The increased scale and complexity of money laundering and terrorist financing activity is increasing the number of reporting entities considering automated AML solutions. Of these solutions, SaaS products are highly popular as they offer reporting entities many benefits, such as moving from CapEx to OpEx. However, from our experience in the AML compliance sector and with mission-critical banking systems, the one giant elephant in the room that comes up time and again is security.
Security is one of the critical due diligence criteria in the procurement process, which comes as no surprise considering the extreme sensitivity of the data and information that AML software processes. Just like reporting entities having to demonstrate compliance, automated SaaS-based AML solutions can’t just say they’re secure – they need to prove it.
So how secure is Jade ThirdEye? Our two-fold approach to security has been giving enterprise businesses peace of mind for several years now, operating with best practices at both a product and an organisational level. We’re proud to announce that we’ve recently gained Cyber Essentials Plus certification, proving our commitment to robust product and organisational security practices that our customers can rely on. Below we explore these two approaches in further detail.
Jade ThirdEye: Security from a product perspective
Jade ThirdEye provides reporting entities with an effective AML compliance solution that has a highly usable and contemporary interface, accessed securely through modern web browsers. This approach ensures that modern security protocols and methods are leveraged at all times.
From a product perspective, Jade ThirdEye uses a defence-in-depth security strategy to protect your business and your customer data.
Environment security generally relates to security measures at a hosting level. While there are many facets to this, which we’re happy to discuss with you in more depth, we’ve gone into more detail on some aspects and listed the other measures below.
- Cloud security features. Depending on which cloud provider you prefer, we utilise their native security features to provide even more confidence for our clients. This ranges from physical and network security to identity and access management, and from fault tolerance to multi-tenancy isolation.
- Secure file transfer. All activity data files received from a customer’s environment use Secure File Transfer Protocol (SFTP) and are only accepted from known customer endpoints.
- Other measures. We also have a range of other measures at an environment level, which include malware detection, host-based intrusion detection, virtualised patching, database encryption, file encryption, disk encryption, and whitelisting.
Network security usually relates to security measures that govern data in transit to and within Jade ThirdEye Bureau. We’ve drilled into two aspects of network security and listed the rest.
- End-to-end encryption. We encrypt all communication between components housed outside and within the secure environment, using VPN connections.
- Network architecture. We use dedicated, multi-tier network segments with strictly enforced access and security restrictions between web servers, application servers, and databases. The web servers use IP restriction and are therefore NOT publicly accessible. This network architecture approach creates a border management infrastructure throughout the network core, rather than just on the edge.
- Other measures. We also have a range of other measures at a network level, which include AWS Firewall (ROW) and Dynamic Access Restriction Manager.
Application security relates to preventing security vulnerabilities such as unauthorised access and modification. On top of a best-practice secure development methodology, our application-level measures are listed below, two in more detail and the others summarised.
- Two-factor authentication. We use a time-based algorithm to produce single-use, 6-digit, one-time passcodes, adding a second factor to the requirements for access.
- Role-based access. We enable Jade ThirdEye customers to manage access rights for their employees, ensuring that data, information, rules, and settings can only be accessed by the relevant users.
- Other measures. We also have a range of other measures at an application level, including authentication and audit logging.
Verifying our security practices
It is all well and good to claim to have robust security in place, but as mentioned above, where is the proof? Jade ThirdEye undertakes rigorous third-party penetration testing every year, of which the latest test concluded:
“Commendably, Lateral Security did not identify any vulnerabilities which are considered likely to lead directly to compromise of the solution or unauthorised modification to the underlying data.” Lateral Security, Nov 2019.
In summary, we have an active security programme that is built upon a foundation of continuous improvement. Both external audits (like the one performed by Lateral Security) and our testing enable us to reinforce our security and resilience. And this isn’t just something we do from a Jade ThirdEye perspective; it’s also something we do across the rest of our business. Which brings us to...
Jade ThirdEye: Security from an organisational perspective
From an organisational perspective at Jade Software (the developer of Jade ThirdEye), we have been long-term partners with several large enterprises from highly regulated industries – from insurance to banking. Developing and supporting business-critical systems, we continually invest in leading security processes and tools to ensure our clients experience minimal disruption and exposure.
Jade is a GDPR-compliant business, with layers of best-practice security tools and processes in place to protect our and our clients’ businesses. This is well-summarised and exhibited through our recent Cyber Essentials Plus certification. After all, saying we’re secure is simply not enough.
What is Cyber Essentials Plus?
Cyber Essentials Plus is a digital security accreditation process that demonstrates to businesses that all who hold such certification take cybersecurity seriously. Most importantly, the certification provides a high level of trust and reliability, as it is delivered by a third-party, independent auditor. While it is a standard set by the United Kingdom Government, Cyber Essentials Plus is relevant and applicable in other countries too.
What security measures and practices do we have in place?
There are five themes that Cyber Essentials Plus accreditation covers, and under each of which are several standards. At a high level, these themes are:
- Using firewalls to secure the internet connection.
- Choosing the most secure device and software settings.
- Controlling access to data and services.
- Protecting from viruses and malware.
- Keeping devices and software up to date.
The five themes mentioned above are the ‘checks and balances’ that we use across our business. If you want to dive deeper into these themes to see what’s involved, learn more about Cyber Essentials here.
What does this mean for you?
Whether you’re simply considering or are putting together a business case for an automated AML solution, SaaS delivery and product security will be a key part of your evaluation. With this in mind, think about how you might use the information above in your assessment and communications with stakeholders.
If you’re considering Jade ThirdEye to streamline your AML programme, you can be assured that we take all forms of security seriously. Ultimately, your business and customer data will be in safe hands.