that, a dedicated team consistently follows a vulnerability tracking plan using advanced methods and tests. Vulnerabilities in third-party libraries are also monitored thanks to the vulnerability detection features of Nexus Pro. Maintenance releases are issued periodically and delivered to our customers to provide better and up-to-date protection.
However, eXo’s internal team is not alone in working to maintain this high level of security in the product. As an open-source-driven solution, the source code of eXo Platform is open to contributions by experienced customers and partners and this has two main advantages:
eXo’s ecosystem of customers, partners and community members can read and test the code and they can participate in this continuous improvement of the product.
Customers are allowed to audit and test the code to check for security compliance. Each eXo client represents a potential contributor to making the product more secure.
Security and Access Control
The eXo Platform solution provides a high level of flexibility in managing user and group access rights through fine-grained permission settings at different levels of the product. Permission management is based on groups and the group memberships granted to each user. A user can belong to several groups with different membership levels according to his/her role(s) in the organization.
Permission settings in eXo Platform are available at each of the following levels:
Sites: Whether you are running one site (typically the default intranet site) or multiple sites on your eXo Platform instance, you can set the access and edit permissions for each site separately.
Pages: Fine-grained permission settings are available for each page of an eXo site, allowing you to determine things like who can access a page, edit containers and applications inside the page, etc.
Containers: Each application container that you put on a page has its own permission settings. This allows you to apply specific access permission rules simultaneously for a set of applications.
Applications: Applications in eXo are either portlets or gadgets. All of the main features you see on your pages, such as the activity stream, calendar, forum, company navigation menu, spaces, etc., are actually portlets, and each portlet has its own access permission settings.
Content: For certain applications, the content (such as wiki pages in the Wiki application, documents and folders in the Documents application, forum topics, etc.) has its own permission settings.
This multi-layered manageability of permission settings allows you to have a platform that shows just the right things to the right people.
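As an added illustration of this layered model (example code, not eXo's own code or API), the following Python check walks the levels top-down so that a grant at a lower level never overrides a denial above it. The `membershipType:/group` expression form, the `*` wildcard and the rule that a level with no settings is skipped are assumptions of the example.

```python
# Added illustration (not eXo's own code): a layered permission check modelled
# on the site > page > container > application > content levels described above.
# Permission expressions use the "membershipType:/group/path" form, with "*"
# as a wildcard membership type; that format is an assumption for this example.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

LEVELS = ("site", "page", "container", "application", "content")


@dataclass(frozen=True)
class Membership:
    membership_type: str   # e.g. "member", "manager"
    group: str             # e.g. "/platform/users"


@dataclass
class User:
    name: str
    memberships: Set[Membership] = field(default_factory=set)


def matches(expression: str, membership: Membership) -> bool:
    """True if one permission expression grants one membership.
    "*:/g" accepts any membership type in group /g; "manager:/g" needs that type."""
    mtype, _, group = expression.partition(":")
    return membership.group == group and (mtype == "*" or mtype == membership.membership_type)


def allowed(user: User, expressions: Set[str]) -> bool:
    """An empty expression set grants nobody at this level."""
    return any(matches(e, m) for e in expressions for m in user.memberships)


def access_check(user: User, permissions: Dict[str, Set[str]]) -> Tuple[bool, Optional[str]]:
    """Walk the levels top-down; the first level that denies wins.
    Returns (granted, denying_level). Levels absent from `permissions` are skipped."""
    for level in LEVELS:
        if level in permissions and not allowed(user, permissions[level]):
            return False, level
    return True, None


# Constructed sample: an intranet site open to all users, a page restricted to
# managers of /organization/hr, and a document on that page open to any HR member.
PERMISSIONS = {
    "site": {"*:/platform/users"},
    "page": {"manager:/organization/hr"},
    "content": {"*:/organization/hr"},
}
hr_manager = User("alice", {Membership("member", "/platform/users"),
                            Membership("manager", "/organization/hr")})
hr_member = User("bob", {Membership("member", "/platform/users"),
                         Membership("member", "/organization/hr")})
```

Note that bob is granted the document at the content level but is still denied, because the page above it requires the manager membership.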
Security of Data Exchange
eXo can use SSL/TLS to encrypt all data in transit over HTTPS. This can be done either by using a reverse proxy that terminates HTTPS on a virtual host running in front of eXo Platform, or by running eXo Platform itself in HTTPS.
Nevertheless, this configuration depends on customer choice based on their existing IT architecture, its planned evolution and on targeted use cases defined by the customer, like whether they allow external or mobile access.
Security of the Deployment Architecture
Although the choice of deployment architecture and strategy belongs to the customer, eXo supports its customers in the various phases of analysis and preliminary project design. Dedicated consultants can help a customer during the identification and definition of use cases. Their main role is to assist in defining the right parameters and in the selection of the optimal architecture while disseminating best security practices.
Security is a vast subject with many different aspects. This is only a brief overview of the most common aspects to show how eXo is following an end-to-end approach to ensure we meet the standard of security requested by organizations today in their private implementations of eXo Platform. If you walk away having learned one thing from this brief posting, it is that the level of security and the safeguarding of the privacy of information in eXo Platform can always be thoroughly tested by our customers (think military, public and banking sectors) and that we are pleased to have among them some of the most demanding in this regard.