Oroson and Security

As a company we use Oroson every day to store a significant amount of sensitive data. Ensuring Oroson is secure is vital for protecting our data and our customers' data. Security is our highest priority.

The purpose of this document is to set out openly the measures Oroson has taken to ensure that the data entrusted to it is secured against both attack and accidental compromise.

Security and Data Policies

Organisational security

As a remote development team, Oroson faces challenges and opportunities which may not be present in a more static environment. Oroson engages 3rd party security specialists to build and implement procedures that continually improve its security posture.

All customer data stays within the production data centre with strict access controls in place.

Personnel security

References are obtained for all personnel before they start with the company, and in some circumstances AccessNI or similar background checks may be required. All employees and 3rd parties who could have access to the systems are given an introduction to the security policies and must agree to confidentiality and non-disclosure terms.

As remote workers, all personnel receive training on securing their working environment, including the provision of secured devices and training on physical and environmental security practices.

A joiners and leavers process is followed for all personnel to ensure access is enabled when needed and removed immediately when no longer required.

The Oroson Site Reliability Engineering (SRE) team are the only Oroson employees who can access production data, and only for debugging purposes. This is a small group of senior engineers who report directly to the Oroson CTO.

Security and privacy training

All personnel are required to undergo security training at the start of their tenure with the organisation. This covers personal data responsibilities as framed by the Data Protection Act 2018, as well as more general security training to assist with identifying phishing and malware.

This training is revisited annually, and sooner should a shortfall in training be identified.

Audits, compliance and 3rd party assessments

Oroson works diligently, including with 3rd parties, to ensure compliance with international standards.

At the time of writing, Oroson is certified as Cyber Essentials compliant, a UK Government-backed standard. More details of this certification are available on the NCSC website. The Cyber Essentials certificate is available here.

Policies and standards

Although Oroson has not yet obtained ISO27001:2013 certification, all Oroson policies are aligned to ISO27001:2013. The policies currently govern the following areas:

  • Security Policy - A general document listing requirements for securing the organisation.
  • Data Audit - Lists the types of data which are collected in the application including personal data. This lists amongst other items the retention time, storage location and lawful basis for processing.
  • Data protection policies including:
    • Subject Access Request
    • Breach Notification
  • Business Continuity Policy
  • Deployment and Change Control Process

All documents are regularly reviewed by senior team members and updated as required.

Audits

Oroson engages external parties to provide guidance on standards as required. The effectiveness of all policies is audited during this process, and all policies are developed to align with ISO27001:2013. All audit findings are handled at senior management level and tracked to completion, including root cause analysis where applicable.

Penetration testing

Oroson engages external experts to provide application- and network-level security testing and penetration testing, including full scanning of cloud infrastructure and configuration. Penetration tests and security scans are performed by external security experts at least annually. The latest penetration test was performed in December 2018.

All security testing findings are handled at senior management level and tracked to completion, including root cause analysis where applicable.

Data requests

Oroson has implemented a Subject Access Request policy which allows users to retrieve their data in an organised fashion within the requirements of the Data Protection Act 2018. The outline process is included in the privacy policy.

Secure by Design

Software development lifecycle

Oroson operates a secure software development lifecycle in which security assessments are carried out as part of requirements gathering.

The security process continues with the use of static analysis software, including SonarQube and dependency checkers, which gives developers an overview of potential issues.

Developers use version control processes to control each change within the system, which gives full traceability of issues. All requirements, features and configuration changes must be raised in the Oroson issue tracker. Oroson uses the Git version control system, and a change moves to production as follows:

  1. Changes to the Oroson code base are made on separate branches and tested using a suite of automated tests.
  2. A Pull Request (PR) is raised for the branch and another member of the development team reviews it.
  3. After successful review, PRs are merged into a development branch, and periodically the development branch is merged into the master branch.
  4. Once in the master branch, the code is tagged and a Continuous Integration (CI) process builds it and deploys it to a staging environment.
  5. In staging the release is tested and issues are signed off by a Product Owner.
  6. Either the CTO or the Chief Architect then signs off the release for installation in production.

Protecting Customer Data

As previously mentioned, Oroson is responsible for a significant amount of personal and other data which is provided by customers and used for improving workflow and increasing productivity. This data is often classified as client confidential or for internal use only. It is vital that this information is treated with respect and remains secure.

Data encryption in transit and at rest

All data transmitted between Oroson clients and servers travels over a secure connection using strong encryption. Oroson supports the currently recommended protocol versions and cipher suites: TLS 1.2, with ECDHE_RSA key exchange on the P-256 curve and AES_128_GCM negotiated by default. The enabled cipher suites are monitored and updated as required. There is occasionally a requirement to support older cipher suites, although this is largely negated by supporting only newer devices.
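The baseline above (TLS 1.2 or newer, ECDHE key exchange on P-256, AES-128-GCM by default) can be expressed and checked in code. The following is an added example using Python's ssl module, not Oroson's own code: it builds a client context that refuses anything below TLS 1.2, restricts TLS 1.2 to ECDHE key exchange with AEAD ciphers, pins the ECDHE curve to P-256, and audits the resulting cipher list so that a drift in the OpenSSL defaults is caught. The OpenSSL cipher string, the function names and the constructed sample list are assumptions about how that baseline would be written, not Oroson's configuration.

```python
"""Added example (not Oroson's code): build a TLS client policy matching the
stated baseline (TLS 1.2+, ECDHE on P-256, AES-128-GCM by default) and audit
the cipher list it produces.  The cipher string is an assumption about how
that baseline is expressed in OpenSSL syntax."""
import ssl

# TLS 1.2 suites: ECDHE key exchange with AEAD bulk ciphers only, AES-128-GCM
# listed first so it is the default offer.  TLS 1.3 suites are configured
# separately by OpenSSL and are always ephemeral + AEAD.
POLICY_CIPHERS = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES"
)


def policy_context() -> ssl.SSLContext:
    """Client context enforcing the baseline.  create_default_context() keeps
    certificate chain and hostname verification switched on."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse TLS 1.0 and 1.1
    ctx.set_ciphers(POLICY_CIPHERS)
    ctx.set_ecdh_curve("prime256v1")               # NIST P-256
    return ctx


def violations(ciphers: list[dict]) -> list[str]:
    """Names of enabled suites that break the policy, given entries in the
    shape returned by SSLContext.get_ciphers(): every suite must be AEAD and
    use ephemeral key exchange (ECDHE in TLS 1.2; implicit in TLS 1.3)."""
    bad = []
    for c in ciphers:
        ephemeral = c["protocol"] == "TLSv1.3" or c["kea"] == "kx-ecdhe"
        if not (c["aead"] and ephemeral):
            bad.append(c["name"])
    return bad


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Audit a live context; an empty list means the policy holds."""
    return violations(ctx.get_ciphers())


# Constructed sample in the get_ciphers() shape (not real output), showing what
# a failure looks like: static RSA key exchange and a CBC/SHA-1 suite are both
# flagged, the ECDHE + GCM suite passes.
SAMPLE_WEAK = [
    {"name": "AES128-SHA", "protocol": "TLSv1.2", "kea": "kx-rsa", "aead": False},
    {"name": "ECDHE-RSA-AES128-SHA256", "protocol": "TLSv1.2", "kea": "kx-ecdhe", "aead": False},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2", "kea": "kx-ecdhe", "aead": True},
]

if __name__ == "__main__":
    print("policy context violations:", audit_context(policy_context()))
    print("weak sample violations:   ", violations(SAMPLE_WEAK))
```

Running audit_context() against a context built from the system defaults, rather than policy_context(), is the useful check: it reports exactly which suites the platform's OpenSSL would still offer that fall outside the stated baseline.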

Data is encrypted at rest in all locations, including Amazon S3 and RDS databases. All encryption keys are managed using cloud KMS services and rotated at least every 90 days.

The Oroson application is entirely cloud based and uses infrastructure from both AWS and Google Compute Engine. Both providers offer strong security under the shared responsibility model and allow organisations to bring their own security requirements. Both are certified to ISO27001:2013, amongst other certifications, and have strong, auditable processes for items including:

  • Physical and environmental security
  • Network security
  • Deletion of data after use

Oroson's application and data are hosted across a number of availability zones within the AWS eu-west-1 (Ireland) region. The systems are regularly tested to confirm the ability to recover from failure. Backups and logs are also replicated to the eu-central-1 (Frankfurt) region to provide business continuity in the case of a catastrophic failure of an AWS region.

Network security

The Oroson production and staging environments are completely separate AWS accounts. Data from production is never made available to staging or development.

Keys are not shared between different environments and user details are not permitted to cross over.

Oroson implements a number of methods for increasing network security, including AWS GuardDuty for threat detection and AWS Config for continuous monitoring of resource configuration within the cloud environment. These tools allow administrators to be aware of, and act on, issues and potential issues before they cause problems, and in some cases trigger automated actions to quickly isolate or remove instances or devices suspected of compromise.

Classifying data

The level of confidentiality is determined based on the following criteria:

  • Value of information - Based on impacts assessed during risk assessment
  • Sensitivity and criticality of information - Based on the highest risk calculated for each information item during risk assessment
  • Legal and contractual obligations

All information is classified into confidentiality levels.

Each confidentiality level, from lowest to highest, with its label, classification criteria and access restriction:

  • Public (unlabelled) - Making the information public cannot harm the organisation in any way. Information is available to the public.
  • Internal use (labelled INTERNAL USE) - Unauthorised access to the information may cause minor damage and/or inconvenience to the organisation. Information is available to all employees and selected third parties.
  • Restricted (labelled RESTRICTED) - Unauthorised access to the information may considerably damage the business and/or the organisation's reputation. Information is available only to a specific group of employees and authorised third parties.
  • Confidential (labelled CONFIDENTIAL) - Unauthorised access to the information may cause catastrophic (irreparable) damage to the business and/or the organisation's reputation. Information is available only to specific individuals in the organisation.

The basic rule is to use the lowest confidentiality level that still ensures an appropriate level of protection, in order to avoid unnecessary protection costs.

Oroson heavily restricts the access and movement of data, especially from high security areas to low security areas.

Authorising access

Access to systems must be granted on a need-to-know basis and removed as soon as it is no longer required. Passwords must follow guidance issued by the NCSC and the use of a password manager is mandated. Keys for accessing remote resources through APIs must be rotated regularly and must never be older than 90 days; this rotation should be automated where possible.

All production systems use AWS roles and instance profiles, so no production API keys can exist outside the AWS production environment.

Employees are not granted access to any resources until required to have access.

Authentication

Oroson uses 2-factor authentication for all systems which support it, including cloud providers and communication devices.

All server instances require a private key for authentication; password access is not permitted. Where sudo or administrative access is enabled, a strong passphrase is required and enforced using operating system functionality.

All employees must use an approved password manager for storage of sensitive information as recommended by the NCSC.

System monitoring, logging and alerting

All systems are monitored using a combination of tools, including services provided by the cloud providers; this allows alerting and automatic remediation should a server become unavailable.

All logs are immediately shipped off the originating systems to a central location for examination and analysis as required. Log-producing systems have write-only access to the log storage location and cannot delete or modify what has been written.

Endpoint monitoring

Servers and instances are monitored using the selection of monitoring tools listed above. Workstations used by Oroson developers have antivirus installed which is regularly updated and alerts on issues as required. Access to Oroson production systems is via a bastion host which requires strong SSH keys and enforces a strict IP address allow-list (whitelist).

All devices must be patched within 5 days for high and critical issues. Patches should be applied to testing environments first where possible.

Mobile device management

Mobile devices are controlled using centralised infrastructure and can be remotely wiped as required.

Responding to security incidents

In order to manage incidents effectively, Oroson has implemented a formal procedure. Each member of the team is responsible for following an issue through from open to close, with support from the CTO and other representatives as required. As with all processes, this is regularly reviewed and audited.

Data and media disposal

All data is deleted using industry standard techniques when the end of its retention period has been reached. Backups are retained for a specified period of time, although these are outside the reach of all but the most senior users and require a manual process to restore. No customer data will ever exist outside the production environment, and production data is never allowed on local workstations or laptops.

After deletion of this data, Oroson relies on the media destruction requirements covered by the AWS ISO27001:2013 certification, as described in the AWS whitepaper.

Protecting secrets

Oroson has developed a secure methodology for handling secrets within the infrastructure, including keys and credentials. Secrets are obtained only when required and discarded at the earliest possible opportunity; secrets are never stored in configuration or other files.

Workstation and laptop security

All devices, including laptops, tablets and mobile phones must have the following measures applied:

  • Firewall installed and switched on
  • Full Disk Encryption enabled with strong passphrase
  • All passphrases should follow the guidance issued by NCSC
  • The use of a password manager is mandatory
  • Antivirus installed where possible

Server hardening

All instances are based on secure images from which all extraneous services have been removed, default passwords changed and unnecessary users removed. Base containers contain only the software absolutely required to run the system, and users are not able to access the containers directly.

Disaster Recovery and Business Continuity

Due to the distributed nature of the organisation, business continuity measures are well established, and recovery from a single failure can be easily performed. Risks and controls in place are listed within the Risk Assessment and Treatment documents.

Business continuity for the production environment relies on the ability of the AWS and GCE clouds to recover from failure. The environment is spread across multiple availability zones within a single region (eu-west-1 / Ireland), and all instances can be brought up in any of these availability zones as required.

Backup of production data

Oroson continually backs up customer data within the production AWS account.

  1. RDS instances are backed up on a rolling basis using standard RDS snapshots. These snapshots are retained for 7 days.
  2. Daily RDS snapshots are taken and replicated to the eu-central-1 / Frankfurt region. The source account can only write backups, and not read, remove, or update existing snapshots.
  3. S3 buckets have versioning enabled. All changes to S3 objects replicate to a S3 bucket in another AWS region (eu-central-1 / Frankfurt). The source account can only write new versions of data, and not read, delete, or update existing data.
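The write-only destination in points 2 and 3 above, and the write-only log store under "System monitoring, logging and alerting", comes down to what the destination bucket policy grants the writing principal. The following is an added example, not Oroson's own policy: it generates such a bucket policy as a Python dict (S3 replication actions for a backup destination, or plain PutObject for a log shipper, with an explicit Deny on every read and delete action) and checks, before deployment, that no Allow statement grants the writer anything forbidden. The bucket-level actions granted to the replication role are taken from AWS's documented cross-account replication setup minus the delete and versioning-change actions; bucket names, the account ID and role names are placeholders.

```python
"""Added example (not Oroson's policy): a write-only S3 destination bucket
policy for replicated backups or shipped logs, plus a pre-deployment check
that the policy really is write-only.  All ARNs below are placeholders."""
import fnmatch
import json

# Actions the writing principal must never be able to perform.  Omitting
# s3:ReplicateDelete means delete markers from the source never reach the
# destination; with versioning enabled, a replicated overwrite only adds a
# new version and leaves the existing ones intact.
FORBIDDEN_ACTIONS = (
    "s3:GetObject", "s3:GetObjectVersion",
    "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:ReplicateDelete",
    "s3:PutBucketVersioning", "s3:PutLifecycleConfiguration",
    "s3:PutBucketPolicy", "s3:DeleteBucket",
)


def write_only_bucket_policy(bucket: str, writer_arn: str, replication: bool) -> dict:
    """Bucket policy applied in the destination account.  With replication=True
    the writer is the source account's S3 replication role; otherwise it is a
    log shipper that only ever calls PutObject."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    if replication:
        object_actions = ["s3:ReplicateObject", "s3:ReplicateTags"]
        bucket_actions = ["s3:GetBucketVersioning", "s3:ListBucket"]
    else:
        object_actions = ["s3:PutObject"]
        bucket_actions = []
    statements = [
        {"Sid": "WriteOnlyObjects", "Effect": "Allow",
         "Principal": {"AWS": writer_arn},
         "Action": object_actions, "Resource": f"{bucket_arn}/*"},
        # An explicit Deny in the bucket policy wins over any Allow the
        # writer's own account could later add to the role's identity policy.
        {"Sid": "NeverReadOrDelete", "Effect": "Deny",
         "Principal": {"AWS": writer_arn},
         "Action": list(FORBIDDEN_ACTIONS),
         "Resource": [bucket_arn, f"{bucket_arn}/*"]},
    ]
    if bucket_actions:
        statements.insert(1, {"Sid": "ReplicationBucketReads", "Effect": "Allow",
                              "Principal": {"AWS": writer_arn},
                              "Action": bucket_actions, "Resource": bucket_arn})
    return {"Version": "2012-10-17", "Statement": statements}


def _as_list(value) -> list:
    return [value] if isinstance(value, str) else list(value)


def allowed_action_patterns(policy: dict) -> set[str]:
    """Every action pattern that appears in an Allow statement."""
    patterns = set()
    for statement in policy["Statement"]:
        if statement.get("Effect") == "Allow":
            patterns.update(_as_list(statement.get("Action", [])))
    return patterns


def write_only_violations(policy: dict) -> set[str]:
    """Forbidden actions reachable through an Allow statement.  IAM matches
    action names case-insensitively and supports '*' and '?' wildcards, so a
    pattern such as "s3:*" or "s3:Get*" is expanded before comparison.  A Deny
    elsewhere would block these at evaluation time, but an Allow for them
    should never be written in the first place."""
    hits = set()
    for pattern in allowed_action_patterns(policy):
        for action in FORBIDDEN_ACTIONS:
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                hits.add(action)
    return hits


if __name__ == "__main__":
    # Placeholder account ID and role name; eu-central-1 backup bucket as in the text.
    policy = write_only_bucket_policy(
        "oroson-backups-frankfurt",
        "arn:aws:iam::111122223333:role/prod-s3-replication",
        replication=True,
    )
    print(json.dumps(policy, indent=2))
    print("violations:", write_only_violations(policy))
```

The same check applies to the log destination: generate it with replication=False and run write_only_violations() on it in CI, so that a later edit widening the Allow to "s3:*" fails the build rather than silently turning the log store into something the log shippers can read or wipe.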

3rd Party Suppliers

Oroson uses a number of 3rd party suppliers who have been vetted and approved as required by the risk assessment and treatment plan. Suppliers that are not ISO27001:2013 accredited are required to complete a questionnaire listing the technical and organisational measures they have in place to protect data. The CTO ensures that all relevant external parties are familiar with this policy and adhere to Oroson security policies.

Conclusion

Security is an integral part of the Oroson lifecycle. We believe that if an organisation trusts us to take care of its data, we should apply as many resources as possible to protecting it.

For more details please speak to one of our account management team or to the CTO directly.

Changelog

  • November 2018 - Original Version - Prepared by Oroson Ltd