OctopusBI
OctopusBI Premium Security Overview
- 1.1 Introduction
- 1.2 Physical Security
- 1.3 Data Security
- 1.4 Data Protection During Storage
- 1.5 Data Backup
- 1.5.1 Backup storage
- 1.5.2 Data retention period
- 1.5.3 Data archival
- 1.5.4 Types of Data being backed up
- 1.5.5 Expiration of the data retention period
- 1.6 Data minimization
- 1.7 Data portability and ensuring erasure
- 2 Network Security
- 2.1 AWS services
- 2.2 AWS Network Security
- 3 Application Security
- 4 Security Audits and Vulnerability Management
Introduction
OctopusBI transforms organizations into insight-driven institutions by leveraging the infinite power and potential of education analytics. OctopusBI, a Business Intelligence platform and master connector, solves data problems for a comprehensive view of student, classroom, and business operations.
Our organization is driven by a single goal: to provide businesses with invaluable data insights to transform future outcomes. We envision a new era of global education, powered by intelligent learning institutions that improve students' academic and personal success.
We are a diverse team with a never-say-die attitude, committed to being true partners in the success of our clients. We are a group of education professionals, business analysts, and software engineers who all believe in using business intelligence and innovation to effect positive, meaningful change in the global education sector.
Physical Security
The premium product is hosted on AWS, a highly stable infrastructure and the world's most comprehensive and broadly adopted cloud platform. AWS data centers around the world are designed with environmental safeguards.
The services we deploy with ECS/Fargate are configured to run across all 3 Availability Zones (`ap-southeast-2a`, `ap-southeast-2b` and `ap-southeast-2c`) in the Asia Pacific (Sydney) region. Redshift is currently configured in the `ap-southeast-2c` Availability Zone only (single AZ), and RDS is configured with Multi-AZ. These zones provide resilience in the face of most failure modes, including natural disasters or system failures.
Development, Staging, Pre-Production and Production environments are completely isolated from one another at the VPC (Virtual Private Cloud) level and at the AWS account level.
The backend database of the host and the services are in a private VPC (Virtual Private Cloud) that is not visible to any public network, to ensure maximum security for your data.
AWS data centers are staffed 24x7 by professional security guards and access to the premises is strictly prohibited.
AWS Compliance enables customers to understand the robust controls in place at AWS to ensure data security and privacy in the AWS Cloud. AWS and customers share compliance responsibilities when systems are built in the AWS Cloud. AWS computing environments are continuously audited and certified by accreditation bodies across geographies and verticals, including SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70), SOC 2, SOC 3, ISO 9001 / ISO 27001, FedRAMP, DoD SRG, and PCI DSS Level 1. AWS also has assurance programs that provide templates and control mappings to assist customers in establishing the compliance of their AWS-hosted environments.
Customers reduce the scope and cost of audits required by operating in an accredited environment. AWS continuously assesses its underlying infrastructure, including the physical and environmental security of its hardware and data centers, so customers can take advantage of those certifications and simply incorporate those controls
Data Security
Data encryption and pseudonymization in back-end
An educational institution's data is highly sensitive because it contains students' personal data such as name, age, email address and phone number. We use pseudonymization to make all your data sets more private. The personally identifiable information mentioned above is classified and protected with encryption at rest: the data is encrypted at the RDS level and in the S3 bucket, so an attacker who manages to obtain the encrypted data cannot decrypt it without a valid key.
Key management
The cryptographic keys are created and managed securely by AWS KMS (AWS Key Management Service).
Tenant management
Each OctopusBI user will get a separate tenant; those tenants are segregated from other tenants, not shareable and segregated from the backend as well.
Secure communication
We protect your data in transit between the application and the servers, end to end, using the TLS (Transport Layer Security) 1.3 protocol, so that the data cannot be viewed if intercepted. This protection is accomplished by encrypting your data before transmission, authenticating end-to-end, and decrypting and verifying your data upon arrival.
Data Protection During Storage
We encrypt your data using 256-bit AES (Advanced Encryption Standard), also known as AES-256, which is one of the most powerful and sophisticated block ciphers available. To store your passwords securely we use the default Amazon Cognito encryption, a sophisticated algorithm used for data protection. For field-level encryption, a user-based token is provided by Cognito.
Data Backup
Although not directly related to security, we all know that in the event of a security incident, the first thing we look at is our backup. It is critical to keep both fast-to-recover backups and slower air-gapped systems. Data is backed up daily and maintained with appropriate versioning and 30 days of data retention. These backups are verified and checked for integrity.
Backup storage
Backups are stored in the same region (Sydney) in AWS.
RDS - Built-in backup service for RDS.
Redshift - Built-in backup service for Redshift.
Data retention period
Prod Env: RDS - 30 Days (daily backups)
Prod Env: Redshift - 30 Days
Data archival
Only the backups of EC2 instances are archived in both Dev/QA and Prod environments.
Types of Data being backed up
EC2 Instance Data and RDS Data.
Expiration of the data retention period
At the end of the data retention period the backed up data will be deleted automatically.
Data minimization
OctopusBI collects only the data required to create an account in the application. No additional data is requested from the end user other than what is listed in the Privacy Policy.
Data portability and ensuring erasure
OctopusBI complies with the 'Right to be Forgotten' clause under GDPR for customer data, which means the user has the right to ask OctopusBI to delete their data upon request.
Network Security
AWS services
The AWS services used to host the OctopusBI premium product include EC2 (Elastic Compute Cloud), S3 (Simple Storage Service), VPC (Virtual Private Cloud), SES (Simple Email Service) and other AWS services. OctopusBI's premium product is designed to take full advantage of AWS's real-time redundancy and capacity capabilities.
AWS Network Security
OctopusBI uses protocols such as HTTPS, TLS 1.3, SFTP and SSH to secure communication internally as well as externally. Communication between the agent and a tenant uses socket communication.
Application Security
Secure and quality Application Code
Maintaining and improving the security of our application is a disciplined, continuous activity. Secure coding and security testing are essential at OctopusBI. Before being merged into the code base repository, all application code goes through a developer peer review procedure. Security auditing is part of the code review. We use secure coding and code review materials from OWASP (Open Web Application Security Project) as well as other community sources on recommended security practices.
User Identification and Authentication
For user identification and authentication we use Amazon Cognito, which handles web application authentication. Users can sign in directly with a username and password or via a third-party service.
DDoS countermeasures
AWS Shield Standard is enabled to protect the application and the APIs from DDoS attacks. AWS Shield is a managed Distributed Denial of Service protection service that always protects AWS-hosted applications from DDoS attacks.
Access management to production
Access to the application production environment is restricted to a selected number of members of the OctopusBI team. We conduct periodic reviews of the product and all AWS resources to ensure that only the right people have access to the relevant environments. Furthermore, the production environment is also protected with necessary best practices.
Monitoring and logging
AWS CloudWatch collects monitoring and operational data in the form of logs, metrics, and events, and visualizes it using automated dashboards to give a unified view of the AWS resources, applications, and services that run on AWS. These event logs have a retention period of 3 months.
Security Audits and Vulnerability Management
Internal Penetration testing
Security is a part of our everyday practice at OctopusBI with code reviews, security testing and frequent dependency audits. We test our premium product prior to every production release for any security flaws in the application to ensure the maximum security in the system before we give the application to customers.
External Penetration testing
In addition to our regular internal security audits prior to every release and throughout the year, OctopusBI gives the application to a third-party organization every 4 months to check for any security vulnerabilities.
Internal vulnerability assessment on Assets
All OctopusBI systems, applications and/or infrastructure will be assessed for potential vulnerabilities, system hardening and configuration errors before they are installed into the production environment, to avoid any security weakness.
We have installed more sophisticated virus detectors in all systems to continuously detect any malicious activity. We perform a network scan annually to check for any unauthorized ports or unauthorized services.
Compliance (ISO/IEC 27001:2013)
Overview of the ISO/IEC 27001:2013
ISO/IEC 27001:2013 defines the requirements for establishing, implementing, maintaining, and constantly upgrading an information security management system within the context of an enterprise. It also includes guidelines for assessing and treating information security risks that are adapted to the organization's needs.
By utilizing a risk management method, the information security management system ensures the confidentiality, integrity, and availability of information while also providing interested parties with assurance that risks are appropriately controlled.
Disaster recovery
OctopusBI has determined its requirements for information security and the continuity of information security management in adverse situations. The IS Officer shall be responsible for maintaining information security continuity at all times during a disaster or business interruption.
OctopusBI has an overall RTO of 4 hours and an RPO of 8 hours.
At OctopusBI we have initiated a disaster recovery procedure that provides the possible initial actions to be taken in the event of a disaster.