Data security encompasses the entirety of information security. This includes physical security of hardware and storage devices, as well as administrative and access controls. It also covers the logical security of software applications and organizational policies and procedures. Data security is a foundational element of the Beacon system design and implementation
​

Beacon leverages Microsoft Azure as its cloud service provider (CSP). This supports the use of best-in-class data storage solutions (e.g., Azure Storage, Azure Cosmos DB) to provide highly available, highly secure data storage to support Beacon processing.

Beacon solutions are designed to implement secure transit and storage of all data during all stages of the data’s lifecycle. The below outlines key technologies used to execute this security posture:
​

Beacon implements storage encryption via whole disk encryption leveraging AES-256 or greater encryption at rest. AES-256 encryption is considered the industry standard for encryption and provides strong protection for all data at rest.
​

Beacon utilizes TLS 1.2 or greater encryption for all transmission of data within the solution. This implements the TLS Perfect Forward Secrecy (PFS) specification against modification or inappropriate disclosure of information. Cryptographic algorithms are monitored and managed carefully to ensure deprecated algorithms are removed once deemed insecure.
​

All Beacon security keys are managed within the Azure Key Vault solution. This supports encrypted storage and management of the keys, as well as supporting automatic key rotation when keys need to be retired or expired.
​

All Beacon system data is secured upon receipt. Beacon brings the data into the system and stores it in the inner most security zone for maximum protection. All data is encrypted throughout its lifecycle to ensure data integrity and confidentiality.
​

The Beacon program leverages a least-privilege security model focused on scoping system access to the minimum set of resources necessary to support system operations. This incorporates controlled assignment of access based on a comprehensive role-based access control (RBAC) model that defines each role and the necessary capabilities for that role. This model includes regular monitoring and review requirements that include quarterly review and continued assessment of all role access and assignments within the solution. In support of data security, access to Customer Data is limited to only those with an operational need to access.
​

All user access and role assignment are managed through an established User Access Management program. This program provides a structured access request and approval process that ensures privilege assignment and escalation is tracked, monitored, and limited based on assigned user role. All role assignments and access requests are subject to the established monitoring and review process. This is also applicable to data access. Access to backend data sources is highly restricted to those supporting in an administrative role. All other staff are prohibited (by policy and access control) from accessing this data directly.
​

Because submission data is sensitive and may need to be audited in the future, all data associated with Beacon will be retained indefinitely. Any data purge or deletion requests from clients or CEs will be discussed and only approved after written authorization from all impacted parties.