Why Trust Forensic Notes?



Forensic Notes is employing all best practices in securing their application and the data that exists within it.

- Mike Parsons - Security Evangelist and Mentor


I’m worried about storing my information on-line.  Why should I trust the ‘cloud’?

We understand this concern! In fact, there is so much misinformation about the ‘cloud’ in the media, TV and movies that we don’t blame you for being uncertain.

The reality is, however, that modern cloud storage solutions are often more secure and more reliable than what can be provided by your in-house IT department.   

Let us convince you!

First, let us look at some facts:

  • The ‘cloud’ is not some mysterious place where your information is stored in some unknown location in the world. When you use a proven cloud solution, your data is stored in highly secured datacenters on the most advanced servers in the world at known physical locations.
  • Forensic Notes uses Microsoft Azure, a world leader in cloud solutions.
  • Microsoft is investing a billion ($1,000,000,000) dollars each year to safeguard its Azure infrastructure by continuing to invest in cyber security research and development.
  • Microsoft physically secures each datacenter to the highest standards (see video)
  • Highly paid experts manage Microsoft Azure while having direct communication with the engineers and architects who developed the software running your critical applications.
  • Microsoft Azure has obtained the most comprehensive compliance coverage of any cloud provider. Certifications include ISO, FedRAMP, HIPAA, etc. (see all certifications)

Can your IT department:

  • Employ the top experts in the field, including experts in cyber security?
  • Constantly upgrade and enhance the physical hardware of your network?
  • Have direct communication with Microsoft to troubleshoot and quickly respond to potential security issues?
  • Invest heavily in cyber security research and development?
  • Use state of the art intrusion detection systems?
  • Work with other Fortune 500 and Government agencies around the world?
  • Listen to your needs as an end-user?

Chances are, your IT department just can’t do all of the above.  Forensic Notes hosted on Microsoft Azure is your answer!

Why did Forensic Notes choose Microsoft Azure as their cloud solution?

We worked hard to find the most secure cloud solution, and BizTech Magazine appears to agree with our choice!  Read their article Why Enterprises That Value Security Trust Microsoft Azure.

As a client of Forensic Notes, your organization can benefit from Azure’s world-class cyber security expertise and leverage the benefits of Microsoft’s annual billion-dollar investment in technology and cyber security.

With this kind of support and proactive cyber security protection from Microsoft, you can have peace of mind that you are using the highest industry standards for cyber security.

My organization requires that all data is stored in the United Kingdom (Canada / United States), what options do you have?

Forensic Notes currently hosts data in Azure datacenters located in the USA, but Professional clients who upgrade to Professional+ can choose to host within the United States of America, Canada or the United Kingdom. 

You’ll have complete control over where your data resides, and we can work with your IT department or Chief Security Officer (CSO) to determine the best solution for your organization’s security needs.

For more information, see the Professional+ section.

I think Forensic Notes would be more secure if it is hosted internally (in-house / on-site) within our network.   Do you offer a Self-Hosted or Enterprise option for your application?

In some circumstances, organizations will choose this route depending on their needs and existing investment in their own security solution.

We can offer a variety of Enterprise options to meet your needs.  Click here to view Enterprise solutions available.  Please contact us if you have any questions.

I need more detail about what makes the ‘cloud’ a more secure option than in-house?

Once again, this does depend on your organization’s setup and current investment in security hardware and knowledge.

Forensic Notes utilizes several key Microsoft Azure Services that offer additional security not found in most IT environments, including:

  • Azure Key Vault
    Hardware Security Module (HSM) which protects the private keys used to decrypt your sensitive data.
  • Multi-Factor Authentication (MFA)
    All logins MUST utilize MFA to ensure compromised passwords do not result in compromised data.
  • Data Encryption in transit and at rest
    Data is encrypted using a unique encryption key for each note, which can only be decrypted through Azure Key Vault, which logs every decryption. All data stored within SQL Server is also encrypted at rest using Transparent Data Encryption (TDE).

Click here to view detailed information on our security features.

I do not trust the application if anyone can access the login page. What other options exist?

Professional clients can choose to upgrade to Professional+ which restricts access by IP address and allows you to choose the location of the server. For more information, see the Professional+ section.

Professional+

Professional+ is an upgrade offered to Professional clients (10+ users) that require enhanced security features, the ability to select the data storage location, and premium support.

Professional+ offers:

  • Only Professional+ clients are hosted on the server
  • Application access restricted by IP address
  • Ability to choose the location of your server and stored data (Canada, United States, United Kingdom)
  • Each account is set up with a unique encryption key (Key Encryption Key – KEK) stored within Azure Key Vault. This allows you full access to all logs generated.
  • Premium Support (24/7/365)
  • Unique login page with non-descriptive URL and login page details

SPECIAL NOTE:

Professional+ is designed for Law Enforcement, Government Agencies and Professional Digital Forensic Labs that require enhanced security. As a result, application access is granted to authorized IPs only. This means that you will not be able to access the application from public internet connections unless you are going through an internal network via VPN.

UPGRADE NOTE:

By default, all accounts are set up within the United States. If you would like to upgrade to Professional+, please be aware that we will not be able to transfer your already existing account to a different region. A new account will need to be set up.

If you are unsure if Forensic Notes is right for your organization, please use the regular signup process and test with non-production data. Once you are confident that Forensic Notes is right for you, we will set up your account in the country of your choice once payment has been received.

For Professional+ pricing, please refer to our Pricing page.

I’m worried that my login credentials will be compromised. What are you doing to secure my password?

You are not alone with this concern.  Sites have been compromised in the past, resulting in billions of passwords being stolen.

This is why Forensic Notes does NOT store any passwords.

All account creation, logins and Multi-Factor Authentication are handled by the Azure Active Directory B2C service, which can handle billions of authentications daily. As a result, we are only able to initiate a password reset and have no ability to view or retrieve your password.

Azure B2C is trusted by organizations and government agencies around the globe, including the State of Indiana, which utilizes Azure and B2C to manage numerous applications for its 6 million citizens.

IMPORTANT NOTE:

As a result of using Azure B2C, you will notice that upon signup or login, your browser address bar will redirect to 

https://login.microsoftonline.com/forensicnotes.onmicrosoft.com/....

NOTE: Forensic Notes uses Azure B2C login, so the URL will show Microsoft.

This is normal and upon successful login, you will be redirected to the Forensic Notes application.

I work for a government agency so “the cloud” is not an option. What options do I have?

One of the main reasons Forensic Notes was created was to provide a solution to Law Enforcement agencies to move away from paper notebooks towards electronic documentation.

The State of Indiana is now utilizing Azure to host multiple applications to service approximately 6 million citizens within the state.

The State of Indiana is not alone in trusting Azure. Other governments, healthcare, insurance and technology agencies like Somerset County Council (UK), Medisys (Canada), Geico (USA) and Citrix (Worldwide) also trust Azure with their sensitive data.

View 880+ case studies detailing how organizations in Banking, Education, Government and Healthcare are using Microsoft Azure.

The reality is that government agencies are trusting Azure Cloud solutions to host some of their most sensitive information as Azure now offers a Government only cloud hosting which is currently available in both the United States and Canada.

In fact, Azure Government is Level 5 DoD approved.


If you are a Government agency and require an Enterprise solution that uses Azure Government, contact us to find out what options exist.

I see that you allow Social Logins, doesn’t that make your application less secure?

As a user, access to your application may be considered less secure if you decide to use Social Login.  But the reason why is not so obvious.

Multi-Factor Authentication (MFA) greatly enhances the security of any account but like anything security related, you must take the proper precautions to secure not only your credentials, but more importantly your MFA device.

Many people will leave their Gmail, Facebook or LinkedIn accounts logged in on their computer or phone. If a person obtains your cellphone, then they will also have access to your Multi-Factor Authentication (MFA) device. This would allow them to click on the login, select your appropriate social account and then utilize your phone to provide access via MFA.

Therefore, the security of your account is dependent on proper security of your MFA device (usually your cellphone).

Why do you allow Social Logins?

Many users want the convenience that Social Logins provide. By using a Social Login, you do not need to re-enter a password each time you login. This is why many organizations offer Single Sign-On (SSO) services.

Some experts believe that SSO can enhance account security because when users are forced to provide a unique password for every account they manage, human nature says the result will be less than satisfactory.

A Social Login does not inherently make your account less secure; the main security issue is the potential loss of an unsecured cellphone that is used as your MFA device.

If you are concerned about the use of social login, you can create a local account. 

In addition, the security of ANY account can be further strengthened if you follow all of the recommendations below:

  • Create a unique email address that will be used to create your account. Ensure that the password is unique and complex.
  • Do Not write down your password except within a secured password manager application.
  • Do Not use this email or password for any other services.
  • Do Not auto-save the login credentials for this account on any devices including your cellphone.
  • Do Not access your sensitive accounts from public or unknown Wi-Fi access points.
  • Encrypt your MFA device (cellphone) and use a strong password to lock your phone at all times when not in use.
  • Ensure your MFA device is set to NOT allow answering of calls or viewing of text messages without being unlocked.
  • Do Not use Social Login. Social Logins bypass the need to enter a password each time on trusted devices.

What happens if Forensic Notes is taken offline due to a programming bug, DDoS or local internet blackout?

This is the reality of any application, be it online or offline. From a network perspective, Microsoft Azure protects client websites with a “distributed denial-of-service (DDoS) defense system that is part of the Azure continuous monitoring and penetration-testing process. The Azure DDoS defense system is designed not only to withstand attacks from the outside, but also from other Azure tenants”.

To handle application-specific attacks, Forensic Notes utilizes various programmatic detection techniques and dynamic IP blocking.

Professional+ and Enterprise clients are further protected by using unique non-descriptive URLs and blocking of any unknown IP addresses.
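The two application-level controls named in this answer, blocking unknown addresses outright and dynamically blocking addresses that misbehave, as an added Go example that is not Forensic Notes’ code. Every identifier here (`LoginGuard`, `Check`, `RecordFailure`, `Replay`) is hypothetical, the thresholds are chosen for illustration, and `SampleAttempts` is a constructed login log; the page does not say how Forensic Notes’ own detection works.

```go
package main

import (
	"fmt"
	"net"
	"time"
)

// Outcomes of the pre-authentication check. Proceed only means the request
// may go on to the password/MFA step; it is not a successful login.
const (
	Proceed       = "proceed"
	DenyAllowlist = "deny: address outside allowlist"
	DenyBlocked   = "deny: address temporarily blocked"
)

// LoginGuard (hypothetical) combines a static allowlist of client networks
// with dynamic blocking of any address that accumulates too many failed
// logins inside a sliding window.
type LoginGuard struct {
	allow        []*net.IPNet
	maxFail      int
	window       time.Duration
	blockFor     time.Duration
	failures     map[string][]time.Time
	blockedUntil map[string]time.Time
}

func NewLoginGuard(cidrs []string, maxFail int, window, blockFor time.Duration) (*LoginGuard, error) {
	g := &LoginGuard{maxFail: maxFail, window: window, blockFor: blockFor,
		failures: map[string][]time.Time{}, blockedUntil: map[string]time.Time{}}
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, err
		}
		g.allow = append(g.allow, n)
	}
	return g, nil
}

// Check runs before any credential is examined, so a blocked or
// non-allowlisted address never reaches the password step at all.
func (g *LoginGuard) Check(ipStr string, now time.Time) string {
	ip := net.ParseIP(ipStr)
	if ip == nil {
		return DenyAllowlist
	}
	inRange := len(g.allow) == 0 // an empty allowlist means "any address"
	for _, n := range g.allow {
		if n.Contains(ip) {
			inRange = true
			break
		}
	}
	if !inRange {
		return DenyAllowlist
	}
	if until, ok := g.blockedUntil[ipStr]; ok && now.Before(until) {
		return DenyBlocked
	}
	return Proceed
}

// RecordFailure is called after a wrong password. Failures older than the
// window are dropped; reaching maxFail inside the window blocks the address
// for blockFor. Returns true when this failure triggered a block.
func (g *LoginGuard) RecordFailure(ipStr string, now time.Time) bool {
	var recent []time.Time
	for _, t := range g.failures[ipStr] {
		if now.Sub(t) < g.window {
			recent = append(recent, t)
		}
	}
	recent = append(recent, now)
	if len(recent) >= g.maxFail {
		g.blockedUntil[ipStr] = now.Add(g.blockFor)
		delete(g.failures, ipStr)
		return true
	}
	g.failures[ipStr] = recent
	return false
}

// Attempt is one entry of a (constructed) login log.
type Attempt struct {
	At         time.Time
	IP         string
	PasswordOK bool
}

// Replay feeds attempts through the guard in order and returns the decision
// made for each one, which is what a detection rule is asserted against.
func Replay(g *LoginGuard, attempts []Attempt) []string {
	decisions := make([]string, 0, len(attempts))
	for _, a := range attempts {
		d := g.Check(a.IP, a.At)
		if d == Proceed && !a.PasswordOK {
			g.RecordFailure(a.IP, a.At)
		}
		decisions = append(decisions, d)
	}
	return decisions
}

// SampleAttempts is constructed: one outside address, a burst of bad
// passwords from an allowed one, then a retry after the block has expired.
func SampleAttempts() []Attempt {
	t0 := time.Date(2024, 1, 2, 9, 0, 0, 0, time.UTC)
	return []Attempt{
		{t0, "203.0.113.5", true},
		{t0.Add(1 * time.Second), "10.1.2.3", false},
		{t0.Add(2 * time.Second), "10.1.2.3", false},
		{t0.Add(3 * time.Second), "10.1.2.3", false},
		{t0.Add(4 * time.Second), "10.1.2.3", true},
		{t0.Add(11 * time.Minute), "10.1.2.3", true},
	}
}

func main() {
	g, err := NewLoginGuard([]string{"10.0.0.0/8"}, 3, time.Minute, 10*time.Minute)
	if err != nil {
		panic(err)
	}
	for i, d := range Replay(g, SampleAttempts()) {
		fmt.Printf("attempt %d from %s: %s\n", i+1, SampleAttempts()[i].IP, d)
	}
}
```

The order matters: the allowlist and block checks run before the password is examined, so a blocked address costs the application no credential lookup, and a correct password presented during the block window (attempt 5) is still refused until the window expires.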

If you ever encounter a problem when using Forensic Notes, please contact support@forensicnotes.com

What happens if a ‘hacker’ logs into the database and accesses all the information?

As discussed within the Security & Encryption page, every individual note and associated attachment is encrypted using a unique 256-bit symmetric key (Content Encryption Key – CEK).

This CEK is then encrypted using the public key of a 2048-bit asymmetric encryption key (Key Encryption Key – KEK).

The private key of the KEK, which is needed to decrypt all data, is stored in and only accessible within the Azure Key Vault HSM.

As a result, even if a ‘hacker’ gained access to an individual service, they would not be able to decrypt the information, because the services work in tandem to provide the overall security of the application.

Each service is locked down to only operate with other specified services.
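The envelope-encryption scheme described in this answer and in the Azure Key Vault bullet earlier on the page (a unique 256-bit CEK per note, wrapped under a 2048-bit KEK whose private half only the vault can use, with every decryption logged), as an added Go example that is not Forensic Notes’ code. The `KeyVault` type is a hypothetical stand-in for the HSM and not Azure Key Vault’s API, all function names are assumptions, and the note text is constructed. Opening a note with any other KEK fails at the OAEP unwrap, which is the property the answer relies on.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// SealedNote is what a database row holds for one note: the AES-GCM
// ciphertext plus that note's CEK wrapped under the public KEK.
type SealedNote struct {
	Nonce, Ciphertext, WrappedCEK []byte
}

// KeyVault is a hypothetical stand-in for the HSM-backed key store: the
// private KEK never leaves it and every unwrap request is logged.
type KeyVault struct {
	kek *rsa.PrivateKey
	Log []string
}

func NewKeyVault() (*KeyVault, error) {
	kek, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &KeyVault{kek: kek}, nil
}

// PublicKEK is all the application tier needs in order to seal a note.
func (v *KeyVault) PublicKEK() *rsa.PublicKey { return &v.kek.PublicKey }

// Unwrap recovers a CEK and records the attempt; a blob wrapped under a
// different KEK (or tampered with) fails OAEP decoding instead of yielding a key.
func (v *KeyVault) Unwrap(caller string, wrapped []byte) ([]byte, error) {
	cek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, v.kek, wrapped, nil)
	status := "ok"
	if err != nil {
		status = "denied"
	}
	v.Log = append(v.Log, fmt.Sprintf("unwrap #%d caller=%s status=%s", len(v.Log)+1, caller, status))
	return cek, err
}

func newGCM(cek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(cek) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealNote draws a fresh 256-bit CEK for this one note, encrypts the
// plaintext with AES-256-GCM and wraps the CEK with RSA-OAEP under the KEK.
func SealNote(pub *rsa.PublicKey, plaintext []byte) (*SealedNote, error) {
	cek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, cek); err != nil {
		return nil, err
	}
	gcm, err := newGCM(cek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, cek, nil)
	if err != nil {
		return nil, err
	}
	return &SealedNote{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil), WrappedCEK: wrapped}, nil
}

// OpenNote is the only path back to plaintext: the vault must unwrap the CEK
// first, so a copy of the database alone cannot be decrypted.
func OpenNote(v *KeyVault, caller string, n *SealedNote) ([]byte, error) {
	cek, err := v.Unwrap(caller, n.WrappedCEK)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(cek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, n.Nonce, n.Ciphertext, nil) // GCM tag check fails on any tampering
}

func main() {
	vault, err := NewKeyVault()
	if err != nil {
		panic(err)
	}
	// Constructed sample note text; the real input is the user's note.
	sealed, err := SealNote(vault.PublicKEK(), []byte("evidence bag #12 sealed at 14:05"))
	if err != nil {
		panic(err)
	}
	plain, err := OpenNote(vault, "notes-api", sealed)
	fmt.Printf("recovered=%q err=%v\nvault log: %v\n", plain, err, vault.Log)
}
```

Two details carry the security argument: sealing the same text twice yields a different CEK and ciphertext each time, so one broken key exposes one note, and the vault log records denied unwraps as well as successful ones, which is the signal a defender would alert on.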

What about if the ‘hacker’ is able to download the database and brute-forces each individual record?

According to Wikipedia:

breaking a symmetric 256-bit key by brute force requires 2^128 times more computational power than a 128-bit key.  Fifty supercomputers that could check a billion (10^18) AES keys per second (if such a device could ever be made) would, in theory, require about 3×10^51 years to exhaust the 256-bit key space.

Each note you create and store is individually secured with a unique 256-bit key!

Moving away from technology to business practices…

What happens if my accountant/accounting department, etc. forgets to pay the monthly (or yearly) subscription?

We are committed to maintaining and securing your important data.  We send out reminders about payment for overdue accounts.   

For significantly overdue accounts we may disable your ability to add new notes, but we would never hold notes or files hostage for payment nor delete your data without providing you with a reasonable opportunity to bring your account up-to-date.

What happens if your company folds and shuts down the service?

Any company could theoretically go out of business.   We are committed to our customers and would never leave our valued clients without options or without providing significant notice of a pending shutdown.

We would do everything in our power to keep the site accessible to download existing files and records.

For Enterprise and Professional+ accounts, we would provide all source-code and instructions for properly deploying the application within your own Azure hosting environment.

For those organizations that require legal agreements, we would be happy to set up a software escrow for an additional fee.

Click here to find out more about Software Escrows.

Is there 24/7/365 Support available?

Yes, we recognize that Forensic Notes will be a critical software solution within your organization. As a result, Premium Support is standard when you upgrade to Professional+.

All Professional and Enterprise accounts have standard Priority Email Support during the hours of 8am to 6pm PST.

Who runs Forensic Notes?

Forensic Notes was founded by a group of guys living in Canada.

And who doesn’t trust Canadians?  

These guys have a lot of experience involving technology and legal matters, both criminal and civil.

And no, it's not because they've been arrested or sued a lot.

If you want to know more, please check out our bios.