A unique platform
Memority is a single platform with three offerings: My-Identity, My-Access and My-Keys. These three offerings share several services: data backend, cross-functional services, administration portal, functional portal, and so on.
Micro-service and cloud native
Memority has been developed using a microservices approach, so that each function is delivered by a specialized service. This architecture facilitates maintenance, operation, version updates and security.
Multi-tenant at application level
The Memority platform is a multi-tenant architecture. Multi-tenancy is managed at the microservice level, not at the container level: each microservice serves all the client tenants deployed on the platform. Consequently, segregation between tenants is enforced at the application and data backend level.
Blue/green version update
Our development teams work in agile mode and are organized into feature teams. The platform is updated every three weeks. These updates are carried out by redeploying the microservices on a second architecture and switching between the old and new architectures.
The Memority platform is always deployed across a region of one of our Cloud providers, which means that Memority runs on three datacenters, all operating in active mode, to offer maximum availability. As an option, we offer a DRP (Disaster Recovery Plan) to another region of the same Cloud provider.
All Memority components are deployed in the Cloud. We do not deploy any components on our customers’ information systems. We are fully responsible for the availability and operation of the platform, thus avoiding a complicated RACI between supplier and customer.
Performances & SLAs
Thanks to its innovative architecture, Memority has been tested with up to 100 million identities within a single tenant, while continuing to serve other tenants on the same platform. The architecture is highly scalable, thanks to the dynamic addition of microservice instances.
Our customers are able to choose different architecture options:
• choice of Cloud provider: AWS or S3NS, or possibly GCP
• choice of region: Dublin, Paris, or possibly another region
• choice of shared or dedicated platform architecture
• choice of DRP or not
• choice of escalation to customer SOC.
Memority currently proposes two Cloud providers:
• AWS for deployment in the Paris or Dublin regions
• S3NS for the Paris region. S3NS is the JV between Thales and Google. It provides a trusted cloud that will be SecNumCloud certified by 2025.
Dedicated security team
Memority has a dedicated security team made up of a CISO and security experts.
Memority has a dedicated risk analysis for its services. It is updated annually and whenever new technical or functional components are defined (and generally whenever the risk profile requires it).
Security by design
Memority is designed for end-to-end security, in line with DevSecOps best practices. From risk analysis to the implementation of mitigation actions, source code is subject to peer code review as well as automatic static (SAST)
All our servers use disk-level encryption (data encrypted at rest). All data flows, both internal and external, are encrypted (data encrypted in transit).
The Memority architecture is divided into specialized zones based on the principle of defense in depth. All the services required for such an architecture are in place: anti-DDoS system, firewall, web application firewall, etc. All operating systems are hardened according to state-of-the-art practices.
Memority is supervised by the Thales SOC in real time to detect intrusion attempts and counter them if necessary. An automatic vulnerability scan is performed on a daily basis to compare the software versions used with known vulnerability databases.
Based on the vulnerabilities detected and the associated criticality, Memority carries out software updates (patches or version upgrades) within a constrained timeframe, while respecting the service provided to our customers.
Inventory and change management
All our assets are inventoried in our Configuration Management Database (CMDB). Each change is subject to impact measurement, and internal and external communication if necessary. All changes are tracked.
Identity and authorization management
Memority applies the principle of least privilege and the principle of segregation of duties. Account and clearance reviews are carried out quarterly. All access requires MFA authentication.
All Memority secrets linked to the platforms are stored in secure enclaves (HSM) to which access is strictly regulated.
Managing privileged accounts
Privileged accounts are nominative. After MFA authentication, access is via a VPN and through a bastion. The bastion records all administrator actions (both command-line and graphical sessions).
To avoid any risk of downtime, Memority is protected by specific anti-DDoS measures.
Memority has defined a crisis management plan, which covers in particular the specifics of cyber incidents, in order to keep customers and the relevant authorities informed and to implement remediation actions as efficiently as possible.
Two external audits are carried out each year to ensure continuous improvement.
Certifications and qualifications
Memority is in the process of obtaining ISO 27001 / ISO 27701 certification (target date: second half of 2024). At the same time, the Memority security team is discussing with ANSSI the path to SecNumCloud SaaS qualification by 2025.
Our customers are authorized to audit their instances in accordance with Memority audit rules. We discuss with our customers and prospects the security measures in place and the improvements that could be made.
Memority complies with the GDPR (General Data Protection Regulation, RGPD) as a data processor (subcontractor). All processing is carried out by Memority solely at the request of customers.