The Elastic Digital (Trading as Elastic Grid) Security Policies and Procedures
Physical and Network Security
We use Amazon's AWS platform and infrastructure for the Elastic Grid platform. Elastic Grid employees do not have any physical access to our production environment.
Here are more details about the security setup of AWS:
(From AWS Security Whitepaper)
In addition to physical security, being on AWS's platform also provides us with significant protection against traditional network-level attacks on infrastructure, such as:
- Distributed Denial Of Service (DDoS) Attacks
- Man In the Middle (MITM) Attacks
- IP Spoofing
- Port Scanning
- Packet sniffing by other tenants
The production environment is also secured using anti-malware and intrusion prevention policies.
We use two-factor authentication for access to all our administrative operations on our production infrastructure. Administrative privileges are restricted to very few employees. Additionally, both application level roles and AWS roles are used to ensure only required operations are allowed for specific users.
Secured VPN accounts are required to gain console access to our servers, and each login is tied to an individual user. In addition, our servers can be accessed only from a restricted set of IP addresses.
Hosts are segmented and access is restricted based on functionality. That is, application requests are allowed only from AWS ELB and database servers can be accessed only from application servers.
- Secure Access: Elastic Grid platform servers can be accessed only via HTTPS. We use industry-standard encryption for data traversing to and from the application servers.
- XSS: All user inputs are properly encoded when displayed, so that XSS vulnerabilities are avoided.
- CSRF: All POST requests are checked for a valid CSRF token before the request is processed.
- SQL Injection: We use prepared statements for all database access to avoid SQL injection.
- Encrypted Data Storage: The type of data we deal with is typically product marketing content and partner campaign tracking, which does not fall into the sensitive data category. However, passwords are hashed with an industry-standard hashing algorithm before storage. Users register with their own choice of password, which must comply with strong password principles.
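The four application-level controls listed above (output encoding, CSRF token checks, prepared statements and password hashing) are shown below in one small Python module. This is an added example written for this page; it is not Elastic Grid's code, and the sample campaign rows, the PBKDF2 iteration count and the minimum password policy are assumptions made for illustration.

```python
import hashlib
import hmac
import html
import os
import secrets
import sqlite3


# --- XSS: encode user input at output time, when it is placed into HTML ---
def render_name(user_input):
    """Return the value wrapped in a span, with HTML metacharacters escaped."""
    return "<span>" + html.escape(user_input, quote=True) + "</span>"


# --- CSRF: a per-session random token that every POST must echo back ---
def issue_csrf_token():
    """Token stored in the server-side session and embedded in each form."""
    return secrets.token_urlsafe(32)


def csrf_token_valid(session_token, submitted_token):
    """Reject missing tokens, then compare in constant time."""
    if not session_token or not submitted_token:
        return False
    return hmac.compare_digest(session_token, submitted_token)


# --- SQL injection: bound parameters versus string concatenation ---
def make_db():
    """In-memory SQLite table with constructed sample campaign rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE campaigns (id INTEGER PRIMARY KEY, name TEXT, partner TEXT)")
    conn.executemany("INSERT INTO campaigns (name, partner) VALUES (?, ?)",
                     [("spring-launch", "acme"), ("q3-promo", "globex")])
    conn.commit()
    return conn


def find_campaigns_unsafe(conn, partner):
    """The pattern to avoid: the value is spliced into the SQL text."""
    sql = "SELECT name FROM campaigns WHERE partner = '" + partner + "'"
    return [row[0] for row in conn.execute(sql)]


def find_campaigns(conn, partner):
    """Prepared statement: the value is bound and never parsed as SQL."""
    sql = "SELECT name FROM campaigns WHERE partner = ?"
    return [row[0] for row in conn.execute(sql, (partner,))]


# --- Password storage: salted PBKDF2-HMAC-SHA256, never reversible ---
PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to the server hardware


def hash_password(password):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute the digest with the stored salt and iteration count."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    calc = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(calc.hex(), digest_hex)


def password_is_strong(password):
    """Assumed minimum policy: 12+ characters with upper, lower and digit."""
    return (len(password) >= 12
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password))


if __name__ == "__main__":
    conn = make_db()
    print(render_name("<b>bold</b>"))
    print(find_campaigns(conn, "acme"))
    stored = hash_password("Correct-Horse-9")
    print(verify_password("Correct-Horse-9", stored))
```

The two query functions make the SQL injection point concrete: with a partner value containing a quote and an OR clause, the concatenated query returns every row, while the bound-parameter query treats the whole string as a literal partner name and returns nothing. The CSRF and password checks both use `hmac.compare_digest` so that a mismatch takes the same time regardless of where the first differing byte is.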
Vulnerability Scanning and Patching
We periodically check and apply patches for third party software/services. As and when vulnerabilities are discovered, we apply the fixes. We do monthly vulnerability scanning using the services of an independent IT security consultant.
Data Storage and Redundancy
We have configured our databases in Multi Availability Zones to make sure no interruption impacts the continuity of the service by automatically failing over to the other database. Each AZ runs on its own physically distinct, independent infrastructure, and is engineered to be highly available and reliable.
The principal databases are backed up every hour, and the backups are stored on-site.
Server snapshots are taken at the following frequency:
- Hourly (one instance kept)
- Daily (six instances kept)
This gives us the ability to restore servers and their configurations at each of these restore points.
Monitoring and Service Level Agreement
We use both internal and multiple external monitoring services to monitor the Elastic Grid platform. Our monitoring system alerts the Operations & Security Team by email and phone call if there are any errors or abnormalities in the request pattern.
We will use commercially reasonable efforts to make our service available with a monthly uptime percentage of at least 99.89%.
We are working continuously to make our system secure. If you find any security issue, please report it to email@example.com. We take security very seriously; it is our highest priority. We will make sure the issue is fixed and an update published at the earliest possible time.
Contacting Elastic Digital about Security
If you have any questions about our privacy statement, the information we have collected from you online, the practices of this site, or your dealings with this web site, please contact us:
Elastic Digital Pty Ltd
Suite 4A, 30 Boronia Street
Redfern NSW 2016
ABN: 72 092 238 018
ACN: 092 238 018
+61 2 8396-5700
+61 2 8399-3601