Insights

Security of Rosslyn in the cloud

Bright coloured words, icons and a white company logo on purple background

Rosslyn’s procurement analytics platform is fully cloud-based. That’s great news for anyone who understands the versatility, flexibility, power, and ease of use of cloud systems.

While IT professionals accept the many advantages of cloud systems, they also recognize they come with their own security and robustness risks.

Anticipating this, Rosslyn has protected and reinforced its platform with the latest and most reliable security and safety features.

  1. MS Azure Partners

We leverage the full suite of MS Azure’s security standards, hosting our award-winning Rosslyn platform on Microsoft Azure – one of the most robust, secure and reliable IT infrastructures on the planet.

We have Azure subscriptions in the UK, EU and USA. Data is never transferred outside your chosen jurisdiction.

  1. Encryption

We use the latest state-of-the-art encryption techniques to keep your data secure. All access to Rosslyn is via SSL (TLS) so all data is encrypted in transit. Authentication and authorization use the latest EC cryptographic ciphers, based on Rosslyn’s own CA (X.509) and PGP PKI.

All our systems and data are hosted in the fully ISO27002 and SAS70 certified Microsoft Azure Tier-III Data Centers (Europe and USA), in Azure SQL databases, encrypted at rest by default.

Our database architecture uses a hierarchy of encryption levels that ringfence the Transparent Data Encryption certificate. Our TDE asymmetric key encrypts the database encryption key, which in turn encrypts the database data, log files, and any backups. All databases are encrypted with AES 256 encryption.

  1. Role-Based Access Control

For added security, interaction is based on Role-Based Access Control (RBAC). The Rosslyn RBAC administration database manages access and permissions at role and group level. User hierarchies are configured at multiple security levels to replicate the needs and permissions of business and technical users. And the system can restrict access on a jurisdiction basis at user and group

level (i.e., only US persons can access US data, etc.).

Access to all Rosslyn systems is controlled on a ‘need to know’ basis, with restrictions based on role and business need. Access to the most sensitive user accounts, such as super-user and admin accounts, is restricted to only Rosslyn-authorized users, and closely monitored. No admin account is treated as a normal user account, and the least privilege principle applies, with users only given access privileges commensurate with their responsibilities.

Rosslyn also supports single sign-on (SSO) mechanisms – SAML2, OpenID Connect, JWT (JSON WebTokens), etc. – and can use Microsoft Active Directory as Identity Provider, via SAML2 or OpenID Connect, to allow users to login using Active Directory credentials.

  1. Certification

We are ISO 27001 and ISO 9001 certified, audited twice a year, and we undertake comprehensive annual penetration testing, as well as daily vulnerability scans.

  1. Agile Development

We’ve made sure the Rosslyn Platform stays up to date all the way through its development via an agile development program. We’re committed to frequent iterations, bringing new innovations to market online via monthly release cycles, so the security features remain fully up to date. And we’re always ready to discuss your security concerns with you.

Some of the world’s largest multinational corporations have stayed with Rosslyn for years because they trust us so much. We aim to keep that reputation with continuing reliability and safety to match – plus all the advantages of access to the cloud.