MemnonTech® operates on your infrastructure, which means it is governed by your existing information security controls: from firewalls and VPNs, to IAM and monitoring systems. This on-premises solution can help you avoid the regulatory compliance issues that arise when you use cloud-based solutions. Below is an overview of the security features built into the appliance, along with information about MemnonTech’s® development practices for application security. User Roles and Access Levels MemnonTech® provides a Linux user administration account and two types of application users. VM Administrator: A Linux user account that provides controlled access to the underlying Linux operating system, including direct file system and database access. It is intended to be granted to a small set of trusted administrators. Access is granted over SSH (Secure Shell). Standard User: An application account that has full access to its own data, but which must be granted access to data owned by other users or organizations. Site Administrators: An application account that has been granted the "staff" role. Staff can manage high-level application and VM settings, all user and organization account settings, and repository data. Organizations and teams provide the granularity necessary to assign permissions or access rights to specific users and groups of users. Organizations and Teams Organizations are a core concept in MemnonTech®. They allow you to create as many logical containers as you need for your business units, and even for your projects. Each organization account functions as the owner of one or more repositories, and the organization owners can add users to the teams they create. Teams can grant scoped access to one or more repositories, allowing you to create more effective segmentation of data ownership and access. Owners: Members of this team have full access to all resources owned by the organization account, and can define teams as necessary to grant access. Teams: A team can be created with one of three access control levels: “Admin” (full access), “Pull” (read only), or “Push and Pull” (read and write). Teams are assigned access to one or more repositories owned by the organization account. Users are then granted access to the team's repositories at the specified access level by being made a team member. Authentication MemnonTech® provides four primary authentication methods. These include: •SSH for both OS level systems administration and protocol access. SSH access is only allowed using public key authentication. •Username / password and HTTP cookies for web application authentication and session management. •Users can optionally enable two-factor authentication (2FA) on their accounts using standard TOTP compatible applications. •External LDAP, SAML, or CAS authentication using your Active Directory •SAML Identity Provider, or other compatible service. OAuth and Personal Access Tokens for API and external service authentication. •Encrypted CommunicationsMemnonTech® is designed to run behind your corporate firewall. To secure communications over the wire, we encourage you to run MemnonTech® over SSL. An administrator can add 2048-bit or higher commercial SSL certificates for HTTPS traffic. Additionally, SSH for virtual machine administration and repository access using our system, is enabled by default on MemnonTech®. Audit and Access Logging Having an accurate record of all user and system activity is a core requirement for many customers. MemnonTech® has detailed audit records, accessible to the site administrators, that capture relevant security information. The system also provides traditional operating system and application access logs. While not an exhaustive list, the following are some examples of the audit and logging information available: Audit logs: User logins, password resets, 2FA requests, email settings changes, and changes to authorized applications and APIs. Site Administrator actions, including unlocking of user accounts and repositories.Repository push events, access grants, transfers, and renames. Organization membership changes, including team creation and destruction. Access logsFull web server access logs for browser-based and API-based access. Full logs for access to repository data over Git, SSH, and HTTPS. Administrative access logs over SSH and HTTPS. Audit logs are permanently stored on the system, and both types of logs can be exported from the system in real-time using the standard syslog protocol. This enables you to integrate this data with remote systems, such as an IDS/IPS, for analysis and notification. VM Security MemnonTech® is built on a customized version of the Ubuntu Server Long Term Support (LTS) Linux operating system. Only necessary services and applications have been installed, and only services necessary for the appliance to function are exposed to the network. Internal system services, like the database, are configured to listen on the local `loopback` address. Application Security MemnonTech’s application security team focuses full-time on vulnerability assessment, penetration testing, and code review for MemnonTech® products. MemnonTech® also contracts with outside security firms to provide point-in-time security assessments of MemnonTech® products on a quarterly basis. Security Patching and Notifications Patching of the core operating system, and running services to address security concerns, is managed by MemnonTech® as part of its standard product release cycle. This includes patches for functionality, stability, and non-critical security issues forMemnonTech® applications. Critical security patches are provided as needed outside of the regular release cycle, to improve time to resolution and also limit changes to the system. Security-only patches are announced on our Enterprise customer portal, and also with email notifications. External Services and Support AccessBy design, MemnonTech® is able to operate without any egress access from your network to outside services. The system administrator can optionally enable the integration of external services including SMTP, Syslog, and Gravatar.