Security White Paper

Updated: 8 months ago

Last Updated: February 2024

Important Notes

  • EnrolHQ has been reviewed by Safer Technology for Schools and are badged. https://st4s.edu.au
  • EnrolHQ has been reviewed by UpGuard and received a rating of A.
    https://www.upguard.com/product/security-ratings
    Rating of A means 'Absolute low risk for a data breach in the immediate future; organisations possess strong competencies in creating, adopting, and implementing strong security policies.'
  • EnrolHQ is penetration tested in November each year. We rotate through a group of industry providers.

Architecture Overview

Our TeamHQ products are fully hosted on Amazon Web Services (AWS) and take advantage of a large set of its products: Amazon Elastic Compute Cloud (EC2) for scalable computing capacity in the cloud, Elastic Block Store (EBS), Simple Storage Service (S3), Virtual Private Cloud (VPC), Identity and Access Management (IAM), CloudTrail, Trusted Advisor, Security

Groups, and others for additional security purposes.

In order to obtain a higher performance level, all our customers are hosted and served from Amazon’s Sydney data centre.

AWS offers a reliable platform for software services used by thousands of businesses worldwide, provides services in accordance with security best practices, and undergoes regular industryrecognised certifications and audits. More information can be found in the AWS Security White Paper.

Operational Responsibilities

AWS operates, manages, and controls the components from the hypervisor virtualization layer down to the physical security of the facilities in which our applications operate. In turn, we assume responsibility and management of the guest operating system (including updates and security patches) and application software, as well as the configuration of the AWS provided security group firewall.

AWS also operates the cloud infrastructure used by us to provision a variety of basic computing resources, including processing and storage. The AWS infrastructure includes facilities, network, and hardware, as well as operational software (e.g., host OS, virtualization software, etc.), which supports the provisioning and use of these resources. Amazon designed and

manages according to security best practices as well as a variety of security compliance standards.

Secure Management

Our staff use Secure Shell (SSH) and Secure Sockets Layer (SSL) for management connections to manage the AWS infrastructure. The connections to AWS management are limited to our Sydney office public IP address. The SSH port is blocked to all IP addresses but one at the AWS security group firewall. This means that the only ports which accept connections and which are open to the world are the 80 (HTTP) and 443 (HTTPS) ports.

Intrusion Detection Systems

We employ network level intrusion detection systems (IDS), as well as host level ones (HIDS), to detect and stop any attempts of unauthorised access to our business systems.

Our Technology Stack and Security

Operating System Security

Our applications run on EC2 virtual instances which host the latest version of Ubuntu operating system with long term support (LTS). We regularly monitor Ubuntu notice boards and are on a alert watchlist for the latest vulnerabilities. We apply security patches as any issues arise. We also install Fail2Ban on all our Ubuntu instances. When users repeatedly fail to authenticate to a service (or engage in other suspicious activity), fail2ban issues a temporary ban on the offending IP address by dynamically modifying the running firewall policy. Each fail2ban "jail" operates by checking the logs written by a service for patterns which indicate failed attempts. We setup fail2ban to monitor Nginx logs and take appropriate action.

Our Ubuntu instances are managed through SSH port, which is only open to our public IP address. Our authentication is completed using a pem key. Password authentication is disabled.

Web Server Security

Nginx is our web server of choice. We use the latest stable version and apply regular patches. Nginx is used to serve static assets (images, css, js, pdf etc.). It also handles SSL and proxies the traffic to our applications. We use security audit tools to test our web server for the following vulnerabilities:

SQL Injection, Blind SQL Injection, File Handling, Cross Site Scripting, CRLF, Commands execution, Resource consumption, Htaccess Bypass, Backup file, and potentially dangerous files.

Application Security

Our web applications are written in Python on top of a Django web framework. We apply regular patches to the Python and Django web framework as they are released. We continuously upgrade our frameworks and dependencies to make sure we use the latest.version of Python, supported by Django, and the latest Django LTS version (LTS where possible). Our developers make sure that the applications they write are protected against the following security exploits:

  • Cross site scripting (XSS) protection - to mitigate this threat all end user entered content is escaped, so injecting a malicious script that can run on visitor’s browsers is impossible.
  • Cross site request forgery (CSRF) protection - All our webforms use CSRF tokens to prevent a malicious user from executing actions using the credentials of another user without that user’s knowledge or consent.
  • SQL injection protection - Our staff use Django’s ORM which protects querysets from SQL injection. This means that user-provided parameters are considered unsafe and they are escaped by the underlying database driver.
  • Clickjacking protection - Django contains clickjacking protection in the form of the X-Frame-Options middleware which in a supporting browser can prevent a site from being rendered inside a frame. SSL/HTTPS - The apps run on https:// protocol. All http protocol is redirected to https://.
  • Other security measures - Some of the other security measures include limiting the size of user uploaded content, blocking repeated failed login attempts, 2FA on all staff accounts and on parent accounts where we have sensitive parent data, strong password policy, host header validation amongst many others.
  • All our data for our development and demo environments is anonymised including names, phone numbers, addresses and email addresses.
  • We use Amazon's RDS for our production database, no direct access to the database is allowed from the internet. It is only accessible via the application server which itself is secured by private key.
  • The only ports for the EnrolHQ application EC2 instances that are open are 443, 80 and 22. There are no passwords to access the instances, access is only permitted to staff who have the private keys.

About Amazon Web Services (AWS)

Geographic Location of Data on AWS Network

All the data we collect is stored in Sydney AWS data centre and is not replicated to other data centres in other AWS regions.

Isolation of Customer Data/Segregation of AWS Customers

Our data stored on AWS includes strong tenant isolation security and control capabilities. As a virtualized, multi‐tenant environment, AWS implements security management processes and other security controls designed to isolate each customer, such as our applications, from other AWS customers. AWS Identity and Access Management (IAM) is used to further lock down access to compute and storage instances.

Secure Network Architecture

AWS employs network devices, including firewall and other boundary devices, to monitor and control communications at the external boundary of the network and at key internal boundaries within the network.

These boundary devices employ rule sets, access control lists (ACL), and configurations to enforce the flow of information to specific information system services. ACLs, or traffic flow policies, exist on each managed interface to manage and enforce the flow of traffic. Amazon Information Security approves all ACL policies and automatically pushes them to each managed interface using AWS’s ACL‐ Manage tool, helping to ensure these managed interfaces enforce the most up‐to‐date ACLs.

Network Monitoring and Protection

AWS uses a variety of automated monitoring systems to provide a high level of service performance and availability. Monitoring tools help detect unusual or unauthorized activities and conditions at ingress and egress communication points.

The AWS network provides significant protection against traditional network security issues:

  • Distributed Denial Of Service (DDoS) Attacks
  • Man in the Middle (MITM) Attacks
  • IP Spoofing
  • Port Scanning
  • Packet sniffing by other tenants

You can find more information about Network Monitoring and Protection in the AWS Security Whitepaper on the Amazon website.

Service Monitoring

AWS monitors electrical, mechanical, and life support systems and equipment to help ensure immediate identification of any issues. In order to maintain the continued operability of equipment, AWS performs ongoing preventative maintenance.

Data Storage and Backup

Our applications store data in Amazon EBS and backups in Amazon S3.

Change Management

AWS authorizes, logs, tests, approves, and documents routine, emergency, and configuration changes to existing AWS infrastructure in accordance with industry norms for similar systems. Amazon schedules updates to AWS to minimize any customer impact. AWS communicates with customers, either via email, or through the AWS Service Health Dashboard when service use is likely to be adversely affected.

Patch Management

AWS maintains responsibility for patching systems that support the delivery of AWS services, such as the hypervisor and networking services. Our team is responsible for patching its guest operating systems (OS), software, and applications running in AWS.

AWS Data Physical and Environmental Controls

AWS physical and environmental controls are specifically outlined in a SOC 1, Type 2 report. The following section outlines some of the security measures and controls in place at every AWS data centre around the world. You can find more detailed information about AWS and Amazon’s security controls on the Amazon security website.

Physical Facility Security

AWS data centres utilise state‐of‐the‐art, innovative architectural and engineering approaches. Amazon applied its many years of experience designing, constructing, and operating its own large‐scale data s to the AWS platform and infrastructure. AWS data centres are housed in nondescript facilities, and Amazon strictly controls physical access both at

the perimeter and at building ingress points using professional security staff, video surveillance, intrusion detection systems, and other electronic means.

Authorized staff must pass two‐factor authentication a minimum of two times to access data centre floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorised staff.

AWS only provides data centre access and information to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if he or she continues to be an employee of Amazon or Amazon Web Services. All physical access to data centres by AWS employees is logged and audited routinely.

Fire Suppression

AWS installs automatic fire detection and suppression equipment in all AWS data centres. The fire detection system utilises smoke detection sensors in all data centre environments, mechanical and electrical infrastructure spaces, chiller rooms and generator equipment rooms. These areas are protected by either wet‐pipe, double‐interlocked pre‐action, or gaseous sprinkler systems.

Controlled Environment

AWS employs a climate control system to maintain a constant operating temperature for servers and other hardware, preventing overheating and reducing the possibility of service outages. AWS data centres maintain atmospheric conditions at optimal levels. AWS personnel and systems monitor and control both temperature and humidity at appropriate levels.

Backup Power

AWS data electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, 7 days a week. Uninterruptible Power Supply (UPS) units provide back‐up power in the event of an electrical failure for critical and essential loads in the facility. Data centres use generators to provide back‐up power for the entire facility.

Video Surveillance

Professional security staff strictly controls physical access both at the perimeter and at building ingress points for AWS Data centres using video surveillance, intrusion detection systems, and other electronic means.

Disaster Recovery

AWS data centres include a high level of availability and tolerate system or hardware failures with minimal impact. Built in clusters in various global regions, all data centres remain online 24/7/365 to serve customers; no data centre is “cold.” In case of failure, automated processes move customer data traffic away from the affected area. Core applications are deployed in an N+1 configuration, so that in the event of a data failure, there is sufficient capacity to enable traffic to be load‐balanced to the remaining sites. You can find more information about AWS disaster recovery protocols on the Amazon Security website.

Uptime Service Level Agreement

The AWS servers are extremely reliable, with uptime statistics of around 99.999% over the last 5 years. Our uptime Service Level Agreement (SLA) is

guaranteed at 99.5%.

For more information:

https://aws.amazon.com/ec2/sla/

https://aws.amazon.com/s3/sla/

Database Backup

Our servers provide a continuous backup of data. We also recommend that clients' take a local copy.

Penetration Testing

We have multiple clients who do yearly penetration tests on our systems using third party security vendors. Please note that the following activities need to be scheduled before they can be performed.

These activities are prohibited and running them on your EnrolHQ instance will instantly shut it down as part of our security measures.

DNS zone walking via Amazon Route 53 Hosted Zones

Denial of Service (DoS), Distributed Denial of Service (DDoS), Simulated DoS,

Simulated DDoS

Port flooding

Protocol flooding

Request flooding (login request flooding, API request flooding)

If you plan to perform a penetration test please email support@enrolhq.com.au with details. Be sure to include dates, accounts involved, assets involved, and contact information, including phone number and detailed description of planned events.

Our last EnrolHQ instigated penetration test by an external service provider was conducted in November 2023.

Further Questions

For any further questions, please email support@enrolhq.com.au