IScreenYouScreen.com (ISYS) is a Software-as-a-Service (SaaS) product.
The production service is hosted in the cloud on Amazon Web Services (AWS), which is the most mature and feature-rich cloud computing platform currently available, and complies with a vast array of security and compliance standards.
ISYS has been designed with cloud architecture principles in mind, providing automatic horizontal scaling, disposable virtual servers, always-on resilience, redundant data storage, and security-by-design. All of this means that a good service will be provided at all times, no matter how busy the system gets, or what kind of hardware failures may crop up.
ISYS Cloud Architecture Principles
- Auto-scaling – Servers are created and removed automatically so performance keeps up with demand.
- Load balancing – Redundant load balancers distribute workload between the scaling group of servers.
- Built to fail – Failure of one or more components causes little degradation of service. The service recovers or rebuilds failed components.
- Data is replicated to multiple datastores for redundancy.
- Stateless web services – Session data is centrally managed for scaling.
- Application and Database servers are on secure isolated private subnets.
- DNS, CDN, Object Storage and load balancers have full redundancy
ISYS Infrastructure Architecture
- CDN Edge Servers provide caching of slow changing and static data for optimal performance.
- Static web content is delivered from durable Object Storage.
- Auto-scaling group of web servers across at least two datacenters.
- Elastic Load Balancer delivers web requests to the auto-scaling group.
- Master and slave configuration of databases across two Availability Zones (AZs)
- Data recovery is available to any point in time over the last 10 days
- Serverless components use API Gateway and Functions to serve dynamic page assets
The application has been built with security at its heart:
- PenTested – the system is professionally penetration tested by an independent CREST-certified security consultant for all known vulnerabilities and exploits, with every minor point risk assessed and remediated.
- Infrastructure Security – ISYS is entirely hosted on AWS, which complies with a vast array of security standards, including ISO 27001, PCI DSS Level 1, and SOC 1, 2 and 3.
- Client Isolation – client access controls are enforced at a domain level within the codebase, preventing accidental or malicious cross-client access.
- Network Segregation – web servers sit on public subnets with restricted ports enabled, application and database servers sit on private subnets with security groups (firewalls) restricting access to known web and application servers and ports.
- Data Security – databases are on private subnets; backups are held within a secure repository; attachments are held in a private object store and released through a temporary signed URL valid for 10 minutes.
- Transport Encryption – all internet facing traffic is encrypted in transit using TLS 1.0 or later.
- Data Encryption at Rest – The Database repository and all uploaded attachments are protected with AES-256 Encryption.
- Web Application Firewall - protects the service with content and connection filtering.
- Sensitive data (NI, Passport, Driving Licence, etc.) are wiped on completion of the screen.
- Backups of this data are kept for up to 6 months before being securely deleted
- Retrieval of attachments and sensitive data items is recorded in the audit log.
- Attachments are archived after 3 months and automatically permanently deleted 6 months from the upload date.
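A minimal sketch of the time-limited attachment release and audit logging described in the Data Security and audit log items above, added here as an illustration; it is not ISYS code and not the AWS pre-signing algorithm. The HMAC scheme, signing key, host name and function names are all assumptions.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

SIGNING_KEY = b"constructed-demo-key"  # constructed; a real key lives in a secret store
URL_TTL_SECONDS = 10 * 60              # the 10-minute validity stated above
AUDIT_LOG = []                         # stand-in for the audit log

def _signature(path, expires, user):
    # Bind the object path, the expiry and the requesting user into one MAC.
    msg = f"{path}\n{expires}\n{user}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()

def _audit(path, user, now, outcome):
    # Every retrieval attempt is recorded, including refused ones.
    AUDIT_LOG.append({"time": now, "path": path, "user": user, "outcome": outcome})
    return outcome

def issue_url(path, user, now=None):
    """Return a signed URL for a private object (hypothetical host name)."""
    now = int(time.time() if now is None else now)
    expires = now + URL_TTL_SECONDS
    query = urlencode({"expires": expires, "user": user,
                       "sig": _signature(path, expires, user)})
    return f"https://attachments.example.invalid{path}?{query}"

def redeem_url(url, now=None):
    """Validate a signed URL; returns the outcome written to the audit log."""
    now = int(time.time() if now is None else now)
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    try:
        expires = int(params["expires"][0])
        user, sig = params["user"][0], params["sig"][0]
    except (KeyError, ValueError):
        return _audit(parts.path, None, now, "malformed")
    expected = _signature(parts.path, expires, user)
    # Check the MAC first (constant-time) so a forged expiry is never trusted.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return _audit(parts.path, user, now, "bad_signature")
    if now > expires:
        return _audit(parts.path, user, now, "expired")
    return _audit(parts.path, user, now, "released")
```

Because the path and expiry are covered by the signature, editing either one in the URL invalidates it rather than extending access or redirecting it to another client's object.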