Security Considerations
Primero is designed with the understanding that it manages extremely sensitive data. The application has mechanisms for ensuring data confidentiality and sharing of information based on consent and need. The system is designed for stability and durability.
Primero v2 has updated and revised its approach to security. Core components have been upgraded or redesigned. UNICEF has implemented Primero v2 as a SaaS solution called Primero X. It runs on Microsoft Azure infrastructure. Some additional security provisions are guaranteed with Primero X.
Functional Security
Some security precautions are implemented explicitly as application behavior. Primero is being developed following security recommendations set out by the OWASP (https://www.owasp.org).
- Users, Authentication, Identity:
  - User access is protected by passwords with an enforced minimum strength. User management tools revoke the access of users who have left the organization or have been deemed untrustworthy.
  - Primero X supports federation and authentication with external identity providers such as Azure Active Directory, Okta, and Google via OpenID Connect. User security is delegated to stakeholder organisations.
- Need-to-see data access: All data that is collected in the system is presented only to the users with an explicit business reason for seeing this data. Case workers only see information about the cases that they manage. Different roles (such as supervisors, FTR officers, different kinds of service providers) have access only to the portion of an individual case that is relevant to their work.
- Consent: All sharing of information between users within the system as well as the ability to export data outside of Primero is regulated by the consent provided by the client.
- Role-based authorization: Complex authorization hierarchies ensure that users have explicit rights to access specific system functions that are relevant to their role.
- Session management: Long periods of inactivity indicate that a user is no longer interacting with the system. The system will sign the user out when this takes place.
- Audit logs: All interactions with the system and its data are logged and exposed for review. Primero provides the tools to identify users who engage in potentially improper activity, such as supervisors accessing specific records they have no business reason to view.
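The need-to-see, consent and audit-log behaviours listed above can be shown together in a small access policy. The following is an added illustration, not Primero's own code: the roles, field lists, referral rule, users and case values are constructed assumptions, and the audit log is an in-memory array standing in for a persisted log.

```ruby
# Added example (illustrative, not Primero's own code): need-to-see field filtering,
# consent-gated export and an audit log a reviewer can query for denied access.
# Roles, field lists, user and case values below are constructed assumptions.

Role = Struct.new(:name, :fields)
ROLES = {
  case_worker:     Role.new(:case_worker,     %i[name age location protection_concerns services]),
  supervisor:      Role.new(:supervisor,      %i[name age location protection_concerns services]),
  ftr_officer:     Role.new(:ftr_officer,     %i[name age location family_tracing]),
  health_provider: Role.new(:health_provider, %i[age health_referral])
}.freeze

User       = Struct.new(:id, :role, :supervises)   # supervises: ids of case workers
CaseRecord = Struct.new(:id, :owner_id, :referred_to, :consent_for_sharing, :data)

class AuditLog
  attr_reader :entries

  def initialize
    @entries = []
  end

  def record(user, record_id, action, allowed)
    @entries << { user: user.id, role: user.role, record: record_id, action: action, allowed: allowed }
  end

  # Review helper: denied attempts per user, the first thing a reviewer would pull.
  def denied_by_user
    entries.reject { |e| e[:allowed] }.group_by { |e| e[:user] }.transform_values(&:size)
  end
end

class AccessPolicy
  def initialize(audit)
    @audit = audit
  end

  # Is there an explicit business reason for this user to see the record at all?
  def can_view?(user, rec)
    case user.role
    when :case_worker then rec.owner_id == user.id
    when :supervisor  then user.supervises.include?(rec.owner_id)
    else rec.referred_to.include?(user.role)   # service providers need a referral
    end
  end

  # Only the portion of the record relevant to the role; every attempt is logged.
  def visible_fields(user, rec)
    allowed = can_view?(user, rec)
    @audit.record(user, rec.id, :view, allowed)
    allowed ? filter(user, rec) : {}
  end

  # Export outside the system additionally requires the client's consent.
  def export(user, rec)
    allowed = can_view?(user, rec) && rec.consent_for_sharing
    @audit.record(user, rec.id, :export, allowed)
    allowed ? filter(user, rec) : nil
  end

  private

  def filter(user, rec)
    rec.data.select { |field, _| ROLES[user.role].fields.include?(field) }
  end
end

# Constructed sample data.
SAMPLE_CASE = CaseRecord.new('case-001', 'worker-1', [:health_provider], false,
                             { name: 'A. B.', age: 9, location: 'Camp 3',
                               protection_concerns: 'separated child', services: 'shelter',
                               family_tracing: 'pending', health_referral: 'clinic visit' })
WORKER       = User.new('worker-1', :case_worker, [])
SUPERVISOR_A = User.new('sup-1', :supervisor, ['worker-1'])
SUPERVISOR_B = User.new('sup-2', :supervisor, ['worker-9'])
HEALTH       = User.new('clinic-1', :health_provider, [])
FTR          = User.new('ftr-1', :ftr_officer, [])

def access_demo
  audit  = AuditLog.new
  policy = AccessPolicy.new(audit)
  {
    worker: policy.visible_fields(WORKER, SAMPLE_CASE).keys,
    sup_a:  policy.visible_fields(SUPERVISOR_A, SAMPLE_CASE).keys,
    sup_b:  policy.visible_fields(SUPERVISOR_B, SAMPLE_CASE).keys,   # not their caseload
    health: policy.visible_fields(HEALTH, SAMPLE_CASE).keys,         # referred, partial view
    ftr:    policy.visible_fields(FTR, SAMPLE_CASE).keys,            # no referral
    export: policy.export(WORKER, SAMPLE_CASE),                      # no consent recorded
    denied: audit.denied_by_user
  }
end
```

The point of logging the denied attempts rather than only the successful ones is the review case the text mentions: a supervisor who repeatedly opens records outside their own caseload shows up in `denied_by_user` even though none of those attempts returned data.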
Platform Security
Primero is designed, developed and deployed as a full service platform. This includes both the web and mobile applications as well as the operating system hosting them. Primero is being positioned for distribution as a service, running on the Microsoft Azure cloud (https://azure.microsoft.com). This allows us to leverage Azure cloud hosting tools and SLAs to ensure greater consistency of deployment and security.
Self-hosted Primero relies on Ansible (https://www.ansible.com), a devops automation tool, to deploy Primero Docker images. This guarantees that Primero servers are always in a known state which is integral to identifying and remediating system security issues.
- In-transit encryption:
  - Primero is only accessible via HTTPS. It supports only the TLS 1.2 protocol.
  - Out of the box, Primero servers use Let’s Encrypt (https://letsencrypt.org/) domain-validated certificates, although any TLS certificate can be used.
  - Primero X TLS is secured via a UNICEF-managed wildcard certificate for primero.org, issued by DigiCert. UNICEF also manages the primero.org domain.
- At-rest encryption: Primero X instances use encrypted data partitions for Azure PostgreSQL, Azure Kubernetes Service, and mounted volumes.
- Web server hardening:
  - Repeated access from the same IP address to public-facing pages is rate limited to mitigate DoS attacks.
  - Timeouts after incorrect password attempts limit the efficacy of brute-force attacks.
  - The site is reachable only by its DNS name, which prevents opportunistic attacks against the bare IP address.
  - We regularly review our web server configuration and drop support for ciphers that have been compromised.
  - Primero X uses an Azure Gateway to proxy all HTTP requests. Azure Gateway supports a Web Application Firewall (WAF) for additional security.
- System hardening:
  - Recommended to run on Ubuntu 20.04 LTS. Nightly system security updates are optional and enabled by default.
  - Strict user, file, and service ownership restrictions are enforced through Linux user permissions.
  - Primero X relies on Azure service security guarantees and uptime SLAs.
  - Primero X secret management is done through Azure Key Vault; secrets are exposed to the individual instances via Kubernetes secrets.
- Data durability: Primero X data resides in an Azure SaaS Postgres database. The database can be restored at a point in time. Additionally, nightly encrypted snapshots of each production database instance are stored in a locked down Azure Storage Account.
- Monitoring:
  - System resource and log monitoring on the Primero X Azure platform, with email alerts about suspicious activity.
  - UNICEF is implementing Azure Sentinel (https://azure.microsoft.com/en-us/services/azure-sentinel/) to detect and alert on suspicious HTTP requests against Primero X.
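Two of the web server hardening items above, per-IP request limiting and a timeout after repeated wrong passwords, are easiest to reason about as small stateful checks. The code below is an added illustration in application code, not Primero's nginx or Rails configuration; the thresholds, the IP address and the user name are constructed, and the clock is passed in so the behaviour can be exercised without waiting.

```ruby
# Added example (not Primero's own code): per-IP request throttling and a
# failed-password lockout, with an injected clock so the behaviour is testable.
# Thresholds, the IP address and the user name are constructed assumptions.

class IpThrottle
  # Sliding window: at most +limit+ requests per +window+ seconds from one source IP.
  def initialize(limit: 5, window: 60)
    @limit  = limit
    @window = window
    @hits   = Hash.new { |h, k| h[k] = [] }
  end

  # true -> serve the request; false -> answer 429 and do no further work.
  def allow?(ip, now)
    hits = @hits[ip]
    hits.reject! { |t| t <= now - @window }   # forget hits that fell out of the window
    return false if hits.size >= @limit
    hits << now
    true
  end
end

class LoginLockout
  # After +max_failures+ wrong passwords the account is locked for +lock_seconds+,
  # even if the correct password is then supplied: this caps the online guessing rate.
  def initialize(max_failures: 3, lock_seconds: 900)
    @max          = max_failures
    @lock         = lock_seconds
    @failures     = Hash.new(0)
    @locked_until = {}
  end

  def locked?(user, now)
    deadline = @locked_until[user]
    return false unless deadline
    return true if now < deadline
    @locked_until.delete(user)   # lock has expired, start counting afresh
    @failures[user] = 0
    false
  end

  # Returns :locked, :ok or :failed. +password_ok+ is the outcome of the real password check.
  def attempt(user, password_ok, now)
    return :locked if locked?(user, now)
    if password_ok
      @failures[user] = 0
      return :ok
    end
    @failures[user] += 1
    @locked_until[user] = now + @lock if @failures[user] >= @max
    :failed
  end
end

def throttle_demo
  t  = IpThrottle.new(limit: 3, window: 60)
  ip = '198.51.100.7'   # constructed address from the RFC 5737 documentation range
  burst  = (1..3).map { |i| t.allow?(ip, 100 + i) }   # three requests fit in the window
  fourth = t.allow?(ip, 104)                          # the fourth is rejected
  later  = t.allow?(ip, 170)                          # the window has slid past the burst
  [burst, fourth, later]
end

def lockout_demo
  l = LoginLockout.new(max_failures: 3, lock_seconds: 900)
  [
    l.attempt('alice', false, 0),    # :failed
    l.attempt('alice', false, 1),    # :failed
    l.attempt('alice', false, 2),    # :failed, account now locked until t=902
    l.attempt('alice', true, 3),     # :locked although the password is right
    l.attempt('alice', true, 903)    # :ok once the lock has expired
  ]
end
```

One caveat that matters for Primero X specifically: behind a proxy such as the Azure Gateway described above, the TCP peer address seen by the application is the gateway's, so a throttle keyed on it would treat all users as one client. The key must be the client address the gateway forwards, and only a header set by the trusted gateway should be believed.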
Process
In 2014, Primero underwent a comprehensive security assessment and 3rd party security code review and penetration testing. A threat model was established for the product that has guided subsequent security work. The threat model is reviewed and updated with each major development effort.
UNICEF ICTD and Quoin collaborate in performing regular security scans of the system using Fortify on Demand (https://www.microfocus.com/en-us/cyberres/application-security/fortify-on-demand), a 3rd party penetration testing tool.
As the primary developer for Primero, Quoin regularly reviews public security vulnerability alerts for the open source components of Primero. Software engineers:
- Monitor the CVE threat repository (https://cve.mitre.org/)
- Monitor GitHub’s dependency alert service
- Closely monitor the Ruby, Ruby on Rails, and CouchDB websites for security alerts
- Follow recommendations from the OWASP (https://www.owasp.org) open security project.
In addition, a security review based on the threat model and on common OWASP guidelines is performed for each significant development effort. The vulnerabilities are evaluated and prioritized based on potential risk. Security remediation work is queued up as part of Primero’s ongoing global support.
The Primero CI/CD pipeline is incorporating open source dynamic scans into its release process for Docker image builds based on OWASP ZAP (https://owasp.org/www-project-zap).
Updated versions of Primero are regularly tested by a dedicated UNICEF QA team and released for deployment.
FAQ
This list of frequently asked questions will be updated periodically.
- What type of security/vulnerability scans are performed? Fortify on Demand (dependency scan, static analysis, dynamic vulnerability scan), OWASP, GitHub security scan
- Have any external audit or penetration test activities been done? Yes, Fortify on Demand (v2), British Telecom (Primero v1)
- What level of planning is in place relating to incident management? UNICEF-supported Data Breach SOP
- How is the data of your customers segregated? Each implementation uses a different database. Users cannot query across databases.
- What data breach notification procedures do you follow? UNICEF-supported Data Breach SOP.
- What data security protocol do you have in place (like MFA, VPN, SSL etc.)? TLS (we use Let’s Encrypt), federated identity, MFA available for specific roles.
- Who holds the encryption keys that protect the data? Is it yourselves or your cloud provider? Cloud provider.
- Regarding “row level/record level encryption” and “sensitive data masking”, does Primero provide that such storage has verifiable data protection controls (e.g. encryption, access control) both at rest and in transit? Individual access controls are enforced by UNICEF ICTD (Azure resources) and K8s access control restricting vendor access. Data is encrypted at rest in the PostgreSQL databases and in Azure block storage (document attachments). In transit we are using TLS.
- Are you encrypting individual records at rest? We are not encrypting individual records at rest. This is impractical if you want to report on data. In the future, we can improve our security/compliance by encrypting certain non-reportable fields.
- Is there backup encryption? Yes.
- Does Primero support sensitive data masking? We can only obfuscate the name field. This can be extended to other fields with a bit more effort.
- Is there account level protection (e.g. strong passwords, 2FA)? Yes. Default identity is managed using AAD with 2FA options. We can integrate with local identity providers.
- Is there application (main app, APIs) level encryption via verified SSL Certificates over TLS 1.1 or higher? Yes.
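The answers on record-level encryption and data masking describe a trade-off: fields that reports are run on must stay queryable, while non-reportable fields could be encrypted and the name field can be obfuscated. The following is an added illustration of that split, not Primero's own code: the field names, the sample record, the choice of AES-256-GCM and the use of a locally generated key are assumptions (a deployment would fetch the key from a key vault, as the platform section describes for other secrets).

```ruby
require 'openssl'

# Added example (illustrative, not Primero's own code). Reportable fields stay in
# clear so they can be queried; a non-reportable free-text field is encrypted with
# AES-256-GCM; the name field is masked to initials. Field names, the sample record
# and the locally generated key are constructed assumptions.

class FieldProtector
  REPORTABLE = %i[age location protection_concerns].freeze  # stay in clear for reports
  ENCRYPTED  = %i[interview_notes].freeze                   # non-reportable, encrypted

  def initialize(key)
    raise ArgumentError, 'AES-256 needs a 32-byte key' unless key.bytesize == 32
    @key = key
  end

  # One-way masking: keep initials so lists remain readable, drop the rest.
  def self.mask_name(name)
    name.split.map { |part| "#{part[0]}." }.join(' ')
  end

  # Transform a record into its at-rest form.
  def protect(record)
    stored = record.each_with_object({}) do |(field, value), out|
      out[field] = ENCRYPTED.include?(field) ? encrypt(value.to_s) : value
    end
    stored[:name] = self.class.mask_name(record[:name]) if record.key?(:name)
    stored
  end

  # Reverse the encryption (masking is deliberately not reversible).
  def reveal(stored)
    stored.each_with_object({}) do |(field, value), out|
      out[field] = ENCRYPTED.include?(field) ? decrypt(value) : value
    end
  end

  private

  def encrypt(plaintext)
    cipher = OpenSSL::Cipher.new('aes-256-gcm')
    cipher.encrypt
    cipher.key = @key
    iv = cipher.random_iv              # fresh nonce per value; never reuse one with a key
    cipher.auth_data = ''
    ciphertext = plaintext.empty? ? '' : cipher.update(plaintext)
    ciphertext += cipher.final
    { iv: iv.unpack1('H*'), tag: cipher.auth_tag.unpack1('H*'), data: ciphertext.unpack1('H*') }
  end

  def decrypt(blob)
    cipher = OpenSSL::Cipher.new('aes-256-gcm')
    cipher.decrypt
    cipher.key = @key
    cipher.iv  = [blob[:iv]].pack('H*')
    cipher.auth_tag  = [blob[:tag]].pack('H*')
    cipher.auth_data = ''
    data = [blob[:data]].pack('H*')
    plaintext = data.empty? ? '' : cipher.update(data)
    plaintext + cipher.final           # raises CipherError if the tag does not verify
  end
end

# Constructed sample record.
SAMPLE_RECORD = {
  name: 'Amina Bello', age: 9, location: 'Camp 3', protection_concerns: 'separated child',
  interview_notes: 'Met at registration desk; mother missing since March.'
}.freeze

def field_protection_demo
  protector = FieldProtector.new(OpenSSL::Random.random_bytes(32))
  stored    = protector.protect(SAMPLE_RECORD)
  # Flip the authentication tag to show that a modified ciphertext is rejected.
  tampered  = stored.merge(interview_notes: stored[:interview_notes].merge(tag: '00' * 16))
  tamper_detected = begin
    protector.reveal(tampered)
    false
  rescue OpenSSL::Cipher::CipherError
    true
  end
  {
    stored_name:     stored[:name],
    reportable:      stored.slice(*FieldProtector::REPORTABLE),
    notes_in_clear:  stored[:interview_notes].is_a?(String),
    round_trip:      protector.reveal(stored)[:interview_notes],
    tamper_detected: tamper_detected
  }
end
```

Because the encrypted field is opaque to the database, it cannot be searched or aggregated, which is exactly why the answer above limits this approach to non-reportable fields; the reportable ones remain protected only by the volume-level encryption and access controls described earlier.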
Last updated on 29 April 2021