DfE Earwig servers Security Appraisal 2018 - Earwig - Self-appraisal
Asset protection and resilience
Data, and the assets storing or processing it, should be protected against physical tampering, loss, damage or seizure. This includes the following;
- Data Centre – Physical Location and Legal Jurisdiction
- Please document the locations at which School data is stored, processed and managed from.
- The Earwig servers are located at Fasthosts server centre in Gloucester. All data is held onshore, using dedicated servers with maximum power backup and physical security. www.fasthosts.co.uk.
- Earwig data is backed-up to servers provided by Amazon a3, based in London.
- Data sanitisation
- If the process of provisioning, migrating and de-provisioning resources is ever needed during the Earwig servers provision, what measures will be taken to protect the data? For Example, when resources are moved or re-provisioned, is all data securely erased?
- In this rare event. Yes.
- Equipment disposal
- Is all equipment potentially containing School data, credentials, or configuration information for the Earwig servers identified at the end of its life and are components containing sensitive data sanitised, removed or destroyed as appropriate?
- Physical resilience and availability
- What are the availability commitments of the Earwig servers provider, including their ability to recover from outages?
- All the servers used by Earwig guarantee 99.999% availability.
Data protection in transit
Data transiting networks should be adequately protected against tampering (integrity) and eavesdropping (confidentiality).
- Is all data in transit protected between all end user devices and the Earwig servers? If so, what technology is used to achieve this?
- Yes – See attached EARWIG DATA SECURITY POLICY
- Is all data in transit protected internally within the Earwig servers? If so, what technology is used to achieve this?
- Yes – See attached EARWIG DATA SECURITY POLICY
- If applicable, is all data in transit protected between the Earwig servers and other services (e.g. where APIs are exposed)? If so, what technology is used to achieve this?
- Yes – See attached EARWIG DATA SECURITY POLICY
Separation between consumers
Separation between different consumers of the Earwig servers prevents one malicious or compromised consumer from affecting the service or data of another.
- Please document the deployment model of the Earwig servers i.e. public, private or community cloud.
- Earwig is not a publicly accessible service. Every user has to be approved and to log in to the system with their unique identifier to gain access to anything. It is a Closed User Group.
- Please document the service model of the Earwig servers i.e. IaaS, SaaS, PaaS.
- The service is provided in the form of SAAS.
- Please articulate how the Earwig servers provides sufficient separation of the School data and service from other consumers of the Earwig servers.
- Each user’s unique login gives them access only to the data for one school and then only to data that they are approved to see. There are four user grades
- ADMINISTRATORS – Selected senior staff at each school who can edit pupil, staff and other reference data.
- STAFF – who can access only data relevant to the school to which they are attached.
- CURATED STAFF – who can only see data related to records that they have themselves created.
- PARENTS – who can access only data relevant to the pupils to which they are attached.
- Which other consumers are likely to share the platform\service with the School?
- The Earwig service is available only to schools and local authorities in the UK.
The service provider should have processes and procedures in place to ensure the operational security of the Earwig servers. The Earwig servers will need to be operated and managed securely in order to impede, detect or prevent attacks against it. This includes:
- Configuration and change management
- Is the status, location and configuration all components tracked throughout their lifetime within the service? How is this achieved?
- Yes. Automatic logging.
- Are changes to the service assessed for any potential security impact? How is this achieved?
- Yes. Review before deployment.
- Are changes managed and tracked through to completion? How is this achieved?
- All new releases are tested for security impact before release.
- Vulnerability management
- Please explain how potential new threats, vulnerabilities or exploitation techniques which could affect the service are assessed and how the appropriate corrective action is taken.
- Public security forums are monitored. No corrective action has ever been necessary.
- Are sources of information relating to threat, vulnerability and exploitation technique information monitored? If so, please list the most common sources used.
- We use Trendmicro – http://www.trendmicro.co.uk/technology-innovation/cloud/
- Are known vulnerabilities within the service tracked until suitable mitigations have been deployed through a suitable change management process?
- Known vulnerabilities are dealt with immediately
- Protective monitoring
- What analysis system do you have in place to identify and prioritise indications of potential malicious activity?
- We monitor logs for unusual activity
- Incident management
- Does the incident management policy include pre-defined processes for responding to common types of incident and attack?
- We do not experience any common types of incident.
- Does the policy include a defined process and contact route for the reporting of security incidents by consumers and external entities?
- Yes. All users have a Contact Us button on their dashboards.
- Would all security incidents with relevance to the School be reported to us within agreed timescales and format?
- Security incidents relevant to individual schools would be reported to the Earwig Administrator at that school within 24 hours.
Earwig servers should be designed and developed to identify and mitigate threats to their security.
- Is all development of the service carried out in line with industry good practice regarding secure design, coding, testing and deployment?
- What configuration management processes do you have in place to ensure the integrity of the solution through development, testing and deployment? Do you follow any frameworks for this?
- Our developers use a cut-down version of OWASP
Secure consumer management
The School may expect to be provided with the tools required to help securely manage its service. Management interfaces and procedures are a vital security barrier in preventing unauthorised people accessing and altering resources, applications and data.
- Authentication of School staff to management interfaces
- What controls are in place so that only authorised individuals from the School are able to authenticate to and access management interfaces for the service?
- The only people who have access to this system are staff employed by School schools who are already included in the school database.
- What additional controls are in place so that only authorised individuals from the School are able to perform actions affecting the consumer’s service through support channels such as telephone and email?
- This is not a consumer service. Authorised users have access to a support helpline during office hours – 0333 6666 166.
- Separation and access control within management interfaces
- What management interfaces are available, how are they protected and what functionality is available via those interfaces.
- School administrators can only add parents to the system. Parents have very limited access and can only view (and purchase) images and records related to children which the school administrator has approved them to view.
- What controls are in place so that other consumers cannot access, modify or otherwise affect the School’s service management?
- This is not a consumer system.
Identity and authentication
Consumer and service provider access to all service interfaces should be constrained to authenticated and authorised individuals.
- What identity and authentication controls are in place to ensure users are authorised to access specific interfaces?
- Each user is identified through their login and the interface to which they have access are defined by their status – Administrator, Staff or Parent.
- Does all authentication occur over secure channels?
External Interface protection
All external or less trusted interfaces of the Earwig servers should be identified and have appropriate protections to defend against attacks through them.
- How will access to the Earwig servers be securely achieved by School staff? Are there any client requirements and what protocols will be used to facilitate the access?
- School staff are sent their login data automatically once the Earwig system has received the relevant user details by synchronising with the school database.
- What physical and\or logical interfaces will the service information be available from?
- Any online device, subject to login.
- What additional controls are in place to protect and control access to School data via these interfaces i.e. Firewalls, Intrusion Prevention Systems?
- The Earwig system sits behind a Firewall provided by Fasthosts, currently the second biggest provider of hosting services in the UK.
Secure service administration
The methods used by the service provider’s administrators to manage the operational service should be designed to mitigate any risk of exploitation that could undermine the security of the service.
- What technical approach\management model is taken by the service provider to manage the Earwig servers?
- Only a small number of authorised people have full service management access. All Earwig employees and agents have current DBS Certificates.