OctopusBI

Octopus Insights Security Overview

Introduction

OctopusBI transforms organizations into insight-driven institutions by leveraging the infinite power and potential of education analytics. OctopusBI, a Business Intelligence platform and master connector, solves data problems for a comprehensive view of student, classroom, and business operations.

Our organization is driven by a single goal: to provide businesses with invaluable data insights to transform future outcomes. We envision a new era of global education, powered by intelligent learning institutions that improve students' academic and personal success.

We are a diverse team with a never-say-die attitude, committed to being true partners in the success of our clients. We are a group of education professionals, business analysts, and software engineers who all believe in using business intelligence and innovation to effect positive, meaningful change in the global education sector.

Physical Security

  • The Tentacle product is hosted on the AWS platform which is a highly stable infrastructure and it’s the world’s most comprehensive and broadly adopted cloud platform. These data centers are designed with environmental safeguards to protect AWS data centers around the world.

  • The services we deployed with ECS/Fargate were configured to run all 3 zones (ap-southeast-2a,ap-southeast-2b and ap-southeast-2c) in the Asia pacific (Sydney) region and the RDS is configured with multi AZ. These zones provide resilience in the face of most failure modes including natural disasters or system failures.

  • AWS data centers are staffed 24x7 by professional security guards and access to the premises is strictly prohibited.

  • Development, Staging, Pre-Production and Production environments are completely isolated from a VPC level (Virtual private cloud) and AWS account level.

  • AWS Compliance empowers customers to understand the robust controls in place at AWS to maintain security and data protection in the AWS Cloud. When systems are built in the AWS Cloud, AWS and customers share compliance responsibilities. AWS computing environments are continuously audited, with certifications from accreditation bodies across geographies and verticals, including SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70), SOC 2, SOC 3, ISO 9001 / ISO 27001, FedRAMP, DoD SRG, and PCI DSS Level 1. i. Additionally, AWS also has assurance programs that provide templates and control mappings to help customers establish the compliance of their environments running on AWS.

  • Customers reduce the scope and cost of audits required by operating in an accredited environment. AWS continuously assesses its underlying infrastructure, including the physical and environmental security of its hardware and data centers, so customers can take advantage of those certifications and simply incorporate those controls.

Data Security

 

Field level encryption

Field level encryption is enabled for every sensitive data we are encrypting using AWS KMS.

 

Key management

The cryptographic keys are created and managed securely by the AWS KMS system (AWS Key management service).

 

Secure communication

We protect your data even when they are transiting between the application and the servers end to end equipped with transport layer 1.3 protocol and, TLS_AES_128_GCM_SHA256 To ensure that the data cannot be viewed if intercepted. This protection is accomplished by encrypting your data before transmission, authenticating end-to-end and decrypting and verifying your data upon arrival.

Data protection during Storage

We encrypt your data using 256-bit AES (Advanced Encryption Standard), also known as AES-256 which is one of the most powerful and sophisticated block ciphers available. And by using base 64 Encoding method.

Data Backup

Although not directly related to security, we all know that in the event of a security incident, the first thing we look at is our backup. These can be useful for forensic investigations as well as returning to a known healthy state. It is critical to keep both fast-to-recover backups and slower air gapped systems. Data backups take place daily and are maintained with appropriate versioning and the retention time for the backups are 30 days.

Backup storage

Backups are stored in the same region(Sydney) in AWS.

  • RDS - Built-in backup service for RDS.

  • RedShift - Built-in backup service for Redshift.

 

Data retention period

  • Prod Env: RDS - 30 Days (daily backups)

  • Prod Env: Redshift - 30 Days

 

Data archival

  • Only the backups of EC2 instances are archived in both Dev/QA and Prod environments.

 

Types of Data being backed up

  • EC2 Instance Data and RDS Data which includes all client data stored in the application.

 

Expiration of the data retention period

  • At the end of the data retention period the backed up data will be deleted automatically.

Data minimization

  • OctopusBI collects data which are only required to create an account in the application. No additional data is requested by the end user other than what is listed in the Privacy Policy.

Data portability and ensuring erasure

  • OctopusBI is in compliance with the 'Right to be Forgotten' clause under GDPR for customer data that means the user has the right to ask OctopusBI to delete their data upon their request.

AWS Services

AWS services

The AWS services used to host the octopusBI Tentacle product include Simple Email Service (SES), Secret Manager, AWS simple storage service (S3), Simple Queue Service,Simple Notification Service (SNS) and Cloudwatch.

Application Security

Secure and quality Application Code

Keeping and improving security of our application is a disciplined, continuous and continuing activity. Secure coding and security testing are essential in OctopusBI. Before being merged into the code base repository all code in application goes through a developer peer review procedure. Security auditing is part of the code review. Secure coding and code review materials from the OWASP (Open Web Application Security Project) as well as other community sources on recommended security practices.

Customer identity and access management

Since the tentacle is authenticated through instructure Its products support centralized identity management and delegated authentication via integration with Central Authentication Service (CAS), SAML 2.0 and JWT. If authentication fails, the application looks up the credentials using its internal authentication service. If authentication fails again, the application will deny the user login.

DDoS countermeasures

AWS shield standard is enabled to protect the application and the API’s from DDoS attacks, AWS shield is a managed Distributed Denial of Service protection service that always protects AWS-hosted applications from DDoS attacks.

Monitoring and logging

AWS CloudWatch collects monitoring and operational data in the form of logs, metrics, and events, and visualizes it using automated dashboards to get a unified view of AWS resources, applications, and services that run on AWS and these event logs have a retention period of 3 months

Access management to production

Access to the application production environment is restricted to a selected number of members in the OctopusBI team, we conduct periodic reviews on the product and all the AWS resources to ensure only right people have access to relevant environments, furthermore the production environment is also protected with necessary best practices.

Security testing and Vulnerability assessment

Internal Penetration testing

Security is a part of our everyday practice at OctopusBI with code reviews, security testing and frequent dependency audits. We test our Tentacle product prior to every production release for any security flaws in the application to ensure the maximum security in the system before we give the application to customers.

External Penetration testing

In addition to our regular internal security audits prior to every release and throughout the year OctopusBI gives the Tentacle application to a third-party organization twice a year to check for any security flaws.

Internal vulnerability assessment on Assets

A vulnerability assessment on all the OctopusBI systems, applications and/or infrastructure will be assessed for potential vulnerabilities, systems hardening and configuration errors before they are installed into the production environment to avoid any security weakness.

 

We have installed more sophisticated virus detectors in all systems to detect any malicious activity in the system continuously. We annually perform a Network scan to check for any unauthorized ports or any unauthorized services.

Compliance

Overview of the ISO/IEC 27001:2013

ISO/IEC 27001:2013 defines the requirements for establishing, implementing, maintaining, and constantly upgrading an information security management system within the context of an enterprise. It also includes guidelines for assessing and treating information security risks that are adapted to the organization's needs.

By utilizing a risk management method, the information security management system ensures the confidentiality, integrity, and availability of information while also providing interested parties with assurance that risks are appropriately controlled.

Disaster recovery

OctopusBI has determined its requirements for information security and the continuity of information security management in adverse situations. IS Officer shall be responsible for maintaining information security continuity at all times during a disaster or business interruption

OctopusBI has an overall RTO of 4 hours and a RPO of 8 hours

OctopusBI has a disaster recovery procedure that provides the possible initial actions to be taken at the event of a disaster.