
Operational Security of Services

last updated: 07 April 2021

Managing Access

Access management generally requires three capabilities: the ability to identify and authenticate users, the ability to assign users access rights, and the ability to create and enforce access control policies for resources, as discussed below.

Identify and Authenticate Users. All service users are required to have a unique username and password. Passwords are hashed using SHA2-512 with a random salt and are not reversible. Passwords can only be reset, not recovered. Access is limited to a set of whitelisted URLs and domains.
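The salted hashing scheme described above, as an added example (this is not TeamKinetic's code): each record stores the random salt next to the SHA-512 digest, and verification recomputes the digest with the stored salt and compares it in constant time. The record format, the 16-byte salt length and the function names are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example, not the service's own implementation: a salted SHA2-512
# password record. Record layout and salt length are assumptions; only the
# algorithm (SHA-512 over a random salt plus the password) comes from the page.

SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'sha512$<hex salt>$<hex digest>'. A fresh random salt is drawn
    unless one is supplied (supplying one is only useful for tests)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.sha512(salt + password.encode("utf-8")).hexdigest()
    return f"sha512${salt.hex()}${digest}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time,
    so a wrong guess cannot be distinguished by response timing."""
    try:
        algo, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False  # malformed record
    if algo != "sha512":
        return False
    candidate = hashlib.sha512(salt + password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, digest_hex)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong guess", record))                    # False
    # Two users with the same password get different records because of the salt.
    print(hash_password("same") != hash_password("same"))            # True
```

Because a single SHA-512 is cheap to compute, the usual recommendation when a scheme is being chosen is an iterated or memory-hard KDF (PBKDF2, bcrypt, scrypt or Argon2), which makes brute-force attempts against a leaked record far more expensive; the store-the-salt, recompute-and-compare structure shown here is the same in either case.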

Only a single administrative role exists to access backend resources, such as database and web servers. This account is assigned to the current CTO. All other data access by non-administrative service personnel is performed via stored procedures.

Customer interfaces are accessed by six tiers of users:

  • Super Administrators
  • Administrators
  • Trusted Providers
  • Providers
  • Volunteers
  • Public

Super administrators have the ability to create any level of user. Administrators can create new providers and volunteers.

All access levels are controlled by a combination of unique usernames, passwords, and whitelisting of URLs.


Individual developers do not have uncontrolled access to resources.

Protecting Data

All data in transit to management consoles and public-facing interfaces is protected by TLS; certificates are checked and renewed monthly. TLS is enforced for all URLs and the service is not accessible over unencrypted HTTP.

Our Qualys SSL Labs rating for our TLS configuration is A: https://www.ssllabs.com/ssltest/analyze.html?d=demo.teamkinetic.co.uk&latest

All backup data in transit is encrypted using AES 256-bit end-to-end encryption and is transferred in a TLS-encrypted tunnel.

Backup data is held in an encrypted AWS S3 bucket with no public access and only a single administrative account with permissions to access or update data.

Data access is filtered through the data access layer and SQL injection attacks are not possible due to the parameterized nature of all queries. Organisation data is siloed using a combination of URL whitelisting and login credentials. Administrators have full control over what, if any, opportunity data is shared with other organisations.
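To show what "parameterized queries" buys, here is an added example (not the service's data access layer) that runs the same lookup two ways against an in-memory SQLite database with constructed rows: once by pasting the value into the SQL text, once with a bound parameter. The table and column names are assumptions.

```python
import sqlite3

# Added example, not TeamKinetic's code: the same query built by string
# concatenation and with a bound parameter. Table, columns and rows are
# constructed for this demonstration.


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE opportunity (id INTEGER PRIMARY KEY, org TEXT, title TEXT)")
    conn.executemany(
        "INSERT INTO opportunity (org, title) VALUES (?, ?)",
        [("Org A", "Beach clean"), ("Org A", "Food bank"), ("Org B", "Reading club")],
    )
    return conn


def opportunities_concat(conn: sqlite3.Connection, org: str) -> list:
    """Vulnerable form: the value becomes part of the SQL text, so any quote
    character in the input is parsed as SQL rather than treated as data."""
    sql = f"SELECT title FROM opportunity WHERE org = '{org}'"
    return [row[0] for row in conn.execute(sql)]


def opportunities_param(conn: sqlite3.Connection, org: str) -> list:
    """Hardened form: the value is bound as a parameter and can only ever be
    compared as a string, never parsed as part of the statement."""
    sql = "SELECT title FROM opportunity WHERE org = ?"
    return [row[0] for row in conn.execute(sql, (org,))]


if __name__ == "__main__":
    conn = make_db()
    # Both forms agree on ordinary input.
    print(opportunities_concat(conn, "Org A"))
    print(opportunities_param(conn, "Org A"))
    # A perfectly legitimate name with an apostrophe already breaks the concatenated form.
    try:
        opportunities_concat(conn, "O'Brien's Org")
    except sqlite3.OperationalError as exc:
        print("concatenated query failed on an apostrophe:", exc)
    print(opportunities_param(conn, "O'Brien's Org"))  # [] - no such org, no error
    # Input that rewrites the WHERE clause: the concatenated form returns every
    # organisation's rows, the parameterised form matches nothing because no org
    # is literally named that.
    crafted = "x' OR '1'='1"
    print(opportunities_concat(conn, crafted))
    print(opportunities_param(conn, crafted))  # []
```

The parameterised version is the only one that holds the page's "siloed by organisation" promise: whatever the caller passes, the comparison stays a comparison against the `org` column.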

An audit log of destructive commands is maintained for 6 months; it records the command, parameters, execution scope, and executing user.

Audit logs and traffic analysis are routinely checked for suspicious patterns that would indicate a potential data breach.
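The two paragraphs above describe an audit record, a retention period and a routine review for suspicious patterns. The following added example (not the service's own audit subsystem) puts those together: a record with the four fields the policy names, a six-month retention filter, and a simple sliding-window check that flags a burst of destructive commands from a single account. Field names, the burst threshold and every sample entry are constructed; timestamps are naive UTC and six months is approximated as 182 days.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not TeamKinetic's code. Record shape, retention length in days,
# burst threshold and all sample entries are assumptions for this demonstration.

RETENTION = timedelta(days=182)  # "6 months", approximated


def audit_entry(ts: datetime, user: str, command: str, params: dict, scope: str) -> dict:
    """One audit record: what ran, with which parameters, over which scope, by whom."""
    return {"ts": ts.isoformat(), "user": user, "command": command,
            "params": params, "scope": scope}


def prune(entries: list, now: datetime) -> list:
    """Keep only the entries still inside the retention window."""
    cutoff = now - RETENTION
    return [e for e in entries if datetime.fromisoformat(e["ts"]) >= cutoff]


def burst_alerts(entries: list, window: timedelta = timedelta(minutes=10),
                 threshold: int = 5) -> list:
    """Sliding window per user: return (user, count, window_start) the first time
    a user's destructive commands inside `window` reach `threshold`."""
    by_user = defaultdict(list)
    for e in entries:
        by_user[e["user"]].append(datetime.fromisoformat(e["ts"]))
    alerts = []
    for user, times in sorted(by_user.items()):
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((user, end - start + 1, times[start]))
                break  # one alert per user is enough for a review queue
    return alerts


# Constructed sample log: one entry older than the retention window, a few
# routine daily clean-ups, and six deletes in under two minutes by one account.
NOW = datetime(2021, 4, 7, 12, 0, 0)
SAMPLE = [
    audit_entry(datetime(2020, 9, 1, 9, 0), "cto", "DELETE",
                {"table": "session", "older_than_days": 30}, "org=all"),
    audit_entry(datetime(2021, 4, 1, 9, 0), "cto", "DELETE",
                {"table": "session", "older_than_days": 30}, "org=all"),
    audit_entry(datetime(2021, 4, 2, 9, 0), "cto", "DELETE",
                {"table": "session", "older_than_days": 30}, "org=all"),
    audit_entry(datetime(2021, 4, 3, 9, 0), "cto", "DROP",
                {"table": "tmp_import"}, "org=42"),
] + [
    audit_entry(datetime(2021, 4, 7, 11, 50) + timedelta(seconds=20 * i), "svc_ops",
                "DELETE", {"table": "opportunity", "id": 100 + i}, "org=42")
    for i in range(6)
]

if __name__ == "__main__":
    kept = prune(SAMPLE, NOW)
    print(f"{len(SAMPLE)} entries, {len(kept)} inside retention")
    for user, count, started in burst_alerts(kept):
        print(f"ALERT {user}: {count} destructive commands from {started.isoformat()}")
```

The burst check is deliberately simple; the point is that the four fields the policy records are enough to ask "who ran what, where, and how often", which is the question a breach review starts with.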

We will notify customers promptly, and within 24 hours, in the event of an actual or suspected breach involving personal data. We will co-operate fully to investigate such a breach and will report the real or suspected breach in accordance with the Information Commissioner's Office guidelines.

Threat and Vulnerability Management

TeamKinetic Clients

All TeamKinetic managed clients run multiple endpoint protection products. Security updates are downloaded and installed automatically on release.

Malwarebytes endpoint security is installed on each managed device for real-time protection against malware and ransomware, with additional malicious-website protection. It detects and removes malware in real time and also runs a local scan of the device daily.

Server Patching

All hosting servers are automatically patched with security patch releases, including patches for MSSQL, IIS or any critical subsystems.

Microsoft security bulletins are used to ensure that vulnerabilities in operating systems are patched as soon as security patches are made available.

Vulnerability Scanning

Access logs are used to check for potential XSS, injection or other malicious attacks via the application. Any threats that have the potential to succeed are discussed at weekly meetings and an action plan is enacted to mitigate such attacks.

Penetration tests are run at regular intervals during development of new releases. Live releases are penetration tested every month and the results discussed at monthly security meetings. Mitigation action plans are formed and enacted where necessary.

Realtime Protection

Hardware firewalls and traffic analysis are used upstream of the data hosting servers to mitigate the effects of DDoS attacks. A further level of software firewall is used on all servers with a default rule of no access on any port. Ports are then opened individually to enable the minimum services needed to run that server. Open ports are restricted to single IPs or small IP ranges if no public access is required. No open FTP servers are allowed, and SFTP access is granted in a time-limited fashion if required.
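The paragraph above states four rules: default deny, ports opened one at a time, non-public ports restricted to source addresses, and time-limited SFTP. As an added example (not the hosting environment's real firewall configuration), the following models such a ruleset in Python and adds a lint that flags rules which break those statements; a real deployment expresses the same thing in the host firewall's own rule language. Ports, addresses, comments and expiry times are constructed.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Added example, not TeamKinetic's firewall. Rule shape, sample ports, source
# ranges and expiry times are assumptions for this demonstration.

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    port: int
    proto: str              # "tcp" or "udp"
    sources: tuple          # CIDR strings; ("0.0.0.0/0",) means open to the public
    comment: str = ""
    expires: str = ""       # ISO timestamp after which the rule is ignored; "" = permanent


def allowed(rules, port: int, proto: str, src_ip: str, now: Optional[datetime] = None) -> bool:
    """Default deny: traffic passes only if a still-valid rule lists this
    port/proto and a source range that contains the address."""
    ip = ipaddress.ip_address(src_ip)
    now = now or datetime.now()
    for r in rules:
        if r.expires and datetime.fromisoformat(r.expires) <= now:
            continue  # time-limited access has lapsed
        if r.port == port and r.proto == proto:
            if any(ip in ipaddress.ip_network(s) for s in r.sources):
                return True
    return False


def lint(rules, public_ports=(80, 443)) -> list:
    """Policy checks: FTP never; no non-public service open to every source;
    no source range wider than a /24 on a non-public service."""
    findings = []
    for r in rules:
        if r.port == 21:
            findings.append(f"port 21/{r.proto}: FTP must not be exposed ({r.comment})")
        if r.port in public_ports:
            continue
        for s in r.sources:
            net = ipaddress.ip_network(s)
            if net == ANY:
                findings.append(f"port {r.port}/{r.proto}: non-public service open to all sources ({r.comment})")
            elif net.num_addresses > 256:
                findings.append(f"port {r.port}/{r.proto}: source range {s} wider than a /24 ({r.comment})")
    return findings


# Constructed ruleset that follows the policy, and one that breaks it.
RULES = [
    Rule(443, "tcp", ("0.0.0.0/0",), "HTTPS, public"),
    Rule(80, "tcp", ("0.0.0.0/0",), "HTTP, only to redirect to HTTPS"),
    Rule(1433, "tcp", ("10.0.5.0/24",), "MSSQL from the application subnet only"),
    Rule(3389, "tcp", ("203.0.113.10/32",), "RDP from one admin address"),
    Rule(22, "tcp", ("203.0.113.10/32",), "SFTP, time limited", expires="2021-04-08T00:00:00"),
]
BAD_RULES = RULES + [
    Rule(21, "tcp", ("0.0.0.0/0",), "legacy FTP"),
    Rule(22, "tcp", ("0.0.0.0/0",), "SFTP open to everyone, permanently"),
]
T_BEFORE_EXPIRY = datetime(2021, 4, 7, 12, 0)
T_AFTER_EXPIRY = datetime(2021, 4, 9, 12, 0)

if __name__ == "__main__":
    print(allowed(RULES, 443, "tcp", "198.51.100.7", T_BEFORE_EXPIRY))    # True, public
    print(allowed(RULES, 1433, "tcp", "198.51.100.7", T_BEFORE_EXPIRY))   # False, wrong subnet
    print(allowed(RULES, 22, "tcp", "203.0.113.10", T_AFTER_EXPIRY))      # False, SFTP window closed
    print(lint(RULES))      # []
    for f in lint(BAD_RULES):
        print("FINDING:", f)
```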

During Development

We follow the OWASP security by design principles when developing new releases or functionality for our applications and APIs.

https://www.owasp.org/index.php/Security_by_Design_Principles

Data Availability

Summary

  • Database transaction logs taken at 10 minute intervals
  • Complete database backup performed nightly
  • Complete virtual server backup performed nightly
  • All backup data encrypted using an AES 256-bit key
  • Backups transferred off site each day using encrypted TLS transfer
  • Backups stored in private encrypted AWS S3 Glacier storage
  • Backup retention for 30 days
  • In case of failure, minimum data loss of 10 minutes
  • In case of failure, maximum data loss of 24 hours
  • Re-provisioned server available within 48 hours

Data Backup Policy

  1. Data will be protected by regular backups.
  2. All backup data MUST be stored in an encrypted manner, encrypted at rest with the AES-256 symmetric encryption algorithm.
  3. Backup copies must be stored in an environmentally protected and access controlled secure offsite location.
  4. Stored copies must be labelled with a short description that includes the following information: backup date / resource name / type of backup method (Full/Incremental).
  5. Stored copies must be made available upon authorised request.
  6. Requests for stored data must include:
    1. completion of a form that outlines the specifics of the request, including what copy is being requested, where and when the requester would like it delivered and why they are requesting the copy;
    2. acknowledgment that the backup copy will be returned or destroyed promptly upon completion of its use;
    3. submission of a return receipt as evidence that the backup copy has been returned.
  7. A record of the physical and logical movements of all backup copies shall be maintained.
  8. The record of physical and logical movements of backup media shall include:
    1. all identification information relating to the requested copies;
    2. purpose of the request;
    3. the person requesting the copy;
    4. authorization for the request;
    5. where the copy will be held while it is out of storage;
    6. when the copy was released from storage;
    7. when the copy will be returned to storage.
  9. Media in transit and in storage shall be protected from unauthorized access, misuse or corruption, including sufficient protection to avoid any physical damage arising during transit and storage. All personnel responsible for data backup processing shall have:
    1. relevant identification;
    2. relevant authorization.
  10. Where special controls are required, for example to protect sensitive or critical information, the following should be considered:
    1. use of a secured container(s);
    2. hand delivery;
    3. tamper-evident packaging;
    4. in extreme cases, the delivery split and dispatched by separate routes.
  11. All backup media shall be appropriately disposed of.
  12. Prior to retirement and disposal, IT will ensure that:
    1. The media no longer contains active backup images;
    2. The media’s current or former contents cannot be read or recovered by an unauthorized party;
    3. With all backup media, IT will ensure the physical destruction of media prior to disposal.
  13. On a weekly basis, log information generated from each backup job will be reviewed for the following purposes:
    1. To check for and correct errors;
    2. To monitor the duration of the backup job;
    3. To optimize backup performance where possible.
  14. Every quarter the Backup Operators shall report on their ability to recover data (relevant for physical storage media).
  15. The ability to recover data shall be measured by:
    1. ability to retrieve backup media sample (copies);
    2. a backup recovery exercise.
  16. The backup media recovery sample shall include:
    1. visual inspection of backup copies and media boxes to ensure safekeeping and secure transit. Selection should be from various boxes and include daily and weekly backup copies;
    2. general comments relating to backup copy conditions;
    3. random selection of backup copies to measure the integrity of stored media.
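Item 13 of the policy above lists what a weekly review of backup job logs must produce: errors to correct, the duration of each job, and anything that points at a performance problem. As an added example (not TeamKinetic's backup tooling), the following parses constructed log lines and returns exactly those three things, flagging a run that took markedly longer than the job's previous run; the log format, job names, sizes and times are all made up for this example.

```python
import re
from datetime import datetime

# Added example, not the service's real backup logs or review script. The line
# format, the jobs and every timestamp below are constructed.

SAMPLE_LOG = """\
2021-04-05 01:00:02 job=db_full status=started
2021-04-05 01:42:10 job=db_full status=completed bytes=15321000000
2021-04-05 02:00:01 job=vm_full status=started
2021-04-05 04:10:33 job=vm_full status=completed bytes=91000000000
2021-04-06 01:00:03 job=db_full status=started
2021-04-06 01:05:44 job=db_full status=failed error="disk full on target"
2021-04-06 02:00:01 job=vm_full status=started
2021-04-06 05:30:00 job=vm_full status=completed bytes=91500000000
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) job=(\S+) status=(\S+)(?: (.*))?$")
ERROR = re.compile(r'error="([^"]*)"')


def review(log_text: str, slow_factor: float = 1.5) -> dict:
    """Walk the log once. Returns the failed runs, completed-run durations in
    seconds per job, and (job, seconds, previous_seconds) for every run slower
    than slow_factor times that job's previous completed run."""
    started = {}
    report = {"errors": [], "durations": {}, "slow": []}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # unparseable line; a stricter review would count these too
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        job, status, extra = m.group(2), m.group(3), m.group(4) or ""
        if status == "started":
            started[job] = ts
        elif status == "completed" and job in started:
            secs = int((ts - started.pop(job)).total_seconds())
            history = report["durations"].setdefault(job, [])
            if history and secs > slow_factor * history[-1]:
                report["slow"].append((job, secs, history[-1]))
            history.append(secs)
        elif status == "failed":
            started.pop(job, None)
            err = ERROR.search(extra)
            report["errors"].append({"job": job, "when": m.group(1),
                                     "error": err.group(1) if err else extra})
    return report


if __name__ == "__main__":
    rep = review(SAMPLE_LOG)
    for e in rep["errors"]:
        print("ERROR", e["when"], e["job"], e["error"])
    for job, secs in rep["durations"].items():
        print("DURATIONS", job, secs)
    for job, secs, prev in rep["slow"]:
        print("SLOW", job, f"{secs}s this run vs {prev}s last run")
```

A failed nightly database backup matters more than it looks in isolation: with the 10-minute transaction-log cadence stated in the summary above, the full backup is what the log chain is replayed on top of, so the review should treat a failure as something to re-run before the next cycle rather than a statistic.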



© TeamKinetic, 2024. All rights reserved.
