Be confident in your choice
We want you to be confident in your decision to use the Connect platform. So we’ve gathered answers to questions that we'd expect anyone who’s serious about security to ask.
- Impacts of Federated Login on Instrument Connection
- Security overview
- Secure coding & code management
- Network access security
- Data storage & retention security
- Data transmission security
- User authorization & authentication security
- Application layer security
- Privacy & confidentiality
- Download our whitepaper
Impacts of Federated Login on Instrument Connection
Instrument Connect Mobile Application (ICMA) is a mobile application that is available on the iOS and Android platforms. This application is being upgraded for compatibility with users that have a federated identity. This upgrade will be completed in Q1 of 2021. During the interim period, users may encounter one of the following scenarios:
(1) For existing ICMA users that have logged into the application, we do not anticipate an issue as their identity token will remain valid as long as they do not explicitly log out.
(2) For existing ICMA users that have explicitly logged out of the application and attempt to log back in they will be prompted for a username and password. These users will be unable to authenticate as federated users do not maintain a password with Thermo Fisher.
(3) When the federated authentication supported, users may be prompted to re-login in ICMA.
Specific impacted instruments:
- A Link Code will be required for establishing a proper association with Connected Pipettes
- Connected Proflex and SimpiAmp Thermal Cyclers will need to be sure that they are running the latest Proflex firmware (v2.0.0) and Simpliamp firmware (v1.4.0) in order to ensure compatibility with federated users.
- QuantStudio 1 and 5 PCR Systems will not be able to function as connected instruments for federated users until new firmware is released in Q2 of 2021.
- QuantStudio 3D instrument stores the user credentials on the instrument itself, and uses cloud only to upload files. Therefore federated users will need to wait until new firmware is released in Q2 of 2021.
Connect is hosted by an Amazon® Web Services (AWS) data center that has achieved the highest levels of SSAE 16 certification and has published a Service Organization Control 1 (SOC 1®) report.
In April 2010, the American Institute of Certified Public Accountants (AICPA) announced the retirement of SAS 70 to be replaced by SSAE (Statement on Standards for Attestation Engagements) 16.
SAS 70 did not set any standards for data center excellence; it merely verified that the controls and processes set in place by a data center were actually followed. It was also intended to report on the financial controls of an organization. SSAE 16 not only verifies controls and processes, but also requires verification of design and operating effectiveness.
There are two types of SSAE 16 audits:
Type 1: Auditors test the accuracy of the service provider's description and assertion.
Type 2: Auditors test the accuracy of the service provider's description and assertion, as well as the implementation and effectiveness of controls over a specific period of time.
In addition to SSAE 16, a new framework for examining the controls at a service organization has been established by three Service Organization Control (SOC) reports.
Amazon Web Services has achieved SSAE 16 certification and has published a Service Organization Control 1 (SOC 1) report. Although not legally required, we can provide a copy of our audit of the SOC 1 report upon formal request.
Connect is a secured, high-performing computing platform built on an Amazon Web Services (AWS) cloud computing infrastructure. Connect is designed to host data analysis applications (a "software-as-a-service" (SaaS) delivery model). The data analysis software is a three-tier SaaS application (front-end web tier, application tier, and database tier) hosted on an Amazon Elastic Compute Cloud (EC2) instance. Each tier is isolated using Amazon security groups. An Elastic Load Balancer (ELB) instance is used to front-end web/application servers for high availability. The database instances used to support the applications are segregated from the web/application tiers.
Multi-tenancy software is designed to allow multiple users access to the same software simultaneously, in a controlled and segregated manner, such that individual users can access only their own data. User access is controlled through an authentication system.
Currently, we do not offer any applications that are HIPAA compliant.
Secured coding and code management
Yes. We used industry-standard secured coding best practices throughout the development lifecycle. Our code base was rigorously reviewed and tested for security vulnerabilities and also audited by third-party security experts on a recurring basis.
Network access security
No, HTTPS is the only supported protocol to gain access to the Connect platform and data analysis software running on Connect. Traffic is encrypted between the user’s web browser and Connect using AES 256-bit SSL encryption.
No, all connections are initiated by the client.
No, all data transfers are done through HTTPS protocol (443/TCP).
Yes, all of the underlying systems within the Connect platform use a host base intrusion detection system (IDS) to monitor and analyze all traffic to detect possible intrusion. The IDS automatically feeds data into our Security Event & Incident Management (SEIM) system for real-time alerts and notifications.
Yes, the Connect platform is protected by firewalls. Firewalls are deployed between each network segment to isolate and control access between the systems in each tier to prevent potential intruders from directly accessing backend systems.
Yes. The Connect platform is isolated from other AWS users using security features from Amazon hypervisor and firewalls.
Data storage and retention security
Yes. User data is isolated and access is restricted to the data owner. No other users can see the data unless it is shared or the owner collaborates with other users.
Yes. Customer data is isolated and access is restricted to the data owner. No other customers on Connect can see your data unless you share/collaborate your data with that user.
- In transit: Data uploaded from a user’s computer/instrument to Connect is encrypted using HTTPS/SSL with a 2048-bit SSL certificate.
- At rest: Yes. At the data storage layer, our system uses server-side AES 256-bit encryption provided by Amazon Web Services (AWS) to secure all data. The data is more secure than it would be if stored on a typical unencrypted desktop/laptop computer.
256-bit encryption means that there are 2^256 (2 to the 256th power) possible combinations. This means it would take the fastest super computer available today more than 9^50 years to complete the decode process.
No, the system does not support configuring custom encryption keys per customer.
Amazon Web Services (AWS) maintains the encryption keys.
Data Manager (a component within Connect) has a feature to allow customers to delete data as needed.
Users can delete their own data and analysis results through the Connect interface.
Yes, we will destroy all data upon a user’s request.
Data transmission security
All communication and data transmission between the user’s computer and Connect is secured with proven, industry-standard SSL encryption. This security measure at the transit layer is very much the same as that used by online banking institutions; it protects data transmission from being hijacked or sniffed over the wire during transfer. This is much more secure than passing data on USB drives (un-encrypted) and sending data via email.
Yes, collaboration and sharing of data is secure. Only the data owner can initiate sharing. The recipient will then have permission to access the data from his/her browser via secured HTTPS. Data is not transferred to the recipient. By sharing, the recipient will simply have permission to access the data from the data owner's folder. This “shared” access can be revoked by the data owner at any time.
No, Connect and associated analysis software receive data but do not initiate connections to the user's network devices. If needed, users can initiate a download of data and analysis results onto their computer.
User authorization and authentication security
The system uses an internal user authentication system to authenticate and authorize logins.
Yes, passwords are stored and encrypted on our secure systems.
Yes, the system requires and enforces complex passwords.
Each user is assigned a password-protected account. All data uploaded by that user can be viewed only by that user. Each user account is segmented so that no other users have access to the data except when the data is shared. This “shared” access can be revoked by the originator at any time.
Yes, Connect utilizes single sign on (SSO). Customers with existing accounts on ThermoFisher.com can use the same credentials to connect to Connect.
No, at this time we do not support SSO integration with a customer’s authentication platforms.
No, only username/password authentication is supported at this time.
Yes, the system logs all user activities. We currently retain audit logs indefinitely and expect to build APIs to provide users with access to their logs in future releases.
We currently retain audit logs indefinitely and expect to build APIs to provide customer access to their logs.
Application layer security
Connect and the applications running on it are scanned and go through security penetration tests before production releases.
Our security team performs security tests against the OWASP Top 10 Security Threats (see figure below) and ensures that any vulnerabilities are fixed through a combination of code and configuration changes.
Yes, security scanning and penetration test are performed both by an internal security team and also by third-party security assessment experts.
Yes, Thermo Fisher Scientific maintains an incident response plan.
Yes, the system is designed to log access attempts, and logs are imported to InfoSec Event Management system for analysis and notification as a part of the standard operating procedure.
Protection against viruses/malware in a software-as-a-service (SaaS) environment such as Connect is a shared responsibility between the provider and the end user. It is extremely important that Connect users do their part by protecting their computers with an up-to-date anti-virus/anti-malware program.
Thermo Fisher Scientific has deployed all appropriate and current security best practices to ensure that our Connect platform and the software applications running on it are not infected with viruses/malware that would damage the end user’s computer if he or she clicked on links or accessed features or software functionalities. Please refer to other Connect FAQs for details regarding the multi-level security measures that were implemented on the Connect platform. Additionally, the Connect platform does not reference or link to other external or third-party websites, which helps to ensure that we don’t contact or spread malicious software.
No. Connect and software applications running on it are SaaS based, which means there is nothing that needs to be installed on the end user’s computer to run it. Users simply need a web browser and internet connectivity to access and use our platform. Antivirus software (e.g., McAfee® software) that is installed on the end user’s computer will not have any compatibility issues with our platform as long as one of our supported web browser versions is used to access the system.
Privacy and confidentiality