SECURITY AND DATA PROTECTION
AimBetter is committed to the security of our own and our customers’ data and the safety of the whole environment. As part of this commitment, we use a variety of leading-edge security technologies and procedures to help protect your information from unauthorized access, use, or disclosure.
Remember: AimBetter acts strictly as an observer. It cannot change anything!
These are the primary features on which AimBetter has focused in both the development and the implementation of the product and services:
- AimBetter’s role is to observe activity on designated servers. It cannot update data or interfere with normal operations in any way.
- The agent when installed has restricted functionality by design and authority, allowing only observation of executing procedures and metrics. It cannot change anything.
- Data movement happens in encrypted format out to the AimBetter data center via secure ports using standard high-security protocols.
- AimBetter Data Center operates on Tier-3 standard, equivalent to banking and insurance. Data is fully secured both physically and logically.
- User access to the results of the AimBetter monitoring process is restricted to users with credentials, and can further be limited to specific IP addresses.
WHAT WE DELIVER
We promise to provide full coverage of the following areas:
- Application Security
- Infrastructure & Network Security
- GDPR Compliance
- Data Privacy
- Access Security
Our employees are required to attend security awareness training and are informed of their security responsibilities.
AimBetter’s services provide our customers with information about the performance of their applications and systems. This is accomplished using our specialized on-site agent, which collects data, consolidates it, and transmits it over secure channels to our proprietary servers.
The flow of data and activity is illustrated in the graphic. Data can only flow in one direction – there is no possibility of feedback into or interference with the customer’s domain.
- The agent is installed on one of the customer’s servers to monitor servers in a local data center, cloud, or hybrid environment.
- Our agent collects and transmits monitored data to our remote servers via secure SSL-encrypted channels.
- AimBetter servers aggregate and analyze the server performance information and data in our secure data center.
- The resulting server performance reporting is made available via AimBetter’s password-protected website.
AimBetter only monitors performance for the applications and/or servers of the custom database environment specified during the installation of the AimBetter agent. Generally, the monitor collects metadata that includes aggregate time measurements for server resource utilization statistics, the server error log, SQL Server resources, SQL Server query statistics and SQL errors.
AimBetter agent processes:
- Database query activity.
- Database utilization metadata (database size, SQL response time, number of requests, etc.)
- Database errors (query error code, query timeout expired, duplicate key, etc.)
- Server utilization metadata (CPU usage, memory, disk, network utilization, etc.)
- Server event log.
We offer an optional separate function that can collect and report on connection performance to non-database-related hardware and services (disks, drives, folders, websites, etc.)
AimBetter is committed to protecting the privacy of our customers. The application data we process as part of our provision of services is only used to display application performance information back to the customer’s AimBetter account users, or to our Expert Support team to facilitate their support activities.
We undertake never to provide data to third parties without the explicit approval of the customer.
AimBetter only collects metrics relevant to server activity (for example, creation/reading/update of data), which is passed up through the firewall for analysis.
DATA CENTER SECURITY
AimBetter is hosted at our Tier3+ certified data center. Physical access to this location is restricted to people with authenticated credentials and all access/egress is reported.
The center is equipped with fully redundant power backup systems, fire suppression systems, security guards, and biometric authentication systems.
USER ACCESS MANAGEMENT
Users access the results of AimBetter’s services through their unique username (usually email address) and password. These passwords must meet a high level of complexity (for example – a minimum of eight characters with mixed cases and special characters). Customers are responsible for managing their accounts, including provisioning and de-provisioning their own users. User passwords are stored by us in an advanced, industry-standard encrypted hash format.
AimBetter adds the following mechanisms to protect against access violation:
- Multiple login failures will block the user and enforce re-authentication.
- Customers can opt to specify a range of valid IP addresses from which access is permitted.
ADDITIONAL SECURITY FEATURES
AimBetter has certain technical features built into its design to offer its customers additional security options:
- All data in transit is encrypted. SSL encryption is enabled by default for data being sent to AimBetter.
- The agent does not create any vulnerabilities in customers’ firewalls. Communication from the AimBetter agents to the AimBetter API is outbound on port 443 by default and can be configured to use a proxy server.
- Agents do not allow inbound connections.
- We cannot auto-update software installed on your servers. All updates must be manually installed by your administrators.
- Our data center is protected by a firewall, VPN gateway, and intrusion detection systems.
- All of our system databases are locally encrypted and cannot be accessed except via username/password access.
- Data retention persists only during the period of service. Upon termination of AimBetter services, all data will be removed from AimBetter systems (including backups) within 90 days.
UNIQUE AIMBETTER SECURITY FEATURES
As illustrated in the graphic, there are three primary areas in which the AimBetter product operates. We have introduced specific and unique procedures and technologies inside these, as well as in the movement of data. Combined, these produce an impenetrable shield around the whole operation, guaranteeing the integrity and privacy of your data and the safety of your own IT process.
Customer domain – AimBetter agent
The installation of the agent requires the creation of a specific user inside the customer’s own domain. This user has strictly limited access: it cannot query, change, drop, or create any table or object data on monitored servers.
The AimBetter user itself needs access only to its program folder and specific permission on the single-host server. The script that creates this user grants specifically restrictive rights (VIEW) on the database and the server. In addition, the roles allocated are reader-only. This user cannot make any changes to data or infrastructure. The script that provides registration can be viewed here.
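One way to check the restricted-rights description above on your own SQL Server instance, as an added example (it is not AimBetter's registration script): the T-SQL below lists every server-level and database-level permission and role held by the monitoring login and marks anything beyond VIEW-type or CONNECT rights for review. The login name `aimbetter_monitor` is a placeholder, and the verdict labels are an assumed reading of the page's "VIEW" and "reader-only" wording.

```sql
-- Added example: audit what the monitoring login can actually do.
-- Assumption: N'aimbetter_monitor' is a placeholder; substitute the login
-- your installation created. Run parts 3-4 in each monitored database.
DECLARE @login sysname = N'aimbetter_monitor';

-- 1. Server-level permissions held directly by the login.
SELECT pe.state_desc, pe.permission_name, pe.class_desc,
       CASE WHEN pe.state_desc = N'DENY' THEN 'restriction'
            WHEN pe.permission_name LIKE N'VIEW %'
              OR pe.permission_name LIKE N'CONNECT%' THEN 'expected'
            ELSE 'REVIEW' END AS verdict
FROM sys.server_principals AS pr
JOIN sys.server_permissions AS pe
  ON pe.grantee_principal_id = pr.principal_id
WHERE pr.name = @login;

-- 2. Server roles the login belongs to. Any row needs review:
--    sysadmin membership would override every restriction listed above.
SELECT r.name AS server_role, 'REVIEW' AS verdict
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = m.member_principal_id
WHERE p.name = @login;

-- 3. Permissions of the mapped user in the current database.
SELECT pe.state_desc, pe.permission_name, pe.class_desc,
       CASE WHEN pe.class = 1 THEN OBJECT_NAME(pe.major_id) END AS object_name,
       CASE WHEN pe.state_desc = N'DENY' THEN 'restriction'
            WHEN pe.permission_name LIKE N'VIEW %'
              OR pe.permission_name = N'CONNECT' THEN 'expected'
            WHEN pe.permission_name = N'SELECT' THEN 'read access'
            ELSE 'REVIEW' END AS verdict
FROM sys.database_principals AS du
JOIN sys.database_permissions AS pe
  ON pe.grantee_principal_id = du.principal_id
WHERE du.sid = SUSER_SID(@login);

-- 4. Database roles of the mapped user; only a reader role matches the page.
SELECT r.name AS database_role,
       CASE WHEN r.name = N'db_datareader' THEN 'read-only role'
            ELSE 'REVIEW' END AS verdict
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
WHERE u.sid = SUSER_SID(@login);
```

Rows marked REVIEW are not necessarily wrong, but each one is a right the page's description does not account for and should be traced back to the script or grant that created it.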
Movement of data
The AimBetter monitor pushes information out in a one-way stream from the agent. As a further level of security, there is the option to block inward requests. All data is compressed and encrypted, then transmitted via SSL-secured ports through our firewall into our secured data center.
By lifting the monitoring results into our own cloud, AimBetter provides another level of security. Third-party service providers such as programmers and consultants can also access the information without having to be given access to the customer’s domain.
- We guarantee the complete security of your data onsite, in transit, and via user access.
- AimBetter guarantees the integrity of your site. There is no channel for data or programs to be uploaded into your location from our service.
- The flow of data is strictly one-way – outward from your domain.
- Our operations are completely limited to observation inside the customer’s own domain; we cannot make any changes whatsoever to either data or software.
- We use leading-edge data encryption technology in all traffic movement between your site and our center.
- Our own data center is protected physically and logically to prevent access except by authenticated users. Security on-site is at the same level as banking and insurance data centers.
- Access to our service is restricted to authenticated users, with measures to detect and prevent attempted hacking.