
Question: What hosting options are available?

Our Knox-grade offering is only available with AWS-based hosting, as it relies on several AWS services and other cloud services. For our standard offering we can also host on our own servers, which are deployed in Equinix and GlobalSwitch data centers. We can also support your IT team in self-hosting your Polonious environment.

Question: What Operating System options are available?

By default we run CentOS on all our instances. However, we can also configure our service to run on RHEL or other selected operating systems if required.

Question: What EC2 instance types do you use?

The EC2 and RDS instances are sized according to your needs, based on the number of system users.

Question: What data import options are available within Polonious?

Polonious offers various interfaces to create or import cases and other data via backend functionality, including REST service calls to query, create or update the various entity types. We can work with your IT department to work out the best method for your particular integration scenario. For example, Polonious offers SFTP-based uploading of data files, which are then parsed and imported into the system on a regular schedule via customisable cron jobs.

Question: Do you have a Data Migration tool to import data from legacy systems?

We will require a CSV file export from your legacy system. The data import tool mentioned above can then be manually configured and triggered to import historic case data into Polonious.

Question: What SSO Integration do you support?

Polonious comes with built-in SAML 2.0 support and can therefore integrate with SAML 2.0 compliant identity providers, including Active Directory based products. We have successfully integrated with Microsoft AD and ADFS. Our SSO component supports user authentication as well as Just-In-Time (JIT) user provisioning and user access management, i.e. synchronisation of user security roles from the attributes asserted by the SAML 2.0 identity provider.
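The sequence described above (validate the assertion, then JIT-provision the user and overwrite their roles from what the IdP asserts) looks like this in code. This is an added example, not Polonious's SSO component; the issuer, audience, group claim mapping and the sample assertion are hypothetical and constructed, and the XML signature is assumed to have already been verified by a SAML library before this step runs.

```python
"""SAML 2.0 assertion consumption with JIT provisioning and role sync.
Added example, not Polonious's SSO component. Signature verification is
assumed to have been done by a SAML library BEFORE this code runs; without
it an attacker can forge every value extracted below."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUP_CLAIM = "http://schemas.xmlsoap.org/claims/Group"   # AD FS group claim type

# Hypothetical identifiers for this example.
EXPECTED_ISSUER = "http://adfs.example.com/adfs/services/trust"
EXPECTED_AUDIENCE = "https://cases.example.com/sp"
# Hypothetical mapping of IdP groups to application roles; groups that are
# not listed (e.g. "Domain Users") grant nothing.
ROLE_MAP = {"Polonious-Investigators": "investigator", "Polonious-Admins": "admin"}

# Constructed sample assertion (unsigned, for illustration only).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c0ffee"
                Version="2.0" IssueInstant="2024-01-01T10:00:00Z">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>jsmith@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://cases.example.com/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>Polonious-Investigators</saml:AttributeValue>
      <saml:AttributeValue>Domain Users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T10:05:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_assertion(xml_text, now):
    """Check issuer, validity window and audience; return (name_id, groups).
    `now` is injected so the check is testable; pass datetime.now(timezone.utc)."""
    root = ET.fromstring(xml_text)
    if root.findtext("saml:Issuer", namespaces=NS) != EXPECTED_ISSUER:
        raise ValueError("assertion from unexpected issuer")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window (replay or clock skew)")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if EXPECTED_AUDIENCE not in audiences:
        raise ValueError("assertion not issued for this service provider")
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("assertion has no NameID")
    groups = [v.text for v in root.findall(
        "saml:AttributeStatement/saml:Attribute[@Name='%s']/saml:AttributeValue" % GROUP_CLAIM, NS)]
    return name_id, groups


class UserStore:
    """In-memory stand-in for the application's user table."""
    def __init__(self):
        self.users = {}   # name_id -> set of application roles

    def jit_provision(self, name_id, idp_groups):
        """Create the account on first login; on every login overwrite its roles
        with what the IdP asserts, so a group removed in AD is removed here too."""
        roles = {ROLE_MAP[g] for g in idp_groups if g in ROLE_MAP}
        if not roles:
            raise PermissionError("%s authenticated but holds no mapped role" % name_id)
        created = name_id not in self.users
        self.users[name_id] = roles
        return created, roles


def login(store, assertion_xml, now):
    """Full SSO login step: validate, then provision/sync.
    Returns (name_id, (created, roles))."""
    name_id, groups = validate_assertion(assertion_xml, now)
    return name_id, store.jit_provision(name_id, groups)
```

Two design points worth noting: roles are replaced, not merged, on every login, so access revoked in the directory is revoked in the application at the next sign-in; and a user the IdP authenticates but who holds no mapped group is refused rather than created with an empty role set. In production the parsing above belongs behind a SAML library that verifies the signature and ties the assertion to the original request (InResponseTo), with the assertion ID cached to block replays.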

Question: Is Application Server High Availability included in your offering?

This is not included in the standard offering. However, Polonious can set up a cold standby application server which can be started within minutes in case of an outage of the active application server. From experience such outages are extremely rare (we have never had to make use of the standby server for a client), so we do not see the benefit of a hot standby server, which would add cost to the offering without adding much benefit.

Question: Do you actively monitor system availability?

Polonious has system monitoring services in place which alert our DevOps team in case of an outage or when other maintenance (such as a disk space increase) is required.

Question: What DR processes are included in the offering?

Polonious performs regular Disaster Recovery (DR) drills. Generally we pick a random client and perform such a DR drill; clients can, however, opt out of this process. If a client requests dedicated DR drills for their particular data, this can be quoted and added to the service offering at an additional cost.
Our DR drill involves setting up replacement EC2 and RDS instances, recovering the RDS database to an agreed point in time (according to the agreed RPO), and connecting the new EC2 instance to the recovered RDS instance as well as to the S3 document store. We then verify that the instance is accessible and perform standard operations, including checking case and case data availability within the system. A dedicated client contact can be involved in the DR drill if desired and perform their own verifications. This process usually takes up to one day. If additional tests by the client are requested this can result in a longer DR drill; such tests need to be quoted on, otherwise they will be charged at our agreed standard hourly rate.

Question: What Data Backups are there for the document store?

Recently uploaded documents are cached on the local EBS volume of the application server for anti-virus scanning and faster access. All uploaded documents are also immediately copied to a client-specific, encrypted Amazon S3 bucket whose access policies are configured so that only the client's services can access those documents.

Amazon S3 is designed to provide 99.999999999% durability of objects over a given year. This durability level corresponds to an average annual expected loss of 0.000000001% of objects. For example, if you store 10,000,000 objects with Amazon S3, you can on average expect to incur a loss of a single object once every 10,000 years. In addition, Amazon S3 Standard, S3 Standard-IA, and S3 Glacier are all designed to sustain data in the event of an entire S3 Availability Zone loss.

Our default offering utilises the highly redundant S3 service to store your documents. If you would like us to configure copies to be sent to Amazon Glacier, this can be set up at an additional cost.

Question: What is the backup retention for the document store?

As mentioned above, Amazon S3 is designed for 99.999999999% durability. Documents uploaded to Polonious are only ever added; we never delete documents, so that we can roll back to a previous version of a document should this be required. Note that rolling back a document is not a feature accessible through the Polonious user interface but requires Polonious support involvement.

Question: What are the ongoing storage cost increases, and what comes with the base offering?

The standard offering includes 1 TB for S3 documents and 100 GB for the RDS database.

Question: What test environments are included for Data load testing, Ref data and Migrations?

A test environment is included in the offering and can be used for testing all processes including data loading and data migration processes.

Question: What does Polonious provide for SLA Reporting?

Polonious keeps track of outages and can provide outage reports on request.

Question: What Supplier Contingency options are available?

Polonious is an established business and has reliably been offering its SaaS case management solution for more than a decade to many dozens of clients all over the world. However, we understand that every client wants to make sure that they can retrieve / recover their hosted data from their Polonious service, and resume operations, in the highly unlikely case that Polonious unexpectedly stops its offering, goes bankrupt, or a major disaster strikes and all instances and backups get destroyed.

There are various ways of mitigating such scenarios to make sure that all data remains accessible and that the services can be resumed by the client without any involvement of Polonious.

One such solution, which Polonious has implemented in the past, is to copy all backups (including RDS database backups, document backups and EC2 instance snapshots) over to a client-controlled AWS account using AWS Pipeline. Polonious has no permission to access this account other than the permission to add data backups. This optional setup is not included in our standard AWS-based subscription.
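Two of the access patterns on this page are pure bucket-policy questions: the client-specific document bucket that only the client's services may touch (the document store answer above), and the backup bucket in the client's own account to which Polonious may only add data. The following added example, which is not Polonious's configuration, writes both policies with hypothetical ARNs and then checks them with a small evaluator that implements the relevant subset of AWS policy semantics (default deny, explicit Deny wins, wildcard actions and resources, the aws:SecureTransport condition). It evaluates the resource policy only; a real AWS decision also involves identity policies and SCPs.

```python
"""Check S3 bucket policies for the two access patterns described above:
(1) the client document bucket is reachable only by the client's service
role and only over TLS; (2) the backup bucket in the client's own account
lets the vendor add objects but never read, list or delete them.
Added example with hypothetical ARNs, not Polonious's configuration."""
from fnmatch import fnmatchcase

CLIENT_ROLE = "arn:aws:iam::111111111111:role/polonious-app-server"      # hypothetical
VENDOR_ROLE = "arn:aws:iam::222222222222:role/polonious-backup-writer"   # hypothetical
DOC_BUCKET = "arn:aws:s3:::client-acme-documents"                         # hypothetical
BACKUP_BUCKET = "arn:aws:s3:::client-acme-backups"                        # hypothetical

# (1) Client-specific document bucket: one principal, TLS enforced by explicit deny.
DOCUMENT_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": CLIENT_ROLE},
     "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
     "Resource": [DOC_BUCKET, DOC_BUCKET + "/*"]},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": [DOC_BUCKET, DOC_BUCKET + "/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]}

# (2) Backup bucket in the client account: vendor may only add objects. The
# explicit Deny means no policy in the vendor's own account can widen this.
BACKUP_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": VENDOR_ROLE},
     "Action": "s3:PutObject", "Resource": BACKUP_BUCKET + "/*"},
    {"Effect": "Deny", "Principal": {"AWS": VENDOR_ROLE},
     "Action": ["s3:GetObject*", "s3:DeleteObject*", "s3:ListBucket*", "s3:DeleteBucket"],
     "Resource": [BACKUP_BUCKET, BACKUP_BUCKET + "/*"]},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(stmt, principal):
    spec = stmt.get("Principal", "*")
    if spec == "*":
        return True
    if isinstance(spec, dict):
        spec = spec.get("AWS", [])
    return principal in _as_list(spec)


def _condition_matches(stmt, secure_transport):
    # Only the aws:SecureTransport Bool condition is modelled here.
    want = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
    return want is None or (want == "true") == secure_transport


def is_allowed(policy, principal, action, resource, secure_transport=True):
    """Simplified AWS evaluation: default deny, any matching Deny wins,
    otherwise at least one matching Allow is required."""
    allowed = False
    for stmt in policy["Statement"]:
        if not (_principal_matches(stmt, principal)
                and any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
                and any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
                and _condition_matches(stmt, secure_transport)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def vendor_is_write_only(policy, principal, bucket_arn):
    """True if `principal` can add objects to the bucket but cannot read,
    list or destroy anything in it under this policy."""
    obj = bucket_arn + "/probe"
    if not is_allowed(policy, principal, "s3:PutObject", obj):
        return False
    for action in ("s3:GetObject", "s3:GetObjectVersion", "s3:DeleteObject", "s3:DeleteObjectVersion"):
        if is_allowed(policy, principal, action, obj):
            return False
    for action in ("s3:ListBucket", "s3:ListBucketVersions", "s3:DeleteBucket", "s3:PutBucketPolicy"):
        if is_allowed(policy, principal, action, bucket_arn):
            return False
    return True
```

Write-only is not enough on its own: a PutObject to an existing key silently replaces the earlier backup, so the backup bucket should have versioning (or Object Lock) enabled so that an overwrite by the vendor role cannot destroy history. Before relying on any policy, confirm it with the IAM policy simulator rather than with a toy evaluator like the one above.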

Question: Does Polonious have any Data Breach reporting/notifications in place?

Polonious has data breach processes in place as part of our ISO 27001 certification.

Question: Do you perform regular penetration tests?

Polonious engages independent third-party experts to penetration test our Knox-grade security environment on an annual basis. These reports are available on request. Many customers perform their own independent penetration and vulnerability tests, which we encourage and support. Any issues identified are assessed by Polonious for relevance and impact and addressed accordingly.

Question: What are your security patching processes?

Our Amazon EC2 and RDS instances are auto-patched for security vulnerabilities on a weekly basis. We also monitor the CVE database for new vulnerabilities, including those affecting the packages used in our software itself. CVE provides insight into emerging threats; our team analyses and reacts to these with automated alerts and internal analysis embedded into our development practices. We automatically create cases to review all suspected vulnerabilities and to address any weaknesses as part of that case.

Question: Do you follow security best-practice in your SDLC?

Our team is trained on the Open Web Application Security Project (OWASP) best practices and implements the recommended approaches to coding and testing. Regular training sessions are provided to our team to ensure we are using the best possible coding and security practices.

Question: Does Polonious have SOC 2 certification?

Since SOC 2 is primarily a US standard, Polonious decided to certify against the internationally recognised ISO standards instead. Polonious is certified to ISO 27001:2013 and ISO 9001:2015. Those two standards cover most, if not all, aspects of SOC 2.

Question: Where is my data stored?

We store your data in data centers that correspond with the jurisdiction of our client.

E.g. if you are an Australian client we will store your data in the AWS region:
Asia Pacific (Sydney) Region

If you are a US client you can choose from one of the below AWS regions:
US East (Northern Virginia) Region
US East (Ohio) Region
US West (Oregon) Region
US West (Northern California) Region

We can also deploy your services in any other AWS region that supports our Knox-grade environment.

Question: What data does SIEM process and do they store my data?

Polonious operates several SIEM sensors and always uses a sensor hosted in the same jurisdiction as your hosted services. No client-specific data is sent to our SIEM provider, only system events and network events. For further details read on below.

We use AlienVault SIEM agents and integrations for all supported AWS services, including EC2, RDS, S3, IAM and VPN; these send the relevant system events to the sensor for collection. Below is a subset of the events that are analysed:

  • Cloudflare access logs
  • VPN access logs
  • Amazon VPC Flow Logs - the network traffic: which IP accessed which resources, including timestamps
  • CloudTrail logs - the audit log for all actions taken through the Amazon API, whether via the web console, the CLI or an SDK; this includes IAM changes, security group changes etc.
  • S3 access logs - who is accessing the file data, and what actions are being taken
  • RDS access logs - who is accessing the database and when
  • EC2 logs:
    • Linux auth logs - sudo, login etc.
    • osquery logs - changes to users, files, listening ports, cron jobs, kernel modules, processes and open network connections
    • Linux audit logs - Linux auditd logs, e.g. file changes, user changes, sudo, hostname changes, time changes
    • ClamAV logs - anti-virus scanning logs

The sensor forwards all these logged events to our SIEM provider, which processes them and correlates them against rules based on their threat database. Polonious staff are notified of, and react to, any detected threats.

The raw log events are kept for 12 months.
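To make the "correlates against rules" step concrete, here is an added example of the kind of detection logic a SIEM applies to two of the sources listed above, CloudTrail records and the Linux auth log, run over constructed sample events. The rules, thresholds, sudo allowlist and sample data are illustrative assumptions for this example; they are not Polonious's or AlienVault's actual rule set, and the CloudTrail dictionaries only follow CloudTrail's record layout for the fields used.

```python
"""Illustrative SIEM correlation rules over CloudTrail and Linux auth events.
Added example with constructed sample data; not a vendor rule set."""
import re
from collections import defaultdict

# OpenSSH and sudo syslog line formats.
SSH_FAIL = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
SSH_OK = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")
SUDO = re.compile(r"sudo:\s+(\S+) : .*COMMAND=(.*)$")

BRUTE_FORCE_THRESHOLD = 5         # failures from one source IP before alerting
ALLOWED_SUDO_USERS = {"deploy"}   # hypothetical allowlist for the app server
ADMIN_PORTS = {22, 3389}
SENSITIVE_IAM_EVENTS = {"AttachUserPolicy", "PutUserPolicy", "AttachRolePolicy",
                        "CreateAccessKey", "CreateUser", "UpdateAssumeRolePolicy"}


def detect_auth_log(lines):
    """Correlate sshd/sudo lines: brute force, a login succeeding from an IP
    that was brute-forcing, direct root login, sudo by an unexpected account.
    Returns a list of (severity, rule_id, detail) tuples in detection order."""
    failures = defaultdict(int)
    alerts = []
    for line in lines:
        m = SSH_FAIL.search(line)
        if m:
            ip = m.group(2)
            failures[ip] += 1
            if failures[ip] == BRUTE_FORCE_THRESHOLD:
                alerts.append(("MEDIUM", "ssh_brute_force", ip))
            continue
        m = SSH_OK.search(line)
        if m:
            method, user, ip = m.groups()
            if failures[ip] >= BRUTE_FORCE_THRESHOLD:
                alerts.append(("HIGH", "ssh_success_after_brute_force", "%s from %s" % (user, ip)))
            elif user == "root":
                alerts.append(("HIGH", "ssh_root_login", ip))
            continue
        m = SUDO.search(line)
        if m and m.group(1) not in ALLOWED_SUDO_USERS:
            alerts.append(("MEDIUM", "sudo_unexpected_user", "%s ran %s" % m.groups()))
    return alerts


def _opens_admin_port(perm):
    if perm.get("ipProtocol") == "-1":      # "all traffic"
        return True
    lo, hi = perm.get("fromPort", -1), perm.get("toPort", -1)
    return any(lo <= p <= hi for p in ADMIN_PORTS)


def detect_cloudtrail(events):
    """Flag root console logins, IAM privilege changes and security group
    rules that expose SSH/RDP to 0.0.0.0/0."""
    alerts = []
    for e in events:
        name = e.get("eventName")
        who = e.get("userIdentity", {})
        actor = who.get("userName") or who.get("type")
        if name == "ConsoleLogin" and who.get("type") == "Root":
            mfa = e.get("additionalEventData", {}).get("MFAUsed", "unknown")
            alerts.append(("HIGH", "root_console_login", "MFAUsed=%s" % mfa))
        elif name in SENSITIVE_IAM_EVENTS:
            alerts.append(("MEDIUM", "iam_privilege_change", "%s by %s" % (name, actor)))
        elif name == "AuthorizeSecurityGroupIngress":
            params = e.get("requestParameters", {})
            for perm in params.get("ipPermissions", {}).get("items", []):
                cidrs = [r.get("cidrIp") for r in perm.get("ipRanges", {}).get("items", [])]
                if "0.0.0.0/0" in cidrs and _opens_admin_port(perm):
                    alerts.append(("HIGH", "admin_port_open_to_world",
                                   "%s by %s" % (params.get("groupId"), actor)))
    return alerts


# Constructed sample data (not real logs). Five failures, then a root login
# from the same IP; one legitimate and one unexpected sudo.
SAMPLE_AUTH_LOG = [
    "Mar 12 10:01:0%d app1 sshd[22%02d]: Failed password for invalid user admin "
    "from 203.0.113.9 port 510%02d ssh2" % (i, i, i) for i in range(5)
] + [
    "Mar 12 10:01:20 app1 sshd[2209]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2",
    "Mar 12 10:02:00 app1 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/systemctl restart polonious",
    "Mar 12 10:02:30 app1 sudo: www-data : TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=/bin/bash",
    "Mar 12 10:03:00 app1 sshd[2230]: Accepted password for root from 203.0.113.9 port 51100 ssh2",
]
SAMPLE_CLOUDTRAIL = [
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "Root"},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "DescribeInstances", "userIdentity": {"type": "IAMUser", "userName": "ops-bob"}},
    {"eventName": "AttachUserPolicy", "userIdentity": {"type": "IAMUser", "userName": "ops-bob"},
     "requestParameters": {"userName": "svc-import", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventName": "AuthorizeSecurityGroupIngress", "userIdentity": {"type": "IAMUser", "userName": "ops-bob"},
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventName": "AuthorizeSecurityGroupIngress", "userIdentity": {"type": "IAMUser", "userName": "ops-bob"},
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
]

if __name__ == "__main__":
    for alert in detect_auth_log(SAMPLE_AUTH_LOG) + detect_cloudtrail(SAMPLE_CLOUDTRAIL):
        print(*alert)
```

The point of the auth-log rule is the correlation, not the individual lines: five failed passwords are only a medium-severity nuisance, but a subsequent successful login from the same source is the event that warrants paging someone. In the same way a security group change is routine until the CIDR is 0.0.0.0/0 and the port range covers SSH or RDP, which is why the rule checks both conditions together rather than alerting on every AuthorizeSecurityGroupIngress.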

Question: I don't see my question answered here. What now?

Just get in touch via our bot or our contact form and we are happy to assist.
