Security is always important when dealing with sensitive and critical information, such as much of the information court reporting and other legal support businesses handle, so RB9 follows general security rules for business applications. Because RB9 and RB Lite are cloud-based, we choose Microsoft Azure Cloud Services, and OMTI has been audited and recognized as SOC 2 compliant.
A few important RB security points to know:
- You can turn on two-factor authentication (2FA) for users logging in to RB9, RB Lite, and RB Connect. 2FA is a more secure way to confirm a user’s identity by adding a second factor to signing in with a user name and password, such as a code sent to their cell phone that they must enter into the log-in page.
- You can also require that users have complex passwords and that they periodically update their password. You determine the length of time before they must update their password and whether they can keep using the same password.
- To be compliant with general security rules for business applications, automatic log-off is enforced in RB9, RB Lite, and RB Connect. By default, you are automatically logged out after 20 minutes of inactivity, but you can change that to up to an hour in System Preferences.
  - You receive alerts at the end of periods of inactivity to extend your time before being automatically logged off, just like on banking sites.
  - You must save your work before logging off. RB9 and RB Lite do not save your work for you before they log you off.
- RB9, RB Lite, and RB Connect are housed in the cloud on Microsoft Azure Cloud Services and, in addition to a guaranteed 99.9% uptime, benefit from Microsoft’s dedicated resources and processes that guarantee the security and privacy of data on Azure, including various security certifications and adherence to international standards for privacy controls in the cloud. These safeguards are beyond what a single court reporting agency could provide.
- RB9 and RB Lite are more secure than an in-house system in other ways, such as open port security: If you’re trying to log in to RB9 or RB Lite remotely without a secure connection, you do not need to keep the well-known default SQL port open; nor do you need to keep any custom ports open for RB Repository downloads. (And that’s one less thing you need IT to do.)
Your info remains confidential
You maintain control of your files. We do not host files on our own servers; your files reside on Microsoft Azure Cloud Services. Your client/case/job information remains confidential.
Better than backup
With your RB data and repository files on Microsoft Azure Cloud Services, you no longer need a backup system. Data is mirrored between servers in different locations, so even if one server were to go down, another server would be accessed immediately with no interruption in service and no lost data. Repository files are protected similarly, with duplicates stored in several locations.
- RB9 and RB Lite store the password using the secure hash algorithm SHA-512, so no one can decrypt the password.
- RB9 and RB Lite only allow access via TLS 1.2. Other security protocols, such as SSL and TLS 1.1/1.0, which are outdated and vulnerable, cannot access RB9 or RB Lite.
- RB9 and RB Lite store sensitive data, such as birthdays, SSN, and Tax ID, using the AES 256-bit algorithm. The symmetric key is stored in SQL Server, and its password is managed by OMTI. This means if someone steals the data, they cannot decrypt the data even if they know the password.
- The SQL Server cannot be accessed from other locations. Only our web server can access it.
- RB Connect uses SSL with 2048-bit signatures and 256-bit encryption.
- RB Connect only allows access via TLS 1.2. Other security protocols, such as SSL and TLS 1.1/1.0, which are outdated and vulnerable, cannot access RB Connect.
- Like RB9 and RB Lite, RB Connect uses the Microsoft Azure platform. Azure is HIPAA, TRUSTe, PCI DSS, and NERC CIP compliant. (Additional Azure security info)
- In RB9, RB Lite, and RB Connect, optional two-factor authentication (2FA) sign-in sends a code to the user’s cell phone or email address for an extra layer of security when logging in.