White Paper

Security, Privacy, and Compliance in Windows Azure

Read -more


Safetey and security


For an online appointment system it is of the utmost importance to ensure that the client's data is fully protected. Based on five main criteria we will explain how Reflex Online has ensured that your data and your customer details are safe.



The network makes communication with the web application possible. Improperly configured firewalls, improper or inadequately segmented networks and vulnerable DNS configurations, can lead to a web application that is vulnerable to attacks. All traffic to and from Reflex Online is protected by Transport Layer Security TLS. (See http://en.wikipedia.org/wiki/Transport_Layer_Security). In addition, the data is  physically separated from the application by a firewall with a strict IP address range. This means that it is not possible to update the database directly from the outside without going through the application.



If patches are missing, it may be possible for attackers to exploit vulnerabilities in the operating system to access the web application. The use of unsafe management mechanisms (such as FTP and Telnet) or incorrect configuration of the platform may enable attackers to obtain unauthorized access to a system. Reflex Online has very deliberately chosen to host its applications at Microsoft. The Reflex Online applications run on the Windows Azure platform. This platform is maintained by Microsoft specialists. They ensure all standard software components (such as operating system, web servers and. Net framework) are always up-to-date. The updating services are part of an automated process. Reflex Online builds on these components. VIR 2007 Compliant VIR2007 is a policy document which defines the standards under which the Dutch government wants to work when it comes to information security.The ISO17799 is included within the VIR2007 (compliant with ISO17799, is the basis for the information security of the national government).



Vulnerabilities in web applications often occur at the application level. Well known examples are SQL injection and Cross-Site Scripting (XSS). Vulnerabilities often arise from a lack of security awareness among developers that do not always use secure programming techniques. These developers do not perform the necessary checks on user input and the resulting output. To avoid XSS / SQL injection attacks all values received must be checked and approved before they are processed. Should any the content prove vulnerable, then the processing is stopped and the connection to the remote, possibly malicious, party is terminated.


Identity and access control

Many web applications apply user authentication and authorization mechanisms based on restricting access to parts of the website. A weak authentication mechanism may lead to unauthorized persons gaining access to the web application. This also applies to session management, which is not correctly implemented. Another possible problem is that visitors gainaccess to other clients data by for example modifying a URL. Reflex Online uses the default session management offered by Microsoft. Reflex Online also checks in different layers at different times, if the connected user is allowed access to the information he or she is using.



Without data encryption the data privacy is always at stake with a web application. If data is not encrypted for transmition or storage, there is always a chance that attackers intercept data or extract data directly from databases with SQLinjection attacks. With the encrypted data exchange in the servers of Reflex Online, it is impossible to intercept intermediate data. Only the receiver (the browser) and the sender (server) know how to decrypt the messages.The Windows Azure platform inspects the communication to and from the servers. If something suspicious is detected, a DOS attack for example, it is automatically countered. In addition Reflex Online has various software measures in place to detect and block malicious attacks or attempts at an early stage.