Data protection

Secure IT-architecture

Ledidi is humbly aware of the sensitive nature of the data we process on behalf of our customers, and security and privacy are by far the most important factors in everything we do. Ledidi’s native cloud solution is built ground-up using the most secure global cloud infrastructure (Amazon Web Services) and uses industry standards for e.g. encryption, multi factor authentication, logging, network configuration, backup, data restoration and prevention of attacks.

Development - OWASP SAMM and AWS well-architected solution

Development - OWASP SAMM and AWS well-architected solution

It’s important for Ledidi that we take advantage of all the knowledge built into international standards and guidelines:

Ledidi follows AWS' guidelines for Well Architected solutions. These guidelines are to a high degree focused on security, and are based on AWS' compliance with international standards.


OWASP SAMM (The Open Web Application Security Project) is the basis for the security aspects of Ledidi's development processes and procedures.

Ledidi’s solution is mapped against health care guidelines, such as the Norwegian Normen and the HHS HIPAA.

Encryption

Encryption

All data is encrypted in transit and at rest and Ledidi has complete control over the physical location of all data storage. Secure communication to and from the solution is ensured through the use of TLS 1.2, while data at rest and internal communication are encrypted using AES-256. Certificates are managed using AWS Certificate Manager.

Confidential computing

Confidential computing

Ledidi is in the process of implementing confidential computing. When in place, data will also be protected during processing in AWS Nitro Enclaves.

Access management

Access management

A centralized authentication solution (AWS Cognito and AWS Cognito Userpool), in combination with our own product-specific authorization libraries, is used to prevent unauthorized access to the system. Each component of the solution is by default integrated with AWS IAM, which we use to restrict inter-component communication to only what we need.


Ledidi supports standards like OpenID connect and SAML for integration with other identity providers.


At the customer project level, the project administrator can control access in a fine-granular manner, for different types and levels of data access and functional access. Access can even be controlled based on data entry statuses, and can be limited to just a set of variables / fields within the dataset. A more detailed example of the latter is to mark variables as restricted, and then define who should have access to restricted variables.

Multi-factor authentication

Multi-factor authentication

To activate a user account the user must enter a strong password and activate a 2FA-tool, such as Google Authenticator.

Data centers

Data centers

The solution is run on AWS data centers located within EEA, utilizing AWSs expertise and industry leading approaches to datacenter security.

Network Configuration

Network Configuration

The components of the solution are established and run on a separate logical network in AWS, i.e. a Virtual Private Cloud (VPC), and all components are protected by configuration of AWS security groups, which constitute virtual firewalls. These are used on many levels, and Ledidi only keeps components that actually need to be in the same network zones in the same zones. Ledidi also takes advantage of AWS WAF, which provides extra protection towards web-attacks for those resources that have to be exposed on public networks, like the APIs.

API gateway

API gateway

Traffic is routed through AWS Route 53 and AWS CloudFront, which handles content delivery and load-balancing, and the AWS API gateway which authorizes API calls using Cognito.


There are several measures in place to prevent and protect against attacks. Firstly, the solution is designed and developed according to the principles of data protection by design and default, being a cloud native solution developed in the GDPR era. Second, numerous AWS services are being used to help secure the solution; e.g. AWS WAF against web-attacks, AWS Shield against DoS and DDoS, and AWS GuardDuty for alarms and notifications about threats/events.


The solution is regularly penetration tested by an external party.

Monitoring and logging

Monitoring and logging

In addition to AWS GuardDuty, AWS CloudWatch is being used to monitor the solution and alert Ledidi administrators about events that might have a security relevance.


AWS CloudTrail is used for complete audit logging, and review of audit logs is part of the 2nd line monitoring and support responsibility.


All actions in the solution are logged for future audit (including administrative actions), and all data entries have full version history.


Access to all servers is protected through public-key cryptography, with 2048-bit SSH-2 RSA keys, to encrypt and decrypt login information

Backup and restore

Backup and restore

Data is backed up at regular intervals and the solution has built-in restore capabilities, including the possibility to rebuild in a separate cloud environment.

Need to look at Ledidi's Security Overview?

Please send us your contact information and you will hear from us shortly!

Message sent!

Your message has not been delivered. Try again.