Cloud hosting on Microsoft Azure
Where Avantus Systems hosts client platforms the production environment is hosted on the Microsoft Azure Cloud.
The MWP platform consists of a front-end web service hosted on Windows/IIS with ASP.NET, a mid-tier Task Service role, and a back-end database service hosted on Azure SQL. Whilst the front-end and mid-tier services are hosted on virtual machine instances, the MSSQL service is hosted on Azure SQL.
Azure Files are incorporated to provide SMB file shares to the Web Tier servers. Azure files are deployed with Geo-redundant storage which ensures that the data stored within the file shares is resilient both in-region and across regions to a separate location for recoverability purposes.
Active Directory is deployed on 2 domain controllers; the AD environment is isolated to Azure and is not an extension of an on-premises domain.
Availability Zones
Availability Zones are a high-availability offering that protects applications and data from datacentre failures. Availability Zones are unique physical locations within an Azure region. Each zone is made up of one or more datacentres equipped with independent power, cooling, and networking. To ensure resiliency, there's a minimum of three separate zones in all enabled regions. The physical separation of Availability Zones within a region protects applications and data from datacentre failures. Zone-redundant services replicate applications and data across Availability Zones to protect from single points of failure. With Availability Zones, Azure offers an industry-best 99.99% VM uptime SLA.
The image below demonstrates a highly available service with the front end provided through Azure Web App instances and the back end provided by Azure SQL databases. Both tiers are deployed across all three zones within the region, ensuring business continuity even if two datacentres within the region were affected by an unexpected outage.
Availability Zones are used for the following workloads:
- Single Tenant Web Servers
- Multi-Tenant Web Servers
- Task Service VM Scale Set
- AD Domain Controllers
The deployment is in UK South, with any replicated storage held within the UK West Azure region. Replicated storage is configured for Azure Files.
Geo-redundant backup storage is enabled on databases. This means the 24 hr differential and 4 x weekly backups are replicated in the UK West region.
Security
Network Security Groups (NSGs) are the main tool used to enforce and control network traffic rules at the networking level. We control access by permitting or denying communication between the workloads within a virtual network, from systems on our networks via cross-premises connectivity, or from direct Internet communication.
In the diagram below, both VNETs and NSGs reside in a specific layer in the overall Azure security stack, where NSGs, user-defined routes (UDRs) and network virtual appliances can be used to create security boundaries that protect the application deployments in the protected network.
Network Security Groups (NSGs) are applied to each subnet boundary, enforcing traffic flow access control rules (ACLs) from the internet into Azure and between VMs across subnet boundaries.
Connectivity
All Avantus connectivity will transit over the internet to connect to the platform. Point-to-site VPN connectivity is used for a small number of users such as development and deployment team members. VPN capability is provided to appropriate users and locked to user machines with a client certificate.
Encryption in transit
All data in transit is encrypted using 2048-bit encryption. Only TLS 1.2 is supported; lower versions are deprecated. Traffic between the front end and the web API is also secured in transit.
Avantus use Certify The Web to maintain HTTPS certificates sourced from the Let's Encrypt certificate authority. Certificates are refreshed bi-monthly. Let's Encrypt is a free, automated, and open certificate authority maintained by the non-profit organisation Internet Security Research Group (ISRG).
Avantus can utilise client sourced secure certificates on request.
Backup & Disaster Recovery
Azure Files
User documents such as contracts, files and images, along with tenant files such as documents and images uploaded to build the tenants, are all stored on the production environment as Azure Files.
Azure Files are backed up with the native backup service, which is deployed as a geo-replicated storage service that ensures data survivability even in a regional failure event.
SLA (availability targets, i.e. 99.9% SLA) | 99.99% |
Availability Management | Inbuilt as part of the service |
Disaster Recovery Objectives (RTO/RPO objectives) | RTO: N/A; RPO: last backup state |
Disaster Recovery Approach | Geo-replicated storage to be used to ensure recoverability |
Scaling Options | Application code to be updated to use the new storage accounts |
Support | New Orbit are contracted by Avantus as Cloud Service Provider to support the Azure resource and its configuration |
Backups | Azure Files Backup (Preview feature) |
Monitoring | Azure Standard monitoring |
Security Approach | Encryption is enabled on the storage account. Transport encryption of traffic traversing storage account network endpoints is enabled. |
Data Tier
Avantus host databases on native Azure SQL, providing near 100% compatibility with the latest SQL Server on-premises (Enterprise Edition) Database Engine, a native virtual network (VNet) implementation that addresses common security concerns, and a business model favourable to on-premises SQL Server customers. The managed instance deployment option preserves all PaaS capabilities (automatic patching and version updates, automated backups, high availability), which drastically reduces management overhead and TCO.
Azure SQL Backup
SLA (availability targets, i.e. 99.9% SLA) | 99.99% |
Availability Management | Inbuilt as part of the service |
Disaster Recovery Objectives (RTO/RPO objectives) | RPO: 5 minutes |
Scaling Options | Automated scaling options available |
Support | New Orbit are contracted by Avantus as Cloud Service Provider to support the Azure resource and its configuration |
Backups | Azure-managed backups taken automatically as part of the inbuilt service: 7 days PITR; 24 hour differential; weekly snapshots kept for up to 4 weeks; monthly snapshots kept for up to 6 months |
Monitoring | Azure Standard monitoring |
Security Approach | Transparent Data Encryption enabled |
Monitoring and alerting
Avantus use tools provided in the Azure Portal to configure monitors for thresholds and security events. Alerts trigger messages to our ticketing system, Fresh Desk, for the support team to pick up and distribute to the appropriate developer resource. Alert rules are configured and maintained in the monitoring section of the Azure Portal.
Patch Management
Service Level Agreements
Service level agreement between Avantus and clients is detailed in the client contract.
Server Performance
ASL Server Performance will be Available for not less than 99.95% of each calendar month. Availability will be calculated and reported in accordance with the rules set out below.
If in any calendar month ASL does not meet this standard of Availability, ASL will compensate the Client. The amount of compensation will be determined in accordance with the rules set out below.
ASL will provide this compensation by making further Maintenance Services or discounts available to the Client up to the amount of compensation at the applicable rate. This compensation will be the only remedy available to the Client in the event of the non-availability of the Service.
Frequently Asked Questions
How is capacity managed?
Disk, memory and processor capacity are monitored in the Azure portal security centre. Avantus are alerted when monitors are triggered so that appropriate action can be taken.
Is data encrypted at rest?
MyWorkPal data is stored in Azure SQL databases, which are encrypted at rest with Transparent Data Encryption (TDE) by default.
Transparent data encryption (TDE) helps protect Azure SQL Database, Azure SQL Managed Instance, and Azure Synapse Analytics against the threat of malicious offline activity by encrypting data at rest. It performs real-time encryption and decryption of the database, associated backups, and transaction log files at rest without requiring changes to the application.
Are backups encrypted?
All backed-up data is automatically encrypted when stored in the cloud using Azure Storage encryption, ensuring our security and compliance commitments. This data at rest is encrypted using 256-bit AES encryption, one of the strongest block ciphers available, and is FIPS 140-2 compliant. In addition to encryption at rest, all backup data in transit is transferred over HTTPS. It always remains on the Azure backbone network.
More details here: https://docs.microsoft.com/en-us/azure/backup/backup-encryption
Is a web application firewall (WAF) installed to protect applications running on the production environment?
MyWorkPal does not implement or support use of a Web Application Firewall.
What is a Web Application Firewall
A Web Application Firewall (WAF) is distinct from a normal "firewall". A WAF is a "layer 7" service that works at the HTTP protocol layer.
A WAF essentially analyses HTTP traffic and uses a combination of rules and heuristics to detect potential attacks, such as SQL injection and cross-site scripting amongst many others. It is most useful when the application code is likely to have security bugs.
In essence, a WAF offers an additional layer of protection against bugs that compromise security. The value of the WAF is proportional to the likelihood of such bugs being deployed to the production environment.
A WAF is also a Reverse Proxy, which offers certain security benefits in itself, and may also offer DDoS Protection as a related service. However, these features are separate and this note only relates to the layer 7 http filtering.
What are the downsides?
- It risks breaking the application in production. Due to its nature, false positives sometimes occur with WAFs, which means a user's request will be denied when it shouldn't be. This can be mitigated by first running the WAF in "reporting only" mode and disabling any rules that give false positives before changing the WAF to blocking mode. However, with a managed WAF, the rulesets will be updated from time to time, which can unexpectedly break the application. The probability of this is low, but very real.
- Performance can be negatively impacted, though this is less likely to be a problem in practice, for most types of application.
- There is a cost to running a WAF.
My Work Pal
The My Work Pal platform is a modern, well-tested application written in current frameworks that offer a high degree of protection from the kinds of bugs that a WAF is most likely to protect against.
There is always a risk that a security bug will make it to production and a WAF might be able to protect from that. For My Work Pal, when weighing the pros and cons of deploying a WAF, the verdict is that it is not beneficial to deploy a WAF in front of Engage.
Note that My Work Pal is deployed to Azure PaaS and uses a range of other security features which cover many of the non-WAF-specific security benefits of deploying a dedicated WAF, such as DDoS protection etc.
MyWorkPal is protected by Azure Network Security Groups (NSGs). An NSG is a fully managed offering from Microsoft that filters traffic to and from an Azure VNet. An NSG consists of security rules that we configure to allow or deny inbound and outbound traffic appropriately. Rules are evaluated against the 5-tuple of source IP address, source port, destination IP address, destination port and protocol. NSGs can be associated with a VNet subnet or a VM network interface very easily, and they work at layers 3 and 4 of the OSI model.
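The NSG rule model described here and in the Security section (priority-ordered allow/deny rules matched on the 5-tuple), as an added example that is not Avantus or New Orbit code; the subnet ranges, rule names and the VPN client pool are constructed assumptions:

```python
# Added example, not Avantus/New Orbit code: how NSG-style rules are evaluated
# against a 5-tuple. Rule names, priorities and address ranges are constructed.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # lower number is evaluated first; first match wins
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp" or "*"
    src_prefix: str    # CIDR or "*"
    src_port: str      # single port, "low-high" range, or "*"
    dst_prefix: str
    dst_port: str

def _port_match(spec, port):
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)

def _addr_match(spec, addr):
    return spec == "*" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def evaluate(rules, direction, protocol, src_ip, src_port, dst_ip, dst_port):
    """Return (access, rule_name) for the first rule, in priority order, that matches
    the 5-tuple. Evaluation stops at the first match; no match falls through to deny."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.direction != direction or (r.protocol != "*" and r.protocol != protocol):
            continue
        if (_addr_match(r.src_prefix, src_ip) and _port_match(r.src_port, src_port)
                and _addr_match(r.dst_prefix, dst_ip) and _port_match(r.dst_port, dst_port)):
            return r.access, r.name
    return "Deny", "<no matching rule>"

# Constructed rule set for a web-tier subnet (10.0.1.0/24): HTTPS from anywhere,
# RDP only from the point-to-site VPN client pool (172.16.0.0/24), deny the rest
# with a catch-all at the same priority Azure uses for its default DenyAllInbound.
WEB_TIER_RULES = [
    Rule("AllowHttpsFromInternet", 100, "Inbound", "Allow", "Tcp", "*", "*", "10.0.1.0/24", "443"),
    Rule("AllowRdpFromVpnClients", 200, "Inbound", "Allow", "Tcp", "172.16.0.0/24", "*", "10.0.1.0/24", "3389"),
    Rule("DenyAllInbound", 65500, "Inbound", "Deny", "*", "*", "*", "*", "*"),
]

if __name__ == "__main__":
    for src, port in (("203.0.113.7", 443), ("203.0.113.7", 3389), ("172.16.0.9", 3389)):
        print(src, port, evaluate(WEB_TIER_RULES, "Inbound", "Tcp", src, 51000, "10.0.1.4", port))
```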
Referring to the OWASP Cheat Sheet Series, Cross Site Scripting Prevention, on Web Application Firewalls: "These look for known attack strings and block them. WAFs are unreliable and new bypass techniques are being discovered regularly. WAFs also don't address the root cause of an XSS vulnerability. In addition, WAFs also miss a class of XSS vulnerabilities that operate exclusively client-side. WAFs are not recommended for preventing XSS, especially DOM-Based XSS."
We currently use HTML encoding and Content Security Policies to mitigate against XSS attacks. Please note that the nature of the application could allow XSS attacks. For example, an admin could put a malicious script into a page template which could load for an employee.
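The two mitigations named above, applied to the admin-template scenario this paragraph describes, as an added example that is not MyWorkPal code; the template syntax, sample values and nonce handling are constructed:

```python
# Added example, not MyWorkPal code: HTML encoding protects the values substituted
# into a template, while a nonce-based CSP is what stops a script that an admin
# placed in the template itself. Template syntax and inputs are constructed.
import html
import re
import secrets

def render(template, values):
    """Substitute {{name}} placeholders with HTML-encoded values, so data supplied
    by employees cannot break out of the surrounding markup."""
    return re.sub(r"\{\{(\w+)\}\}",
                  lambda m: html.escape(str(values.get(m.group(1), "")), quote=True),
                  template)

def csp_header(nonce):
    """Content-Security-Policy value: only scripts carrying this nonce may run."""
    return ("default-src 'self'; script-src 'nonce-%s'; object-src 'none'; "
            "base-uri 'self'" % nonce)

def scripts_blocked_by_csp(rendered, nonce):
    """Approximate what a browser enforcing csp_header(nonce) does: return each
    <script> tag in the rendered page that lacks the matching nonce attribute."""
    return [tag for tag in re.findall(r"<script\b[^>]*>", rendered, flags=re.IGNORECASE)
            if not re.search(r'nonce="%s"' % re.escape(nonce), tag)]

# Constructed inputs: an admin-authored template containing an inline script (the
# scenario from the FAQ) and an employee-supplied value containing markup.
NONCE = secrets.token_urlsafe(18)          # fresh per response in a real app
ADMIN_TEMPLATE = ('<h1>Welcome {{name}}</h1>'
                  '<script>alert("placed in the template by an admin")</script>')
EMPLOYEE_VALUES = {"name": "<script>alert('x')</script>"}

def demo():
    """Return (rendered page, CSP header, scripts the policy would block)."""
    page = render(ADMIN_TEMPLATE, EMPLOYEE_VALUES)
    return page, csp_header(NONCE), scripts_blocked_by_csp(page, NONCE)

if __name__ == "__main__":
    page, header, blocked = demo()
    print(page)
    print("Content-Security-Policy:", header)
    print("blocked by CSP:", blocked)
```

The employee value is neutralised by encoding alone; the admin's inline script survives rendering and is only stopped because it carries no nonce.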
Does the hosted solution provide protection against denial-of-service attacks against its Internet presence?
Avantus benefits from Azure DDoS Basic, which is deployed across the whole cloud estate. A client's own dedicated DDoS solution can be implemented on a client solution via a Web Application Firewall if required.
What anti-virus solution is in place and how often are the anti-virus signatures updated?
Windows Defender is installed on Avantus office devices and signatures are updated monthly. Security updates are installed automatically, with a mandatory reboot required within 12 days of the update being released.
- Security update deferral period is set to 0: available to be installed the day they are released by Microsoft.
- Deadline for security updates is set to 5: automatically installed within 5 days.
- Grace period is set to 5: once installed, if the device is not restarted (to complete the update installation) by the user manually within 5 days of install, a restart will be forced.
ClamAV is also installed on the web servers to scan files uploaded to the platforms by admins or employee users, and is updated daily with new signatures.
Are production systems and services monitored to alert down time?
Azure provide system and hardware monitoring as part of their proactive managed service. This monitoring provides alerts for potential downtime, hardware degradation or capacity triggers.
Avantus separately track the availability of websites and the Web API through a third-party monitoring tool. This also sends alerts directly to the Avantus support desk when a site is not responding.