Security is at the heart of the system, from controlling how you access the system to how personal data is protected within it. Our approach to security and compliance has always been taken from the perspective of a regulated enterprise. The system has been built on cloud infrastructure to the highest of standards, providing resilience to failure and automatically adapting to increases in demand, with ongoing consultation from our own certified solutions architect.

Overview

IScreenYouScreen.com (ISYS) is a Software-as-a-Service (SaaS) product.

The production service is hosted in the cloud on Amazon Web Services (AWS), which is the most mature and feature-rich cloud computing platform currently available, and complies with a vast array of security and compliance standards.

ISYS has been designed with cloud architecture principles in mind, providing automatic horizontal scaling, disposable virtual servers, always-on resilience, redundant data storage, and security-by-design. All of this means that a good service will be provided at all times, no matter how busy the system gets, or what kind of hardware failures may crop up.

 

ISYS Cloud Architecture Principles

  • Auto-scaling – Servers are created and removed automatically so performance keeps up with demand.
  • Load balancing – Redundant load balancers distribute workload between the scaling group of servers.
  • Built to fail – Failure of one or more components causes little degradation of service. The service recovers or rebuilds failed components.
  • Data is replicated to multiple datastores for redundancy.
  • Stateless web services – Session data is centrally managed for scaling.
  • Application and Database servers are on secure isolated private subnets.
  • DNS, CDN, Object Storage and load balancers have full redundancy.

 

ISYS Infrastructure Architecture

  • CDN Edge Servers provide caching of slow changing and static data for optimal performance.
  • Static web content is delivered from durable Object Storage.
  • Auto-scaling group of web servers across at least two datacenters.
  • Elastic Load Balancer delivers web requests to the auto-scaling group.
  • Master and slave configuration of databases across two Availability Zones (AZs).
  • Data recovery is available to any point in time over the last 10 days.
  • Serverless components use API Gateway and Functions to serve dynamic page assets.

 

ISYS Security

The application has been built with security at its heart:

  • Infrastructure Security – ISYS is entirely hosted on AWS, which complies with a vast array of security standards, including ISO 27001, PCI DSS Level 1, and SOC 1, 2 and 3.
  • Client Isolation – client access controls are enforced at a domain level within the codebase, preventing accidental or malicious cross-client access.
  • Network Segregation – web servers sit on public subnets with only restricted ports enabled; application and database servers sit on private subnets, with security groups (firewalls) restricting access to known web and application servers and ports.
  • Data Security – databases are on private subnets; backups are held within a secure repository; attachments are held in a private object store and released through a temporary signed URL valid for 10 minutes.
  • Transport Encryption – all internet-facing traffic is encrypted in transit using TLS 1.0 or later.
  • Data Encryption at Rest – the database repository and all uploaded attachments are protected with AES-256 encryption.
  • Web Application Firewall – protects the service with content and connection filtering.

 

Data Lifecycle

  • Sensitive data (NI, Passport, Driving Licence, etc.) is wiped on completion of the screen.
  • Backups of this data are kept for up to 6 months before being securely deleted.
  • Retrieval of attachments and sensitive data items is recorded in the audit log.
  • Attachments are archived after 3 months and automatically permanently deleted 6 months from the upload date.

 

 

