Notification
Click here to check out our recommendations on Good security practices for your environment on the TOTVS Fluig Platform.
Purpose
This guide aims to describe the security controls available within the TOTVS Fluig Platform and its execution in on-premise or cloud environments.
Encryption
Data traffic | All communication between the TOTVS Fluig platform and customers is made through HTTPS/TLS – the most popular and reliable protocol available on the market. Saiba mais sobre configuração HTTPS The customer must provide a valid certificate to be used by the Fluig server, e.g. fluig.empresa.com.br. If the customer does not have a certificate, we suggest using the following address: 2-month HTTPS certificate It is also recommended to configure a DMZ network for the platform. |
---|---|
Passwords | Sensitive user data are written in a manner so that the original content cannot be discovered. The PBKDF2WithHmacSHA1 algorithm is used for storing user passwords in TOTVS Identity. |
Authentication | The Single Sign On (SSO) process occurs via the SAML Protocol, with a certificate generated internally, with no information being exchanged. |
Availability and Continuity
TOTVS Identity services in the Cloud | Minimum availability of the Identity environment is 99.5% per month on the production environment. All monitoring and notifications about changes to the service status are available at: http://status.fluigidentity.com |
---|---|
Analytics service in the Cloud | Minimum availability of the Fluig Analytics environment is 99.5% per month on the production environment. |
CLOUD service | Availability and continuity policies change according to the business proposal. Our plans start with 97.5% availability per month. Check out the specific use and availability values on our proposal. |
High availability On premises | The on-premises customer is responsible for creating an environment that meets their availability and performance needs. We have recommendations on how a customer should configure their environment to ensure greater availability. Learn more about how to create high availability environments. We offer support packages to help customers better manage their environment. |
Physical Environment
Depending on use and contract, the customer can be allocated in the TOTVS NIMBVS or the Amazon data center. Each has different characteristics.
NIMBVS Environment | Certifications
Location Data centers are located in São Paulo, Brazil |
---|---|
Amazon Environment | The following certifications are included for Fluig Viewer services and for customers allocated on the Amazon cloud:
More details about certifications on the Amazon environment Location Allocated data centers are in the São Paulo Zone, Brazil |
Add-on Services Environment
For the platform operation, based on the fog computing concept, some services run on cloud services. For transparency purposes, here are the services and locations.
Identity Environment (Production) | Location Data centers are located in the São Paulo Zone, Brazil, in the Amazon Web Services (AWS) |
---|---|
Analytics Environment | For more information on the architecture and security for the Analytics Services, see the security guide. Location Data centers allocated in the United States, in the Rackspace services |
Fluig Viewer Environment | Location Data centers are located in the São Paulo Zone, Brazil, in the Amazon Web Services (AWS) |
Integration with External Systems
The platform can be integrated with various systems in different scenarios. For security reasons, we recommend checking all integrations available.
Legacy systems | One of the TOTVS Fluig platform's most used features when creating projects is the integration with systems that the company already has, whether for query or processing purposes. Supported integration types:
Supported REST authentications:
|
---|---|
Development services | The platform provides various services that enable the development of customizations and integrations. Therefore, we recommend reviewing the access security to APIs, datasets, and web services. See the user guide for more information. |
Required components | On-Premise - License Server The License Server must be installed to check the customer’s contract. The server connects to the cloud to check the contract to which the customer has access. Learn more about the license server. On-Premise - Database As per the portability matrix, the platform requires the use of a database. Check the supplier’s documentation for more details on this component’s security features. |
Optional components | Microsoft Active Directory Microsoft Active Directory can be used for user authentication. Both the platform and Identity have connections. In Identity’s case, we have Identity | SmartSync, which is used to make this communication even more secure. SMTP - Sending e-mail We use the SMTP protocol with SSL or TLS to send notification e-mails. Learn more about e-mail settings. PUSH Notifications Both the Google® and Apple® infrastructures are used for notifying mobile application users: small messages with no business-critical data are sent by the technology partner UrbanAirship, centralizing all messages sent to TOTVS Fluig customers. |
Mobile Environment
The platform may be accessed via mobile devices through Fluig Mobile, available for Android and iPhone/iPad.
Data traffic | Communication between Fluig Mobile and the Fluig server occurs via a network connection, with all data traffic being sent via HTTP. For access via cellular data network (3G/4G), Fluig must have its address published on the internet. HTTPS may be enabled to provide for greater security, using valid certifications for mobile devices. If the address is not published on the internet, the mobile device on which Fluig Mobile is installed must be connected to a network that allows access to the Fluig server. E.g., Company’s Wi-Fi, VPN connection, etc. |
---|---|
Authentication | Authentication is provided by oAuth, a secure authorization protocol that does not store the user and password at login, only the authentication key (token). |
Network and application security
Followed recommendation | In most security actions, OWASP recommendations are taken into account. |
---|---|
Vulnerability testing | Third parties perform independent Pentests on a regular basis. Any vulnerability detected is evaluated according to the impact and probability of the failure, and correction tasks are created for the responsible team. To ensure this process, customers are advised to open a ticket reporting the situation mapped in the Pentest, along with the impact. Each ticket opened will be evaluated by the TOTVS security team. If the vulnerability is confirmed, the ticket will enter the standard maintenance process. Each situation should have a separate ticket, and it is advised to avoid creating a ticket that combines multiple situations. It is important that tests be conducted in an environment updated with the latest version of Fluig, available for download on the Customer Portal. |
Security incidents | In the event of an information leak or detected vulnerability, we allocate our technical professionals to remedy the issue. To ensure this process, customers are advised to open a ticket reporting the situation. |