SCSB Security

Owned by SK
Last updated: Aug 10, 2016
1 min read

The AWS infrastruture and application architecture takes into consideration various aspects of Software as a Service (SaaS) model of which Security is paramount. The following considerations have been taken into account and implemented. 
 

Image Reference (View larger image):https://www.lucidchart.com/documents/view/e69eb1aa-aeb2-46b2-800a-e1b72ad7d61d

  1. Availability and Failover Monitoring
    1. Availability:
      1. Minimum: 99%
      2. Target: 99.9%
    2. Exceptions:
      1. Planned upgrades, maintenance.
      2. AWS outages, although SCSB will have failover strategies to minimize the downtime.
    3. Reporting:
      1. Metrics on uptime, any upgrades etc will be made available.
  2. Backups:
    1. Nightly
    2. Amazon Machine Images (AMIs)
  3. Failover:
    1. N+1 redundancy setup
    2. AWS Elastic Load Balancer (ELB).
    3. Multiple AZs (Availability zones) to increase fault tolerance.
  4. Monitoring:
    1. Amazon Cloud Watch
  5. DDOS Risk mitigation:
    1. Whitelisting IPs
    2. Blacklisting IPs
  6. User Security and Monitoring
    1. User Data: SCSB doesn't store any confidential/private or sensitive information about the users.
  7. Identity Services:
    1. Authentication via SSO/Apache Shiro
    2. Authorization via local roles/permissions in SCSB
  8. Vulnerability Scanning:
    1. Acunetix: Security vulnerability scanner.
  9. SSH Security Groups:
    1. Secure access for support personnel to do maintenance/upgrades/support
  10. Information Security - Data:
    1. SCSB does not store any patron sensitive information.
    2. SCSB stores library collection information (Bibliographic, Holdings, Items) which are public records and not deemed sensitive.
    3. Audit trail information available showcasing who has accessed/modified data restricted by permissions.
  11. Application Level Security :
    1. Data encryption to be enforced by partners while invoking SCSB REST services.
    2. SCSB will deploy SSL certificate for data encryption for SCSB UI.
    3. JSON webtoken for RESTful services
  12. Monitoring Services: Acunetix: Application security vulnerability scanner.
  13. Platform and Infrastructure Security :
    1. Amazon is responsible for this part as the cloud hosting provider.