Overview
IScreenYouScreen.com (ISYS) is a Software-as-a-Service (SaaS) product.
The production service is hosted in the cloud on Amazon Web Services (AWS), which is the most mature
and feature-rich cloud computing platform currently available, and complies with a vast array of
security and compliance standards.
ISYS has been designed with cloud architecture principles in mind, providing automatic horizontal
scaling, disposable virtual servers, always-on resilience, redundant data storage, and
security-by-design. Together these mean the service stays available and responsive no matter
how busy the system gets or what kind of hardware failures occur.
ISYS Cloud Architecture Principles
- Auto-scaling – Servers are created and removed automatically so performance keeps up with
demand.
- Load balancing – Redundant load balancers distribute workload between the scaling group of
servers.
- Built to fail – failure of one or more components causes little degradation of service.
The service recovers or rebuilds failed components.
- Data is replicated to multiple datastores for redundancy.
- Stateless web services – Session data is centrally managed for scaling.
- Application and Database servers are on secure isolated private subnets.
- DNS, CDN, Object Storage and load balancers have full redundancy.
ISYS Infrastructure Architecture
- CDN Edge Servers provide caching of slow changing and static data for optimal performance.
- Static web content is delivered from durable Object Storage.
- Auto-scaling group of web servers across at least two datacenters.
- Elastic Load Balancer delivers web requests to the auto-scaling group.
- Master and slave configuration of databases across two AZs.
- Data recovery is available to any point in time over the last 10 days.
- Serverless components use API Gateway and Functions to serve dynamic page assets.
ISYS Security
The application has been built with security at its heart:
- Infrastructure Security – ISYS is entirely hosted on AWS, which complies with a vast array
of security standards, including ISO 27001, PCI DSS Level 1, and SOC 1, 2 and 3.
- Client Isolation – client access controls are enforced at a domain level within the
codebase, preventing accidental or malicious cross-client access.
- Network Segregation – web servers sit on public subnets with restricted ports enabled,
application and database servers sit on private subnets with security groups
(firewalls) restricting access to known web and application servers and ports.
- Data Security – databases are on private subnets; backups are held within a secure
repository; attachments are held in a private object store and released through a temporary
signed URL valid for 10 minutes.
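The short-lived signed link described above, as an added example that is not ISYS's own code or AWS's presigning implementation: a self-contained HMAC scheme in which the object key and expiry are signed together, the link is rejected once the 10-minute window has passed, and any tampering with the key or expiry invalidates the signature. The signing key, base URL and object names are hypothetical.

```python
"""Time-limited signed download links for attachments in a private store.

Added illustration, not the product's code: an application-level HMAC
scheme standing in for an object store's presigned URL.  Key, base URL and
object names below are constructed placeholders.
"""
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical server-side secret; a real deployment would load this from a
# secrets manager rather than embedding it in source.
SIGNING_KEY = b"example-signing-key-not-real"
BASE_URL = "https://attachments.example.invalid/download"
DEFAULT_TTL_SECONDS = 10 * 60  # the page's 10-minute validity window


def _signature(object_key: str, expires: int) -> str:
    # Sign key and expiry together so neither can be swapped independently.
    msg = f"{object_key}\n{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def make_signed_url(object_key: str, now: int,
                    ttl_seconds: int = DEFAULT_TTL_SECONDS) -> str:
    """Issue a link for object_key that stops working ttl_seconds after now (epoch seconds)."""
    expires = now + ttl_seconds
    query = urlencode({"key": object_key, "expires": expires,
                       "sig": _signature(object_key, expires)})
    return f"{BASE_URL}?{query}"


def verify_signed_url(url: str, now: int):
    """Return the object key if the link is genuine and unexpired, otherwise None."""
    params = parse_qs(urlsplit(url).query)
    try:
        object_key = params["key"][0]
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError, IndexError):
        return None  # malformed link
    if now >= expires:
        return None  # the validity window has passed
    expected = _signature(object_key, expires)
    # Constant-time comparison so the check does not leak signature bytes via timing.
    if not hmac.compare_digest(sig, expected):
        return None
    return object_key


if __name__ == "__main__":
    issued_at = 1_700_000_000  # constructed timestamp
    link = make_signed_url("clients/acme/passport-scan.pdf", now=issued_at)
    print(link)
    print("valid at +9m59s:", verify_signed_url(link, now=issued_at + 599))
    print("valid at +10m:  ", verify_signed_url(link, now=issued_at + 600))
```

The server only needs to keep the signing key; nothing about an issued link has to be stored, and the expiry travels inside the signed message so a client cannot extend it.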
- Transport Encryption – all internet facing traffic is encrypted in transit
using TLS 1.0 or later.
- Data Encryption at Rest – The Database repository and all uploaded attachments are
protected with AES-256 Encryption.
- Web Application Firewall - protects the service with content and connection filtering.
Data Lifecycle
- Sensitive data (NI, Passport, Driving Licence, etc.) are wiped on completion of the screen.
- Backups of this data are kept for up to 6 months before being securely deleted.
- Retrieval of attachments and sensitive data items is recorded in the audit log.
- Attachments are archived after 3 months and automatically permanently deleted 6 months from the
upload date.
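The attachment retention schedule above (archive 3 months after upload, permanent deletion 6 months after upload), applied to a constructed inventory as an added example rather than ISYS's own lifecycle code. Calendar-month arithmetic clamps to the last valid day of the month, so an upload on 31 January becomes due for archiving on 30 April. The record fields and object keys are assumptions.

```python
"""Retention schedule for uploaded attachments.

Added example, not the product's code: evaluates the stated lifecycle
(archive after 3 months, delete 6 months from the upload date) against a
constructed inventory and reports which transitions are due on a given day.
"""
import calendar
from dataclasses import dataclass
from datetime import date

ARCHIVE_AFTER_MONTHS = 3
DELETE_AFTER_MONTHS = 6


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping the day to the target month's length."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


@dataclass
class Attachment:
    key: str          # hypothetical object key
    uploaded: date
    archived: bool = False


def lifecycle_state(uploaded: date, today: date) -> str:
    """Return 'active', 'archived' or 'deleted' for an upload date as of today."""
    if today >= add_months(uploaded, DELETE_AFTER_MONTHS):
        return "deleted"
    if today >= add_months(uploaded, ARCHIVE_AFTER_MONTHS):
        return "archived"
    return "active"


def transitions_due(inventory, today: date):
    """Return (keys to archive now, keys to delete now) for the given day."""
    to_archive, to_delete = [], []
    for item in inventory:
        state = lifecycle_state(item.uploaded, today)
        if state == "deleted":
            to_delete.append(item.key)
        elif state == "archived" and not item.archived:
            to_archive.append(item.key)
    return to_archive, to_delete


# Constructed sample inventory.
SAMPLE_INVENTORY = [
    Attachment("uploads/a/proof-of-address.pdf", date(2024, 1, 31)),
    Attachment("uploads/b/payslip.pdf", date(2024, 3, 15)),
    Attachment("uploads/c/driving-licence.jpg", date(2023, 12, 1), archived=True),
    Attachment("uploads/d/passport.jpg", date(2023, 10, 20)),
]

if __name__ == "__main__":
    archive, delete = transitions_due(SAMPLE_INVENTORY, date(2024, 5, 1))
    print("archive:", archive)
    print("delete: ", delete)
```

Running the schedule daily and acting on the two lists keeps the store consistent with the stated policy; the deletion list is the one that must be irreversible, so it should be the step that is audited.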