Knox-grade Security

Data-Loss Prevention (DLP)
The security of your data is of utmost importance to us. We have a comprehensive set of organisational and technical controls to make sure your data is stored and handled securely according to industry best practices.
Organisational controls
- Polonious is ISO 27001 and ISO 9001 certified and has established a mature IMS (Information Management System) which includes policies and procedures on who can access client data, how to access client data and acceptable use / handling of client sensitive data.
- Polonious IMS systems managers run regular IMS awareness training and internal audits to make sure employees follow those procedures and policies.
- All Polonious staff are vetted (including police checks) as part of the onboarding process.
- Access to servers / services containing client data is restricted to a minimal number of staff (usually only 3 Polonious technical staff to reduce exposure but allow for 100% support coverage in case of sickness and vacation).
Technical controls
- All client data is classified and tagged using AWS Resource Tags
- All client data is encrypted in transit and at rest using best-practice encryption methods and standards. This includes encryption of EC2/EBS (application server / disk), RDS (database), and S3 (uploaded documents).
- Encryption keys are securely managed via AWS KMS
- Every Knox-grade Polonious client environment is hosted in its own VPC on AWS with strict security groups configured
- Access to a Knox-grade Polonious client environment is secured via a dedicated VPN
- Access to the AWS console is restricted via security groups and managed via IAM. MFA login is required to gain access to the AWS console.
- All AWS console actions are logged in CloudTrail / CloudWatch and forwarded to an external SIEM provider for analysis and automated alerting
- All actions on the operating system level are captured via SIEM agent and forwarded to an external SIEM provider for analysis and automated alerting
- SIEM alerts are sent to multiple Polonious staff including ISO system manager who is not involved in the technical support processes
Our Knox-grade offering adds several security components and features to our standard setup on AWS as outlined in the previous section. The following diagram outlines the high-level architecture of those components with separate sections describing each component in more detail. The VPC set-up, as well as the application server, RDS server, and S3, are set up similarly to our standard deployment outlined in the previous section.
Web Application Firewall (WAF)
Our web application firewall (WAF) capability is configured via Cloudflare. Cloudflare’s enterprise-class WAF protects your services from common vulnerabilities like SQL injection attacks, cross-site scripting, and cross-site request forgery with no changes to your existing infrastructure.
Network Intrusion Detection System (NIDS)
Internal NIDS plays an important role in any cyber security program. By detecting malicious network events, it provides vital information for correlation directives and cross-correlation rules. Combining this information with the events collected from other devices, the SIEM presents a complete picture of the malicious activity.
Host Intrusion Detection System (HIDS) & Monitoring
A host-based intrusion detection system (HIDS) gives you deep visibility of what is happening on your critical systems. With it, you can detect and respond to malicious or anomalous activities that are discovered in your environment. The SIEM agent provides the following:
- Detect Changes & Threats to Systems
- Implement File Integrity Monitoring (FIM) for key system changes
- Deploy and manage the agent through the central management platform
- Analyze all system network traffic and activity against IDS signatures and dozens of other security indicators
- The agent logs all critical system activities such as software installation/uninstall, configuration changes, log clearing, privilege changes, authentications, scheduled jobs and network activity. Those logs are stored for 1 year.
Next Generation SIEM Analysis
The SIEM solution compares up to 3,250 metadata points across nearly 40 supervised machine learning anomaly detections, 14 commercial threat intelligence feeds, 0-Day file sandboxing, IDS analysis, Asset Risk analytic scoring and many other correlations to determine malicious activity.
SIEM - Security Incident & Events Monitoring
We embed specialised SIEM components into our offering which provides the ability to start detecting from day one. Our professionally managed SIEM provider solution is shipped with an extensive and continuously growing library of correlation rules researched and written by a specialised SOC team. This team of seasoned security experts tracks emerging threats in the wild and continuously updates the platform with the latest security intelligence, so you have an always-up-to-date security monitoring platform. The threat intelligence database is updated several times per day and the platform is continuously upgraded to remain vigilant against modern threats, typically once every 6 weeks.
VPN-based Access
All backend access to Knox Grade servers is secured via VPN. SSH users are managed via our central configuration management tool Puppet. SSH is configured to deny root user access so only public/private key access for dedicated support staff is possible.
Encryption at rest and in transit
All stored data is encrypted at rest, including EBS volumes attached to EC2 virtual machine instances, the RDS database, and the S3 document store. All network traffic is sent over encrypted SSL communication channels.
Backups & Point-in-time-recovery
We configure RDS to create daily snapshots of the database and keep backups of the transaction logs for 35 days (created in 5-minute intervals). This transaction log can be used to roll back data to any day and time within the last 35 days and allows an RPO of only 5 minutes.
Additionally, nightly snapshots of the database are created and stored for a minimum of 10 days.
Data Replication
Additionally we can configure the RDS instance to run in Multi-AZ replication & fail-over mode. This means that a separate database instance is running in a different availability zone within the same region with an exact copy of the primary database. Amazon guarantees automatic and instant fail-over to the secondary instance in case of an outage of the primary database instance.
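As an added example (not Polonious's own tooling), the at-rest encryption, 35-day backup retention and optional Multi-AZ settings described in the sections above can be checked against exported AWS resource descriptions. The snapshot is constructed; its field names follow the AWS CLI output named in the first comment, while the `audit` function and all resource identifiers are hypothetical.

```python
# Constructed snapshot shaped like the AWS CLI output of `rds describe-db-instances`,
# `ec2 describe-volumes` and `s3api get-bucket-encryption`; all identifiers are made up.
SAMPLE = {
    "DBInstances": [
        {"DBInstanceIdentifier": "knox-db-ok", "StorageEncrypted": True,
         "BackupRetentionPeriod": 35, "MultiAZ": True},
        {"DBInstanceIdentifier": "knox-db-weak", "StorageEncrypted": False,
         "BackupRetentionPeriod": 7, "MultiAZ": False},
    ],
    "Volumes": [
        {"VolumeId": "vol-example-1", "Encrypted": True},
        {"VolumeId": "vol-example-2", "Encrypted": False},
    ],
    "Buckets": {
        "docs-ok": {"ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
        "docs-unknown": {},  # no encryption configuration captured
    },
}
REQUIRED_RETENTION_DAYS = 35  # retention period stated in the backup section


def audit(snapshot, require_multi_az=False):
    """Return sorted (resource, finding) tuples for every deviation found."""
    findings = []
    for db in snapshot.get("DBInstances", []):
        name = "rds:" + db["DBInstanceIdentifier"]
        if not db.get("StorageEncrypted", False):
            findings.append((name, "storage not encrypted"))
        days = db.get("BackupRetentionPeriod", 0)  # 0 means automated backups are off
        if days < REQUIRED_RETENTION_DAYS:
            findings.append((name, f"backup retention {days}d, expected {REQUIRED_RETENTION_DAYS}d"))
        if require_multi_az and not db.get("MultiAZ", False):
            findings.append((name, "Multi-AZ disabled"))
    for vol in snapshot.get("Volumes", []):
        if not vol.get("Encrypted", False):
            findings.append(("ebs:" + vol["VolumeId"], "volume not encrypted"))
    for bucket, cfg in snapshot.get("Buckets", {}).items():
        rules = cfg.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
        algos = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
                 for r in rules}
        if not algos & {"aws:kms", "AES256"}:
            findings.append(("s3:" + bucket, "no default encryption recorded"))
    return sorted(findings)


if __name__ == "__main__":
    for resource, finding in audit(SAMPLE, require_multi_az=True):
        print(f"{resource}: {finding}")
```

Multi-AZ is checked only when `require_multi_az=True`, because the page describes it as an optional configuration.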
FAQ
Question: What hosting options are available?
Our Knox-grade offering is only available with AWS-based hosting as we utilise several AWS-services and other cloud-services. For our standard offering we also can host on our own servers which are deployed in Equinix and GlobalSwitch data centers. We can also support your IT team to self-host your Polonious environment.
Question: What Operating System options are available?
Question: What EC2 instance types do you use?
The EC2 and RDS instances are sized according to your needs based on number of system users.
Question: What data import options are available within Polonious?
Question: Do you have a Data Migration tool to import data from legacy systems?
Question: What SSO Integration do you support?
Question: Is Application Server High Availability included in your offering?
Question: Do you actively monitor system availability?
Question: What DR processes are included in the offering?
Our DR drill involves setting up replacement EC2 and RDS instances, recovering the RDS DB to an agreed point in time (according to RPO), and connecting the new EC2 instance to the recovered RDS instance as well as to the S3 document store. We then verify that the instance is accessible and perform standard operations including checking case and case data availability within the system. A dedicated client contact can be involved in the DR drill if this is desired and perform their own verifications. This process usually takes up to one day. If additional tests by the client are requested this can result in a longer DR drill, and needs to be quoted on, otherwise this will be charged at our agreed standard hourly rate.
Question: What Data Backups are there for the document store?
Amazon S3 is designed to provide 99.999999999% durability of objects over a given year. This durability level corresponds to an average annual expected loss of 0.000000001% of objects. For example, if you store 10,000,000 objects with Amazon S3, you can on average expect to incur a loss of a single object once every 10,000 years. In addition, Amazon S3 Standard, S3 Standard-IA, and S3 Glacier are all designed to sustain data in the event of an entire S3 Availability Zone loss.
Our default offering utilises the highly redundant S3 service to store your documents. If you would like us to configure copies to be sent to Amazon Glacier, this can be set up at an additional cost.
Question: What Data Backups what is the backup retention?
Question: What are the ongoing storage cost increases, what comes with the base offering?
Question: What test environments are included for Data load testing, Ref data and Migrations?
Question: What does Polonious provide for SLA Reporting?
Question: What Supplier Contingency options are available?
There are various ways of mitigating such scenarios and to make sure that all data is still accessible and that the services can be resumed by the client without any involvement of Polonious.
One such solution which Polonious has implemented in the past is to copy all backups (including RDS database backups, document backups, and EC2 instance snapshots) over to a client-controlled AWS account using AWS Pipeline. Polonious does not have permission to access this account other than the permission to add data backups. This optional setup is not included in our standard AWS-based subscription.
Question: Does Polonious have any Data Breach reporting/notifications in place?
Question: Do you perform regular penetration tests?
Question: What are your security patching processes?
Question: Do you follow security best-practice in your SDLC?
Question: Does Polonious have SOC 2 certification?
Question: Where is my data stored?
E.g. if you are an Australian client we will store your data in AWS availability zone:
Asia Pacific (Sydney) Region
If you are a US client you can choose from one of the below Availability Zones:
US East (Northern Virginia) Region
US East (Ohio) Region
US West (Oregon) Region
US West (Northern California) Region
We can deploy your services in any of the AWS regions listed here:
https://aws.amazon.com/about-aws/global-infrastructure/
Question: What data does SIEM process and do they store my data?
Polonious has several SIEM sensors and we always use a sensor which is hosted in the same jurisdiction as your hosted services. No client specific data is sent to our SIEM provider, only system events and network events. For further details read on below.
We use SIEM agents in all supported AWS services including EC2, RDS, S3, IAM, VPN. Those AlienVault agents send relevant system events to the sensor for collection. Below is a subset of events that are analysed:
- CloudFlare access logs
- VPN access logs
- Amazon VPC Flow Logs – this is the network traffic, it records which IP accessed which resources including timestamp
- CloudTrail logs – audit log for all actions taken with the Amazon API, either through the web UI, the CLI, or an SDK, this includes IAM changes, security group changes etc.
- S3 access logs – who is accessing the file data, and what actions are being taken
- RDS access logs – who is accessing the database and when
- EC2 logs:
  - Linux Auth Logs – sudo, login etc
  - OSQuery-Logs – changes for users, file, listening ports, cron jobs, kernel modules, processes, open network connections
  - Linux Audit Logs – Linux auditd logs, e.g. file changes, user changes, sudo, hostname change, time changes
  - clamav Logs – Anti-Virus scanning logs
The sensor forwards all those logged events to our SIEM provider which processes them and correlates to rules based on their threat database. Polonious staff get notified and react to any detected threats.
The raw log events are kept for 12 months.
The link below shows all Knox-compatible regions: https://docs.aws.amazon.com/general/latest/gr/rande.html