©2022 Memnon Technologies. All Rights Reserved
MemnonTech® operates on your infrastructure, which means it is
governed by your existing information security controls: from firewalls and VPNs, to
IAM and monitoring systems.
This on-premises solution can help you avoid the regulatory compliance issues that arise
when you use cloud-based solutions.
Below is an overview of the security features built into the appliance, along with information
about MemnonTech’s® development practices for application security.
User Roles and Access Levels
MemnonTech® provides a Linux user administration account and
two types of application users.
VM Administrator:
A Linux user account that provides controlled access to the underlying Linux operating system,
including direct file system and database access. It is intended to be granted to a small set of trusted
administrators. Access is granted over SSH (Secure Shell).
Standard User:
An application account that has full access to its own data, but which must be granted
access to data owned by other users or organizations.
Site Administrators:
An application account that has been granted the "staff" role.
Staff can manage high-level application and VM settings, all user and organization account settings,
and repository data.
Organizations and teams provide the granularity necessary to assign
permissions or access rights to specific users and groups of users.
Organizations and Teams
Organizations are a core concept in MemnonTech®. They allow you to create as many logical
containers as you need for your business units, and even for your projects.
Each organization account functions as the owner of one or more repositories, and the organization
owners can add users to the teams they create.
Teams can grant scoped access to one or more repositories, allowing you to create
more effective segmentation of data ownership and access.
Owners:
Members of this team have full access to all resources owned by the organization account, and can
define teams as necessary to grant access.
Teams:
A team can be created with one of three access control levels: “Admin” (full access), “Pull” (read only),
or “Push and Pull” (read and write). Teams are assigned access to one or more repositories
owned by the organization account. Users are then granted access to the team's
repositories at the specified access level by being made a team member.
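The following access review over the organization and team model described above is an added example, not MemnonTech® code. The data layout, names, and the rule that the highest level wins when a user belongs to several teams on the same repository are assumptions; the page does not state how overlapping memberships combine.

```python
# Added example: compute each user's effective access per repository.
# All organization data below is constructed for illustration.
LEVELS = {"Pull": 1, "Push and Pull": 2, "Admin": 3}  # the three team levels

ORG = {
    "owners": {"alice"},
    "repos": {"payments-api", "infra-config", "docs"},
    "teams": [
        {"name": "readers", "level": "Pull",
         "repos": {"docs", "payments-api"}, "members": {"bob", "carol"}},
        {"name": "payments-dev", "level": "Push and Pull",
         "repos": {"payments-api"}, "members": {"carol"}},
        {"name": "infra-admins", "level": "Admin",
         "repos": {"infra-config"}, "members": {"dave"}},
    ],
}

def effective_access(org):
    """Return {repo: {user: level}} for one organization account."""
    access = {repo: {} for repo in org["repos"]}
    for team in org["teams"]:
        level = team["level"]
        if level not in LEVELS:
            raise ValueError(f"unknown access level: {level!r}")
        for repo in team["repos"]:
            if repo not in access:
                raise ValueError(f"{team['name']} references unowned repo {repo!r}")
            for user in team["members"]:
                current = access[repo].get(user)
                # Assumption: the highest level granted by any team wins.
                if current is None or LEVELS[level] > LEVELS[current]:
                    access[repo][user] = level
    # Owners have full access to every resource the organization owns;
    # modelled here as "Admin" on each repository.
    for repo in access:
        for owner in org["owners"]:
            access[repo][owner] = "Admin"
    return access

def writers(org, repo):
    """Users who can modify a repository (Push and Pull, or Admin)."""
    grants = effective_access(org)[repo]
    return sorted(u for u, lvl in grants.items() if LEVELS[lvl] >= 2)

if __name__ == "__main__":
    for repo in sorted(ORG["repos"]):
        print(repo, "writers:", writers(ORG, repo))
```

Running a review like this against exported membership data shows who can write to each repository, including users who pick up write access through a second team.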
Authentication
MemnonTech® provides four primary authentication methods.
These include:
• SSH for both OS level systems administration and protocol access.
SSH access is only allowed using public key authentication.
• Username / password and HTTP cookies for web application authentication and session management.
Users can optionally enable two-factor authentication (2FA) on their accounts using standard
TOTP compatible applications.
• External LDAP, SAML, or CAS authentication using your Active Directory, SAML Identity Provider,
or other compatible service.
• OAuth and Personal Access Tokens for API and external service authentication.
Encrypted Communications
MemnonTech® is designed to run behind your corporate firewall.
To secure communications over the wire, we encourage you to run MemnonTech® over SSL.
An administrator can add 2048-bit or higher commercial SSL certificates for
HTTPS traffic.
Additionally, SSH for virtual machine administration and repository
access using our system is enabled by default on MemnonTech®.
Audit and Access Logging
Having an accurate record of all user and system activity is a core
requirement for many customers. MemnonTech® has detailed audit records,
accessible to the site administrators, that capture relevant security information. The
system also provides traditional operating system and application access logs.
While not an exhaustive list, the following are some examples of the audit and logging
information available:
Audit logs:
User logins, password resets, 2FA requests, email settings changes, and changes to authorized
applications and APIs.
Site Administrator actions, including unlocking of user accounts and repositories.
Repository push events, access grants, transfers, and renames.
Organization membership changes, including team creation and destruction.
Access logs:
Full web server access logs for browser-based and API-based access.
Full logs for access to repository data over Git, SSH, and HTTPS.
Administrative access logs over SSH and HTTPS.
Audit logs are permanently stored on the system, and both types of logs can be exported from
the system in real time using the standard syslog protocol.
This enables you to integrate this data with remote systems, such as an IDS/IPS, for analysis and notification.
VM Security
MemnonTech® is built on a customized version of the Ubuntu Server Long
Term Support (LTS) Linux operating system. Only necessary services and
applications have been installed, and only services necessary for the appliance to
function are exposed to the network. Internal system services, like the database, are
configured to listen on the local `loopback` address.
Application Security
MemnonTech’s application security team focuses full-time on vulnerability
assessment, penetration testing, and code review for MemnonTech® products.
MemnonTech® also contracts with outside security firms to provide point-in-time
security assessments of MemnonTech® products on a quarterly basis.
Security Patching and Notifications
Patching of the core operating system, and running services to address security concerns,
is managed by MemnonTech® as part of its standard product release cycle.
This includes patches for functionality, stability, and non-critical security issues for MemnonTech®
applications.
Critical security patches are provided as needed outside of the regular release cycle, to improve
time to resolution and also limit changes to the system. Security-only patches are
announced on our Enterprise customer portal, and also with email notifications.
External Services and Support Access
By design, MemnonTech® is able
to operate without any egress access from your network to outside services. The
system administrator can optionally enable the integration of external services
including SMTP, Syslog, and Gravatar.
Security Testing Services
Contact Us
We can discuss your requirements. From ethical hacking, network
security, and security development to advanced security testing and custom
software development, we can help you.
In the first instance contact:
info@memnontech.com