All security-critical functionalities such as authentication, authorization and encryption are implemented on well-established (standard or de facto standard), proven and actively maintained frameworks. MDO provides default configurations for all security-critical functionalities, which can be easily configured and extended to fit the customers’ security policies. This includes the enforcement of secure user passwords, configurable session timeouts (15 minutes) and authentication methods.
Passwords and other sensitive data are always stored in an encrypted database. Passwords are additionally hashed with a one-way algorithm (bcrypt) for an added layer of security. Other fields, as deemed necessary by the customer, can be configured to be encrypted with a bidirectional encryption mechanism. (When enabled, such fields will not be searchable or indexable.) New security configuration options and features such as password history, captcha support for locked users, or more recent encryption and hashing methods are regularly verified, governed and included in the release cycles to meet the requirements of different security policies.