This document provides a summary of the Information Security policies, procedures and controls that have been employed by the PiPware Team to ensure the confidentiality, integrity and availability of both the PiPware Cloud Environment as well as supporting operations. The Information Security Management Framework (ISMF) is based on a set of controls as outlined by the Australian Government Information Security Manual released by the Australian Signals Directorate.
PiPware is hosted on the Amazon Web Services (AWS) cloud platform in one of two locations: Sydney (Australia) or Ireland (Europe). The hosting environment consists of Route 53, Application Load Balancer (ALB), Application/Web/Database servers and Redis Cache implemented on AWS ElastiCache. A Web Application Firewall (WAF) has been setup to protect the web application from common web exploits, such as the OWASP Top 10 exploits. Server encryption supports the TLS 1.2 protocol and the encryption key size is 2048 bits. The certificate is stored in the AWS Certificate manager and is used by the load balancer for HTTPS. The web server forces HTTPS traffic via an IIS rewrite rule; all traffic to HTTP will be redirected to HTTPS. A recent SSL Server test performed through Qualys SSL Labs received an overall rating of ‘A’. Data is encrypted at rest and in transit; furthermore personal information is anonymised by ways of masking at database level.The technical stack consists of .NET Core, SQL Server, AngularJS / React.
A jump host is used to restrict Remote Desktop Access to the production servers from the Internet; access to the jump host is restricted to specific IP addresses. In addition, Multi Factor Authentication (MFA) is employed to provide an additional layer of security. Application access to the SQL Server database is authenticated by a group managed service account: a managed domain account that provides automatic password management. All PiPware applications that access the SQL database run under this identity. Windows event logs are automatically uploaded to AWS CloudWatch every 15 seconds. All application log messages (Information/Warning/Error), performance metrics and exceptions are logged to Application Insights on Microsoft Azure. The team is notified when certain events occur e.g. failed logon. The principle of least privilege is applied across the PiPware environment and login credentials are managed in LastPass.
Differential backups of databases are done daily with a full back up once a week; transaction log backups are made hourly. These backups are automatically uploaded to an AWS S3 bucket where it is kept for recovery purposes. Differential and full back ups are kept indefinitely. The PiPware Disaster Recovery plan is reviewed after significant change to the system or environment and is tested annually. Recovery Time Objective (RTO) is set at 8 hours and Recovery Point Objective, 1 hour.
All security issues are reported by emailing security@PiPware.net and managed through a predefined process in JIRA. In the event a breach of client information is suspected, applicable notifications are sent out to the relevant parties. The PiPware security account subscribes to Microsoft Security Notifications. This feed is checked daily by the System Administrator and patches are applied either immediately or within the subsequent week depending on severity and potential risk.
PiPware system libraries are tested prior to release for any vulnerabilities using Snyk. System penetration testing is performed by an external security company at least annually or after significant change to the system. All 3rd party vendors are assessed with regards to their information security policies prior to employing their services. The biggest reliance is on AWS who holds a number of relevant ISO certifications.
All employees, management and contractors adhere to an acceptable use policy; this policy includes guidelines such as the use of external devices, accessing public/untrusted networks, safekeeping and sharing of passwords.
Australian Government Information Security Manual
Please report all information security issues by emailing security@PiPware.net