Security is what we do.
Security is in our genes. The DOQEX company was created in 2013 by the merger of two information security organisations. Securability – performed security testing and training, Panoplia – delivered standards compliance consultancy for ISO27k, PCI-DSS, IG and Data Protection.
ISO27001 compliant. The DOQEX company has been ISO27001 compliant since the time the standard incorporated BS7799. Our internal ISMS and security forum are active and continuously review processes for currency and effectiveness.
The threat landscape is never static. The information security landscape is constantly evolving. As more services become IP enabled and new (often old) vulnerabilities emerge, the risks rise at an increasing rate.
Active penetration testers. Although we no longer promote it DOQEX’s penetration testing, social engineering and application testing activities are vital at helping us maintain our knowledge and keep our expertise current. We take on a few challenges each year which we consider to be an enjoyable and vital component for monitoring and protecting DOQEX systems and software.
Active research geeks. At DOQEX we are proud to refer to ourselves as security geeks. Every member of DOQEX is actively involved in security research. Our lab in York sports oscilloscopes, 3D-printers, solder stations and a cornucopia of kit, servos, wires and arduinos. Three software languages and a tolerance for solder-fumes are mandatory!
Secure by design and default
Security is the only default. DOQEX was designed 10 years ago to support our own need to move and collaborate upon highly sensitive penetration testing results. We believe every vendor must rely upon your own products.
Multiple layers of Encryption. Multiple layers of strong encryption are used within DOQEX to protect your data. Meticulous attention is paid to key and storage management. No data is ever written to disk unencrypted; all data and the decryption keys themselves go through multiple encryption processes before they ever reach disk.
Secure development. We pay particular attention to secure development practices. Sanitising user inputs is the foundation stone however we deploy many other techniques including randomised memory locations, timing attack wait state routines and various obfuscation methods we shouldn’t divulge here!
The human factor. When thinking about security, you can’t ignore the weakest element – users! The UI/UX methodology of DOQEX is therefore designed to protect users from common mistakes. Our consultants have over 20 years of professional security testing experience, so we understand the failings of users and the social engineering techniques used against us.
The best control available. If you have just one control available, we believe that should be a comprehensive audit trail. This is why DOQEX logs every action made by users and every process where data is changed. An audit trail is no good hidden away either, which is why every user can view their own audit trail, schedule reports and enable notifications for almost every event.
What encryption standards does DOQEX use? DOQEX encrypts files using AES-256 with a 256-bit key in Galois Counter Mode (GCM). SecureMail email text data and sensitive configuration data is encrypted using XSalsa20 with Poly1305 MAC; the option exists to enable “legacy encryption” which reverts to AES-256 in Cypher Block Chain mode (CBC).
The Initialisation Vectors (IV) for use in all encryption modes are generated using a cryptographically secure random number generator which selects a 256-bit value unique to each file.
A unique key for each file. Each file (or SecureMail) is encrypted using a unique key for that file. These unique keys are themselves encrypted with AES using a master key which is never stored on disk. The individual encrypted file encryption key is stored in plain text along with the file’s individual IV.
All data is in-memory encrypted. All file and SecureMail data is encrypted in-memory on receipt. The encrypted data is stored within the encrypted FileVault, which is a separate volume on the DOQEX Node. The FileVault is encrypted using AES-256 in GCM/CBC mode, and is mounted by an administrator at node boot time. The encryption keys for the FileVault are never stored on disk on the node.
DOQEX Standards Conformity Summary
- DOQEX uses FIPS 140-2 approved encryption algorithms
- DOQEX complies with FIPS 180-4 for the Secure Hash Standard
- DOQEX complies with FIPS 186-4 for the Digital Signature Standard
- DOQEX complies with FIPS 197 for use of the Advanced Encryption Standard
- DOQEX exceeds FIPS 140-2 standards for IV generation
- DOQEX is a PCI-DSSv3 compliant solution component
- DOQEX is compliant with PSN and N3 code of connection requirements
- DOQEX is compliant with NHS IG (v14) controls
- TLSv1.2 with Extended Validation (EV) Security Certificates
- DOQEX hosted services are delivered from TIA-942 Tier 3 data centres.
FIPS 140-2 Test Results
Approved Encryption Algorithm. DOQEX uses the FIPS 140-2 approved encryption algorithm, Advanced Encryption Standard (AES).
CBC mode. AES is implemented in Galois Counter Mode (GCM), which requires the use of an Initialisation Vector (IV) which is generated using a cryptographically secure method (see section 4.7.1 of FIPS 140-2).
FIPS Test Results. A significant sample from DOQEX’s IV generation mechanism is taken. Note: a test generation suite using real data is available as part of the DOQEX tools which are included with every node. Testing prodcues the FIPS-compliant results shown opposite.
Select an image opposite to view the test results.