We know your data and code are extremely important to you and your business, and we’re very protective of them. After all, BMLL’s data and code are hosted on BMLL, too!
Data centre access limited to data centre technicians and approved staff only. Biometric scanning for controlled data centre access. Security camera monitoring at all data centre locations. 24×7 onsite staff provides additional protection against unauthorised entry. Unmarked facilities to help maintain low profile. Physical security audited by an independent firm.
System installation using hardened, patched OS. Dedicated firewall and VPN services to help block unauthorised system access. Distributed Denial of Service (DDoS) mitigation services powered by industry-leading solutions.
Our primary data centre operations are regularly audited by independent firms against an ISAE 3000/AT 101 Type 2 Examination standard. Systems access logged and tracked for auditing purposes. Secure document-destruction policies for all sensitive information. Fully documented change-management procedures.
We employ a team of server specialists at BMLL, available 24/7/365, to keep our software and its dependencies up to date, eliminating potential security vulnerabilities. We employ a wide range of monitoring solutions for preventing and eliminating attacks on the site.
All private data exchanged with BMLL is always transmitted over SSL (which is why your dashboard is served over HTTPS, for instance). All pushing and pulling of private data is done over SSH authenticated with keys, or over HTTPS using your BMLL username and password.
The SSH login credentials used to push and pull cannot be used to access a shell or the filesystem. All users are virtual (meaning they have no user account on our machines) and are access-controlled through the peer-reviewed, open-source git-shell.
Every piece of hardware we use has an identical copy ready and waiting for an immediate hot-swap in case of hardware or software failure. All data held on the main file system is securely backed up on a near-real-time basis. This replication is subject to the same encryption as the original data. Every line of code we store is saved on a minimum of three different servers, including an off-site backup. We do not retroactively remove repositories from backups when deleted by the user, as we may need to restore the repository for the user if it was removed accidentally.
We do not encrypt repositories on disk because it would not be any more secure: the website and git back-end would need to decrypt the repositories on demand, slowing down response times. Any user with shell access to the file system would have access to the decryption routine, thus negating any security it provides. Therefore, we focus on making our machines and network as secure as possible.
No BMLL employee ever accesses private data stores or instances unless required to do so for support reasons. In order for them to do so, you will need to supply the BMLL employee with the appropriate one-time encryption key. When working a support issue we do our best to respect your privacy as much as possible; we only access the files and settings needed to resolve your issue.
We protect your login from brute force attacks with rate limiting. All passwords are filtered from all our logs and are one-way encrypted in the database using bcrypt. Login information is always sent over SSL. Two-factor authentication (2FA) is a required security measure when accessing your BMLL account. Enabling 2FA adds security to your account by requiring both your password and access to a security code on your phone to access your account.
We have full-time security staff to help identify and prevent new attack vectors. We always test new features in order to rule out potential attacks, for example by XSS-protecting wikis and ensuring that Pages cannot access cookies. We also maintain relationships with reputable security firms to perform regular penetration tests and ongoing audits of BMLL and its code. These firms include ^Lift Security and NCC Group.
We’re extremely concerned about security and active in maintaining it, but we’re aware that a few companies are not comfortable having a third party generate encryption keys on their behalf. For these companies we offer bring-your-own-key (BYOK) for data storage, enabling each object to be encrypted with its own key, generated by the customer.