Simple Secure Identity Management Verv IAM

| Measure/Control | Description | Technology |
|---|---|---|
| Browser data cleared | Form and JavaScript variable data are cleared after use | HTML and JavaScript methods to clear data variables, executed in the browser after form/data submission |
| AES field-level encryption | Encryption of all private data in the browser prior to transport | The Advanced Encryption Standard (AES) is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001. Verv IAM uses a 128-bit key size for internet transport |

| Measure/Control | Description | Technology |
|---|---|---|
| TLS 1.3 | Transport-layer encryption protocol from the browser to the cloud | Client-server applications use the TLS protocol to communicate across a network in a way designed to prevent eavesdropping and tampering |
| Encrypted payload | Data is encrypted over the wire | Interception of TCP/IP sessions is foiled by an ephemeral key that is in operation only during transit from browser to server. This AES key is discarded after the API Gateway |

| Measure/Control | Description | Technology |
|---|---|---|
| Network Flow Monitoring | VPC flow logs capturing network IP addresses, network interface events, and allow/deny status | AWS VPC Flow Logs network flow monitoring log capture |
| DDoS protection | Measures to protect from common DDoS attacks, such as SYN floods and UDP reflection attacks | AWS Shield; edge-of-network DNS rules to prevent infrastructure (Layer 3 and 4) attacks |
| Network ACLs | Network Access Control Lists are applied within the Virtual Private Cloud (VPC) | AWS Firewall: stateless inbound and outbound rules to allow or deny traffic ingress to and egress from a VPC |
| Monitoring | Analysis of aggregated network logs for potential threats | AWS WAF and GuardDuty threat monitoring intelligence, output from detection of patterns that may indicate attacks |

| Measure/Control | Description | Technology |
|---|---|---|
| Web Application Firewall (WAF) | Monitors HTTPS requests and controls access to content based on conditions such as IP addresses or the values of query strings | AWS WAF Web ACL rules define criteria for handling web requests, with default actions to block or allow requests that pass rule inspection |
| CORS | Cross-origin resource sharing (CORS) lets you control how your REST API responds to cross-domain resource requests | CORS headers: Access-Control-Allow-Origin whitelisted for the Verv IAM domain |

| Measure/Control | Description | Technology |
|---|---|---|
| Continuous infrastructure monitoring | Monitoring of network, hosting, platform services and instances to view, manage and control infrastructure performance | AWS CloudWatch and CloudTrail |

| Measure/Control | Description | Technology |
|---|---|---|
| Identity Policies | User-, group- and role-based permissions to allow and deny access to cloud resources | AWS IAM |
| Endpoint authentication | Validation of signed JWT tokens prior to forwarding requests to endpoint services | Verv IAM IDaaS |
| Multi-factor authentication | Account, email, PIN and password plus MFA code for sign-up and sign-in to configure account data | Verv IAM IDaaS |
| User Account Management | Browser encryption of credentials and protection of private data for sign-up and sign-in | Verv IAM IDaaS |
| Privileged Access Management | Browser encryption of credentials and protection of private data for sign-up and sign-in | Verv IAM IDaaS |

| Measure/Control | Description | Technology |
|---|---|---|
| Continuous infrastructure monitoring | Monitoring of Verv IAM instances to view, manage and control infrastructure performance | AWS CloudWatch |
| Data encryption | Application and database encryption of data in process, in transit and at rest | Verv IAM IDaaS |
| Account Public/Private Key Pair | Each account is issued an RSA 2048-bit PKI key pair that can be rotated | Verv IAM IDaaS |
| Secrets Management | Rotate, manage and retrieve, throughout their lifecycle, the secrets used to access resources protected by a Key Management Service | AWS Secrets Manager |

The GDPR is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. While the GDPR is primarily process-driven, a number of technical controls can be followed.

| Requirement | Description | Compliance |
|---|---|---|
| Article 25 - Data Protection by Design and by Default | The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. | yes |
| Article 30 - Records of Processing Activities | The controller shall maintain a record of processing activities under its responsibility. | yes |
| Article 32 - Security of Processing | The controller shall implement appropriate technical and organisational measures that consider the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. | yes |

| Requirement | Description | Compliance |
|---|---|---|
| Firewalls | Install and maintain a firewall configuration to protect cardholder data. | yes |
| Default passwords | No default passwords are supplied for system passwords and other security parameters. | yes |
| Cardholder Data | No cardholder data is stored. A secure link is provided to the protected PayPal payment gateway. | yes |
| Encrypted Transmission | Encrypted transmission of cardholder data across the internet to the PayPal payment gateway. | yes |
| Anti-Virus and Malware | AWS WAF web application firewall helps protect web applications and APIs against common web exploits. It is regularly updated. | yes |
| Secure Systems | Verv IAM systems development is aligned with DevOps security best practice to maintain secure systems and applications. | yes |
| Restrict Access | There is no access to cardholder data and no cardholder data is stored. | yes |
| Identify Access | Identification and authentication of access to system components is enabled by default, using OAuth and IAM policy controls. | yes |
| Physical Access | There is no physical access to cardholder data. | yes |
| Track Access | Logging and monitoring are enabled by default to track and monitor all access to network resources and cardholder data. | yes |
| Test Systems | Security testing is performed regularly for all systems and processes. | yes |
| Policy | An established and well-maintained access policy that addresses information security is in place for all personnel. | yes |

The Well-Architected Framework is a set of AWS-provided guidelines for ensuring cloud excellence across five pillars, including security.

| Measure/Control | Description | Compliance |
|---|---|---|
| Identity and Access Management | Identity and access management are key parts of an information security program, ensuring that only authorized and authenticated users are able to access your resources, and only in a manner that you intend. | yes |
| Detective Controls | Detective controls are an essential part of governance frameworks and can be used to support a quality process, a legal or compliance obligation, and threat identification and response efforts. | yes |
| Infrastructure Protection | Infrastructure protection encompasses control methodologies, such as defense in depth, necessary to meet best practices and organizational or regulatory obligations. | yes |
| Data Protection | Before architecting any system, foundational practices that influence security should be in place. These methods are important because they support objectives such as preventing financial loss or complying with regulatory obligations. | yes |
| Incident Response | Even with extremely mature preventive and detective controls, your organization should still put processes in place to respond to and mitigate the potential impact of security incidents. | yes |