Cybersecurity has become a major concern for businesses, especially those operating in the digital health sector like Akinox.
In addition, protecting information and solutions has become essential with the advancement of information technology and the digitalization of healthcare data. The goal is to ensure patient trust, business sustainability, and user data protection. At Akinox, we have various methods to secure our platforms and solutions. We remain vigilant about the latest trends in cybersecurity, whether it’s through the creation of security positions or obtaining certifications.
Bug Bounty Program of the Government of Québec
Since October 2022, Akinox has been participating in the Québec government’s Bug Bounty Program, which is intended for technology companies seeking to further secure their information systems and strengthen their IT assets. To do so, information security researchers are working to detect potential vulnerabilities in the solutions enrolled in this program by testing them. This initiative has an excellent reputation and a good standing within the technology community, as it allows for significant improvement and strengthening of the IT assets of the Government of Québec, while also rewarding the efforts of the researchers. Two of our solutions were highlighted in this program: the Primary Care Access Point and our Virtual Care Platform (in French only).
Indeed, these two Akinox platforms, developed in collaboration with the Government of Québec and the Ministry of Health and Social Services, have been opened to the hacker community who would like to find security vulnerabilities in them. This program has been very beneficial for Akinox, as all reported issues were addressed and corrected.
“We are continuously working to improve our practices and technological solutions. It is rewarding to interact with our clients and the various cybersecurity agencies of the Québec Government and see that at all levels, security and privacy are a priority.”
Mathy Scott, Head of Information Systems Security at Akinox.
It is essential to participate in the government’s efforts by establishing a security culture with members of the technology community, which helps to secure all platforms and solutions used by the population.
ISO, SOC2, and Cloud Security Alliance Star 2 Certifications
We are constantly performing procedures to obtain various certifications, with the aim of ensuring our compliance with international quality and cybersecurity standards and norms. In addition to our two certifications (ISO9001 and ISO/IEC 27001) obtained last year, we continue to make improvements to our Information Security Management System (ISMS) with our first ISO27001 surveillance audit.
Throughout the year, we enhance our internal audit practice to ensure that our controls are still in place. Furthermore, this allows us to establish a continuous improvement process that will facilitate monitoring and compliance, enabling us to adapt to the new version of the standard released after our initial certification. By basing our controls on internationally recognized standards, we ensure that our practices meet the expectations of our customers and help protect the confidential information contained in our platforms.
Additionally, we are completing our first SOC2 type 2 audit, which is an independent assessment of an organization’s security and compliance controls over a given period of time. The controls established by Akinox, in addition to being based on ISO27001, also meet the Security Trust Service Principle criteria required by the American Institute of Certified Public Accountants (AICPA). Their proper functioning was then observed over a period of three months, from October to December. This additional audit allows Akinox to further demonstrate to its clients the maturity and rigor of the processes put in place.
In addition to maintaining our existing controls, Akinox is also working towards achieving a Cloud Security Alliance Star Level 2 certification this year. This certification complements ISO27001 and SOC2 and includes specific controls that are focused on one of Akinox’s objectives of protecting cloud data and systems. Having already completed a Cloud Security Alliance Star Level 1 self-assessment, Akinox is currently incorporating the necessary changes to its policies, controls, and procedures to address the few gaps found and prepare for the audit.
Partnership With ARMO
In order to secure our processes, Akinox’s experts started using Kubescape, a Kubernetes security tool. Kubernetes is an open source system that automates the deployment, scaling, and management of containerized applications, and has security compliance requirements. Our team then moved seamlessly to the commercial solution ARMO Platform, from the Israeli company ARMO, which develops a tool to help secure software running in Kubernetes, to receive the enterprise-grade benefits.
Thus, a partnership was created between Akinox and ARMO to continue using their tools to further secure our various deployment processes. Alexandre Lussier, DevOps at Akinox, and Mathy Scott, our Head of Information Systems Security, were the main contacts for this partnership and worked hard to strengthen the security of our various software programs.
“Akinox is growing a lot, both in terms of technological scale and different needs. It’s interesting to see their products reacting to these kinds of situations. It’s also beautiful to see Alexandre and Mathy working together to achieve their security goals in a DevSecOps way with our product and Akinox’s platform.”
Oshrat Nir, Head of Product Marketing at ARMO
ARMO Platform (Kubescape) is the Kubernetes security tool installed on all our clusters. It helps us not only to secure our deployment but also to identify vulnerabilities in the systems that include our solutions and platforms. Additionally, Kubescape has several features that allow us to build workflows based on the tool’s recommendations. It also enables us to focus our efforts on what really impacts the security of our environments. Kubescape also offers the possibility to:
- Detect errors or configuration issues that could lead to security problems;
- Analyze dependencies in various applications to find known vulnerabilities that may not have been patched before;
- Provide visibility into user permissions within Kubernetes clusters, which are separate from permissions managed directly in Microsoft Azure.
Another advantage of this tool is its multiple differentiators that reduce false positives, allowing us to better optimize our efforts and time. Kubescape only analyzes images that are used by our platforms, which lets us avoid dealing with recommendations that other tools would have made but whose contextualized residual risk would have been low or non-existent.
This partnership with ARMO also gives us the opportunity to participate in the KubeCon + CloudNativeCon event, which will take place in Chicago in November 2023. This event brings together professionals from the major open source and cloud native communities and provides an important forum for exchanging relevant information, perspectives on Kubernetes, and broader DevOps trends.
Creation of Two Security Positions at Akinox
With the increasing deployment of our platforms, we have created two security positions to benefit from more expertise in order to make our platforms and solutions more secure. Indeed, Akinox has created the positions of Cloud Security Specialist and Application Security Specialist.
The first position aims to respond to the rapid growth of Akinox and our cloud-hosted services, while supporting teams to deliver secure solutions. The Cloud Security Specialist will also perform vulnerability scans of infrastructure and tool configurations and identify possible improvements to monitoring and context-aware alerting solutions at Akinox.
The position of Application Security Specialist, on the other hand, has been created to assist Akinox’s development teams in their processes of designing and architecting secure applications. They will also help triage and prioritize vulnerabilities and regularly perform secure code reviews.
It is essential for Akinox to raise awareness among team members about risk analysis and tools to facilitate daily work. Informing and providing training to our collaborators are essential to make platform security a collective effort involving all our experts, regardless of their field of expertise. After all, together we go further.