Recent Searches

No recent searches

    Popular Articles

      Articles
      View all
        Topics
        View all
          Tickets
          View all
            no results

            Sorry! nothing found for

            Infrastructure, Security and Application Management

            Modified on Mon, 16 Sep, 2024 at 9:34 AM

            This help document details all Venue Directory system information in relation to Infrastructure, Security and Application Management.


            TABLE OF CONTENTS


            Cyber Essentials Plus certified

            Cyber Essentials is a UK Government IT assurance scheme operated by the National Cyber Security Centre. It encourages organisations to follow good security practices to protect them from external and internal network threats.

            Venue Directory successfully achieved the Cyber Essentials certification first time on the 5th of March 2021 and we have continued to monitor and update our infrastructure on a regular basis to maintain those security standards and successfully renewed Cyber Essentials accreditation every year since.

            In April 2024, we achieved the Plus certification where a hands-on technical verification is carried out.

             Certification Number: 9886836b-633b-41d1-8477-853968df7538. You can validate the authenticity of the accreditation scanning the QR code below:

            As part of the Cyber Essentials scheme, which includes over 60 different checks and policies, Venue Directory regularly scans the company devices and network infrastructure to comply with those regulations. This is monitored on a daily basis and any critical and important vulnerabilities will be patched and resolved within 14 days of the patch being published.

            Site Hosting 

            All websites owned and/or operated by venuedirectory.com are hosted on Microsoft’s Azure cloud platform. Azure provides state-of-the-art virtualized hosting with a high degree of security and resilience and the ability to quickly scale based on demand. 

            All servers are virtual machines and they are fully secured in the Microsoft and Amazon Dublin data centres (within the European Economic Area).

            This means we have no concerns over physical hardware failure and can respond very quickly if an issue occurs. We can initialise a new server instance within 5 minutes.

            Microsoft Azure and Amazon Web Services meet a broad set of international and industry-specific compliance standards, such as ISO 27001, HIPAA, FedRAMP, SOC 1 and SOC 2, as well as UK specific standards, such as Government Cyber Essentials PLUS.


                         Our Infrastructure

            Venuedirectory.com runs on the Microsoft technology stack (SQL Server, Windows Server, ASP.NET, .NET 8+) and uses the latest stable Microsoft server products updated with the most recent security updates. Access to production servers is IP restricted to authorised staff only. The following diagram demonstrates our current infrastructure setup:

            A screenshot of a computer Description automatically generated

            Server Infrastructure:

            All our web servers run in a virtualized environment in Microsoft Azure and mail server in Amazon AWS allowing us to deploy new servers quickly if required and scale them up or down based on traffic/demand. Azure and Amazon AWS comply with ISO 27018:2014, ISO 27001:2013 and both are UK Cyber Essentials PLUS certified.

            We use a variety of server sizes from a 2 Cores 8 Gb on internal servers and/or small requirements to a 8 Cores 112 Gb for our production database server. 

            Windows Server 2019 and 2022 64 bits is the standard operating system for our Windows servers and version 22.04 of Ubuntu on our Linux servers.

            Web servers on these machines run IIS 10 on Windows and Apache and Nginx for the Linux servers with TLS 1.2 security implemented and SSL certificates for HTTPS secure data transmission.

            All disks (OS and data) are encrypted. Bitlocker in Windows and DM-Crypt for Linux.

            The remote management of all our servers is password secure and access is restricted to authorised personnel.

            All servers have installed Microsoft AntiMalware, Diagnostics and Monitoring tools and we run and check a vulnerability assessment periodically to make sure all latest security and software updates are installed and audit any malicious access attempts.

            Database Infrastructure:

            We run Microsoft SQL Server 2019 Standard on a standalone setting in our Virtual Machines on Azure.

            Other relational database management systems we use are MySQL and PostgreSQL on Linux servers for internal use or CMS database driven systems developed in collaboration with external companies.

            Our custom solutions segregate each client’s data into a separate database with unique login credentials each to minimise the risk of any data leak across different instances.

            We use other non-relational database systems such as Redis Distributed Cache and Azure Blob and Table Storage.

            We don’t store data in any local desktop databases applications.

            Although our hosting solution provides redundancy and resiliency for our data, to minimise potential impact to our clients we automatically back-up our databases every 15 minutes. This means that we can restore individual client’s data within a 15-minute window. We also ship our backups daily, encrypted and password secure, to a separate storage location hosted on Amazon AWS in their Dublin data centre.

            Development Team Infrastructure:

            Our developers run dedicated desktop and laptop Windows PCs with a minimum specification of Intel i7/i9 processors and 16/32Gb of RAM and 512Gb SSD disks for high performance. The operating system will be Windows 10 or 11 Pro with disk encryption enabled.

            All the workstations are secured with Microsoft Active Directory and Okta as SSO provider. Disks are Bitlocker encrypted and EDR Crowdstrike tool will stop possible breaches by preventing and responding to all types of malware attacks.

            We run MS Visual Studio Professional 2022 and MS SQL Server Management Studio for our development as standard. Developers might use a variety of tools for their work approved by company software policies.

            The code is securely stored in our Azure DevOps account. The version control chosen is Git and we use a variety of Git clients on developers machines for pulling and pushing code to our repository, all secured using https or SSH access.

            The range of internet browsers developers use to check their work is on Firefox and Chrome latest versions although Edge are also supported and tested on most occasions. On 15th June 2023 Microsoft officially end-of-support for the Internet Explorer 11.

            Other development tools we use on a daily basis are: Redis Desktop Manager, Azure Storage Cloud Explorer, Remote Desktop Manager

            Key Development Team Applications:

            1. Jira Software (cloud version): Ticketing and project management system. User authenticated linked to our secure Okta accounts.
            1. Azure DevOps (cloud): Code repositories. Build and release deployment tools. User authenticated integrated with Azure Active Directory and 2-step verification from unknown devices access.
            1. Slack (cloud version): Chat messaging application. We currently only use it to send automated system alerts and code build/deployment messages.
            1. AWS storage for backups

            Support Team Infrastructure:

            All desktop and laptops are Windows PCs run on Windows 10/11 Pro.

            All the workstations are secured with Microsoft Active Directory and Okta and Crowdstrike is the chosen EDR tool.

            Local user accounts do not have administrator privileges. 

            All PC’s run the Windows built-in firewall and company Netskope will scan for any insecure access.

            Key Support Team Applications:

            1. FreshDesk (cloud based): Ticketing system. User authenticated and HTTPS
            1. FreshChat (cloud based): Customer Chat Widget. User authenticated and HTTPS
            1. Jira (cloud based): Ticketing and project management system. User authenticated and HTTPS

             

            Our Security 

            We take security very seriously at venuedirectory.com. Our services run using 2,048-bit RSA encryption with the latest TLS protocol version 1.2 implemented and servers constantly monitored and patched up and upgraded to the latest security standards.

             

            A screenshot of a computer screen Description automatically generated

            The Qualys SSL Labs score above demonstrates our web servers include the most secure encryption protocols to date and are protected against the latest known threats. Qualys, Inc. is a pioneer and leading provider of cloud-based security and compliance solutions with over 9,300 customers in more than 100 countries. 

            All our servers are connected securely from our premises network only and a firewall solution blocks any unwanted external traffic and/or any malicious attacks. All the latest security updates are applied as soon as they become available and our data drive applications are protected against SQL injections.

            All account passwords are one-way hashed using a secure algorithm; this uses the SHA-256 hashing algorithm. This means that even we cannot see any passwords and no passwords are ever stored in plain text. We operate a secure password reset system where the user wanting to reset their password will need access to the email address associated with the account. When passwords are reset by the system, the user is forced to change the password to one of their choosing on their next login.

            For additional security, each Gratis user is required to provide 3 pieces of information to access the system. Username and password, followed by three characters chosen randomly from the 15 character security key provided by the agents.

            Mail delivery

            We use a mail server solution allocated in Amazon Web Services (AWS) for delivering application notifications such as enquiries, documents, claims, contact forms and many others.

            Our mail server runs on a Linux box Ubuntu and includes the latest updates and the highest security standards and protocols and encryption methods to ensure the communication to the destination does not allow any untrusted access attempt to send non-authorised emails or to interfere with the email messages delivery in any way. Every single email we send contains a unique 1,024 bits DKIM signature to prevent spoofing and to confirm its authenticity.

            To improve deliverability rate and comply with some third-party mail server restrictions, we suggest to all our GRATIS agents to change their SPF domain record to include:

            include:venuedirectory.com

            In order to authorise venuedirectory.com domain to send communications to venues and clients on behalf of the GRATIS agents using our services.

            Internal Office Systems

            We use the O365 Suite for productivity applications and store documents and files in Box. Our e-mail client is Outlook. All securely accessed through Okta SSO.

            All systems are fully encrypted with the ability to control and limit access within the business. 

            All Passwords must meet a strong standard set by Venuedirectory with the password recovery only available to the authorised Administrator accounts. 

            Administration access accounts have 2-step verification on unknown devices and are limited to authorised personnel. 

             

            Disaster Recovery

            In the unfortunate event where a complete outage and/or critical situation brings our infrastructure down to a halt and is beyond our control to resolve within the current data centre/platform, we have implemented a recovery plan in order to move our applications and data elsewhere in the shortest time-scale possible.

             

            Database backups in Amazon Glacier Storage (Dublin data centre) will be copied and restored to the new platform/data centre and our code from the Azure repository in North Central US Microsoft data centre will be re-deployed to the new virtualized web servers. 

             

            All the processes above can take many hours but would bring our applications back in the eventuality of a major disaster in our current infrastructure.

             

            Performance and Capacity Management

            We use a variety of monitoring tools and features from our Azure subscription to analyse services usage and whether our infrastructure requires changes or any increase in resources to perform to our clients expectations and guarantee our SLA reaches the highest possible (average of last 3 months 99.93%).

             

            Tools we use to monitor the performance of our infrastructure includes:

            1. Microsoft Azure Monitor: Provides a variety of health checks and metrics of all our Azure services. We do set different alerts to warn our team when any services outage or certain levels are reached.
            1. Datadog: Logs all our systems performance in one place and provides a range of dashboards and monitoring alerts to give us an insight of any issues as soon as they are happening. Alerts are sent to Hipchat rooms and by email monitored at all times.
            1. Microsoft Operations Management Suite: It constantly checks servers health and network connectivity, whether security or antivirus/malware updates are required, any malicious access attempts and the status of the website applications in our web servers.
            1. Azure Application Insights: Websites and applications auditing tool. It allows us to find out performance and any disruption on our applications and compare previous data so we could investigate if a recent code change has had any impact and rollback if necessary.

             

            Application Upgrades

            We follow a trunk based development cycle:

            1. New features are envisioned and prioritized. Support tickets and bugs are triaged.
            2. Work requirements are analysed and a low-level specification is written down or a higher level specification is attached to our ticket system and distributed to developers on team capacity.
            3. The development team completes the work based on iteration requirements and feedback is given by the QA team in our pre-production environment.
            4. All the code and libraries are fully scanned and analysed with Mend and Checkmarx standards to stop any vulnerabilities before being deployed to any UAT or production environment.
            5. Work signed off on pre-production gets deployed to the UAT environment for regression and QA (Quality Assurance) testing.  Any internal and/or external training will be provided and feedback is given. Any communication and documentation will be put in place to inform clients about the upcoming changes.
            6. Final release of the iteration into production as soon as possible. Check deployment, fix any issues and roll back if required.

            A diagram of a product development process Description automatically generated

             

            Antivirus and Firewall

            Our virtualized servers come with the Microsoft Anti malware for Azure solution and updates are regularly installed with the latest definitions. The monitoring tools will report to us whenever any suspicious activity has been detected or if any missing updates.

             

            We have implemented a number of inbound NAT rules on our server load balancers and network interfaces to only allow specific ports to our servers and where possible set restrictions from where those connections are allowed, such as office network or VPN clients and whether they will be permanent or temporary access. On top of that, the standard Windows Firewall is implemented to add an extra layer of security.

             

            Supported Web Browsers

            All our websites, whether developed and/or controlled by us, support the most common internet browsers W3C and HTML5 standards compliant.

            Any internet browser version from 2018 onwards should be fully supported and that includes:

            • Microsoft Edge
            • Firefox
            • Chrome
            • Safari

             

            Mobile Phone Compatibility

            Most of our developments are mobile friendly and functionality will not be compromised whether it is on a desktop/laptop browser screen or on a smaller device's displays. 

            All of our latest applications are developed with a responsive design in mind to adjust automatically to the size of the screen on the device they are used. 

            We keep working on improving existing applications and ensure any new developments offer the best user experience including mobile and tablet use.

             

            Application diagram

             

            A diagram of a company Description automatically generated

             

            Frequently Asked Questions

            • Who does or how do we perform our disk encryption?  Is it outsourced?

            We use the Microsoft Azure builtin disk encryption managed under each Virtual Machine we have with them. The encryption key is stored in an Azure vault.

             

            • Intrusion protection monitoring?  How do we do this?

            This is achieved using the Azure Security Center feature which monitors various aspects of our servers and services and alerts us whenever there are malicious attempts to gain access to any of our cloud services.

             

            • Email delivery - what's the technical explanation of how we deliver our GRATIS user emails?

            Our mail server is a Postfix hosted on an Ubuntu Server

            The server is restricted to only allow access from our web/application servers. It uses the latest security protocols (TLS 1.2) and also implements a variety of authentication and validation mechanisms to digitally sign every email (DKIM) and guarantee our domain is not blacklisted in any spam list.

            The current deliverability score is 92.25% at the time of writing this document.

            The process in which applications such as GRATIS send emails to users is establishing a secure connection to the mail server and transferring the messages over through an encrypted channel.


            Was this article helpful?

            That’s Great!

            Thank you for your feedback

            Sorry! We couldn't be helpful

            Thank you for your feedback

            Let us know how can we improve this article!

            Select at least one of the reasons
            CAPTCHA verification is required.

            Feedback sent

            We appreciate your effort and will try to fix the article

            Preview
            0 of 0