AMCS Cloud Security

This article is designed to give an overview of the cloud security employed by AMCS. It covers two areas, namely the application security features and the operational security systems used in the organization, to support product development and management.

1. Application Security Features

AMCS cloud security is delivered using industry best practices and technologies.  We also employ several operational systems and controls to ensure we continuously monitor for new threats or attacks, while keeping your data safe and secure.

1.1 Encryption of Data in Transit

Transmission of all data to our cloud environment is forced to be encrypted with industry standard protocols and cipher suites.  This includes:

• User credentials
• Operational and Financial Data
• Personal Identifiable Information (PII)

Third party systems that attempt to send data to our APIs without these encryption levels are rejected.

We enforce a minimum of TLS 1.2 to ensure all data we accept is encrypted, authenticated and has not been tampered with while in transit between applications.

1.2 Encryption of Data at Rest

Once your data has accepted into our cloud environment it is stored in secure storage services.  These services may vary depending on the type and application related to the data.  The three main types are database, file storage and BLOB storage.

All three of these services are configured to encrypt your data at rest, meaning that if an attacker obtains access to the physical disk or device, the data will be encrypted.

1.3 User Authentication, Authorization and Auditing 

All user credentials are transmitted and stored securely.  Passwords are stored using a one-way hashing algorithm.

The system provides the functionality for your user administrators to manage the access levels by groups and access rights.

All user activity is audited so that you have full traceability for activity on your system.

1.4 Single Sign On (SSO) and Multi Factor Authentication (MFA)

Where possible, AMCS provides full integration with your identity provider to implement a single sign on experience for your users.  These implementations will support any MFA controls you have configured using the following identify providers:

• Okta
• Azure AD
• Google

1.5 DDoS Protection

All network endpoints are protected from common network attacks including distributed denial of service attacks.  A mitigation is automatically put in place when an attack occurs and thereby ensuring the service is available to the valid users.

2. Operational Security Systems

2.1 Database Backup and Retention Policy

AMCS have a data backup and retention policy that is implemented as standard for all instances of AMCS Platform.  This policy includes the regular point-in-time backup of productions databases every 5 minutes continuously.  These snapshots are stored offsite in a different geographical location for the purposes of disaster recovery, but within the same geopolitical boundary to adhere to data sovereignty requirements.  The snapshots are stored for 35 days and can be used to restore the system to a point-in-time with one second accuracy.  In addition to this, long-term backup and retention is place as standard.  There are monthly backups taken that are retained for 12 months, and yearly backups are retained for 10 years. 

2.2 Continuous Monitoring and Alerting

All production systems are integrated to our global 24/7 monitoring system.  This ensures all applications, and their critical dependencies, are available.  In the event of an outage, an alert is triggered that initiates the support process.  

2.3 Threat Detection and Intrusion Alert System

The security system adapts to the usual behavior of the users and any external systems that interact directly with the environment.  When activity occurs that does not fit the usual pattern, it is flagged appropriately.  For example, if a public facing API that normally services traffic from a European region, suddenly gets called from North America, then this anomaly is flagged to the AMCS Cyber Security Team.  

2.4 Vulnerability Assessment

Vulnerability assessment agents are used to continuously scan all servers and endpoints for the latest known vulnerabilities, and these are reported centrally back to the AMCS Cyber Security team.  The vulnerabilities are scored using the CVSS and are actioned as per SLA (see Appendix A).

2.5 Dynamic Application Scanning

We continuously test our latest software release for all known OWASP vulnerabilities.  These scans automatically crawl through a deployed production like environment and tests endpoints for any weaknesses or misconfigurations.  The vulnerabilities are scored using the CVSS and are actioned as per SLA (see Appendix A). 

2.6 Independent Third-Party Security Testing

The AMCS Cloud is subject to a regular security test carried out by an independent CREST certified provider.  The results of the tests are reviewed by the AMCS Cyber Security team and are actioned as per SLA (see Appendix A).

2.7 Endpoint Protection

All endpoints are protected using best in class security software to provide real-time protection against malware, spyware and other malicious software.  

2.8 Update Management

OS updates and patches are rolled out automatically across all servers and this happens on a monthly schedule.  Significant vulnerabilities such as zero-day attacks are handled on a case-by-case basis.

3. Appendix

3.1 Appendix A – SLA on CVSS Rating