Vector Risk Cloud Service Security Features
“According to an IDC study, 70% of CIOs will embrace a cloud-first strategy in 2016, meaning they will consider cloud-based delivery the preferred choice when implementing new services.”
(Quote from the Azure Security, Privacy and Compliance whitepaper, referenced below.)
Vector Risk approaches the security of customer data from two viewpoints: security features built into Microsoft Azure and security features built into the Vector Risk service itself.
Microsoft is one of the world’s largest cloud service providers. As the world’s pre-eminent software company, Microsoft has vast experience in protecting computer networks against a wide range of threats, including malware, denial of service attacks and data theft. Download the Azure Security, Privacy, and Compliance whitepaper to learn more, or see the essential security features listed in the Azure Security sections below.
In developing its cloud analytics service, Vector Risk recognized early on that the key benefits to consumers of the service could only be gained in a multi-tenancy model, whereby all users share the same hardware and simultaneously access a single active instance of the software. We knew that the issues of security and privacy would be uppermost in our customers’ minds, so we included industry best practice security features in every aspect of the design. The key tenets we followed were:
Segregation. We established a Vector Risk Security Database to hold all credentials. The database contains “organisations”. Each organisation is segmented into “environments”. Each environment is assigned to a “level” (production, staging, test or training). Each level has its own database, so there can be no pollution of data between levels. Users are assigned to environments, and there is a hierarchy of permissions.
Access. The Vector Risk service can be accessed via a downloadable GUI or via direct system links to Vector Risk’s secure (HTTPS/SSL) web services. In all cases the underlying cloud service (and the customer’s data and results) is reachable only through these web services; the GUI simply calls the same services with the credentials the user supplies at login. The web services pass the credentials in SOAP headers (also known as simple authentication), so the confidentiality of those credentials in transit rests on the HTTPS/TLS connection rather than on the message format itself.
Data Security. A customer’s data must be fully protected from outside access, encrypted where necessary (for example, counterparty names), and protected inside the customer’s own organisation by a hierarchy of permissions. In addition, the data should be physically protected (in a secure data centre, in a country with strong privacy laws) and backed up frequently. Users have no direct access to any of the databases.
Vector Risk Security Features - Details
Architecture. The diagram below shows the components of the Vector Risk service. Remember, a user may access the system via the GUI or via the web services. The GUI only accesses the rest of the system via the web services, all of which are secured by credentials held in the Security Database.
Internet Protocol. IPv4.
Network Protocols. Users connect to the Microsoft Azure cloud over HTTP/HTTPS. Data transfers are protected by SSL/TLS.
Logins and Passwords. Passwords are stored as salted hashes using industry best practice techniques; the plain-text password is never stored.
Roles. Users are assigned roles on a per-environment basis. Roles determine if a user can view, load data, change configurations, change user permissions and administer the system. Users are assigned roles through the application GUI.
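The organisation, environment, level and role model described under Segregation and under Roles, as an added example in Go (not Vector Risk's code). Permissions are the five capabilities the page lists; the role names, the bit layout, the sample organisations and the database naming scheme are assumptions made for the example.

```go
package main

import "fmt"

// Permission bits for the five capabilities the page lists for roles.
type Permission uint8

const (
	View Permission = 1 << iota
	LoadData
	ChangeConfig
	ManageUsers
	Administer
)

// Roles form a hierarchy: each role carries everything the one below it has.
// The role names are assumptions; the page names only the capabilities.
var Roles = map[string]Permission{
	"viewer":     View,
	"loader":     View | LoadData,
	"configurer": View | LoadData | ChangeConfig,
	"env-admin":  View | LoadData | ChangeConfig | ManageUsers,
	"sysadmin":   View | LoadData | ChangeConfig | ManageUsers | Administer,
}

// Level is the tier an environment is assigned to; each level has its own database.
type Level string

const (
	Production Level = "production"
	Staging    Level = "staging"
	Test       Level = "test"
	Training   Level = "training"
)

// SecurityDB mirrors the organisation > environment > level layout of the
// Vector Risk Security Database as the page describes it.
type SecurityDB struct {
	envs  map[string]Level             // org + "/" + env -> level
	roles map[string]map[string]string // user -> org/env -> role name
}

func envKey(org, env string) string { return org + "/" + env }

func NewSecurityDB() *SecurityDB {
	return &SecurityDB{envs: map[string]Level{}, roles: map[string]map[string]string{}}
}

func (db *SecurityDB) AddEnvironment(org, env string, level Level) { db.envs[envKey(org, env)] = level }

// AssignRole grants a role in exactly one environment. There is no
// organisation-wide grant: a role in "prod" says nothing about "uat".
func (db *SecurityDB) AssignRole(user, org, env, role string) error {
	key := envKey(org, env)
	if _, ok := db.envs[key]; !ok {
		return fmt.Errorf("no environment %s", key)
	}
	if _, ok := Roles[role]; !ok {
		return fmt.Errorf("unknown role %q", role)
	}
	if db.roles[user] == nil {
		db.roles[user] = map[string]string{}
	}
	db.roles[user][key] = role
	return nil
}

// DatabaseName shows the per-level split: environments at different levels
// are never served from the same database. The naming scheme is assumed.
func (db *SecurityDB) DatabaseName(org, env string) (string, error) {
	level, ok := db.envs[envKey(org, env)]
	if !ok {
		return "", fmt.Errorf("no environment %s", envKey(org, env))
	}
	return "vectorrisk_" + string(level), nil
}

// Authorize is the check each web service call makes before touching data:
// an unknown environment, no role there, or a role lacking the bit all deny.
func (db *SecurityDB) Authorize(user, org, env string, need Permission) error {
	key := envKey(org, env)
	if _, ok := db.envs[key]; !ok {
		return fmt.Errorf("deny: no environment %s", key)
	}
	role, ok := db.roles[user][key]
	if !ok {
		return fmt.Errorf("deny: %s has no role in %s", user, key)
	}
	if Roles[role]&need != need {
		return fmt.Errorf("deny: role %s in %s lacks permission %05b", role, key, need)
	}
	return nil
}

// BuildSampleDB sets up constructed data: alice administers acme's production
// environment, may only view its UAT environment, and has nothing at globex.
func BuildSampleDB() *SecurityDB {
	db := NewSecurityDB()
	db.AddEnvironment("acme", "prod", Production)
	db.AddEnvironment("acme", "uat", Staging)
	db.AddEnvironment("globex", "prod", Production)
	_ = db.AssignRole("alice", "acme", "prod", "env-admin")
	_ = db.AssignRole("alice", "acme", "uat", "viewer")
	return db
}

func main() {
	db := BuildSampleDB()
	fmt.Println(db.Authorize("alice", "acme", "prod", LoadData)) // <nil>: allowed
	fmt.Println(db.Authorize("alice", "acme", "uat", LoadData))  // denied: viewer only
	fmt.Println(db.Authorize("alice", "globex", "prod", View))   // denied: no role there
}
```

The point of keying role grants by organisation and environment, rather than by user alone, is that a privilege in one environment cannot be carried into another, and a user with no grant in an organisation is indistinguishable from a user who does not exist there.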
Audit Logs. An audit trail is kept that includes all logon and logoff events, privileged operations, unauthorised access attempts, security-related system alerts and failures, system user and group additions, deletions and modifications to permissions.
Counterparty Names. Sensitive fields such as counterparty names are encrypted with the AES algorithm before they traverse the network between the client and Azure, in addition to the SSL/TLS protection of the connection itself. The GUI decrypts the data so that the user sees it as plain text in screens and reports.
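Field-level encryption of the kind described for counterparty names, as an added example in Go (not Vector Risk's code). It seals one field of a record with AES-256-GCM on the client side, binds the ciphertext to the record and column it belongs to, and shows that a moved or altered ciphertext is rejected rather than decrypted to garbage. The page says only that AES is used; the GCM mode, the client-side key, the trade record shape and the placeholder key are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// FieldCipher encrypts individual sensitive fields with AES-256-GCM before they
// leave the client. The key stays with the client (an assumption here); the
// service only ever stores and returns the ciphertext.
type FieldCipher struct{ aead cipher.AEAD }

func NewFieldCipher(key []byte) (*FieldCipher, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{aead: aead}, nil
}

// Seal encrypts one field value. The context (record id plus column name) is
// authenticated but not encrypted, so a ciphertext copied to another record
// or column fails to decrypt.
func (c *FieldCipher) Seal(plaintext, context string) (string, error) {
	nonce := make([]byte, c.aead.NonceSize()) // fresh random nonce per field
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	out := c.aead.Seal(nonce, nonce, []byte(plaintext), []byte(context)) // nonce || ct || tag
	return base64.StdEncoding.EncodeToString(out), nil
}

// Open reverses Seal; any change to nonce, ciphertext, tag or context is an error.
func (c *FieldCipher) Open(encoded, context string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	ns := c.aead.NonceSize()
	if len(raw) < ns+c.aead.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := c.aead.Open(nil, raw[:ns], raw[ns:], []byte(context))
	if err != nil {
		return "", errors.New("authentication failed: tampered, wrong key or wrong context")
	}
	return string(pt), nil
}

// Trade is a constructed record: the counterparty is the sensitive field; the
// rest travels as plain text (over TLS) because the service computes on it.
type Trade struct {
	ID           string
	Counterparty string // ciphertext once sealed
	Notional     float64
}

func (c *FieldCipher) EncryptTrade(t Trade) (Trade, error) {
	ct, err := c.Seal(t.Counterparty, t.ID+"/counterparty")
	if err != nil {
		return Trade{}, err
	}
	t.Counterparty = ct
	return t, nil
}

func (c *FieldCipher) DecryptTrade(t Trade) (Trade, error) {
	pt, err := c.Open(t.Counterparty, t.ID+"/counterparty")
	if err != nil {
		return Trade{}, err
	}
	t.Counterparty = pt
	return t, nil
}

// SampleKey is a placeholder for this example only; a real client would load
// the key from a key store, never from source code.
var SampleKey = []byte("0123456789abcdef0123456789abcdef")

func main() {
	c, err := NewFieldCipher(SampleKey)
	if err != nil {
		panic(err)
	}
	sealed, _ := c.EncryptTrade(Trade{ID: "T-1001", Counterparty: "Acme Bank plc", Notional: 5e6})
	fmt.Println("stored by the service:", sealed.Counterparty) // opaque, different on every run
	opened, _ := c.DecryptTrade(sealed)
	fmt.Println("shown by the GUI:", opened.Counterparty)
	moved := sealed
	moved.ID = "T-1002" // same ciphertext attached to a different trade
	_, err = c.DecryptTrade(moved)
	fmt.Println("moved ciphertext:", err)
}
```

Because the service never holds the key, a breach of the stored data exposes only the sealed field; the trade-off is that the service cannot search or sort on that field, which is why only the genuinely sensitive columns are treated this way.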
Azure Design and Operational Security
Microsoft has developed industry-leading best practices in the design and management of online services, including:
Security Centers of Excellence. The Microsoft Digital Crimes Unit, Microsoft Cybercrime Center, and Microsoft Malware Protection Center provide insight into evolving global security threats.
Security Development Lifecycle (SDL). Since 2004, all Microsoft products and services have been designed and built from the ground up using its Security Development Lifecycle - a comprehensive approach for writing more secure, reliable and privacy-enhanced code.
Operational Security Assurance (OSA). The Microsoft OSA program provides an operational security baseline across all major cloud services, helping ensure key risks are consistently mitigated.
Assume Breach. Specialized teams of Microsoft security engineers use pioneering security practices and operate with an 'assume breach' mindset to identify potential vulnerabilities and proactively eliminate threats before they become risks to customers.
Incident Response. Microsoft operates a global 24x7 event and incident response team to help mitigate threats from attacks and malicious activity.
Azure Security Controls and Capabilities
Azure delivers a trusted foundation on which customers can design, build and manage their own secure cloud applications and infrastructure.
24-hour monitored physical security. Datacenters are physically constructed, managed, and monitored to shelter data and services from unauthorized access as well as environmental threats.
Monitoring and logging. Security is monitored with the aid of centralized monitoring, correlation, and analysis systems that manage the large amount of information generated by devices within the environment and provide timely alerts. In addition, multiple levels of monitoring, logging, and reporting are available to provide visibility to customers.
Patching. Integrated deployment systems manage the distribution and installation of security patches. Customers can apply similar patch management processes for Virtual Machines deployed in Azure.
Antivirus/Antimalware protection. Microsoft Antimalware is built into Cloud Services and can be enabled for Virtual Machines to help identify and remove viruses, spyware and other malicious software and provide real-time protection. Customers can also run antimalware solutions from partners on their Virtual Machines.
Intrusion detection and DDoS. Intrusion detection and prevention systems, denial of service attack prevention, regular penetration testing, and forensic tools help identify and mitigate threats from both outside and inside of Azure.
Zero standing privileges. Access to customer data by Microsoft operations and support personnel is denied by default. When granted, access is carefully managed and logged. Data centre access to the systems that store customer data is strictly controlled via lock box processes.
Isolation. Azure uses network isolation to prevent unwanted communications between deployments, and access controls block unauthorized users. Virtual Machines do not receive inbound traffic from the Internet unless customers configure them to do so.
Azure Virtual Networks. Customers can choose to assign multiple deployments to an isolated Virtual Network and allow those deployments to communicate with each other through private IP addresses.
Encrypted communications. Built-in SSL and TLS cryptography enable customers to encrypt communications within and between deployments, from Azure to on-premises datacenters, and from Azure to administrators and users.
Private connection. Customers can use ExpressRoute to establish a private connection to Azure datacenters, keeping their traffic off the Internet.
Data encryption. Azure offers a wide range of encryption capabilities up to AES-256, giving customers the flexibility to implement the methods that best meet their needs.
Identity and access. Azure Active Directory enables customers to manage access to Azure, Office 365 and a world of other cloud apps. Multi-Factor Authentication and access monitoring offer enhanced security.