Security Processes

Byond is hosted in the public cloud with AWS. AWS provides state-of-the-art data centers and a world-leading compliance program. AWS operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which Byond operates. AWS manages the network devices, but OpusXenta is responsible for secure network configuration.

If a customer chooses to self-host the solution, they will take responsibility for layers from Operating System down.

4. Personnel Security

All OpusXenta staff undergo screening checks before employment including reference, qualification and police checks. Security awareness training is provided at initiation and continuously throughout the year. Staff with privileged access to systems or data receive additional job-specific training on privacy and security. Personnel requiring access to production systems or customer data are required to have undergone appropriate security clearances.

OpusXenta has appointed a Chief Information Officer who is responsible for the performance of the ISMS. All staff have security responsibilities assigned as part of their roles.

5. Identity and Access Management

Byond provides out of the box functionality to support secure access control for customers:

• Role-Based Access Control (RBAC) for configurable, granular provision of permissions and functionality to users
• a SAML 2.0 compliant Service Provider interface configurable for either, or both, Administration and Student portals (coming 2024H2)

When the system is configured to use the native password authentication, password length and complexity requirements are enforced by the system with configurable password policies, including a banned word dictionary. Password expiration can be configured.

Access for OpusXenta staff to the application and infrastructure is provided on a least necessary privilege basis.

6. Standard Operating Environments

OpusXenta uses a documented Standard Operating Environment for all servers. The servers are provisioned as documented and all changes to the environment go through OpusXenta secure development practices.

7. Patch Management

Operating systems automatically apply security updates weekly. Application vulnerabilities are identified through automated systems. The patching and upgrade of software components is incorporated into regular software development procedures and release schedules.

Critical issues and security patches may necessitate an out-of-cycle release, but these are processed through standard change management workflows.

8. Software Development

OpusXenta uses a Secure by Design approach in our Software Development Life Cycle. Security is considered in the design, development and testing of our software. We use a series of software development environments including development, staging and production. Software is only able to progress to the next environment after it passes all the checks at each level including mandatory internal peer code review, static code analysis, automated unit and integration testing, manual QA and UAT.

Access to release branches in the code version repository is strictly limited. OpusXenta uses static code analysis tools to identify known vulnerabilities in developed code, conducted as part of the automated build pipeline.

OpusXenta web applications are developed using security best practice. All developers are trained to be aware of OWASP security guidelines. Database queries are parameterized. Application inputs and outputs are properly sanitised and encoded. Errors and exceptions are logged and monitored. User authentication passwords held within the database are stored salted and hashed.

9. Database Systems

Each customer uses a logically isolated database. Databases are securely provisioned with unique credentials per customer ensuring secure data partitioning. All use and administration of the database is through the web application frameworks minimizing any exposure through direct database access. Database administrator accounts are only used to provision less privileged accounts for system use.

The network is designed to restrict access to the database to the fewest necessary systems. All database data is encrypted at rest using AES-256 with secure key management procedures.

Production, test and development environments are strictly separated on both the database and application server basis.

10. Network Security

OpusXenta divides its systems into separate networks (AWS VPCs) to better protect more sensitive data. Systems supporting testing and development activities are hosted on a separate network from production systems. Customer data is only permitted to exist in the production and staging networks.

Network access to the production environment from open, public networks (the internet) is restricted. Only required network protocols and ports are exposed to minimize the potential attack surface for malicious actors. Changes to the production network configuration are restricted to authorised personnel and all changes logged. OpusXenta uses an Infrastructure as Code approach to the network configuration which uses versioned repositories and is deployed through automations to avoid potential misconfiguration.

Multitenancy: the network and application layers are shared but each customer uses a logically isolated database and object storage in an isolated namespace.

11. Cryptography

Data at rest and in transit is encrypted with modern cryptographic algorithms and protocols.

Transport Layer Security (TLS) is used for all public network connections with a modern security policy meeting an SSL Labs A rating. TLSv1.0 and TLSv1.1 are disabled unless required for legacy application support. HTTP Strict Transport Security (HSTS) ensures that a TLS connection is always used.

AWS S3 is used for storage of documents and other unstructured data. S3 buckets are securely configured, objects are private and encrypted at rest using AES-256.

Structured data stored in AWS RDS is encrypted at rest using AES-256.

12. Logging and Monitoring

Site uptime, host and application performance is monitored by independent third-party services with operational alerting and response procedures in place. Regular governance meetings and performance review ensure the ongoing performance and availability targets are met.

OpusXenta uses Network Intrusion Detection and Cloud Security Posture Management systems. Alerts are centrally monitored and acted upon by responsible teams.

13. Penetration Testing

OpusXenta engages independent, CREST certified entities to conduct application penetration tests annually. Results of these tests are shared with OpusXenta management and available to customers under NDA. Findings are reviewed, prioritised and tracked to resolution. Customers wishing to conduct their own penetration test of a hosted service should obtain permission from OpusXenta.

14. Backup Management

The database operates on the AWS RDS service. Transaction log backups offer a Recovery Point Objective (RPO) of 5 minutes. In case of catastrophic failure Recovery Time Objective (RTO) will vary according to the size of customer databases.

Complete logical backups of the database are stored in S3 daily, offering 99.999999999% durability.

15. Data Retention

Data is retained within the system for the life of the contract. At contract termination, data is returned to the customer and permanently destroyed according to standard operating procedures. Data will be made available in standard, documented formats.

Database backups are retained for 12 months and deleted by automated lifecycle policies.

16. Business Continuity

The concepts of business continuity and disaster recovery are integrated into our design and architecture of highly available systems in the public cloud. Failure is routinely expected, planned for, tested and managed with automated systems and redundancy.

Resilience and scalability are addressed on AWS through:

• Running multiple EC2 instances in multiple Availability Zones (distinct locations that are engineered to be insulated from each other)
• Elastic Load Balancing across multiple Availability Zones
• Using the AWS-managed Relational Database Service (RDS) for highly available databases
• Using Amazon S3 simple, durable, massively scalable data storage

17. Incident Management

OpusXenta has documented Incident Response, Business Continuity and Disaster Recovery plans that are tested at least annually.

Customers will be notified in accordance with our Incident response plans in the case of an incident, the timing of which is outlined in the relevant plans and is based on severity and urgency. The nominated role at OpusXenta will continue to communicate with the customer on the specified schedule until the issue is resolved. OpusXenta will inform the customer as soon as is practical in all cases.

18. Third Party Supplier Management

OpusXenta relies on sub-service organisations, such as AWS, to run its business efficiently. We evaluate and qualify our vendors with a risk-based approach and documented standards which include security, technical and financial assessments. OpusXenta ensures our security posture is maintained through legal agreements and regular security compliance review of these arrangements.

19. Contacts

OpusXenta is continually striving to keep our systems secure. If you become aware of any security issue or have any further queries regarding this document, please contact the security team directly at [email protected].