At Carousel, we do our absolute best to be good stewards of the data that you entrust to us. To that end, we have implemented technology, policies, and procedures to secure your data.
Infrastructure Security
Basic Network Diagram
URLs, Firewalls, and Ports
TCP Port 443 needs to be open between user workstations and your Cloud URL to access the Carousel user interface over the internet.
WebSockets need to be open between your user workstations and your Cloud URL if your network proxy filters all web requests.
For customers in the US, TCP Port 443 needs to be open between user workstations and https://carousel-cloud-customer-data-us-east-2.s3.amazonaws.com to download assets from the UI.
For customers in Canada, TCP Port 443 needs to be open between user workstations and https://carousel-cloud-customer-data-ca-central-1.s3.amazonaws.com to download assets from the UI.
and
TCP Port 443 needs to be open between your Media players and your Cloud URL.
For customers in the US, TCP Port 443 needs to be open between Media Players and https://carousel-cloud-customer-data-us-east-2.s3.amazonaws.com to download assets from Carousel Cloud.
For customers in Canada, TCP Port 443 needs to be open between Media Players and https://carousel-cloud-customer-data-ca-central-1.s3.amazonaws.com to download assets from Carousel Cloud.
WebSockets* also need to be open between your media players and your Cloud URL if your network proxy filters all web requests.
This allows the players to get on-demand content, alert content, and channel change notifications from the Cloud.
mail.carouselsignage.net is used to invite new users to join your Cloud Account, so be sure to whitelist that as well.
*Media players will still be able to change content/channels without WebSockets, but changes may be delayed up to a few minutes, and the player status will remain orange for connected players.
Data Center
Carousel Cloud is hosted in Amazon Web Services, which is compliant with many security standards including:
SOC 1/ISAE 3402, SOC 2, SOC 3
FISMA, DIACAP, and FedRAMP
PCI DSS Level 1
ISO 9001, ISO 27001, ISO 27017, ISO 27018
For a complete list of data center controls in place by AWS, including Business Continuity & Disaster Recovery, Physical Access Controls, Monitoring and Logging, and more, please visit https://aws.amazon.com/compliance/data-center/controls/
Geographic Regions
Carousel Cloud is hosted within the us-east-2 or ca-central-1 region of Amazon Web Services.
Data Encryption
Data In-Transit
Data in transit is encrypted using HTTPS/SSL and TLS 1.2+ protocols.
Data At Rest
Data at rest is encrypted using an XTS-AES-256 block cipher.
Encryption keys are managed by AWS Key Management Service.
Monitoring
Carousel Cloud uses several services to automatically monitor uptime and site availability. Key employees receive automatic email and SMS notifications in the case of downtime or emergencies.
You can also check for outages and incident status on our Cloud Status Page.
Application Security
Carousel Cloud contains many security features designed to protect access to your data from unauthorized users.
Authentication
Carousel Cloud Authentication
Password requirements and controls
Passwords are never stored in plain text, and are prevented from being added to log files.
Passwords are stored using the following password hashing (key derivation) standard:
PBKDF2 with HMAC-SHA1, 128-bit salt, 256-bit subkey, 1000 iterations.
* (See also: SDL crypto guidelines v5.1, Part III)
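An added example (not Carousel's code) of how a password record with the parameters listed above can be produced and verified using Python's standard library. The `iterations$salt$subkey` record layout and the `needs_rehash` policy check are assumptions for illustration; the page does not describe the storage format.

```python
import base64
import hashlib
import hmac
import os

# Parameters as listed on the page: HMAC-SHA1, 128-bit salt, 256-bit subkey, 1000 iterations.
SALT_BYTES = 16
SUBKEY_BYTES = 32
ITERATIONS = 1000


def derive(password: bytes, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Return the PBKDF2-HMAC-SHA1 subkey (SUBKEY_BYTES long)."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations, dklen=SUBKEY_BYTES)


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Build a record 'iterations$salt$subkey' (assumed layout, base64 fields)."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    subkey = derive(password.encode("utf-8"), salt, iterations)
    fields = (base64.b64encode(f).decode("ascii") for f in (salt, subkey))
    return f"{iterations}$" + "$".join(fields)


def parse_record(record: str):
    """Split a record into (iterations, salt, subkey); ValueError if malformed."""
    parts = record.split("$")
    if len(parts) != 3:
        raise ValueError("malformed record")
    iterations = int(parts[0])
    salt, subkey = (base64.b64decode(p, validate=True) for p in parts[1:])
    if iterations < 1 or len(salt) != SALT_BYTES or len(subkey) != SUBKEY_BYTES:
        raise ValueError("unexpected parameters")
    return iterations, salt, subkey


def verify_password(password: str, record: str) -> bool:
    """Recompute the subkey from the stored salt and compare in constant time."""
    try:
        iterations, salt, subkey = parse_record(record)
    except ValueError:
        return False  # malformed records never authenticate
    candidate = derive(password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, subkey)


def needs_rehash(record: str, min_iterations: int) -> bool:
    """True when the record's iteration count is below the caller's policy minimum."""
    return parse_record(record)[0] < min_iterations
```

Storing the iteration count inside each record is what lets a verifier accept older records while detecting, at the next successful login, which ones should be re-derived with a higher work factor.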
SSO Authentication
Carousel can communicate using SAML (Security Assertion Markup Language) with an external IdP (Identity Provider) as the source of truth for who is allowed access to the Carousel system. Setting up this communication requires the exchange of several security settings between Carousel and the IdP.
Carousel officially supports the following IdPs.
Role Based Access Control
Site Admins have the ability to create custom access rights for users in order to limit access to their relevant areas within Carousel.
Content Approval
Carousel Cloud includes the ability for signage content to require admin approval before it can be published live.
Secure Player Registration
All media players must securely register with Carousel Cloud before displaying signage content. In order to register a player, users must be able to log into Carousel Cloud with the appropriate user rights.
Player registration can also be revoked should it ever be necessary to do so.
Software Engineering Security
Ongoing Dependency Vulnerability Monitoring
We monitor all of our software dependencies closely for security advisories using automated tooling, and we update dependencies promptly when new security releases are issued.
Security-focused Code Review
Every change to the software, big or small, undergoes a critical code review process where engineers review the suggested change for accuracy, reliability, and security impact. A change cannot be merged in unless at least two engineers have approved it.
OWASP Top 10 Training
Our engineering team does regular research and training into the OWASP Top 10 list, and uses this training in both code creation and review.
Input/Output Sanitization
Data entered into a Carousel Cloud input field is checked for relevance and sanitized to prevent any malicious code or script execution.
Multi-Stage Deployments
All changes must be promoted from development, into a staging environment where testing is performed, before being promoted to production systems. All production deployments follow a strict release checklist, are always performed by no fewer than two engineers, and detailed logs are kept.
Production Access
Access to production systems is strictly controlled, and all connections to production systems are logged. Access logs are stored on separate infrastructure using AWS CloudTrail.
Ongoing Penetration Tests
We have partnered with a third-party penetration testing company to perform regular penetration tests of Carousel Cloud.
Organization Security
We require 2FA to be in place on all critical systems.
We have enacted an Asset Management policy which includes requirements around clean desk, screen locking, and device encryption, with enforcement via MDM software like Jamf. Access to our physical office is controlled and monitored using uniquely issued ID cards. 24-hour security patrols are onsite.
Access to production systems is restricted to a limited scope of roles within the company.
All sensitive credentials are stored in encrypted vaults, with limited access.
Onboarding/off-boarding procedures are in place to ensure access to internal systems is granted/revoked appropriately.
All staff are subject to background checks.
Responsible Disclosure
If you have a security vulnerability to report, we ask that you send us a message directly at the following address:
All vulnerability report submissions are read within hours of receipt, and we aim to respond to all submissions within 48 business hours.