Selecting software you can trust is a big task. You’ll need to assess the security, privacy, reliability and compliance of the application. And there are a number of items to consider. While it might seem like a tedious task, it’s also a critical one.
This is a big topic, so we’ll dedicate the last 3 parts of this series to it, giving you a comprehensive overview of what to look for when choosing a grants management system.
In this part, we’ll cover the specific security features to look out for. In Parts 4 and 5, we’ll cover reliability, privacy and compliance.
Security in grants management software
The security features of your chosen software application are core to protecting your data and the data of your applicants. To find these features online, head over to the software vendors’ website and find their security page (it’s usually in the footer). If the following items are not referenced on the website and proof of security is not provided, you may need to contact the software provider directly to get this information.
One of the easiest ways to determine if software is secure is to see if the vendor is ISO/IEC 27001 certified. This has become the de facto standard for software vendors. If they don’t have it, they cannot be relied on to be secure.
Importantly, you must follow due diligence and request copies of any certifications or audits that have been awarded. No vendor is certified unless they can provide the proof.
You can find the certifications and documentation for Good Grants on our security page.
1. Physical security
All SaaS software is physically run “somewhere”—whether that is in the cloud or run from a server at the vendor premises. Check to see how this infrastructure is physically protected and what measures are in place to ensure only authorised access is permitted.
Also check to see how the data in these infrastructures is accessed. FTP is an easy method for accessing servers, but also one of the most vulnerable to unauthorised intrusion, since it sends credentials and file contents unencrypted. Make sure there is a clear indication that FTP access is avoided. Also confirm that only authorised staff of the vendor are allowed access to the application and that proper security protocols are followed when providing access.
In Good Grants:
Our multi-server architecture is secured in a Virtual Private Cloud (VPC). There is no access via FTP. Server access is only possible by authorised staff via SSH key-based authentication through VPN access to our VPC.
Access to our AWS infrastructure is only available to authorised Good Grants staff and is governed by Identity and Access Management (IAM) and multi-factor authentication (MFA).
2. Server security
Next, check how secure their servers are. If you see the application data is stored within AWS (Amazon Web Services) you can generally regard the underlying infrastructure as being very secure. AWS data centres and network architectures are built to comply with stringent global standards such as SOC 1, SOC 2, SOC 3, and Cloud Security Alliance Controls. So, if the data is not stored on AWS data centres, be sure to check whether these are SOC compliant and stand up to the Cloud Security Alliance Controls.
In Good Grants:
All our application stack physical infrastructure and data storage is within Amazon Web Services (AWS) data centres. AWS data centres are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilising video surveillance, intrusion detection systems and other electronic means.
These standards meet the requirements of the most security-sensitive organisations.
3. Role and permission-based access control
Good role and permission-based access controls limit the types of information a user can access, ensuring sensitive information can only be accessed by those with explicit authorisation to do so.
Keep an eye out for good role and permission functionality. SaaS with strong role and permission-based access control is usually far superior, has more utility and offers greater control over how your program might work than one without.
For example, you may need to give your accountants access to your scholarship system for auditing purposes. You would give users with the role “accountant” permission to view funding amounts on a per-applicant basis. Funding may not be something you want assessors to see, so you would hide that detail from users with the role “assessor”.
In Good Grants:
Good Grants has an extensible system for defining user roles and associated system use permissions so that users can only access functionality they are permitted to, whether they be applicants, assessors or grant managers.
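To make the accountant/assessor example above concrete, here is an added illustration of a deny-by-default role and permission model. It is not Good Grants’ code; the role names, permission strings and record fields are constructed for this example.

```python
from __future__ import annotations

# Constructed sample role model (not Good Grants' real configuration).
# A role is a set of permission strings; a user may hold several roles.
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "applicant":     {"application:view_own", "application:edit_own"},
    "assessor":      {"application:view", "score:view", "score:write"},
    "accountant":    {"application:view", "funding:view"},
    "grant_manager": {"application:view", "score:view", "funding:view",
                      "funding:edit", "role:assign"},
}

# Permission needed to read each field of an applicant record. Fields with no
# entry are hidden from everyone: deny by default, never allow by default.
FIELD_PERMISSION: dict[str, str] = {
    "applicant_name": "application:view",
    "summary":        "application:view",
    "score":          "score:view",
    "funding_amount": "funding:view",
}

def has_permission(roles: set[str], permission: str) -> bool:
    """A user with several roles gets the union of their permissions."""
    return any(permission in ROLE_PERMISSIONS.get(r, set()) for r in roles)

def require(roles: set[str], permission: str) -> None:
    """Guard for write actions: raise rather than silently continue."""
    if not has_permission(roles, permission):
        raise PermissionError(f"{sorted(roles)} lacks {permission}")

def visible_fields(record: dict, roles: set[str]) -> dict:
    """Return only the fields the user's roles are allowed to see."""
    return {field: value for field, value in record.items()
            if field in FIELD_PERMISSION
            and has_permission(roles, FIELD_PERMISSION[field])}

def set_funding(record: dict, roles: set[str], amount: int) -> dict:
    """Only roles holding funding:edit may change the funding amount."""
    require(roles, "funding:edit")
    record["funding_amount"] = amount
    return record
```

Note that `internal_note`, or any other field not listed in `FIELD_PERMISSION`, is hidden even from the grant manager; adding a field to a record does not expose it until someone decides who may see it.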
4. Passwords + multi-factor authentication
Encouraging strong passwords is a critical step in preventing unauthorised access to software. But passwords alone are not good enough. Look for multi-factor authentication (MFA) options too. MFA is the use of one or more extra steps to verify a user’s identity. If one factor, such as the password, is compromised, attackers are still unable to gain access without the other factors.
And it is a dire need… According to Verizon’s Data Breach Investigations Report, stolen passwords are still the top tactic used in hacking.
Every person accessing the system, including applicants, should be encouraged to register and set up a username and password, and preferably MFA while they are at it. So be sure to check that the software vendor has both a strong password policy and has either 2FA (2-Factor Authentication) or MFA (Multi-Factor Authentication) available.
In Good Grants:
User account access is password protected. Passwords are stored with one-way bcrypt hashing.
As a result, the original password can never be read, seen or recovered by anyone, even those with direct access to the system database.
Individual users can choose to increase protection of their account against unauthorised access by enabling Multi-Factor Authentication (MFA). MFA can also be required for specific roles with elevated access levels.
The primary authentication method after password is a Time-based One-Time Password (TOTP). Backup recovery methods include recovery codes and SMS.
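An added example of the password-plus-MFA flow described above, written for this article rather than taken from Good Grants. Assumptions: PBKDF2 from the Python standard library stands in for bcrypt (which needs a third-party package); TOTP uses the RFC 6238 defaults; the recovery-code format is constructed.

```python
from __future__ import annotations
import base64, hashlib, hmac, os, struct

# Password storage: salted, one-way, deliberately slow. PBKDF2 (standard
# library) stands in for bcrypt; nothing stored lets anyone recover the password.
def hash_password(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return hmac.compare_digest(candidate, stored)   # constant-time compare

# TOTP (RFC 6238 on top of HOTP, RFC 4226): HMAC-SHA1, 6 digits, 30 s steps.
def totp_code(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"

def verify_totp(secret: bytes, code: str, now: float, last_counter: int = -1,
                step: int = 30, window: int = 1) -> int | None:
    """Accept the code for the current step or +/- `window` steps of clock
    skew. Returns the matched counter (persist it as `last_counter` so the
    same code cannot be replayed) or None on failure."""
    current = int(now // step)
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter > last_counter and hmac.compare_digest(
                totp_code(secret, counter), code):
            return counter
    return None

# Recovery codes: shown to the user once, kept only as hashes, single use.
def new_recovery_codes(n: int = 8) -> tuple[list[str], set[str]]:
    codes = [base64.b32encode(os.urandom(5)).decode().lower() for _ in range(n)]
    return codes, {hashlib.sha256(c.encode()).hexdigest() for c in codes}

def use_recovery_code(stored: set[str], code: str) -> bool:
    digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
    if digest not in stored:
        return False
    stored.discard(digest)        # burn it so it cannot be used twice
    return True

def login(password, salt, stored_hash, secret, code, now, last_counter=-1):
    """The second factor is only checked after the password; both must pass."""
    if not verify_password(password, salt, stored_hash):
        return None
    return verify_totp(secret, code, now, last_counter)
```

The `totp_code` values for the RFC 4226 test secret (`12345678901234567890`, counters 0 and 1) are 755224 and 287082, which is a quick way to check any TOTP implementation against the published vectors.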
5. Data encryption
Data encryption essentially means that if an unauthorised person ever manages to intercept your digital program data, it would be unreadable. Data encryption scrambles data and renders it unreadable to anyone without authorisation to access it.
Data encryption should be applied to both data in storage and data being transmitted. Or in security terms, data “at rest” and data “in motion” (also called “in transit”), respectively. Keep an eye out for these terms.
There are varying standards of encryption available but one of the best is Advanced Encryption Standard (AES)-256.
Sometimes vendors don’t encrypt data “in motion” or your data “at rest”. Some vendors don’t bother with either. This is a significant flaw in their security and the ability to keep your information private. Look for indicators where they specifically say whether both are encrypted and what standard is used to do so.
In Good Grants:
In keeping with best-practice security, all data at rest (in our databases and media stores) is stored encrypted. All data in transit (including login credentials) is protected using TLS 1.2 (https) by default, with AES-256-bit encryption and SHA-256 signed certificates.
6. Real-time bot protection
With bot attacks on the rise around the world it stands to reason that any platform you select to manage your grants or scholarship program should be able to withstand or at least minimise bot attacks. Not only will it ensure unwanted traffic is prevented from impacting your program with a DDoS attack, it’ll also ensure the applications made to your program are made by real people.
In Good Grants:
Good Grants uses sophisticated, real-time bot protection technology to instantly analyse, detect and block unauthorised bot activity. The Good Grants bot protection approach compares every request to your grants or scholarship platform with a massive in-memory pattern database, and uses a combination of AI and machine learning to quickly decide whether access to your pages should be granted or not.