FAQ

2021-03-23T07:45:18+00:00

What is the type of service you are providing? (Ex: SaaS, IaaS, PaaS)

PaaS in case of a cloud.
On-premise in case of a private installation.

Do all users have a unique ID for all your systems and applications?

Users are identified by their unique email address.

Do you have password complexity control?

Yes – minimum 8 characters, which must contain a mixture of uppercase letters, lowercase letters, and numbers.

This can be also configured system-wide.

Are accounts disabled after 3 or fewer consecutive failed logons?

By default we lock out users for 10 minutes after 10 failed attempts. This can be configured on an on-premise server.

Do you enforce inactivity timeouts to lock applications/access after a set period of time?

Tokens are invalidated after 30 minutes of inactivity; after that, the user must log in again. We don’t delete the user.
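The three controls above (password complexity, the 10-attempts/10-minute lockout, and the 30-minute idle token timeout) as a small reference model. This is added example code, not Wallboard's implementation; the class and method names are assumptions, and time is injected so the rules can be checked without waiting.

```python
# Policy values as stated in the FAQ; class, method and variable names are my own.
MIN_LENGTH = 8
LOCKOUT_THRESHOLD = 10          # failed attempts before a lockout
LOCKOUT_SECONDS = 10 * 60       # lockout duration
IDLE_TIMEOUT_SECONDS = 30 * 60  # token invalidated after this much inactivity


def password_meets_policy(pw: str) -> bool:
    """Minimum 8 characters with at least one uppercase, one lowercase and one digit."""
    return (len(pw) >= MIN_LENGTH and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw) and any(c.isdigit() for c in pw))


class LoginGuard:
    """Per-user failed-logon counter with temporary lockout, plus idle-token expiry.
    Time is passed in explicitly (epoch seconds) so behaviour can be checked without waiting."""

    def __init__(self) -> None:
        self._failures: dict[str, int] = {}        # user -> consecutive failed logons
        self._locked_until: dict[str, float] = {}  # user -> lockout expiry
        self._tokens: dict[str, float] = {}        # token -> last activity

    def is_locked(self, user: str, now: float) -> bool:
        return self._locked_until.get(user, 0.0) > now

    def record_failure(self, user: str, now: float) -> bool:
        """Count a failed logon; returns True while the account is (or becomes) locked."""
        if self.is_locked(user, now):
            return True
        self._failures[user] = self._failures.get(user, 0) + 1
        if self._failures[user] >= LOCKOUT_THRESHOLD:
            self._locked_until[user] = now + LOCKOUT_SECONDS
            self._failures[user] = 0   # counter starts fresh once the lockout expires
            return True
        return False

    def record_success(self, user: str, token: str, now: float) -> None:
        """A successful logon resets the counter and issues a session token."""
        self._failures[user] = 0
        self._tokens[token] = now

    def touch(self, token: str, now: float) -> bool:
        """Validate a token on each request: idle tokens are dropped, the user account is kept."""
        last = self._tokens.get(token)
        if last is None or now - last > IDLE_TIMEOUT_SECONDS:
            self._tokens.pop(token, None)
            return False
        self._tokens[token] = now
        return True
```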

Are users required to change passwords at first use if originally assigned by a 3rd party?

If the user is coming from SSO, it won’t have a password.
If the user is created in Wallboard with an “empty” password, then the user must set its password via the reset password form (details are sent by email).

Do you delete, disable or modify default accounts and/or passwords when commissioning a new application/system?

When installing a new system, the default admin must change its password on the first login.

Do you operate on a “least access” basis, whereby access to any system has to be explicitly granted?

Yes.

Is there a bypass to SSO?

We can force users to use SSO only.

Is any data stored in the cloud? If so, how do you ensure it is protected?

On-premise installation – we don’t have to store anything in the cloud.
Cloud installation – everything is stored in the cloud and the server is protected with best security practices.

Do you have MFA capability for the end-user during authentication?

Yes, with SSO.

Are privileged admin accounts separate from user accounts?

We store admin and regular accounts in the same database table.

Are vendor/contractor accounts deleted/disabled after use?

We don’t have guest accounts.

Do you keep detailed audit logs on the portal?

Yes, in system logs.

Docker container logs have a maximum file size (300 MB); once it is reached, the file is compressed and rotated. A maximum of 5 files is kept, with the oldest overwritten. Depending on server usage, logs are generally kept for one month. The file size and count can be increased but are not user-configurable, so Wallboard needs to make the required changes. These logs can also be shipped to an ELK stack, which allows a longer retention period depending on the available storage space. We usually recommend 3 months.

What is your application structure?

The Wallboard application is designed as a 3-Tier Application.

We have these layers:

  • Backend: a server-side application that provides an API
  • Frontend UI: a web application that communicates with the server using that API
  • Client applications: running on the player, communicating with the server over an API
  • Displayer web application: the presentation layer running inside the client applications; it also communicates over an API with the client and server layers
Is the database available directly from the internet?

The database is not available directly from the internet: its port is not exposed, and it is only reachable on the server’s localhost. Connecting from outside requires an SSH connection with private key authentication.

We can customize this on an on-premise or dedicated cloud server installation.

How does communication work between the components?

All traffic is encrypted between the application server and all of the connectors/endpoints.

All traffic goes over HTTPS; the certificate is issued by Comodo or Let’s Encrypt.

We can customize this on an on-premise or dedicated cloud server installation.

By default, we have enabled TLSv1.0 as well, to support IE 8-10.

SSLv2/SSLv3 are disabled and TLS is enabled up to v1.3. Client applications use the most secure version that is applicable on the client platform.

Enabled protocols can be customized on an on-premise or dedicated cloud server installation.
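A check for the protocol setting described above. The nginx fragments below are constructed for this example (they are not Wallboard's configuration): the first mirrors the stated default that keeps TLSv1.0 for IE 8-10, the second is the hardened variant an on-premise or dedicated installation could choose. The audit function reports SSLv2/SSLv3 as forbidden and TLSv1.0/1.1 as legacy; the function names are my own.

```python
import re

# Constructed nginx fragments, not the vendor's configuration. The first mirrors
# the FAQ's default, which keeps TLSv1.0 for IE 8-10; the second is the hardened
# variant an on-premise or dedicated installation could choose instead.
DEFAULT_CONF = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
}
"""
HARDENED_CONF = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""

FORBIDDEN = {"SSLv2", "SSLv3"}   # must never appear
LEGACY = {"TLSv1", "TLSv1.1"}    # deprecated by RFC 8996; only for old clients
_DIRECTIVE = re.compile(r"^([ \t]*)ssl_protocols[ \t]+([^;]+);", re.MULTILINE)


def audit_ssl_protocols(conf: str) -> dict:
    """Collect every ssl_protocols directive in the fragment and classify what it enables."""
    enabled: set[str] = set()
    found = False
    for m in _DIRECTIVE.finditer(conf):
        found = True
        enabled.update(m.group(2).split())
    return {
        "found": found,   # no directive -> nginx's compiled-in default applies, so not "ok"
        "enabled": sorted(enabled),
        "forbidden": sorted(enabled & FORBIDDEN),
        "legacy": sorted(enabled & LEGACY),
        "ok": found and not (enabled & (FORBIDDEN | LEGACY)),
    }


def harden_ssl_protocols(conf: str) -> str:
    """Rewrite each directive so only TLSv1.2 and TLSv1.3 remain, keeping indentation."""
    return _DIRECTIVE.sub(r"\1ssl_protocols TLSv1.2 TLSv1.3;", conf)
```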

How do you store the data?

Sensitive data, such as user details and device information, is stored in a database that is not exposed to the internet.

  • By default, we don’t have data-at-rest encryption on the database.
  • The database can be customized, or can be provided by the customer, on an on-premise or dedicated cloud server installation.

Uploaded files are stored outside of the database and are only available through a web-based API.

Is PII (Personally Identifiable Information) storage compliant with GDPR?

Open registration is not enabled; it is a private service. We only store the user’s email address, and optionally a name and phone number. Users can delete themselves.

What is your retention policy?

The retention policy cannot be configured; unused files and content have to be deleted manually. Statistics, metrics, and logs are deleted regularly.

What data are synced with the player applications?

Only the required content files are synced to the player application. 

What is your policy in case of a contract termination?

When a customer is deleted, we delete all of the customer’s data and user information immediately, except logs.

What controls are in place to detect and prevent unauthorized access and data leakage?

Traffic is logged in the Nginx application access log. User logins, failed attempts, and actions are also logged within Wallboard.
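Detection logic over the access log mentioned above, as an added example (not Wallboard's code): it parses nginx "combined" format lines and flags any source that reaches the FAQ's lockout figure of 10 failed logons within 10 minutes. The sample lines are constructed, and the /api/login path is an assumption rather than a documented endpoint.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in nginx "combined" format; not real Wallboard traffic.
# The /api/login path is an assumption for illustration, not a documented endpoint.
SAMPLE_LOG = "\n".join(
    ['203.0.113.7 - - [22/Feb/2021:14:30:%02d +0000] "POST /api/login HTTP/1.1" 401 43 "-" "curl/7.68.0"' % s
     for s in range(0, 60, 5)]            # 12 failures inside one minute from one source
    + ['198.51.100.9 - - [22/Feb/2021:14:30:10 +0000] "POST /api/login HTTP/1.1" 401 43 "-" "Mozilla/5.0"',
       '198.51.100.9 - - [22/Feb/2021:14:30:40 +0000] "POST /api/login HTTP/1.1" 200 512 "-" "Mozilla/5.0"']
)

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
THRESHOLD = 10                  # mirrors the FAQ's lockout figure
WINDOW = timedelta(minutes=10)  # and its lockout duration


def parse_line(line: str):
    """Return (ip, timestamp, method, path, status), or None for lines that don't parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def find_bruteforce_sources(log_text: str, login_path: str = "/api/login") -> dict:
    """Map each source IP that reached THRESHOLD failed logons within WINDOW to the
    timestamp at which it crossed the line. Log lines are assumed to be in time order."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent failed logons
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if not (method == "POST" and path == login_path and status == 401):
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > WINDOW:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= THRESHOLD and ip not in flagged:
            flagged[ip] = ts
    return flagged
```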

Is a technology asset inventory maintained, documenting all systems that comprise or connect to the technology?

Asset inventories are created project-by-project and updated whenever technology changes are made.

How are system patches and security updates deployed?

Client-Side Application

  • Wallboard tests and releases builds on internal servers first; they are usually deployed onto production servers within weeks.

Server-Side Application

  • Wallboard is continually monitoring, testing, and updating the software depending on specific vulnerability notifications of the technology used.

As soon as we become aware of a new vulnerability, we fix it and deploy a server update as soon as possible.

Regular host machine updates can be part of the contract.

How are vulnerabilities detected, managed, and mitigated?

Vulnerability scanning tools are currently run manually on a scheduled basis. Wallboard are looking to automate this process.

Can access be controlled by SSO for end-user authentication?

Supported protocols: SAML 2.0, OpenID Connect, LDAP.

Supported platforms (examples): Okta, Keycloak, Microsoft Cloud (with your own Microsoft account), AD, ADFS, Google.

Does the application have a Test instance?

The application has a Test instance (the beta server); access to it has to be requested.

Does the application support SLO (Single Log Out)?

Yes, with SAML 2.0, if the IdP supports it.

Can the log out link in the application be configured?

The application vendor (Wallboard) has to configure it.
