Security Brief

Terminology

SOFTWARE

Programs and other operating information used to perform business logic and data manipulation.

IT INFRASTRUCTURE

The composite hardware, software, network resources and services required for the existence, operation and management of an enterprise IT environment.

CLOUD HOSTING

The process of outsourcing an organization’s computing and storage resources to a service provider that offers its infrastructure services in a utility model.

SAAS

Software As A Service is the process of outsourcing an organization’s computing and storage resources to a service provider that offers its infrastructure services in a utility model.

OPERATING SYSTEM

The low-level software that supports a computer’s basic functions, such as scheduling tasks and controlling peripherals.

SECURITY POSTURE

Refers to an organization’s overall cybersecurity strength and how well it can predict, prevent and respond to ever-changing cyber threats.

ON PREMISE (ON-PREM)

An on-premise solution requires server hardware, a server operating system such as Microsoft Small Business Server, and a database, such as Microsoft SQL. Server room and power are some of the associated costs. Likewise, server software updates, server administration and responsibility for backups.

MTBF

(Mean Time Between Failures) is a measure of how reliable a hardware product or component is. For most components, the measure is typically in thousands or even tens of thousands of hours between failures. For example, a hard disk drive may have a mean time between failures of 300,000 hours

ATTACK VECTOR

An attack vector is a method or pathway used by a hacker to access or penetrate the target system.

SMB

Small to Medium Business

ISO 27001

(Formally known as ISO/IEC 27001:2005) is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation’s information risk management processes.

Brief

Iseka Services PTD LTD is a software company based in Melbourne, Australia.  Iseka Services and LogixOne TM create software systems for business purposes for a range of different customers within different industries.  Other than personal computing devices Iseka Services does NOT provide any of its own IT Infrastructure.

Iseka Services Pty Ltd takes both the data integrity and business continuity of our customers very seriously and only utilise Tier 1 hosting providers.   At a minimum, any data or software that Iseka Services creates is hosted within ISO 27001 compliant infrastructure.

Why do we use the SaaS model? One of the main reasons is that leveraging SaaS services is the best way companies of any size can leverage the latest in not only security technology but security practices and people that are able to actively manage their own environments on an ongoing basis.  For all but the largest organisations being able to match the level of security companies such as Zoho, Google, Alibaba, Microsoft and the like provide would be basically impossible.

It is Iseka Services Pty Ltd view that leveraging the Cloud and SaaS based computing is by far the best way for companies of all sizes, especially smaller companies to secure not only their data but the business continuity processes.

 

Threats – Internal and External

The threat profile for companies that leverage technology to operate their business is ever changing.  Threats can occur from not only from external actors but also internal personnel.

These threats can come from what is known as ‘vectors’, hackers that use a range of different techniques to violate companies IT Infrastructure such as Windows Servers and other personal computing devices such as windows and MAC desktops, Android and IOS smart devices.   Hackers target the computers ‘Operating Systems’ with a range of techniques such as ‘phishing’ or ‘malware’ injection enable hackers to install in many cases undetected  software to either extract data, control or further infect other computers.

The main techniques hackers use to impact small to medium businesses (SMBs) include; Bait and Switch, Cookie Theft, Eaves-dropping, Malware, Denial of Service, key logging and Phishing in an effort to either infect more computers within the organisation, or to use tactics such as “ransom” the company by removing access to company data and systems until such time as a payment is made (commonly known as ransom ware and is currently the predominant way hackers are leveraging their capabilities).

Please see this article:   https://home.kpmg/au/en/home/insights/2020/05/rise-of-ransomware-during-covid-19.html  Source: KPMG 12th of May 2020.

The significance and prevalence of external attacks such as ransomware cannot be understated and companies hosting their own infrastructure need to be constantly working on protecting themselves by investing in expensive security technology and employing security professionals in an effort to combat this.

Another significant vector for subsequent data loss is from either intentional or non-intentional data and system downtime caused by employees.  Disgruntled or malicious employees can steal data or impact systems by gaining access to company systems.  It is also common for employees to lose data or harm IT Infrastructure un-intentionally.  This can be in the form of accidental deletion, power cycling, or even using poor internet browsing practices and through not updating operating systems.

 

SaaS and Cloud Computing – Tier 1 infrastructure for not much $’s

SaaS or Software as a Service is the provisioning of software technology and related support services on a subscription based commercial licensing agreement between the supplier and the customer or user.  Over the past decade SaaS solutions have become attractive to end-users primarily because they offer the ability to access technology that in the past, only the largest companies could afford, given they are based on shared infrastructure cost model.

By leveraging SaaS computing solutions the company or user ‘out-sources’ their security posture to the SaaS provider thereby enabling the leveraging of that providers significantly better security technology and practices.

In addition, SaaS solutions, particularly the ones Iseka Services use means that any workflow software or data is, in most cases, never bought to the desktop or to personal computing devices.  The users, other than IF they export the data, are only viewing the data.

SaaS computing not only provides the very best in security and data protection, it enables the customer, in many cases, to leverage a more cost effective software platform thereby further reducing cost.

Please review the table below for further reference.

Benefits of SaaS

Availability and Access

LogixOne is a “cloud” based technology, meaning that all of the backend hardware (server) infrastructure is accessible by any computer with an Internet connection and a browser.

This provides users Access from Anywhere on any device at any time meaning that they can work where ever and whenever they want.  Users are no longer bound to desks and allows customers more flexibility to create  a “work from home” model or to build a more “mobile” work force. This technology easily allows this.

Hardware Cost

Cloud based SaaS technology significantly reduces the cost of expensive personal computing hardware given that all that is needed to access LogixOne is a screen and a browser.

Many clients adopt Android based monitors to provide this access to internal staff which can cost as little as 30% the cost of a personal computer and require considerably less support given they have no moving parts.

In the field the LogixOne app works on any Android or IOS device and provides a very cost effective access method.

Expensive server hardware is not required.  The cost savings can be immense given the power, support and cost of this equipment.

Scalability

Traditional server-based architecture needs to be sized to cater for the expected current and future demand requirements and often becomes oversubscribed, creating performance issues, requiring increasing capacity in an incremental manner.  SaaS, cloud-based technology does not suffer from these issues; if the client requires another user, or additional functionality they simply subscribe.

Repeatability

Information Technology is typically one of the most difficult components to integrate when either adding additional business units, or acquiring existing organisations primarily because of the capacity requirements and competing infrastructure.

The simplicity of a SaaS solution means that clients can simply copy or extend solutions into new business units or when adding new users.

Predicable costs

Being able to predict the cost of business operations is of utmost importance to any financial entity as it allows that organisation to perform very quick “what-if” analysis on critical business decisions.  For example when deciding on new business pricing models or when acquiring additional business units, the ability to know what the IT cost is for each employee makes this process considerably more efficient.

Security

LogixOne is powered by Zoho technology and as such has a level of security that most companies would not be able to implement on their own.  The following are details of Zoho’s physical and network security:

Physical Security

Data-centres are hosted in some of the most secure facilities available in locations that are protected from physical and logical attacks as well as from natural disasters such as earthquakes, fires, floods, etc.

  • 7x24x365 Security. The data centres that host your data are guarded seven days a week, 24 hours a day, each and every day of the year by private security guards.
  • Video Monitoring. Each data centre is monitored 7x24x365 with night vision cameras.
  • Controlled Entrance. Access to the Zoho data centres is tightly restricted to a small group of pre-authorised personnel.
  • Biometric, two-Factor Authentication. Two forms of authentication, including a bio metric one, must be used together at the same time to enter a Zoho data centre.
  • Undisclosed locations. Zoho servers are located inside generic-looking, undisclosed locations that make them less likely to be a target of an attack.
  • Bullet-resistant walls. Zoho servers are guarded safely inside bullet-resistant walls.

Network Security

Zoho network security team and infrastructure helps protect your data against the most sophisticated electronic attacks. The following is a subset of our network security practices. These are intentionally stated in a very general way, since even knowing what tactics we use is something hackers crave. If your organisation requires further detail on our network security, please contact us.

 

  • Secure Communication. All data transmission to Zoho services are encrypted using TLS 1.2 protocols, and we use certificates issued by SHA 256 based CA ensuring that our users have a secure connection from their browsers to our service. We use the latest and strong ciphers like AES_CBC/AES_GCM 256 bit/128 bit keys for encryption, SHA2 for message authentication and ECDHE_RSA as the key exchange mechanism.
  • IDS/IPS. Our network is gated and screened by highly powerful and certified Intrusion Detection / Intrusion Prevention Systems.
  • Control and Audit. All accesses are controlled and also audited.
  • Secured / Sliced Down OS. Zoho applications run inside a secured, sliced-down operating system engineered for security that minimises vulnerabilities.
  • Virus Scanning. Traffic coming into Zoho Servers is automatically scanned for harmful viruses using state of the art virus scanning protocols which are updated regularly.

Security Certifications

  • ISO/IEC 27001 is one of the most widely recognised independent international security standards. This certificate is awarded to organisations that comply with ISO’s high global standards. Zoho has earned ISO/IEC 27001:2013 certification for Applications, Systems, People, Technology, and Processes.
  • SOC 2 – Zoho is SOC 2 Type II compliant. SOC 2 is an evaluation of the design and operating effectiveness of controls that meet the AICPA’s Trust Services Principles criteria.

Redundancy and Business Continuity

One of the fundamental philosophies of cloud computing is the acknowledgement and assumption that computer resources will at some point fail. We have designed our systems and infrastructure with that in mind.

  • Distributed Grid Architecture. Zoho services run on a distributed grid architecture. That means a server can fail without a noticeable impact on the system or our services. In fact, on any given week, multiple servers fail without our customers ever noticing it. The system has been designed knowing that server will eventually fail – we have implemented our infrastructure to account for that.
  • Power Redundancy. Zoho configures its servers for power redundancy – from power supply to power delivery.
  • Internet Redundancy. Zoho is connected to the world –and you- through multiple Tier-1 ISPs. So if any one fails or experiences a delay, you can still reliably get to your applications and information.
  • Redundant Network Devices. Zoho runs on redundant network devices (switches, routers, security gateways) to avoid any single point of failure at any level on the internal network.
  • Redundant Cooling and Temperature. Intense computing resources generate a lot of heat, and thus need to be cooled to guarantee a smooth operation. Zoho servers are backed by N+2 redundant HVAC systems and temperature control systems.
  • Geo Mirroring. Customer data is mirrored in a separate geographic location for Disaster Recovery and Business Continuity purposes.
  • Fire Prevention. The Zoho data centres are guarded by industry-standard fire prevention and control systems.
  • Data Protection & Back-up. User data is backed-up periodically across multiple servers, helping protect the data in the event of hardware failure or disaster.

LogixOne Hosting Providers

LogixOne products a hosted by two of the worlds largest hosting providers: Zoho and Alibaba.  We have specifically selected these providers given both then tenor in the cloud hosting market but also their level of commitment to ensure our Customers data is both safe and secure.

The following information details each Cloud Hosting Providers security compliance credentials.

Zoho Compliance Certifications

ISO/IEC 27001 is one of the most widely recognised independent international security standards. This certificate is awarded to organisations that comply with ISO’s high global standards. Zoho has earned ISO/IEC 27001:2013 certification for Applications, Systems, People, Technology, and Processes.

SOC 2 – Zoho is SOC 2 Type II compliant. SOC 2 is an evaluation of the design and operating effectiveness of controls that meet the AICPA’s Trust Services Principles criteria.

For further detail, please visit : https://www.zoho.com/compliance.html

Alibaba Cloud’s Compliance Program

includes a comprehensive range of certifications, worldwide attestation reports, and our commitment to data protection.

Alibaba Cloud has a wide range of compliance certifications such as ISO27001, SOC 2 Type 2 Compliant, PCI compliance, ISO 9001 and more.

For further detail please visit:  https://www.alibabacloud.com/trust-center/compliance?spm=a3c0i.8119595.8763586420.1.2dc1411dk6osEQ

On-Premise IT Infrastructure – An SMB’s Recipe for Disaster

We believe that running the very minimal amount of IT infrastructure on premises is the most appropriate strategy for companies that are considered Small to Medium for the following reasons:

  • Expensive – running on-premise IT infrastructure which has an inherent cost which in many cases cannot be isolated or even calculated in total, requires the following but are not limited to:
    • Hardware – Capital purchase and ongoing support of computers, monitors, networking equipment, backup drives, backup power supplies, etc. All of which have an inherent MTBF.
    • Software licences such as
      • Operating Systems
      • Applications
      • Supporting Apps such as antivirus, anti-malware
      • Management tools
    • Software Updates – any computing device has literally 100’s of different software applications running on it, be they system software, server or end user applications such as Chrome. The following is a snapshot of all the software that can run on ‘on-prem’ IT Infrastructure and all of which represents an ‘Attack Vector’ and as such, is a vulnerability.
      • BIOS
      • Operating System
      • Browsers
      • Browser plugins
      • End user applications
      • Device drivers
      • Antivirus software
      • Networking software
      • Databases
    • Backup – Many companies running on-prem infrastructure think they are doing backups to actually find out they are not. Running daily backups is a complicated process that requires not only more software licences but also adherence to processes which often lapse.  In the event of data loss and the need to recover from backups is very complicated and time consuming that is often not 100% successful and means the ‘system’ or access is down for an extended period of time.
    • Availability – On-prem infrastructure requires power and utilises hardware components that are susceptible to failures. These include components such as Hard-Drives, memory, motherboards, cables etc. which need to operate in unison. A breakdown in one component can bring the entire system down restricting access to employees.
    • Single Access – Running ‘on-prem server-based’ infrastructure typically means that end-users have only one connection point. They need to connect to that server for access and as such need to be either on site or need to connect remotely. Remote ‘Server-based’ connections add another level of complexity and risk to not only the ‘server’, but also to the company network and the personal computer dives connecting to it.

Iseka Services – ISO 27001 Only

Very early on in the inception of Iseka Services, we made a decision that we would only partner with the very best SaaS and Cloud hosting companies.  At a minimum, any data or software hosting provider of must have ISO 27001 certification.

Below are a list of some of our Vendor Partners and their corresponding security policies.

Zoho –                  https://www.zoho.com/security.html

Google –              https://cloud.google.com/security

Alibaba –              https://www.alibabacloud.com/trust-center

Apple –                 https://support.apple.com/en-au/guide/security/welcome/web

Further information on ISO 27001 https://en.wikipedia.org/wiki/ISO/IEC_27001#:~:text=ISO%2FIEC%2027001%20specifies%20a,successful%20completion%20of%20an%20audit.

Conclusion – Think of your needs not that of your hardware supplier

In our experience SMBs mitigate far more risk when leveraging both SaaS and cloud-based hosting services.  Apart from the significant cost reduction it allows SMBs to access both the security technology and the ‘best practices’ that large companies like Zoho and Google are able to provide.  We believe that no SMB could protect themselves to the extent these companies can.

We often hear of criticism from IT vendors regarding the use of cloud in their customer’s environment.  This is inherently motivated by their business needs to sell both hardware and ongoing support services.  Criticism’s often centre on things like:

  • “you hand over your data to someone else”. This is not only not true, it is a false equivalence in that it suggests that your data is safer when stored on “on-prem” infrastructure.   This is simply not the case, again based on the information above.  We suggest that all customers ask their hardware vendors the following question: “Please provide us an intrusion detection test and threat analysis on our IT Infrastructure”.

Small businesses need to be able to grow efficiently so that it can benefit profitably as revenue grows. This means controlling costs whilst leveraging technology, ensuring consideration of their exposure to attack.  Building complex internal data systems is not only complex it is very risky.  Cyber criminals are constantly searching for vulnerable systems and often find the server that is hidden in the cupboard has company data that can be used as a ransom.

In addition, the software technologies provided by SaaS companies run on a shared cost model. The cost to develop, design, host and support is shared by millions of paying users which allows SMBs, with help from people like Iseka Services, to afford the functionality that they could never implement themselves.