The E-WorkBook Cloud
Information security and business continuity
What you need to know about the security, business continuity and customer responsibilities of our cloud platform.
While some IT personnel worry about information security outside of the enterprise walls, the truth is that vendors of Software-as-a-Service (SaaS) and cloud technologies can provide a much higher level of security than standard enterprise IT infrastructure, alongside the added benefit of data with disaster recovery.
In this document we outline some useful information demonstrating our commitment to the
security, performance and robustness of The E-WorkBook Cloud.
Security, compliance and privacy
Because we know how important the security of your data and IP is at IDBS we have a dedicated security team, and stringent round-the-clock, proactive monitoring tools, controls and policies, and security certifications to ensure we provide the highest levels of security for our customers.
We have taken several steps to prevent the disclosure of your information to unauthorized individuals or systems, including encrypting all traffic between our customers and The E-WorkBook Cloud.
With an HTTPS connection, all communications are securely encrypted. This means that even if somebody was able to intercept the connection, they would not be able to decrypt any of the data which passes between you and the website.
Our E-WorkBook ELN and Advance modules leverage technologies that provide “object privileges” to prevent unauthorized access of information. Other modules such as Request and Connect implement similar behaviors to secure data.
Other key considerations include:
- Inbuilt EWB authentication, SSO and LDAP
- Securing all pre-defined database accounts and only giving admin access to required personnel with critical responsibilities operating the system
- Limiting access to our servers to operations and support on the basis of a principle of least privilege
- Continual investment in automation to reduce the amount of manual effort required for support and maintenance
To prevent unauthorized data modification, The E-WorkBook Cloud stores all customer data securely in databases and object stores. To provide database integrity, user sessions are logged and the identities of all users are recorded.
To prevent service disruptions, The E-WorkBook Cloud is empowered by:
- Data Centers and Network Operations Centers (NOCs) that are manned at all times
- A Capacity Management process to ensure the availability of all required resources, such as bandwidth, data center capacity and utilities (power, cooling, etc.)
- Firewalls that are managed and protected with a whitelist policy (i.e. a list of applications that have been granted permission by the user or an administrator)
Network Traffic Control
Network address spoofing
Network MAC addresses are dynamically assigned to Amazon Elastic Compute Cloud (Amazon EC2) instances by the AWS network infrastructure. IP addresses are either dynamically assigned by the AWS network infrastructure or statically assigned by an EC2 administrator through authenticated API requests. The AWS network only allows EC2 instances to send traffic from IP and MAC addresses specifically assigned to them, or the traffic will be dropped. By default, AWS also protects EC2 instances by treating an instance as a standalone network host, not a router or network gateway, and drops any traffic not specifically addressed to the instance.
It is not possible for a virtual instance running in promiscuous mode to receive or sniff traffic that is intended for a different virtual instance. While customers can elect to place their interfaces into promiscuous mode, the hypervisor will not deliver any traffic to an instance that is not addressed to it. Even two virtual instances that are owned by the same customer located on the same physical host cannot listen to each other’s traffic. Additionally, attacks such as ARP cache poisoning do not work within Amazon EC2 and Amazon VPC. While Amazon EC2 does provide ample data protection between customers by default, as a standard practice it is best to always encrypt sensitive traffic.
Remote administrative login on our servers is limited to our own IP address range.
To provide additional layers of security:
- We validate all logins via The E-WorkBook Cloud authentication, LDAP, or SSO
- All traffic is over SSL/TLS (SHA256 – RSA 2048)
- Password rules can be set to comply with 21 CFR Part 11
Data Center Security
Amazon Web Services data centers provide several layers of security to ensure only Data Center Operations Engineers are physically allowed near routers, switches and servers. Public access to each data center is strictly forbidden and controlled.
There is CCTV surveillance of the entire data center building, including entrances and the data center itself. On-site security personnel monitor the data center 24 hours a day, 7 days a week. Access to the data center is highly restricted to personnel with authorized security credentials and controlled with appropriate processes.
Each Availability Zone runs on its own physically distinct, independent infrastructure, and is engineered to be highly reliable. Common points of failures, like generators and cooling equipment. are not shared across Availability Zones. Additionally, they are physically separate, to ensure that uncommon disasters such as fires, tornados or flooding would only affect a single Availability Zone.
Zero Downtime Network
The E-WorkBook Cloud is deployed in an N+1 architecture. This means our servers run across two geographically diverse data centers, ensuring there is a power backup in place should any single system component fail.
As part of The IDBS E-WorkBook Cloud service offering, we guarantee your system will be available more than 99% of the time. In the event we don’t deliver (which hasn’t happened to date), there are penalties to be paid as part of our promise and guarantee.
Data Center Certifications
Our third-party data center holds the following certifications: ISO9001, IS027001 (and more ISOs), SOC1, SOC2, SOC3.
The E-WorkBook Cloud will restore to point-in-time backups and daily snapshots which are copied to multiple data centers to ensure protection in case of a natural disaster.
We deploy an intrusion detection system (IDS) to monitor for known network signatures and utilize advanced analytics and machine learning to monitor for and identify any unusual network traffic.
We deploy vulnerability scanning software (VSS) to monitor the security patch status of all servers 24/7.
IDBS undertakes regular security audits and maintains records relating to its data protection practices and the security of any of customer’s confidential information.
IDBS has a long track record, spanning more than a decade, in operating to internationally recognized standards ensuring our products and services meet or exceed both IDBS’ and our customers’ needs and expectations.
IDBS understands that having both internal and external surveillance of our working practices and controls is highly valued, both when considering IDBS as a service provider and long after you have purchased our products and services. We know that our compliance with these standards de-risks your work with IDBS and helps enable the use of our products and services in managing regulated data, whether you choose to use our cloud-based services or use our products in your own installations.
The management systems cover quality (ISO 9001) and information security (ISO 27001). TickITplus lays out requirements for the IT sector that supplements standards such as ISO 9001 and ISO 27001. While ISO 9001 is a generic standard for any business, TickITplus assures, for example, that IDBS process outcomes comply with those expected of a business providing software products and services.
The scope of our certifications include our principal development center in Guildford, UK that encompasses E-WorkBook, ActivityBase, Connect, Request, and others. It also includes all corporate data management and IT systems. Importantly, it includes the provision of our cloud-based (SaaS) solutions and Software Development Lifecycle, including secure software development. All 114 controls of ISO 27001 Annex A are implemented as drawn out in the company’s statement of applicability.
Continuous Security Monitoring
IDBS uses a number of intrusion detection systems (IDS) to identify malicious traffic attempting to access its networks. Through the use of these systems, any unauthorized attempts to access the data center are blocked, and unauthorized connection attempts are logged and subsequently investigated.
The enterprise-grade anti-virus software IDBS uses guards against trojans, worms, viruses and other malware from adversely affecting the software and applications.
Complete Separation of Duties
At IDBS, job responsibilities are separated and mandatory employee background checks are employed at all levels of operations. The principle of least authority (POLA) is followed and employees are only given access to the level of privileges necessary to undertake their duties.
Managed Physical Access
As the cloud provider for the IDBS SaaS platform, Amazon Web Services (AWS) is responsible for protecting the global infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure includes the hardware, software, networking, and facilities that run AWS services.
We also provide around the clock support and monitoring to secure the availability of The E-WorkBook Cloud.
At IDBS, we take data management, availability and performance seriously, with these three requirements at the heart of our SaaS platform. We do this in the following ways:
All layers of the IDBS platform implement multiple levels of redundancy – meaning components of the platform are duplicated, and ensuring backups are always available. With this design, elements can ‘fail’, without any interruption to the service our customers receive. This is made possible by having multiple, redundant systems online to automatically assume processing on behalf of any failed component.
The IDBS platform has data mirrored in data centers across several locations as part of its N+1 architecture practice. Data is replicated and synchronized to the other data centers through a replication mechanism. If, for any reason, the primary data center fails, all operations pass to the secondary data center. This procedure is automated, but can also be activated manually.
IDBS has designed its systems to accommodate surges and spikes in usage, and to scale upward dynamically to address increased volume and transactions.
Service Level Commitment
We guarantee a 99% uptime (outside the scheduled service windows) for the IDBS production platform for all customers. We have consistently averaged an uptime of 99.9% and provide customers with a publicly available webpage that displays the system status at all times.
World Class Hosting Operations Team
We have a global team of dedicated hosting operations personnel with decades of experience running large Cloud and SaaS business applications demanding enterprise-levels of high performance and availability. This team proactively monitors the health of the entire system with industry-leading alert and trend-based tools designed to identify and resolve events before they impact the live site.
Scalable Application Architecture
The IDBS platform application runs on a three-tiered architecture. All three tiers – web, application, and database – are scalable.
IDBS invests heavily in performance at every layer. This includes a dedicated performance team of developers and database administrators, who proactively verify application performance benchmarks and tune the application for maximum performance.
High Performance Databases
IDBS runs on high-performance database server hardware with multiple cores and maximum RAM configuration. IDBS production database servers run exclusively on solid state drive (SSD) storage ensuring the fastest possible database performance available in the industry.
Although we take care of most responsibilities for our SaaS platform, there are also a number of responsibilities on their part that our customers need to be aware of. They include:
Safeguarding of Assets and Information
To help safeguard information assets available in the IDBS platform, the IT governance processes of customers should include end-user training, to ensure awareness of the need for both secure access and secure account credentials.
Like most cloud services, access to the IDBS platform requires a login ID and password. When an organization subscribes to our platform, it is the customer’s responsibility to manage which end users should be given access. It is also the customer’s responsibility to ensures access is removed from end users, when appropriate – for example, if an individual leaves the organization, or a change of roles and responsibilities following a restructure. Only valid account credentials should be used by authorized users to access the IDBS platform.
The IDBS platform should be considered sensitive and confidential by all platform users, and users should follow information best practices to ensure their account credentials are secure – ensuring that the platform’s information and is protected and restricted from unauthorized use.
IDBS platform users are responsible for maintaining the security and confidentiality of their user credentials (e.g. login ID and password), and are responsible for all activities and uses performed under their account credentials, whether authorized by them or not.
Cloud-based services are accessible to the global internet public. As a result, great care must be exercised by IDBS platform users in protecting their subscriptions against unauthorized access and use of their credentials.
To safeguard the platform’s security, user credential information – such as passwords or user identification information – should not be shared to any unauthorized person.
More Info Sheets