Every aspect of our service is built with security at the heart of all our business and technical decision-making processes.
How do we handle security at NT-ware?
We have implemented industry-leading security and vulnerability assessment tools to maintain a strong security position.
All our infrastructure is regularly scanned by industry leading vulnerability assessment tools. Every endpoint in our company is protected by enterprise-grade antivirus and malware detection. We have invested heavily into the Microsoft Security Suite to protect our email and file level security handling and proudly support and enforce the safe handling and distribution of email through Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) security. All our mail infrastructure is protected and filtered through Microsoft Exchange Online Security features, Phish, SPAM and Malware detection. End users are also protected using Microsoft Safe Links, attachment sandboxing and desktop virus integrations on-demand detection.
Next to our security infrastructure, identity protection for our staff is vital. Multi-factor Authentication (MFA) is mandatory on all cloud accounts, integrated Azure accounts and any 3rd party services we utilize. High-value assets and service accounts can be further protected using Conditional Access. All workstations are automatically locked when the station has been inactive for five minutes.
In addition, we actively participate in security readiness programs and training, helping our staff stay informed and alert. These include but are not limited to Cyber Security Assessment, Cofense Phishing Campaigns and access to external security training programs.
NT-ware and uniFLOW Online within the Microsoft® Azure infrastructure
uniFLOW Online is delivered as a pure Software-as-a-Service (SaaS) which we have built natively on the Microsoft Azure Web Service platform.
The NT-ware Operations and Development access to the Microsoft Azure tenants is secured through Azure Active Directory Identity Protection which also incorporates the following security standards:
The above list is not exhaustive and we repeatedly review and improve our security standing.
uniFLOW Online security white paper
The uniFLOW Online security white paper provides an overview of the system security used within uniFLOW Online. It covers the following security information:
Want to know more? Check it out uniFLOW Online security white paper.
Security is a layered approach within NT-ware. We work with enterprise-level products and services to protect both ourselves and your data.
Our policies have been built by capturing best practices from industry certification standards, including ISO 27001, and by aligning our measures with all relevant controls and sub controls for Group 2 of the Top 18 CIS Controls® (Center for Internet Security). This initiative forms much of our security planning and future strategy. We perform internal reviews of this program every six months and are also externally reviewed by the Canon Europe Security and Forensics team.
We have built a strong set of security guidelines which govern both the end user and IT operations within NT-ware. Hardware disposal, remote access, network segmentation and BYOD are only some examples of the complete set. These are openly communicated within the company and form part of our onboarding program for new starters. All security policies are reviewed at least annually and any changes are communicated to all concerned.
Security standards as part of our development
Security and risk management is initiated during the product planning phase which involves all key stakeholders (dedicated Product Planning, Development, Security and Quality Assurance teams).
All members of the NT-ware Development team follow best coding practices to prevent security leaks and vulnerabilities from the start. We use multiple sources as input to guarantee secure development, such as Common Weakness Enumeration (CWE), OWASP Top 10 Most Critical Web Application Security Risks, National Cyber Security Centre (NCSC) and others. This way, we stay up to date on the latest security findings or threats related to technology in our software products.
The utilization of the following industry security suites is also part of our development and quality assurance processes:
NT-ware development for uniFLOW and uniFLOW Online is in-house; there is no contractor or external developer involvement. Other software components such as Canon-embedded device software is developed in close cooperation with Canon INC development. Non-Canon-embedded device development is conducted by an external development company. Development and company security practices are reviewed by NT-ware to align with our best practice and methodologies.
All code changes and ‘check ins’ are performed through an open peer review process limiting the chances of any one individual injecting malicious code into our development pipeline.
The importance of preforming Penetration Testing is recognized and actively performed with every feature release of uniFLOW Online and uniFLOW Server. For such testing we work in conjunction with Canon Europe Security so the testing is carried out by an accredited industry PEN testing and security organization.
Every report is reviewed directly by the Chief Information Security Officer (CISO) and Development Director. In addition, matter specialists are consulted where needed. We review the threat for exploitability or attack vector among our key indicators to determine the priority and schedule accordingly.
All security incidents or findings discovered during testing will be ticketed in accordance with our Security Incident Management process. NT-ware regularly reviews the ticket priority and general security matters among key department heads.
For more information on our Security Incident Management, click here: Security Incident Management.
Customer Penetration Testing (PEN)
NT-ware fully supports customers performing PEN testing activities. We welcome the testing as this provides valuable feedback from our customers and helps to further improve the overall security position of uniFLOW Online. To do this safely, the instructions below must be followed should customers wish to PEN test uniFLOW Online.
If the PEN testing is non-invasive, this can be performed directly against the customer's uniFLOW Online tenant. It is acknowledged such 'tests' happen on the internet every day against online infrastructure. Such testing MUST NOT include any intentional service saturation, denial of service (DOS) tests that impact the system’s performance or stability and would be a direct breach of the Service Agreement signed by all parties.
We request that any relevant findings are shared with NT-ware to review and qualify/ rule out any false positive results.
What if I need to perform possible ‘invasive’ testing?
Please contact Canon or your Canon Business Partner to raise a project request with NT-ware through our Jira Software ticketing system. We will review the request and at the discretion of NT-ware provide a suitable ‘test' tenant of uniFLOW Online that will not impact the service we provide to other customers.
Infrastructure and hardware security
The physical security of our infrastructure and hardware is a crucial point to recognize. All uniFLOW Online hardware is hosted within Microsoft Azure data centers. For Microsoft Azure data center hardware disposal protocols, please check the Microsoft hardware disposal procedures.
NT-ware’s corporate IT infrastructure is hosted globally in Germany, Singapore and the US office. We follow strict security access and hardware disposal processes in all locations.