Security
Introduction

The information and information systems are valuable assets and must be protected. This is achieved by implementing proper security frameworks for managing risks and ensuring business continuity by preventing security incidents and reducing their potential impact.

We are using AWS Global Cloud Infrastructure to manage the application code, data, database and documentation. More details on how AWS’s security controls are implemented can be found here ( https://aws.amazon.com/compliance/data-center/controls/).

Data Security

Data is the key to any business, and to maintain confidentiality, availability and integrity of data at all times, we follow strict ISMS guidelines that revolve around our architecture, development and operations. Additionally, we use Amazon’s Relational Database Service for database operations in the cloud - which ensure secure and controlled network access through an industry-standard encrypted IPsec VPN along with scalability and High availability coupled with role based access restrictions. Access control is further enhanced through the Amazon Access Control Lists which provide an added layer of security based on Source and target identity.

Encryption
In Transit

All data transferred between your browser and servers is secured with industry standard TLS 1.2/1.3 encryption protocols. This includes web application, API, mobile Apps and email client access.

We have enabled secure configurations like perfect forward secrecy (PFS) and HTTP Strict Transport Security header (HSTS) to all our web traffic, this mandates browsers to connect only via encrypted communication channels.

At Rest

All our storage disks of all server instances are encrypted using Disk Level Encryption.

Customer data using sensitive fields is highly encrypted using 256-bit Advanced Encryption Standard (AES), further strengthened with AWS Key Management Service (KMS) for Key management.

Backups are encrypted using AES-256 at AWS S3.

Engineering Practices

Engineering teams follow secure coding guidelines, as well as manual review/ screening of the code before it is deployed to production environment.

The secure coding guidelines are based on OWASP standards and implemented accordingly to protect against common threats and attack vectors (like SQL injection, Cross site scripting) within the application layer.

Application Security

Our applications and services are hosted on Amazon Web Services environment across multiple regions using a combination of various AWS products and services. The infrastructure for databases and application server instances are securely managed and maintained by AWS. 

The application is initially protected by AWS’s Firewall which is highly equipped to counter regular DDoS attacks and other network related intrusions in a real time environment. The second layer of protection is a web application firewall (WAF) which monitors against offending IPs, users and spam to prevent from scripting attacks. At KONZE, we take an integrated approach to application security, to ensure everything from engineering to deployment, including architecture and quality assurance processes, complies with our highest standards of security. 

While the application can be accessed only by users with valid user access, it should be noted that security in cloud-based products is a shared responsibility between the company and the businesses who own those accounts on the cloud. 

We use the best possible security by assigning Authentication tokens passed through the WebAPI to access our services. The AWS Security Token Service configured over AWS IAM roles for users offers a cutting edge authentication mechanism deployed as part of our environmental access controls. 

Network Security

Our Local Internal network where applications are developed, deployed, monitored and managed is highly secured by industry-grade Firewalls with UTM and industry-leading Antivirus software suites, to protect internal information, data and network from intrusions and to provide real time alerts in the event of a threat or an incident.

All our Firewall logs are stored and reviewed periodically. Advanced features of Firewall like real time network systems monitoring, traffic tracking, malicious attack detection, Threat Weight Tracking have been well configured and live alerts are enabled to support staff for prompt reaction. 

Access to the production environment is strictly constrained via SSH and remote access is possible only via the Internal Office Network. Audit logs are generated for each remote user session and reviewed by a team of experts in almost real time. Also, the accesses to production systems are always through a multi-factor authentication mechanism. Our data centers hosted in AWS are ISO 27001 and SSAE-16 compliant.

Operational Security

These practices focus on monitoring real time communication systems for active threats and procedures to keep information systems protected.

Logging & Monitoring

Infrastructure and applications are monitored 24X7 with proprietary and enterprise tools. We monitor internal traffic within our network, as well as usage of devices and terminals. We record application logs, security logs, administrator logs, and system logs. These logs are then analyzed and correlated for anomalies and adverse events which maybe further investigated and escalated as incidents. These logs are stored securely in an isolated capacity.

Backup

Backing up the data regularly is critical for any Organization with business continuity in mind. We backup our AWS EC2 instances by creating their images using Amazon Machine Image (AMI), whereby a snapshot is created from the existing instance and can be used to restore the instance back completely, if needed.

Each snapshot (image) preserves the configuration and can be used to deploy new copies of it if needed in the unlikely event of instance failure. Images are stored on Amazon S3 which is known for being highly durable and reliable. Further, AWS full and partial Database backup solutions are used to automate backups on AWS RDS.

The technologies working in collaboration offer a dependable backup solution and the system can be restored to an operational state with minimum to no downtime. 

Security Patches

We perform preventative maintenance to protect against any potential vulnerabilities by deploying patches as and when they are developed internally or otherwise become available.

At Konze, we ensure that our development and AWS instances run on up-to-date supported Operating Systems with advised security patches in a timely manner.

Incident Management & Disaster Recovery

Incident Management Process describes the activities of an organization to identify, analyze, and correct hazards to prevent a future occurrence. If not managed, an incident can escalate into an emergency, crisis or a disaster.

Industry leading Incident Handling and Response tools are in use for Incident Management. Under strict Internal Policies every event gets recorded and analyzed. If identified as a possible threat scenario, a Risk Management Plan is put to action where the event and its monitoring / control mechanisms get re-evaluated to avoid any future reoccurrence. 

With system availability and uptime at the heart of our service offering, we use AWS DR Plans backed up by strict SLA clauses. Combined with our backup & restore mechanisms with agility being at the forefront, our DR solutions offers the shortest MTT (Mean Time To Recovery) in case of an unforeseen outage.

Reporting

Dedicated team is responsible to look at different events occurring within the environment that applies to you, and we follow the industry’s best practices mandatory actions of handling and reporting it in a timely manner. We track the root cause of the problem and take precautionary measures to avoid this in future. Further measures and controls are put in place to mitigate similar situations.

Breach Notification

If a breach is discovered at the service level, we will alert it’s customers and the concerned authorities within 72 hours of the discovery.