OVERVIEW
Alma is hosted in the cloud by Ex Libris. Alma's data center provider is Equinix, one of the world’s premier hosting companies, at their facility in the Chicago suburbs; all of the servers, switches, storage, etc. are owned and maintained by Ex Libris cloud personnel. As a multi-tenant solution, the infrastructure is shared among multiple customers. The Ex Libris Cloud Data Center uses 1G bandwidth as its backbone and works with multiple ISP vendors at all times.
Ex Libris implements a multi-tiered security audit at several levels: daily security checks and manual code reviews, monthly security architecture reviews, quarterly static application security vulnerability assessment scans, quarterly third-party patching, and an annual scan of network vulnerabilities. The ISO 27001 certification that Ex Libris passed successfully includes annual external audits to validate that all security measures and mitigations are in place.
Ex Libris also conducts an annual security penetration test with an external security company. The test covers at least the OWASP Top 10 and SANS Top 25 security vulnerabilities and validates that all security measures are in place.
About once per year, the Ex Libris data centers and applications undergo an audit. For example, the Ex Libris data facilities recently went through an in-depth audit of their control objectives and control activities, and an SSAE16 SOC1 audit report was issued. The company’s ISO 27001 audit covered cloud services, development, QA, support and professional services processes, including the internal risk assessment process required by ISO certification.
API Keys
Alma has an extensive API that you can utilize to create external applications that extend Alma's functionality. In order to do this, you will need to request an API key from GIL support. It is very important to keep these keys private to avoid possible unauthorized access to Alma. It is also very important to perform thorough testing of your application in the Alma sandbox prior to deployment on production Alma. Once you have been issued an API key, you are responsible for its proper usage.
RESOURCES
This page is an extremely detailed document outlining Ex Libris' security and privacy practices.