Your Strategy 365
Security Overview
Table of Contents
1. Overview
2. Authorizing Access
3. Secure Software Design
4. Environmental Controls
5. Network Security
6. Encryption in Transit and at Rest
7. System Monitoring, Logging, and Alerting
8. Backups & Disaster Recovery
9. Incidence Response Plan
10. Threat Assessment
1. Overview
Protecting Customer Data
Our system is a cloud-based solution hosted on Amazon Web Services (AWS) infrastructure and we use AWS tools and services to manage our infrastructure security whenever applicable.
Your Strategy 365’s cloud-based solution is deployed using AWS enabling us to guarantee high security through utilizing a series of high tech, best in the industry solutions that work to ensure the safety of all user data on the AWS network.
AWS has devoted an entire portion of their site to explaining their security measures, which you can find in the following links:
https://aws.amazon.com/compliance
https://aws.amazon.com/security
2. Authorizing Access
We know the data you share in Your Strategy 365 is private and confidential. We have controls over our employees' access to internal data and we are committed to ensuring that your data is never seen by anyone who should not see it.
We use AWS IAM for AWS console access and give specific access to developers for the particular work they are performing as needed. Developer’s permissions are updated and adjusted so when a developer’s job no longer involves infrastructure management, the developer’s console access rights are immediately revoked.
Customer data is stored only in the production environment. Developers only have approval to access user data in order to solve client requests, issues or bugs. All logs of SSH connections to our production environment are saved and archived.
The operation of Your Strategy 365 wouldn't be possible without a few members having access to our databases in order to optimize performance and storage. This team is prohibited from using these permissions to view customer data without explicit, written permission from the user.
3. Secure Software Design
Any new feature or code that will be implemented into our system starts with an analysis of security and privacy risks. All code is saved into a git version control repository and evaluated in a test environment before deploying it into our production environment.
4. Environmental Controls
Our data center resides in Amazon Web Services US-East1 region which is located in Virginia, USA. There are a variety of environmental controls implemented at the data center facilities:
• Servers are locked inside the infrastructure in a designated area.
• The server area is cooled by a separate air conditioning system, which keeps the climate at the desired temperature to prevent service outage.
• The facilities are protected by a fire suppression system, which protects the computing equipment and has built-in fire, water, and smoke detectors.
• The facilities have on-site generators, which serve as an alternative power source.
• There is 24-hour video surveillance of all entrances and exits, lobbies, and ancillary rooms. The videos are recorded and monitored, and retained for later use.
5. Network Security
We segregate our network into Custom VPC using public and private subnets for web application and database. The network is in an isolated zone with the IP restricted.
Firewalls (AWS WAF) are installed to shield the application from attack and prevent the loss of valuable customer data. The firewalls are configured to serve as perimeter firewalls to block ports and protocols.
The application is protected by a dedicated DDoS mitigation service (AWS Shield) to ensure high availability at all times, as well as prevent attacks and malicious activities.
6. Encryption in Transit and at Rest
Your Strategy 365 ensures the security and privacy of user information by encrypting data on all servers at rest and in transit. We're using TLS v1.2 with strong ciphers to protect data in transit, and AES-256 to encrypt data at rest. Log in authorization checked by the default auth operation in Laravel. System encryption managed by AES-256, AES-128 algorithm. We use bcrypt hashing and salt function for all user passwords. Our system uses AWS KMS, AWS Server-Side Encryption (SSE), AWS Secure Sockets Layer (SSL), Client-Side Encryption (CSE), HDFS, and LUKS Encryption. By using these encryption techniques this allows for data to be protected and kept private.
7. System Monitoring, Logging, and Alerting
We use AWS Guard Duty for continuous threat detection, AWS CloudWatch for basic monitoring and for AWS Cloud Trail for logging activity. Logging is in place for all actions that are taken not only by admins but also users. The logs are available to only select members of the organizations so that accountability is in place for all actions taken. All logs are stored in a designated location. When possible certain events such as too many failed login attempts or major changes inside the system trigger alerts.
8. Backups & Disaster Recovery
We consistently backup the data of our customers. We use AWS Lifecycle Manager to schedule back-ups and snapshots for our Elastic Block Storage. Data is backed up every six hours. Backups are encrypted and stored, where they are retained for 28 days.
We use Amazon Lambda to schedule automated Amazon Machine Image backup.
For Disaster Recovery we use Amazon RDS Multi-AZ Deployments.
9. Incidence Management
To handle security incidents effectively, Your Strategy 365 uses monitoring and tracking tools. In the event of an incident the relevant development or infrastructure team member is notified. The team has procedures in place for communicating relevant incidents to any involved party.
10. Threat Assessment
We use Amazon Inspector to perform ongoing, automated security assessments. These assessments help improve the security and compliance of the application, evaluate for vulnerabilities and exposure to unintended network accessibility of our Amazon EC2 instance.