Examview Cloud Security Summary

Published on May 2016

For more information contact: Bill McIntosh, School Vision Inc, Educational Technology Consultant. Phone: 843-442-8888. Email: [email protected]


SECURITY SUMMARY

Amazon Web Services (AWS)
Amazon Web Services (AWS) is a leading provider of cloud-based
services and solutions. There are several important reasons that
Turning Technologies chose AWS to be our cloud hosting provider
for the ExamView Cloud system:


• Secure: In order to provide end-to-end security and end-to-end privacy, industry experts at AWS build services in accordance with security best practices, provide the appropriate security features in those services, and document how to use those features.

• Scalable and Elastic: Turning Technologies can quickly add and subtract AWS resources to their applications in order to meet customer demand and manage costs. We ensure our products are of the highest quality with the most responsible pricing for our clients.

• Experienced: When using AWS, organizations can leverage Amazon’s leadership in the industry, with more than 15 years of experience delivering large-scale, global infrastructure in a reliable, secure fashion to some of the most prolific web-based commerce companies.


Security
Security is one of the fundamental design requirements of the ExamView Cloud
application. This requirement is comprised of several key aspects that, when combined,
create a secure system.

Data Privacy
The protection of customer data is a very important requirement of the ExamView Cloud
system. ExamView Cloud contains Personal Identifying Information (PII) in the form of first
and last name, and (potentially) student identifiers like email and ID number. In order to
secure this PII data at rest, these fields are encrypted within the AWS Relational Data Store
(RDS) database using industry “best practice” encryption technologies.

Network Security
All communication between the end user and the ExamView Cloud application is
performed over the HTTPS “Secure Socket Layer” (SSL) protocol. In the event that an
end user makes a regular HTTP request, ExamView Cloud will automatically rewrite the
non-secure HTTP request into an HTTPS request before allowing the end user to access
the information. ExamView Cloud utilizes AWS firewalls and security groups to limit
communication between service layers and between individual servers. ExamView Cloud
is hosted by our own Virtual Private Cloud (VPC) within the AWS infrastructure. This VPC
architecture provides additional isolation for the ExamView Cloud application.[4]

Service Security
Individual AWS services and hosted servers are secured using AWS Identity and Access
Management (IAM). IAM provides a role-based system for controlling access to services
and servers. The ExamView Cloud architecture utilizes IAM roles to limit the group of
administrators that are authorized to sign in to the hosted services and servers. IAM
roles are also utilized to control the actions that each type of hosted server is allowed to
perform within the AWS service environment.[5]

Physical Security
Physical security encompasses limiting access to actual hardware computing infrastructure.
This is one of the most important tenets of application security, as a failure at this
level can render security controls at other levels useless. Law #3 of the “Microsoft 10
Immutable Laws of Security” article states: “If a bad guy has unrestricted physical access to
your computer, it’s not your computer anymore.”[2]

AWS takes many steps to ensure the physical security of their data centers. The first
of these measures involves “limiting knowledge of the location of the data centers to
those within Amazon who have a legitimate business reason for this information.”[1] For
employees that are authorized to access the data center, “physical access is strictly
controlled both at the perimeter and at building ingress points by professional security
staff utilizing video surveillance, intrusion detection systems, and other electronic means.
Authorized staff must pass two-factor authentication a minimum of two times to access
data center floors. All visitors and contractors are required to present identification and
are signed in and continually escorted by authorized staff. AWS only provides data center
access and information to employees and contractors who have a legitimate business
need for such privileges. When an employee no longer has a business need for these
privileges, his or her access is immediately revoked, even if they continue to be an
employee of Amazon or Amazon Web Services. All physical access to data centers by
AWS employees is logged and audited routinely.”[3]

In addition to these access controls, AWS provides fire detection and suppression,
uninterrupted power supplies, climate and temperature management and preventative
building maintenance. These items are detailed in the “Amazon Web Services: Overview
of Security Processes” white paper.[3]

Scalability
Due to the often large, but always varying size of the participant user base, it is important
that the ExamView Cloud application is able to scale to meet user demand. AWS
provides two mechanisms that help ExamView Cloud meet this requirement.

Auto Scaling Groups
The ExamView Cloud application is hosted on application servers. Each application
server is able to provide service to a limited number of clients. AWS Auto Scaling Groups
(ASG) allow the system to automatically increase or decrease the number of available
application servers to meet user demand. ASGs utilize AWS performance metrics, such
as average response time, CPU utilization and request counts in order to provide a high
quality of service for the user while minimizing excess capacity.[6]

Elastic Load Balancing
The AWS Elastic Load Balancer (ELB) is an essential component of the auto scaling
process. All requests that are destined for the ExamView Cloud application pass through
the ELB. The ELB utilizes performance metrics to distribute the request workload amongst
the available application server instances.[7]

Reliability
The ExamView Cloud application is designed to be a highly available and reliable system.
ExamView Cloud utilizes multiple AWS availability zones to meet this requirement.

Availability Zones
Within each region, AWS offers multiple availability zones. Each availability zone is an
isolated infrastructure segment that is connected via a low-latency link to the other
availability zones in the region.[8] In the event of an infrastructure failure, it is unlikely that
the failure would affect multiple availability zones. ExamView Cloud is designed to utilize
services in many different availability zones to minimize application service disruption.

References
1. Varia, J. & Mathew, S. (2014, January). Overview of Amazon Web Services.
Retrieved from http://media.amazonwebservices.com/AWS_Overview.pdf
2. Microsoft 10 Immutable Laws of Security. (2014, January). Technet.Microsoft.com.
Retrieved from http://technet.microsoft.com/library/cc722487.aspx#EIAA
3. Amazon, Inc. (2014, November). Amazon Web Services: Overview of Security Processes.
Retrieved from http://d0.awsstatic.com/whitepapers/Security/AWS%20Security%20Whitepaper.pdf
4. Amazon VPC. (2014, January). AWS.Amazon.com.
Retrieved from http://aws.amazon.com/vpc/
5. AWS Identity and Access Management (IAM). (2014, January). AWS.Amazon.com.
Retrieved from http://aws.amazon.com/iam/
6. Auto Scaling. (2014, January). AWS.Amazon.com.
Retrieved from http://aws.amazon.com/autoscaling/
7. Elastic Load Balancing. (2014, January). AWS.Amazon.com.
Retrieved from http://aws.amazon.com/elasticloadbalancing/
8. Regions and Availability Zones. (2013, October). Docs.AWS.Amazon.com.
Retrieved from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/concepts.html
