Information Security
Meeco’s Information Security Management System (ISMS) is a framework of policies and controls that systematically manage security and risks across Meeco’s operations and technology. Meeco follows the ISO27001 standard to manage Information Security. ISO27001 is a set of specifications detailing how to create, manage, and implement ISMS policies and procedures.
Meeco’s ISMS is designed to establish holistic information security management capabilities and to embed them in our day-to-day activities. This includes our goal to digitise non-digital assets and services, such as Verifiable Credentials (VCs) and to never store unencrypted customer data.
Our digital ambitions related to SSI and Web3, require us to continuously implement and improve our security policies and controls. An artefact of these continuous efforts is a yearly ISO27001 audit and accreditation.
Meeco’s ISMS Security Controls
ISMS Security Controls span multiple domains of Information Security as specified in the ISO27001 standards.
Control
Description
Information Security Policies
Overall direction and support to help establish appropriate security policies.
Asset Management
This component covers Meeco’s assets such as software codebase, intellectual property and data within and beyond the corporate IT network which may involve the exchange of sensitive business information.
Communications and Operations Management
Daily IT operations such as service provisioning and problem management follow IT security policies and ISMS controls.
Access Control
This policy mainly deals with limiting access to authorised personnel and monitoring network traffic for abnormal behaviour. Access permissions relate to both digital and physical mediums of technology. The roles and responsibilities of individuals are well defined, with access to business information available only when necessary.
Information Security and Incident Management
Meeco identifies and resolves IT issues in ways that minimise the impact to end-users.
Business Continuity Management
Meeco avoids interruptions to business processes whenever possible. Ideally, any disaster situation is followed by recovery procedures to minimise the damage.
Compliance
Meeco’s security requirements are enforced as per regulatory bodies, including ISO27001 and GDPR.
Cryptography
Supplier Relationships
Our third party vendors and business partners may require access to our network and sensitive customer data. Meeco has adopted controls to mitigate potential risks through IT Security Policies and contractual obligations.
Meeco’s Privacy Policy.
For a comprehensive description of our Privacy Policy, please view the policy here.
Vault-specific data security
All personal data at rest is encrypted with symmetric key encryption based upon AES-256-GCM. Additionally, all data is encrypted on a per user basis. If data is exchanged Vault-to-Vault a unique and encrypted shared space is generated. For each encryption space, each user has different symmetric keys.
Symmetric keys are stored into a Keystore and are encrypted with asymmetric key encryption based upon RSA-4096. The private key for this is derived from a passphrase created by the user and entered during Vault creation. In addition to the encryption, the Vault and Keystore are secured through the user’s unique personal log-in and/or device PIN Code.
Meeco support Anti-Correlation of Customer Information by ensuring that every connection between two Vaults has a distinct identity which can prevent correlation even if two Issuer Vaults were to collaborate. SVX ensures that every interaction with a VC (issuance, verification, revocation) can't be related by maintaining pairwise pseudonymity. For example, when Vaults share VC data between connections, we use connection IDs; resulting in Issuers and Verifiers knowing each user by a different ID. Additionally, every attribute has a universally unique identifier (UUID).
For full transparency, Meeco makes this important documentation publicly available and has published additional information about the key encryption library, which is open sourced and available on GitHub at Meeco for review and auditing. This is further supported by documentation at docs.meeco.me.
Additional Security Methods
The following operational security measures further enhance our data security:
1. Security Awareness and Employee Education
All Meeco employees undertake and maintain Security Awareness Training.
2. Encryption
To protect our data, Meeco use data encryption at rest, in transit, and in cloud. We use two types of cryptographic primitives:, which are generated on the device controlled by the end-user.
Data Encryption Keys (DEKs) which:
Are symmetric encryption keys used to encrypt data.
Use the cryptographic algorithm: AES-256-GCM.
Public-key cryptography (asymmetric encryption) which:
Allow users to securely share DEKs (sender encrypts with recipient’s public key).
Identify users in the Vault (used for login).
Use the encryption cipher: RSA-4096.
3. Microsoft Azure Security Tools
Our data security is managed in Azure via:
Encryption: Azure Disk Encryption, Azure storage service encryption, transparent data encryption.
Rights Management: Azure Right Management is a cloud-based service that uses encryption, identity, and authorisation policies to secure files.
Access Control: Azure role-based access control to restrict access to Azure resources based on user roles.
Network: To protect data in transit, we use SSL/TLS when exchanging data across different locations.
Monitoring: Microsoft Defender for Cloud automatically collects, analyses, and integrates log data from Azure resources, the network, and connected partner solutions, such as firewall solutions, to detect real threats and reduce false positives. Log Analytics provides centralised access to logs and helps in the analysis of data to create custom alerts.
Last updated