Knox-grade Security 

Polonious Knox-security

Data-Loss Prevention (DLP)

The security of your data is of utmost importance to us. We have a comprehensive set of organisational and technical controls to make sure your data is stored and handled securely according to industry best practices.

Organisational controls

  • Polonious is ISO 27001 and ISO 9001 certified and has established a mature IMS (Information Management System) which includes policies and procedures on who can access client data, how to access client data and acceptable use / handling of client sensitive data.
  • Polonious IMS systems managers run regular IMS awareness training and internal audits to make sure employees follow those procedures and policies.
  • All Polonious staff are vetted (including police checks) as part of the onboarding process.
  • Access to servers / services containing client data is restricted to a minimal number of staff (usually only 3 Polonious technical staff to reduce exposure but allow for 100% support coverage in case of sickness and vacation).

Technical controls

  • All client data is classified and tagged using AWS Resource Tags.
  • All client data is encrypted in transit and at rest using best-practice encryption methods and standards. This includes encryption of EC2/EBS (application server / disk), RDS (database), and S3 (uploaded documents).
  • Encryption keys are securely managed via AWS KMS.
  • Every Knox-grade Polonious client environment is hosted in its own VPC on AWS with strict security groups configured.
  • Access to a Knox-grade Polonious client environment is secured via a dedicated VPN.
  • Access to the AWS console is restricted via security groups and managed through IAM. MFA login is required to gain access to the AWS console.
  • All AWS console actions are logged in CloudTrail / CloudWatch and forwarded to an external SIEM provider for analysis and automated alerting.
  • All actions at the operating system level are captured via a SIEM agent and forwarded to an external SIEM provider for analysis and automated alerting.
  • SIEM alerts are sent to multiple Polonious staff, including the ISO system manager, who is not involved in the technical support processes.

Our Knox-grade offering adds several additional security components and features to our standard setup on AWS as outlined in the previous section. The following diagram outlines the high-level architecture of those components, with separate sections describing each component in more detail. The VPC set-up, as well as the application server, RDS server, and S3, are set up similarly to our standard deployment outlined in the previous section.

Web Application Firewall (WAF)

Our web application firewall (WAF) capability is configured via Cloudflare. Cloudflare’s enterprise-class WAF protects your services from common vulnerabilities like SQL injection, cross-site scripting, and cross-site request forgery with no changes to your existing infrastructure.

Network Intrusion Detection System (NIDS)

Internal NIDS plays an important role in any cyber security program. By detecting malicious network events, it provides vital information for correlation directives and cross-correlation rules. Combining this information with the events collected from other devices, the SIEM presents a complete picture of the malicious activity.

Host Intrusion Detection System (HIDS) & Monitoring

A host-based intrusion detection system (HIDS) gives you deep visibility of what is happening on your critical systems. With it, you can detect and respond to malicious or anomalous activities that are discovered in your environment. The SIEM agent provides the following:

  • Detect Changes & Threats to Systems
  • Implement File Integrity Monitoring (FIM) for key system changes
  • Deploy and manage the agent through the central management platform
  • Analyze all system network traffic and activity against IDS signatures and dozens of other security indicators
  • The agent logs all critical system activities such as software installation/uninstall, configuration changes, log clearing, privilege changes, authentications, scheduled jobs and network activity. Those logs are stored for 1 year.

Next Generation SIEM Analysis

The SIEM solution compares up to 3,250 metadata points across nearly 40 supervised machine learning anomaly detections, 14 commercial threat intelligence feeds, 0-Day file sandboxing, IDS analysis, Asset Risk analytic scoring and many other correlations to determine malicious activity.

SIEM - Security Incident & Events Monitoring

We embed specialised SIEM components into our offering which provides the ability to start detecting from day one. Our professionally managed SIEM provider solution is shipped with an extensive and continuously growing library of correlation rules researched and written by a specialised SOC team. This team of seasoned security experts tracks emerging threats in the wild and continuously updates the platform with the latest security intelligence, so you have an always-up-to-date security monitoring platform. The threat intelligence database is updated several times per day and the platform is continuously upgraded to remain vigilant against modern threats, typically once every 6 weeks.

VPN-based Access

All backend access to Knox-grade servers is secured via VPN. SSH users are managed via our central configuration management tool, Puppet. SSH is configured to deny root user access, so only public/private key access for dedicated support staff is possible.
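The SSH settings described above (root login denied, key-based authentication only) are easy to state and easy to get wrong in practice, because sshd keeps the first value it reads for a keyword and ignores later ones. The checker below is an added example, not Polonious's Puppet code: it parses an sshd_config the way sshd does (first value wins, `Match` blocks skipped) and reports which of the required settings are not in effect. Both sample configs are constructed, and the defaults table follows sshd_config(5) for recent OpenSSH releases.

```python
"""Audit an sshd_config for the controls described above: root login
denied and key-based authentication only.

Added example, not Polonious's Puppet code. The two configs below are
constructed; the defaults table follows sshd_config(5) for recent
OpenSSH releases.
"""
from __future__ import annotations

import re

# Values the text requires, and what sshd assumes when a keyword is absent.
REQUIRED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
}
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}

# "Keyword value" or "Keyword=value"; the value may be empty.
_LINE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text: str) -> dict[str, str]:
    """Return the effective global value of each keyword (lower-cased).

    sshd uses the *first* value it reads for a keyword, so a hardening
    line appended at the end of the file is silently ignored if an
    earlier line already set it. Keywords inside a ``Match`` block only
    apply conditionally and are skipped here.
    """
    effective: dict[str, str] = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        key, value = (m.group(1), m.group(2)) if m else (line, "")
        key = key.lower()
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        effective.setdefault(key, value.strip().lower())
    return effective


def audit(effective: dict[str, str]) -> list[str]:
    """One finding per required keyword whose effective value is wrong."""
    findings = []
    for key, wanted in REQUIRED.items():
        got = effective.get(key, DEFAULTS[key])
        if got != wanted:
            origin = "set" if key in effective else "sshd default"
            findings.append(f"{key}: '{got}' ({origin}), expected '{wanted}'")
    return findings


# Constructed: an admin appended "PermitRootLogin no" below an earlier
# "PermitRootLogin yes", which sshd keeps; password logins stay enabled.
SAMPLE_WEAK = """\
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
PermitRootLogin no
Match User deploy
    PasswordAuthentication no
"""

# Constructed: the layout the text describes, key-only and no root.
SAMPLE_HARDENED = """\
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, audit(parse_sshd_config(cfg)) or ["ok"])
```

Run it against `/etc/ssh/sshd_config` on a server (or against the file Puppet renders) as a post-deployment check; the "first value wins" rule is the usual reason a host that "has PermitRootLogin no in the config" still accepts root logins.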

Encryption at rest and in transit

All stored data is encrypted at rest, including EBS volumes attached to EC2 virtual machine instances, the RDS database, and the S3 document store. All network traffic travels over encrypted SSL communication channels.

Backups & Point-in-time-recovery

We configure RDS to create daily snapshots of the database and keep backups of the transaction logs for 35 days (created in 5 minute intervals). This transaction log can be used to roll back data to any day and time within the last 35 days and allows an RPO of only 5 minutes.

Additionally, nightly snapshots of the database are created and stored for a minimum of 10 days.

Data Replication

Additionally, we can configure the RDS instance to run in Multi-AZ replication & fail-over mode. This means that a separate database instance is running in a different availability zone within the same region with an exact copy of the primary database. Amazon guarantees automatic and instant fail-over to the secondary instance in case of an outage of the primary database instance.

FAQ

Question: What hosting options are available?

Our Knox-grade offering is only available with AWS-based hosting, as we utilise several AWS services and other cloud services. For our standard offering we can also host on our own servers, which are deployed in Equinix and GlobalSwitch data centers. We can also support your IT team to self-host your Polonious environment.

Question: What Operating System options are available?

By default we run CentOS on all our instances. However, we can also configure our service to run on RHEL or other selected operating systems if required.

Question: What EC2 instance types do you use?

The EC2 and RDS instances are sized according to your needs based on number of system users. 

Question: What data import options are available within Polonious?

Polonious offers various interfaces to create or import cases and other data in the Polonious system via backend functionality, including REST service calls to query and create or update various entity types. We can work with your IT department to work out the best method for your particular integration scenario. For example, Polonious offers SFTP-based uploading of data, which is then parsed and imported into the system on a regular basis via customisable CRON jobs.

Question: Do you have a Data Migration tool to import data from legacy systems?

We will require a CSV file export from your legacy system. The above-mentioned data import tool can then be manually configured and triggered to import historic case data into Polonious.

Question: What SSO Integration do you support?

Polonious comes with built-in SAML 2 support. As such Polonious supports integration with SAML 2 compliant Active Directory products. We have successfully integrated with Microsoft AD and ADFS services. Our SSO component supports user authentication as well as Just-In-Time (JIT) user provisioning and user access management i.e. synchronisation of user security roles from the SAML 2 endpoint.

Question: Is Application Server High Availability included in your offering?

This is not included in the standard offering. However, Polonious can set up a cold stand-by application server which can be started within minutes in case of an outage of the active application server. From experience these scenarios are extremely rare (in fact we never had to make use of the stand-by server for a client) and as such we do not see the benefit of having a hot-standby server which only adds cost to the offering without adding much benefit.

Question: Do you actively monitor system availability?

Polonious has system monitoring services in place which alert our DevOps team in case of an outage or if other maintenance (such as disk space increase) is required.

Question: What DR processes are included in the offering?

Polonious performs regular Disaster Recovery (DR) drills. Generally we pick a random client and perform such a DR drill, however clients can opt out of this process. If a client requests dedicated DR drills for their particular data this can be quoted and added to the service offering at an additional cost.
Our DR drill involves setting up replacement EC2 and RDS instances, recovering the RDS DB to an agreed point in time (according to RPO), and connecting the new EC2 instance to the recovered RDS instance as well as to the S3 document store. We then verify that the instance is accessible and perform standard operations including checking case and case data availability within the system. A dedicated client contact can be involved in the DR drill if this is desired and perform their own verifications. This process usually takes up to one day. If additional tests by the client are requested this can result in a longer DR drill, and needs to be quoted on, otherwise this will be charged at our agreed standard hourly rate.

Question: What Data Backups are there for the document store?

Recently uploaded documents are cached on the local EBS volume of the application server for anti-virus scanning and faster access. Any uploaded documents are also immediately copied to a client specific and encrypted Amazon S3 bucket with access policies configured in a way that only the client services can access those documents.

Amazon S3 is designed to provide 99.999999999% durability of objects over a given year. This durability level corresponds to an average annual expected loss of 0.000000001% of objects. For example, if you store 10,000,000 objects with Amazon S3, you can on average expect to incur a loss of a single object once every 10,000 years. In addition, Amazon S3 Standard, S3 Standard-IA, and S3 Glacier are all designed to sustain data in the event of an entire S3 Availability Zone loss.

Our default offering utilises the highly redundant S3 service to store your documents. If you would like us to configure copies to be sent to Amazon Glacier, this can be set up at an additional cost.
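The document store answer above relies on the S3 bucket's access policy being configured so that only the client's own services can reach the documents, on top of the encryption in transit and at rest described earlier. The linter below is an added example, not Polonious's own tooling: it checks a bucket policy for the three properties a reviewer would want to confirm (no unconditional grant to any principal, plain-HTTP requests denied, uploads without SSE-KMS denied) and is run over a constructed weak policy and a constructed hardened one. The account id, role name and bucket name in the samples are placeholders.

```python
"""Lint an S3 bucket policy for the controls described above: access
limited to the client's own service principal, TLS-only transport and
SSE-KMS on upload.

Added example, not Polonious's own tooling. The two policies below are
constructed; the account id, role name and bucket name are placeholders.
"""
from __future__ import annotations

import json
from typing import Any


def _as_list(value: Any) -> list:
    return value if isinstance(value, list) else [value]


def _principals(stmt: dict) -> list[str]:
    """Flatten the Principal element ("*", {"AWS": [...]}, ...) to a list."""
    principal = stmt.get("Principal", [])
    if isinstance(principal, dict):
        return [p for v in principal.values() for p in _as_list(v)]
    return _as_list(principal)


def _has_deny(statements: list[dict], actions: set[str], op: str, key: str, value: str) -> bool:
    """True if some Deny statement covers one of `actions` with condition op/key/value."""
    for stmt in statements:
        if stmt.get("Effect") != "Deny":
            continue
        if not actions & set(_as_list(stmt.get("Action", []))):
            continue
        cond = stmt.get("Condition", {}).get(op, {})
        if str(cond.get(key, "")).lower() == value.lower():
            return True
    return False


def lint_bucket_policy(policy: dict) -> list[str]:
    """Return findings for a bucket policy; an empty list means all checks pass."""
    statements = _as_list(policy.get("Statement", []))
    findings = []
    for stmt in statements:
        # An unconditional Allow to "*" hands the documents to anyone.
        if stmt.get("Effect") == "Allow" and "*" in _principals(stmt) and "Condition" not in stmt:
            findings.append(f"{stmt.get('Sid', '<no Sid>')}: unconditional Allow to any principal")
    if not _has_deny(statements, {"s3:*"}, "Bool", "aws:SecureTransport", "false"):
        findings.append("no Deny for plain-HTTP requests (aws:SecureTransport = false)")
    if not _has_deny(statements, {"s3:PutObject", "s3:*"}, "StringNotEquals",
                     "s3:x-amz-server-side-encryption", "aws:kms"):
        findings.append("no Deny for uploads without SSE-KMS")
    return findings


def lint_policy_json(text: str) -> list[str]:
    """Parse a policy document as stored by S3 and lint it."""
    return lint_bucket_policy(json.loads(text))


# Constructed: public read, and no transport or encryption guard at all.
WEAK_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::client-docs-placeholder/*"}
  ]
}"""

# Constructed: only the application's role may read/write, TLS is mandatory,
# and every upload must request SSE-KMS.
HARDENED_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AppRoleOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/polonious-app-placeholder"},
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::client-docs-placeholder/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*",
     "Resource": ["arn:aws:s3:::client-docs-placeholder",
                  "arn:aws:s3:::client-docs-placeholder/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::client-docs-placeholder/*",
     "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}}
  ]
}"""

if __name__ == "__main__":
    print("weak:", lint_policy_json(WEAK_POLICY))
    print("hardened:", lint_policy_json(HARDENED_POLICY) or ["ok"])
```

This checks the bucket policy document only; the IAM policy attached to the application role, account-level S3 Block Public Access and the KMS key policy are separate controls and need their own review. Note also that a `StringNotEquals` Deny on `s3:x-amz-server-side-encryption` fires when the header is absent, so a client that relies on the bucket's default encryption instead of sending the header will have its uploads rejected.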

Question: What is the backup retention for the document store?

As mentioned above, Amazon S3 provides a 99.999999999% durability guarantee. Any document uploaded to Polonious is added, and we never delete any documents, so that we can roll back to a previous version of a document should this be required. Note that rolling back a document is not a feature accessible through the User Interface of Polonious but requires Polonious support involvement.

Question: What are the ongoing storage cost increases, what comes with the base offering?

The standard offering includes 1 TB for S3 documents and 100 GB for the RDS database.

Question: What test environments are included for Data load testing, Ref data and Migrations?

A test environment is included in the offering and can be used for testing all processes including data loading and data migration processes.

Question: What does Polonious provide for SLA Reporting?

Polonious keeps track of and can provide outage reports on request.

Question: What Supplier Contingency options are available?

Polonious is an established business and has reliably been offering its SaaS Case Management Solution for more than a decade to many dozens of clients all over the world. However, we understand that every client wants to make sure that they can retrieve / recover their hosted data from their Polonious service in the highly unlikely case that Polonious unexpectedly stops its offering, goes bankrupt, or a major disaster strikes and all instances and backups get destroyed.

There are various ways of mitigating such scenarios and making sure that all data is still accessible and that the services can be resumed by the client without any involvement of Polonious.

One such solution which Polonious has implemented in the past is to copy all backups (including RDS database backups, document backups, and EC2 instance snapshots) over to a client-controlled AWS account using AWS Pipeline. Polonious does not have permission to access this account other than the permission to add data backups. This optional set-up is not included in our standard AWS-based subscription.

Question: Does Polonious have any Data Breach reporting/notifications in place?

Polonious has Data Breach processes in place as part of our ISO27001 accreditation.

Question: Do you perform regular penetration tests?

Polonious engages independent third-party experts to penetration test our Knox-grade security environment on an annual basis. These reports are available on request. Many customers perform their own independent penetration and vulnerability tests, which we encourage and support. Any issues identified will be assessed by Polonious for relevance and impact and will be addressed accordingly.

Question: What are your security patching processes?

Our Amazon EC2 and RDS instances are auto-patched for security vulnerabilities on a weekly basis. We also monitor CVE for new vulnerabilities, including those affecting packages used in our software itself. CVE provides insight into emerging threats, and our team analyses and reacts to these with automated alerts and internal analysis embedded into our development practices. We automatically create cases to review all suspected vulnerabilities and to address any weaknesses as part of that case.

Question: Do you follow security best-practice in your SDLC?

Our team is trained on the Open Web Application Security Project (OWASP) best practices and implements their recommended approaches to coding and testing. Regular training sessions are provided to our team to ensure we are using the best possible coding and security practices.

Question: Does Polonious have SOC 2 certification?

Since SOC 2 is primarily a US standard Polonious decided to certify with the internationally recognised ISO standard. Polonious is certified with ISO 27001:2013 and ISO 9001:2015. Those two standards cover most if not all aspects of SOC 2.

Question: Where is my data stored?

We store your data in data centers that correspond with the jurisdiction of our client.

For example, if you are an Australian client we will store your data in the AWS region:
Asia Pacific (Sydney) Region

If you are a US client you can choose from one of the regions below:
US East (Northern Virginia) Region
US East (Ohio) Region
US West (Oregon) Region
US West (Northern California) Region

We can deploy your services in any of the AWS regions listed here:
https://aws.amazon.com/about-aws/global-infrastructure/

Question: What data does SIEM process and do they store my data?

Polonious has several SIEM sensors and we always use a sensor which is hosted in the same jurisdiction as your hosted services. No client-specific data is sent to our SIEM provider, only system events and network events. For further details read on below.

We use SIEM agents in all supported AWS services including EC2, RDS, S3, IAM and VPN. Those AlienVault agents send relevant system events to the sensor for collection. Below is a subset of the events that are analysed:

  • CloudFlare access logs
  • VPN access logs
  • Amazon VPC Flow Logs – the network traffic; records which IP accessed which resources, including timestamp
  • CloudTrail logs – audit log for all actions taken with the Amazon API, either through the web UI, the CLI, or an SDK; this includes IAM changes, security group changes etc.
  • S3 access logs – who is accessing the file data, and what actions are being taken
  • RDS access logs – who is accessing the database and when
  • EC2 logs:
    • Linux Auth Logs – sudo, login etc.
    • OSQuery Logs – changes for users, files, listening ports, cron jobs, kernel modules, processes, open network connections
    • Linux Audit Logs – Linux auditd logs, e.g. file changes, user changes, sudo, hostname change, time changes
    • clamav Logs – anti-virus scanning logs

The sensor forwards all those logged events to our SIEM provider, which processes them and correlates them against rules based on their threat database. Polonious staff get notified and react to any detected threats.

The raw log events are kept for 12 months.

The link below lists all Knox-compatible regions: https://docs.aws.amazon.com/general/latest/gr/rande.html
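The technical controls section states that console access requires MFA and security groups are kept strict, and the list above names CloudTrail and the Linux auth log as two of the sources the SIEM correlates. The pass below is an added example of the kind of rule those sources support, not the SIEM provider's or Polonious's own correlation rules: it walks constructed CloudTrail records (field names follow the CloudTrail record format) and constructed OpenSSH/sudo syslog lines, and raises an alert for a console login without MFA, an IAM change, a security group opened to 0.0.0.0/0, a password-based SSH login, a root login and sudo use by an account outside the support allow-list. The account id, user names and addresses are placeholders.

```python
"""Toy detection pass over two of the log sources listed above.

Added example, not Polonious's or the SIEM provider's rules. The events
and log lines are constructed; CloudTrail field names follow the real
record format (eventName, userIdentity, additionalEventData,
requestParameters), the syslog lines follow the OpenSSH and sudo formats.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

IAM_CHANGE_EVENTS = {
    "CreateUser", "DeleteUser", "AttachUserPolicy", "AttachRolePolicy",
    "PutUserPolicy", "CreateAccessKey", "UpdateAssumeRolePolicy",
}
SG_CHANGE_EVENTS = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress"}


@dataclass(frozen=True)
class Alert:
    source: str
    severity: str
    message: str


def cloudtrail_alerts(records: list[dict]) -> list[Alert]:
    """Flag console logins without MFA, IAM changes and world-open security groups."""
    alerts = []
    for r in records:
        name = r.get("eventName", "")
        who = r.get("userIdentity", {}).get("arn", "<unknown>")
        if name == "ConsoleLogin":
            if r.get("additionalEventData", {}).get("MFAUsed", "No") != "Yes":
                alerts.append(Alert("cloudtrail", "high", f"console login without MFA by {who}"))
        elif name in IAM_CHANGE_EVENTS:
            alerts.append(Alert("cloudtrail", "medium", f"IAM change {name} by {who}"))
        elif name in SG_CHANGE_EVENTS:
            # EC2 API events wrap lists in {"items": [...]}.
            for perm in r.get("requestParameters", {}).get("ipPermissions", {}).get("items", []):
                for rng in perm.get("ipRanges", {}).get("items", []):
                    if rng.get("cidrIp") == "0.0.0.0/0":
                        alerts.append(Alert("cloudtrail", "high",
                                            f"{name} opened port {perm.get('fromPort')} to 0.0.0.0/0 by {who}"))
    return alerts


_SSH_ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+)")
_SUDO = re.compile(r"sudo:\s+(?P<user>\S+) : .*COMMAND=(?P<cmd>.+)$")


def auth_log_alerts(lines: list[str], allowed_users: set[str]) -> list[Alert]:
    """Flag password logins, root logins and sudo use by accounts outside the allow-list."""
    alerts = []
    for line in lines:
        m = _SSH_ACCEPTED.search(line)
        if m:
            if m["method"] != "publickey":
                alerts.append(Alert("auth.log", "high", f"{m['method']} login for {m['user']} from {m['ip']}"))
            if m["user"] == "root":
                alerts.append(Alert("auth.log", "high", f"root login from {m['ip']}"))
            elif m["user"] not in allowed_users:
                alerts.append(Alert("auth.log", "medium", f"login by unexpected user {m['user']} from {m['ip']}"))
            continue
        m = _SUDO.search(line)
        if m and m["user"] not in allowed_users:
            alerts.append(Alert("auth.log", "medium", f"sudo by unexpected user {m['user']}: {m['cmd']}"))
    return alerts


# Constructed sample events: one clean login, one login without MFA,
# SSH opened to the world, and a policy attached to a user.
SAMPLE_CLOUDTRAIL = [
    {"eventName": "ConsoleLogin", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops1"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventName": "ConsoleLogin", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops2"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops2"},
     "requestParameters": {"groupId": "sg-placeholder", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventName": "AttachUserPolicy", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops2"}},
]

# Constructed sample syslog lines from an application server.
SAMPLE_AUTH_LOG = [
    "Mar  3 10:01:02 app1 sshd[2231]: Accepted publickey for support1 from 10.8.0.5 port 51234 ssh2: ED25519 SHA256:abc",
    "Mar  3 10:02:10 app1 sshd[2240]: Accepted password for deploy from 10.8.0.9 port 51300 ssh2",
    "Mar  3 10:03:44 app1 sudo:  support1 : TTY=pts/0 ; PWD=/home/support1 ; USER=root ; COMMAND=/usr/bin/systemctl restart tomcat",
    "Mar  3 10:04:01 app1 sudo:   deploy : TTY=pts/1 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/bash",
]

if __name__ == "__main__":
    for a in cloudtrail_alerts(SAMPLE_CLOUDTRAIL) + auth_log_alerts(SAMPLE_AUTH_LOG, {"support1"}):
        print(f"[{a.severity}] {a.source}: {a.message}")
```

Two of these rules are direct checks of stated controls: a console login whose `MFAUsed` is not `Yes` contradicts the MFA requirement, and an `Accepted password` line contradicts key-only SSH, so either should page someone rather than sit in a dashboard. The allow-list of support accounts is the piece that makes the sudo and login rules useful; it should be fed from the same source of truth (Puppet, in the set-up described above) rather than maintained by hand.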
