System Security

Physical security: where are your servers and are they secure?

Our servers are hosted by Amazon Web Services (AWS), and all our resources are located in the London region.  The data centre is accredited to ISO 27001, among other standards; details of AWS compliance with numerous security and Information Governance standards are available at https://aws.amazon.com/compliance/.

Server security: are the servers secure?

Yes. All services that are not needed on the server are turned off. Remote access uses encrypted connections, with non-standard logins and public/private key authentication (and encrypted private keys). Our server provider does not have access to the server or the data on it. Servers are isolated from the internet and access is only permitted from particular locations.  Two-factor authentication is always used to access control panels.  Firewalls are enabled, limiting traffic by type and source.

Application security: is the Lamplight software secure?

Yes.  Authorisation and access control across the entire application defaults to ‘no access’ unless you are logged in and have the appropriate permissions. No application code is located in public directories on the server. Passwords are stored securely (not in plain text), but password policy (strength, frequency of changes etc.) is for the customer to decide and adopt.  Repeated login attempts take an increasingly long time to complete.

All data coming into the application are validated and filtered; all data going out are escaped, and all forms are ‘salted’ to prevent CSRF attacks.  Each customer’s data are stored in a separate database, with separate access for each customer.  Data changes are logged with who made the change and the date and time of the change.

‘Filtering and validating data’ means that whatever you enter into Lamplight is checked to ensure it’s the right kind of data. ‘Escaping’ data means displaying it on screen safely. It can also refer to a technique for inserting data into the database safely. Lamplight does both. CSRF (cross-site request forgery) is a hacking technique. SSL (Secure Sockets Layer) is a way to encrypt data between a web server and your computer. 256-bit refers to the key length, i.e. the ‘amount’ of encryption.

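
To make the ‘salted’ form and ‘escaping’ ideas above concrete, here is an added example (written for this page, not Lamplight’s own code): a form token is minted for one login session and one form, checked on submission with a constant-time comparison, and user-entered text is escaped before it is rendered. The server key, session ids and form names are constructed values for the illustration.

```python
import hashlib
import hmac
import html
import secrets

# Constructed demo key; a real deployment keeps a per-installation secret outside the code.
SERVER_KEY = b"constructed-demo-key-for-this-example"


def _mac(session_id: str, form_name: str, nonce: str) -> str:
    # NUL-separated join so a session id or form name containing a separator cannot be confused.
    msg = b"\0".join(s.encode() for s in (session_id, form_name, nonce))
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def make_csrf_token(session_id: str, form_name: str) -> str:
    """Mint a token for one form in one login session: fresh nonce + HMAC over (session, form, nonce)."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, form_name, nonce)}"


def check_csrf_token(token: str, session_id: str, form_name: str) -> bool:
    """Accept the POST only if the token was minted for this session and this form.
    A form submitted from another site cannot carry a valid token because it never saw the
    session it would need to bind to, and the HMAC cannot be computed without SERVER_KEY."""
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    expected = _mac(session_id, form_name, nonce)
    return hmac.compare_digest(expected.encode(), mac.encode())


def escape_for_html(user_value: str) -> str:
    """The 'escaping' step: user-entered text is rendered as text, never as markup."""
    return html.escape(user_value, quote=True)
```
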
Encryption

All data transferred between our server and your computer is encrypted using 256-bit SSL.  Databases are encrypted on disk, as are backups, using AWS standard key management.  Files uploaded are stored on AWS S3 and are encrypted at rest.  Our servers are located in a VPC private network meaning traffic between them is isolated.  Amazon do not have access to any data.

How can we secure our system?

Lamplight provides a number of features to allow you to strengthen the security of your system.  These can be applied globally, or to particular logins.  These include:

Two factor authentication

Two factor authentication can be enabled on individual logins, using an app on your phone to generate a unique 6-digit code every 30 seconds. To log in, you enter your username and password as usual, and then the 6-digit code generated by your phone.  So discovering your password is not enough for an attacker to log in as you.
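
The 30-second, 6-digit code described above is the TOTP scheme of RFC 6238. As an added illustration (example code written for this page, not Lamplight’s implementation), the following computes the code exactly as a phone app does from a shared base32 secret and the current time window, and shows the server-side check that tolerates one window of clock drift. The secret used is the RFC 6238 reference value so the output can be checked against the published test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time

# Reference secret from RFC 6238 ("12345678901234567890"), base32-encoded as a phone app would
# receive it in a QR code. Used here only so the codes match the RFC's test vectors.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()
STEP_SECONDS = 30
DIGITS = 6


def totp(secret_b32: str, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP code for the given Unix time (HMAC-SHA1, the variant most phone apps use)."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = unix_time // step                            # which 30-second window we are in
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, submitted: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Server-side check: accept the current window and +/- skew_steps neighbouring windows
    so that a slightly drifted phone clock still works; comparison is constant-time."""
    for delta in range(-skew_steps, skew_steps + 1):
        expected = totp(secret_b32, unix_time + delta * STEP_SECONDS)
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return True
    return False


if __name__ == "__main__":
    print("code for the current window:", totp(DEMO_SECRET_B32, int(time.time())))
```

A real deployment would also record the last accepted window per user so the same code cannot be replayed inside the skew allowance.
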

Password policies

You can decide what restrictions to place on passwords used in Lamplight.  You can set minimum lengths, inclusion of punctuation, and “don’t use common passwords”.

Login policies

You can stop particular operators from logging in at particular times (e.g. weekends) or places (e.g. only from the office).
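
The password and login policies described in the two sections above are both checks applied to an operator at login time. As an added example (written for this page, not Lamplight’s own code), here is one policy table carrying both kinds of rule, a password check that returns every rule a candidate breaks, and a login check against permitted days, hours and source networks. The policy values, the weekday/hour windows and the office network (an RFC 5737 documentation range) are constructed for the illustration.

```python
import ipaddress
import string
from datetime import datetime

# Constructed policy for one operator; the values are illustrative, not product defaults.
POLICY = {
    "min_length": 12,
    "require_punctuation": True,
    "common_passwords": {"password", "password1", "letmein", "qwerty123"},
    "allowed_weekdays": {0, 1, 2, 3, 4},          # Monday=0 ... Friday=4 (no weekend logins)
    "allowed_hours": (8, 18),                      # 08:00 up to, but not including, 18:00
    "allowed_networks": ["203.0.113.0/24"],        # documentation range standing in for the office
}


def password_problems(policy: dict, password: str) -> list[str]:
    """Return every policy rule the candidate password breaks (empty list means acceptable)."""
    problems = []
    if len(password) < policy["min_length"]:
        problems.append(f"shorter than {policy['min_length']} characters")
    if policy["require_punctuation"] and not any(c in string.punctuation for c in password):
        problems.append("no punctuation character")
    if password.lower() in policy["common_passwords"]:
        problems.append("on the common-password list")
    return problems


def login_allowed(policy: dict, when: datetime, source_ip: str) -> tuple[bool, str]:
    """Decide whether this operator may log in at this time from this address: (allowed, reason)."""
    if when.weekday() not in policy["allowed_weekdays"]:
        return False, "outside permitted days"
    start, end = policy["allowed_hours"]
    if not start <= when.hour < end:
        return False, "outside permitted hours"
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False, "unparseable source address"
    if not any(addr in ipaddress.ip_network(net) for net in policy["allowed_networks"]):
        return False, "source address not in a permitted network"
    return True, "ok"
```
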

What is the backup policy?

Snapshot backups of AWS Aurora database data are taken nightly and retained (encrypted) for 28 days.  These are designed for catastrophic failure scenarios, where we need to restore data for all customers.  Backups are encrypted.

Customers can also take their own backups (through the system admin area of Lamplight) for download to their own storage.  These can be taken at any time.

File storage uses S3 which stores multiple redundant copies across the S3 infrastructure.

How do you ensure availability of Lamplight if something goes wrong?

We use AWS Auto-Scaling policies to ensure that multiple application servers are deployed across both London Availability Zones (AZs).  AZs are engineered to be separate from one another, so that if one AZ fails, the other will continue to operate.  If a server fails, or a whole AZ fails, new servers will be deployed within minutes.

A high availability Application Load Balancer is deployed to handle requests and direct them to application servers.

We use AWS Aurora for the database, with a redundant “hot spare” server online at all times.  Failover from primary to secondary servers is automatic and rapid (generally within a few seconds), and is built in to the service.

Both Aurora data and S3 file data are automatically replicated across multiple disks and are self-healing in the event of disk failure.  Both are scalable well beyond conceivable requirements.

We use Cloudfront monitoring to oversee performance and availability of all services.  We aim to deliver responses within 300ms (from the load balancer request to response) and currently average around 250ms during weekdays.

Disaster Recovery procedures apply when a datacentre is likely to be out of action for an extended period of time, and you need to switch to an alternative provision. Amazon already provides Availability Zones within the London region for High Availability; however, to ensure data stays within the UK we do not use other regions as standby DR sites. We judge that the risk that an entire Amazon region is offline for an extended period is sufficiently small that it does not justify the cost of maintaining a third-party DR site.

What about the Data Protection Act and the GDPR?

You will probably need to register with the Information Commissioner, if you haven’t already (http://www.ico.gov.uk). We are voluntarily registered (number Z2557506).

The GDPR (General Data Protection Regulation) is the new legal framework for data protection in the EU.  It comes into force on 25th May 2018.  It is similar to the existing Data Protection Act but adds some new and different requirements.  The authoritative source in the UK is the Information Commissioner’s Office (ICO – https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/).

The system has the functionality you will require in order to comply with the GDPR requirements.  We are also training key staff and are working towards Cyber Essentials certification.  We will then seek ISO27001:2013 certification, and will be updating the implementation workbook and hosting agreement.