infrastructure, security & compliance
Our Cloud Infrastructure, Security & Compliance
We supply systems to private companies, public companies, the military, International Banks and Governments – we will have the right sized scalable solution that fits both your need and your budget.
As part of our standard service we will host your application on our multi-server Infrastructure within Microsoft Azure.
We use the same backbone cloud infrastructure as all the major Internet players – so you can be sure your experience with us will be exactly the same as if you were shopping on Amazon or checking your email at Google.
Azure listschemes)by then
Azure data centers are ‘lights out’ locations and use military grade access security. Our servers are residing in a highly secure infrastructure that is ISO rated and audited each year – Microsoft Audit their infrastructure every year and those reports are public information.
Certifications & Compliance
Our platform is hosted in an environment that has the following certificates of compliance :
- ISO/IEC 27001
- ISO 9001
- ISO 14001
- OHSAS 18001
- SSAE 18
- SOC 1
- SOC 2
- SOC 3
- Privacy Shield
EYVO and DFARS NIST 800-171
Our own company already operates and adheres to the latest NIST 800-171 security framework standards and will be aiming for certification during Q4 2020. We have in place a Systems Security Plan and a Plan Of Action to address any identified gaps. We also maintain a long list of security policies, procedures and controls to address everything in the NIST 800-171 Standard.
With Azure providing the physical hosting infrastructure through their Azure service, Microsoft enforces physical security through a variety of methods as covered in their Security Whitepaper per this link
The buildings, servers, and infrastructure of Microsoft’s Azure service is the same as their multi-billion dollar retail business, so you can be assured that your application and data are secure.
We encrypt all communication between customers and our Azure center using military-grade encryption (AES-256 256 bit). Access to Eyvo’s applications and services is only available through Port 443 secure sessions (https) and then only available with an authenticated login and password. Passwords are never transmitted or stored in clear text, so cannot be read by and third parties or bad actors.
Server and Perimeter Edge Security
We protect our application infrastructure by using Azure’s firewalls at both the infrastructure and application levels, as well as IDS ( intrusion detection systems) across all application and database servers. Anomaly detection systems instantly notifies operations staff, 24/7, if anything unusual is detected. In addition, we work with third party security firms and consultants to conduct vulnerability threat assessments including penetration tests.
As mentioned, all our front-facing servers are behind firewalls and only accessible via the https protocol. Database servers inside the perimeter firewalls are protected using several sub-nets with non-routable IP addressing schemes, network address translation.
We enforce a hardened operating system with level security by maintaining a minimal number of access points to all production servers. operating systems (O/S) accounts are protected using secure public key authentication schemes and only ops personnel have access to the servers. All O/S’s are run at each suppliers latest patch levels for security and are hardened according to recommended standards e.g. by removing/disabling any unnecessary users, irrelevant ports, and stopping unneeded processes. Access to the databases is controlled via a controlled password list.
No customer can see another customer’s data as each customers data is held on their own separate SQL Server instance. This is additionally enforced by several additional layers of our architecture, including authenticated sessions, which are required for any page access. Sessions are stored in cookies that do not encode any customer identifiable information and no customer information is ever sent or stored during page access, thus preventing customer spoofing.
Reliability and Backup
In addition to the physical redundancy that Azure provides, we have redundant configurations for each component of our dependent infrastructure. All customer data is stored on Azure business class SQLServer with live failover and geographic replication where needed. All customer data is replicated in real time to a secondary environment in a different data center varying between the East and West regions of Azure and then continually backed up onto the Microsoft Azure service allowing an ‘any point in time restore’. The Microsoft Azure service is then replicated throughout the Azure data centers globally. We use Azure High Availability Business Critical Gen5 class servers.
Disaster Recovery Program
We’re able to leverage the Microsoft Azure cloud to provide a best in class disaster recovery program. Using Microsoft Azure services for data storage as described above we eliminate the risk of customer data loss. If the primary hardware for a customer fails, we can immediately switch over to the secondary hardware, which is running concurrently with the primary. If there is a disaster that fails both the primary and secondary servers, we have the ability to failover to any number of Azure data centers in the United States and in Europe, in a matter of minutes.
Databases are partitioned for each customer so that the data for different customers does not commingle. Database infrastructure is completely segregated from the Application servers and the Internet via firewalls. Only application servers can query the database using strong authentication. Data is encrypted in transit and at-rest with cryptographically strong ciphers before storing into the database. Database servers have the same host-based security that protects all Eyvo servers.
- We require that our networking and security teams working on our infrastructure be certified. We also require that they be thoroughly experienced in managing and monitoring enterprise level networks.
- Our Certified Network Technicians are trained to the highest industry standards.
Dedicated, Managed Firewalls
- We use Cisco PIX Firewalls – the industry standard and leader – Without exception we take data security seriously, so seriously that we have a wide array of security services to meet a wide range of requirements. You have valuable and confidential information stored on our equipment. We make it our job to provide you with the expertise, services and solutions to secure your data based on your requirements and for many of our customers, managed firewalls are a primary and vital component of security. Fully supported around the clock by our thoroughly qualified Security Engineers, the firewall is dedicated completely to your environment.
In partnership with our Custom Application Delivery Team, you may also run your own private cloud. It has the same benefits as all of the above but with the added difference that its not shared and you may also layer on top of it any custom application code you need. We allow you to change our code base to better fit your ideas of how the system should perform around your business.
Furthermore, we will provide you with structured access through our firewall so that you, and only you, can gain access to your raw data – perhaps to run additional reports or to link to 3rd party tools.
How we secure against brute force hacking
For regular retail clients – Access to our application can be as simple as just entering your userid and password but we would not recommend that route – usually that’s for systems that are self-hosted and that are behind a hardened corporate firewall.
For systems that we host for you on the public internet, we provide three additional optional pieces of access security:
CAPTCHA – This is a process that protects websites against bots by generating and grading tests that humans can pass but current computer programs cannot. For example, humans can read distorted text but current computer programs can’t – this optional piece is free of charge to switch on and is implemented system wide and affects all users on the system.
2 Factor Authentication (2FA) – The Knowledge factor and the Possession factor. In other words this works on the premise of something you know and something you have – a well known principle in computer security. In our implementation of 2FA we assume you can receive an SMS text message on your cell phone or you have a smart phone. After you have entered your userid/password (and the optional Captcha code) then you are asked to enter the 2FA verification code which you get from either an SMS message or the installed app on your phone. This verifies that you really are who you say you are – this optional piece does generally incur a small cost per user and is implemented on a per user basis only (for a minimum of 6 users) and so can be rolled out to all users or only to users who have high levels of approval authority.
Static IP & VPN – We only grant access through our Firewall from your fixed static IP address and also only via our VPN – this really locks you down to access from a specific site and ensures no one can ‘listen in’.
Eyvo Security Downloadable’s
We have a specific downloadable White Paper on this subject that you may like to download to share with your colleagues available from here
Cloud Security Alliance
You may also download our Cloud Security Self Assessment (CAIQ v3.0.1) Response Document here
Contact us for more information.