Due to the nature of the assets DF Studio stores and the workflows it enables, security has always been a fundamental concern for DF Studio and is considered and reviewed throughout the development process. The following overview explains some of the many ways that the DF Studio software, infrastructure, and team work to ensure the security of the files and information stored and transmitted through DF Studio.
Since 2012, DF Studio has been hosted entirely by Amazon Web Services (AWS) and makes extensive use of its service offerings. AWS processes provide for regular updates and patches to database servers and operating system software, with firewalls and monitoring services to prevent unauthorized access or DDoS attacks. Physical security is managed entirely by AWS, and DF Studio is configured to increase availability and fault tolerance by maintaining application servers, databases, and file storage in at least two separate physical locations at all times. Load balancers respond automatically to traffic requirements, and in the case of an interruption in service, failover to another application server or database is automatic.
Software developers at DF Studio are familiar with OWASP Top 10 principles, which are considered during development, and integrated into the process of developing and deploying code, with automated monitoring for known vulnerabilities in the processes and third-party libraries in use.
All application traffic is encrypted over SSL (TLS 1.2) between the user’s web browser and the server. DF Studio’s certificate uses a 2,048 bit key and is managed and renewed regularly by AWS Certificate Manager.
Database servers and servers performing background operations on DF Studio assets reside in private subnets, inaccessible from the internet. Public-facing servers delivering the DF Studio interface to web browsers are hosted in public subnets with firewall protection, accessible only through load balancers.
Data enters DF Studio in a number of ways. Digital Assets enter DF Studio through an upload API (via encrypted HTTPS transfer). There is a browser-based upload client built into the web application and a number of desktop applications and plug-ins that may be used to engage with the upload API. Asset metadata may be added through the web application via direct input or CSV import, by Messenger recipients using the Metadata Messenger interface, or by using the Enterprise Asset API. All data is encrypted in transit. It is not currently encrypted at rest.
DF Studio files and their metadata may be downloaded through the web UI or using the Enterprise Asset API.
A robust node-based permission system may be used to grant users access to information and functionality within the DF Studio account at levels ranging from Admin to View-Only (or No Access).
An optional watermarking feature is available, which generates custom watermarked images for sharing outside of the DF Studio account.
DF Studio offers a variety of authentication methods. For DF Studio account users, DF Studio uses either a local username/password combination or SSO using a secure SAML configuration which supports the transmission of encrypted payloads. For local accounts, password hashes are stored using password-specific hashing functions. When using local account authentication, DF Studio offers a two factor Browser Verification feature that must be verified using a token sent by email or SMS.
Messenger recipients authenticate using a URL containing a unique key that has been emailed to them. No assets are ever sent or exposed via email.
Users attempting to login with too many different passwords are automatically blocked, requiring assistance from customer support or a password reset using a link delivered via email.
Third Party Verification
DF Studio undergoes annual penetration testing by an outside security firm specializing in threat assessment. DF Studio maintains a “low risk” security rating, which has been supported by additional penetration tests undertaken by some DF Studio customers.