Updated: 8 months ago
Last Updated: February 2024
Our TeamHQ products are fully hosted on Amazon Web Services (AWS) and take advantage of a large set of its products: Amazon Elastic Compute Cloud (EC2) for scalable computing capacity in the cloud, Elastic Block Store (EBS), Simple Storage Service (S3), Virtual Private Cloud (VPC), Identity and Access Management (IAM), CloudTrail, Trusted Advisor, Security
Groups, and others for additional security purposes.
In order to obtain a higher performance level, all our customers are hosted and served from Amazon’s Sydney data centre.
AWS offers a reliable platform for software services used by thousands of businesses worldwide, provides services in accordance with security best practices, and undergoes regular industryrecognised certifications and audits. More information can be found in the AWS Security White Paper.
AWS operates, manages, and controls the components from the hypervisor virtualization layer down to the physical security of the facilities in which our applications operate. In turn, we assume responsibility and management of the guest operating system (including updates and security patches) and application software, as well as the configuration of the AWS provided security group firewall.
AWS also operates the cloud infrastructure used by us to provision a variety of basic computing resources, including processing and storage. The AWS infrastructure includes facilities, network, and hardware, as well as operational software (e.g., host OS, virtualization software, etc.), which supports the provisioning and use of these resources. Amazon designed and
manages according to security best practices as well as a variety of security compliance standards.
Our staff use Secure Shell (SSH) and Secure Sockets Layer (SSL) for management connections to manage the AWS infrastructure. The connections to AWS management are limited to our Sydney office public IP address. The SSH port is blocked to all IP addresses but one at the AWS security group firewall. This means that the only ports which accept connections and which are open to the world are the 80 (HTTP) and 443 (HTTPS) ports.
We employ network level intrusion detection systems (IDS), as well as host level ones (HIDS), to detect and stop any attempts of unauthorised access to our business systems.
Our applications run on EC2 virtual instances which host the latest version of Ubuntu operating system with long term support (LTS). We regularly monitor Ubuntu notice boards and are on a alert watchlist for the latest vulnerabilities. We apply security patches as any issues arise. We also install Fail2Ban on all our Ubuntu instances. When users repeatedly fail to authenticate to a service (or engage in other suspicious activity), fail2ban issues a temporary ban on the offending IP address by dynamically modifying the running firewall policy. Each fail2ban "jail" operates by checking the logs written by a service for patterns which indicate failed attempts. We setup fail2ban to monitor Nginx logs and take appropriate action.
Our Ubuntu instances are managed through SSH port, which is only open to our public IP address. Our authentication is completed using a pem key. Password authentication is disabled.
Nginx is our web server of choice. We use the latest stable version and apply regular patches. Nginx is used to serve static assets (images, css, js, pdf etc.). It also handles SSL and proxies the traffic to our applications. We use security audit tools to test our web server for the following vulnerabilities:
SQL Injection, Blind SQL Injection, File Handling, Cross Site Scripting, CRLF, Commands execution, Resource consumption, Htaccess Bypass, Backup file, and potentially dangerous files.
Our web applications are written in Python on top of a Django web framework. We apply regular patches to the Python and Django web framework as they are released. We continuously upgrade our frameworks and dependencies to make sure we use the latest.version of Python, supported by Django, and the latest Django LTS version (LTS where possible). Our developers make sure that the applications they write are protected against the following security exploits:
All the data we collect is stored in Sydney AWS data centre and is not replicated to other data centres in other AWS regions.
Our data stored on AWS includes strong tenant isolation security and control capabilities. As a virtualized, multi‐tenant environment, AWS implements security management processes and other security controls designed to isolate each customer, such as our applications, from other AWS customers. AWS Identity and Access Management (IAM) is used to further lock down access to compute and storage instances.
AWS employs network devices, including firewall and other boundary devices, to monitor and control communications at the external boundary of the network and at key internal boundaries within the network.
These boundary devices employ rule sets, access control lists (ACL), and configurations to enforce the flow of information to specific information system services. ACLs, or traffic flow policies, exist on each managed interface to manage and enforce the flow of traffic. Amazon Information Security approves all ACL policies and automatically pushes them to each managed interface using AWS’s ACL‐ Manage tool, helping to ensure these managed interfaces enforce the most up‐to‐date ACLs.
AWS uses a variety of automated monitoring systems to provide a high level of service performance and availability. Monitoring tools help detect unusual or unauthorized activities and conditions at ingress and egress communication points.
The AWS network provides significant protection against traditional network security issues:
You can find more information about Network Monitoring and Protection in the AWS Security Whitepaper on the Amazon website.
AWS monitors electrical, mechanical, and life support systems and equipment to help ensure immediate identification of any issues. In order to maintain the continued operability of equipment, AWS performs ongoing preventative maintenance.
Our applications store data in Amazon EBS and backups in Amazon S3.
AWS authorizes, logs, tests, approves, and documents routine, emergency, and configuration changes to existing AWS infrastructure in accordance with industry norms for similar systems. Amazon schedules updates to AWS to minimize any customer impact. AWS communicates with customers, either via email, or through the AWS Service Health Dashboard when service use is likely to be adversely affected.
AWS maintains responsibility for patching systems that support the delivery of AWS services, such as the hypervisor and networking services. Our team is responsible for patching its guest operating systems (OS), software, and applications running in AWS.
AWS physical and environmental controls are specifically outlined in a SOC 1, Type 2 report. The following section outlines some of the security measures and controls in place at every AWS data centre around the world. You can find more detailed information about AWS and Amazon’s security controls on the Amazon security website.
AWS data centres utilise state‐of‐the‐art, innovative architectural and engineering approaches. Amazon applied its many years of experience designing, constructing, and operating its own large‐scale data s to the AWS platform and infrastructure. AWS data centres are housed in nondescript facilities, and Amazon strictly controls physical access both at
the perimeter and at building ingress points using professional security staff, video surveillance, intrusion detection systems, and other electronic means.
Authorized staff must pass two‐factor authentication a minimum of two times to access data centre floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorised staff.
AWS only provides data centre access and information to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if he or she continues to be an employee of Amazon or Amazon Web Services. All physical access to data centres by AWS employees is logged and audited routinely.
AWS installs automatic fire detection and suppression equipment in all AWS data centres. The fire detection system utilises smoke detection sensors in all data centre environments, mechanical and electrical infrastructure spaces, chiller rooms and generator equipment rooms. These areas are protected by either wet‐pipe, double‐interlocked pre‐action, or gaseous sprinkler systems.
AWS employs a climate control system to maintain a constant operating temperature for servers and other hardware, preventing overheating and reducing the possibility of service outages. AWS data centres maintain atmospheric conditions at optimal levels. AWS personnel and systems monitor and control both temperature and humidity at appropriate levels.
AWS data electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, 7 days a week. Uninterruptible Power Supply (UPS) units provide back‐up power in the event of an electrical failure for critical and essential loads in the facility. Data centres use generators to provide back‐up power for the entire facility.
Professional security staff strictly controls physical access both at the perimeter and at building ingress points for AWS Data centres using video surveillance, intrusion detection systems, and other electronic means.
AWS data centres include a high level of availability and tolerate system or hardware failures with minimal impact. Built in clusters in various global regions, all data centres remain online 24/7/365 to serve customers; no data centre is “cold.” In case of failure, automated processes move customer data traffic away from the affected area. Core applications are deployed in an N+1 configuration, so that in the event of a data failure, there is sufficient capacity to enable traffic to be load‐balanced to the remaining sites. You can find more information about AWS disaster recovery protocols on the Amazon Security website.
The AWS servers are extremely reliable, with uptime statistics of around 99.999% over the last 5 years. Our uptime Service Level Agreement (SLA) is
guaranteed at 99.5%.
For more information:
https://aws.amazon.com/ec2/sla/
https://aws.amazon.com/s3/sla/
Our servers provide a continuous backup of data. We also recommend that clients' take a local copy.
We have multiple clients who do yearly penetration tests on our systems using third party security vendors. Please note that the following activities need to be scheduled before they can be performed.
These activities are prohibited and running them on your EnrolHQ instance will instantly shut it down as part of our security measures.
DNS zone walking via Amazon Route 53 Hosted Zones
Denial of Service (DoS), Distributed Denial of Service (DDoS), Simulated DoS,
Simulated DDoS
Port flooding
Protocol flooding
Request flooding (login request flooding, API request flooding)
If you plan to perform a penetration test please email support@enrolhq.com.au with details. Be sure to include dates, accounts involved, assets involved, and contact information, including phone number and detailed description of planned events.
Our last EnrolHQ instigated penetration test by an external service provider was conducted in November 2023.
For any further questions, please email support@enrolhq.com.au