

Based on experience, research, and conversations with Apex Innovations’ clients and partners, we have become keenly aware of industry concerns with the security and continuity of Internet-based systems. Apex understands these concerns and considers client data security and accessibility top technological priorities.
This document explains the measures Apex has taken from a technological perspective to secure our clients’ data and intellectual capital while providing for 24x7 system availability.
Apex also understands that Internet technology is ever changing and must be revisited constantly; therefore, we consider this a living document and a means of communicating our intentions to our clients and partners. The detail contained in this document applies to the Apex Innovations i-INFO hosted product suite.
Securing Apex Systems
Anatomy of an Internet Transaction
Internet transactions tend to follow a generic flow and generally contain similar technological components. The following diagram depicts a high level view of an Internet transaction and the points of the transaction that are normally considered areas of risk.
- Area 1: Your Browser
- Area 2: Your Internet Connection
- Area 3: The Internet
- Area 4: Application Internet Connection
- Area 5: The Application
As shown above, a typical Internet user will access the Internet through a browser, such as Internet Explorer, running on a personal computer. The connection to the Internet will typically be a modem for home use or a router for business use. At this point, the user enters the complex cloud known as the Internet, where requests and traffic follow numerous paths to and from destinations. User information routes through the Internet via telecommunication equipment to the destination site, usually an Internet site running a commercial or private application. These applications serve various purposes, such as the project management and reporting requests handled by Apex Innovations’ sites.
Security Concerns
Hacking, or the illegal compromise of Internet and private systems, has become highly sophisticated over the past several years. To prevent hacking, the goal is to identify points of risk and to mitigate the risk of system intrusion by employing comparable techniques. A subcomponent of the overall goal of mitigation is to maintain reasonable response time for online users. As telecommunications technology continues to support accelerated access speeds, user performance becomes easier to support while providing secure data.
As we consider the previous diagram we can begin from left to right and observe the most likely points of compromise:
- Area 1 - The physical user computer may be the area that is most susceptible to compromise. Internet hackers are constantly trying to crack usernames and passwords by utilizing high powered computers and complicated cracking software so they can log directly into systems. In addition, many hackers are quite capable of hacking unprotected systems via a browser’s URL.
- Area 2 - Sophisticated hackers may try to penetrate a user’s network (routers/modems/firewalls) remotely using complex software tools.
- Area 3 - Hackers may attempt to intercept data while it traverses the Internet.
- Area 4 - Some hackers will try to access Internet sites by penetrating network routers/firewalls that are in place. They may also physically attempt to gain access to production systems.
- Area 5 - Hackers will try to access servers via a user login or through the web server without having a valid user-ID and password.
Our Security
While it is true that hacking has become sophisticated, the techniques available to defend information against malicious attacks have also become extremely sophisticated and effective. To address our clients’ needs and concerns, Apex has implemented several measures to provide our clients with peace of mind while transacting business on our sites. The following list details measures instituted to protect our clients’ intellectual capital:
- Area 1 - In order to access confidential system data, each Apex user must have a unique username and password. These usernames and passwords are stored securely in a database behind Apex firewalls and intrusion detection systems. In addition, Apex intrusion detection systems constantly analyze trends in user and system activity to identify suspicious activities. If a suspicious activity is identified, Apex system administrators are notified and the intrusion detection systems automatically block further access by the suspected individual.
- Area 2 and Area 3 - Apex does not have the ability to secure specific user routers or other Internet connections. However, we can encrypt data that is transmitted from the client browser to our web site. Essentially this means that while using our production systems, any sensitive information will be encrypted using 128-bit encryption, unlike some systems that pass data in clear text. This technique is called Secure Sockets Layer (SSL). Apex uses Verisign™ technology for this mechanism. Verisign is the leader in Internet SSL solutions. Apex has chosen 128-bit SSL encryption for its sites as this is the most secure form of SSL encryption.
- Area 4 - Next we secure the environment that physically houses the Apex production systems. To achieve this, Apex has teamed up with Sprint for state-of-the-art facilities and firewalls. Apex’s production facility is a completely secure facility with environmental controls, conditioned power, earthquake prevention, and backup generator capabilities. Physical access to Apex systems is limited to a specific list of administrators controlled by a single Apex contact. Also in place are dedicated Cisco PIX firewalls that monitor all traffic to and from Apex production systems. Cisco is the recognized world leader in Internet network technologies.
- Area 5 - Finally, there is the application layer of Apex production systems. i-INFO has a unique, patent-pending application security model. The application security allows each subscriber administrator to assign security role(s) to persons. These roles have security permissions that are set up per entity (e.g. person, project, bid, contract, etc.) that control:
- View / Update / Delete permissions per entity data form
- Copy / Move / View Private permissions on specific trees (e.g. project, org)
A person can have one or many security roles (e.g. project manager, bid administrator, estimator) assigned by one or many organizations. Depending upon which organization is currently “active”, the person receives the combination of permissions for those roles assigned by that organization.
Each project, bid, contract and other entity has a personnel list. This list controls who holds what role in the project (e.g. project manager, estimator, utility contact, contractor) and thereby, based on these roles, who holds specific security permissions for that project. The personnel list also includes beginning and ending effectivity dates.
The i-INFO application security also includes functionality to handle viewing rights across organizations. This is called “sharing”, which gives view-only rights to those who need access to the project information but are not on the personnel list for a project, bid, contract, or other entity.
The application security in i-INFO is a combination of ownership, permissions and sharing, resulting in true, multi-organizational security found in no other system in the marketplace. This security allows different organizations to work in the same system, while each organization controls the permission rights they assign to all persons that are accessing their information.
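The permission resolution described above can be sketched as follows. This is an added illustration, not i-INFO code: the role names, permission names, people, organizations and the inclusive date check are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date

# Hypothetical role -> permission table (names are illustrative only).
ROLE_PERMS = {
    "project manager": {"view", "update", "delete", "move"},
    "estimator": {"view", "update"},
    "utility contact": {"view"},
}

@dataclass(frozen=True)
class PersonnelEntry:
    person: str
    org: str      # organization that assigned the role
    role: str
    start: date   # beginning effectivity date
    end: date     # ending effectivity date (treated as inclusive here)

@dataclass
class Project:
    personnel: list
    shared_with: set  # persons granted view-only "sharing"

def effective_permissions(project, person, active_org, today):
    """Union of permissions from roles assigned by the active org and in effect today."""
    perms = set()
    for e in project.personnel:
        if e.person == person and e.org == active_org and e.start <= today <= e.end:
            perms |= ROLE_PERMS.get(e.role, set())  # unknown role grants nothing
    if person in project.shared_with:
        perms.add("view")                           # sharing never exceeds view-only
    return perms

def is_allowed(project, person, active_org, today, action):
    """Default deny: an action is allowed only if an in-effect role or sharing grants it."""
    return action in effective_permissions(project, person, active_org, today)

# Constructed sample data.
PROJECT = Project(
    personnel=[
        PersonnelEntry("alice", "CityWorks", "project manager", date(2024, 1, 1), date(2024, 6, 30)),
        PersonnelEntry("alice", "UtilityCo", "utility contact", date(2024, 1, 1), date(2024, 12, 31)),
        PersonnelEntry("alice", "UtilityCo", "estimator", date(2024, 3, 1), date(2024, 12, 31)),
    ],
    shared_with={"bob"},
)
```

Switching the active organization or letting an effectivity date lapse changes the result for the same person and project, which is the behaviour an access review of such a model should test.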
Maintaining System Uptime
Security concerns are just part of what it takes to operate a world class Internet system. Apex Innovations has very aggressive SLAs with our clients and consequently takes great pains to ensure maximum availability of our commercial systems. In order to realize maximum uptime, Apex has experienced continuity planners on staff who have put together comprehensive multi-phased continuity plans. This section will describe some of those details.
The key to any system continuity program is to have a comprehensive plan that is immediately initiated in the unlikely event of an unrecoverable system outage. Apex keeps electronic and hard copies of such a plan both on site at Apex offices and off site. Some of the key principles of this plan are as follows:
- Apex production systems are housed at one of Sprint’s Tier One data center facilities. This facility resides directly on a Sprint SONET ring on their primary data backbone. This facility has complete logical and physical security protection twenty-four hours a day, seven days a week. All power, electrical, data, and HVAC components within this facility have been configured in a one-for-one failover configuration in the event that any primary components experience difficulty. This facility has been earthquake and tornado protected in support of local seismic codes and tornado categories.
- All Apex hardware internally houses redundant components including hard drives, power supplies, and network interfaces. All physical hard drives utilize RAID technology.
- All production systems are monitored on a 24x7 basis. This task is performed by Apex, as well as an independent company, to provide redundancy in monitoring. In the event of a system outage, emails and pages are sent to several Apex system administrators immediately. Apex administrators have remote login and diagnostic capability that allows them to respond immediately regardless of their location.
- Apex maintains a fully redundant server and selected parts at the production site. This inventory will minimize any downtime should an unforeseen hardware failure occur, by having the needed parts immediately available.
- All system data is backed up on site via Oracle standby databases and nightly tape backups. Production data is also backed up to the Apex office headquarters via Oracle standby databases to provide for physically separated backups. All standby databases are current within five minutes of production. All tape backups occur nightly.
- Also included in the Apex Continuity Plan is a description of the continuity team, partner/municipal utility contacts, escalation/communication procedures, restoration procedures, and more.
Apex has designed and implemented i-INFO so that our clients will receive maximum system availability. We have selected one of the most secure facilities in the nation to serve as host to our system. Our implementation includes redundancy at the most vulnerable system locations, and in the unlikely event our automatic interruption avoidance and recovery systems aren’t enough, we have documented disaster/recovery plans to get our clients back to normal operations in the shortest time possible.