Security Overview
Modified on: Tue, 28 Feb, 2023 at 1:20 PM
Avantus Business Solutions
- Avantus Systems, part of Avantus Business Solutions, is ISO 27001 certified; the Statement of Applicability is available on request.
- MyWorkPal has been developed and maintained since 2013.
- Avantus Business Solutions is audited annually by Azets.
Website & Hosting
- The website and database are hosted on Microsoft Azure, which provides capacity scaling.
- Network traffic rules are controlled by Azure Network Security Groups (NSGs).
- Web, API and task servers run on fully managed Windows virtual servers.
- Databases are hosted on Azure SQL, with Transparent Data Encryption (TDE) enabled on all SQL instances.
- Disaster recovery is provided by Azure, with recovery objectives of a 15 minute RPO (maximum data loss) and a 15 minute RTO (maximum time to restore service).
- Full daily database backups are taken, with 7-day point-in-time restore enabled.
- Full technical support and a knowledge base are provided through an online ticketing system.
- Fully documented, audited and reviewed segregation of duties within Avantus determines which Avantus staff have access to hosted systems for support and releases.
- A QA environment exists for each platform for testing new releases; it is also available to platform owners as a sandbox environment.
- 99.5% uptime is guaranteed.
System Architecture
- Three-tier solution with logical and physical separation of concerns (Web UI / Web API / Database).
- The solution is built on the Microsoft ASP.NET / MSSQL technology stack.
- Each client platform runs as a multi-tenanted solution on its own database, with logical separation of data between tenants.
- The code repository is linked to the project management system to track changes and enable pull-request peer review.
Access security
- Connections to the site are encrypted and authenticated using TLS 1.2; the server certificate uses a SHA-256 with RSA signature and a 2048-bit RSA public key. All traffic is served over HTTPS.
- Database storage is encrypted at rest using Transparent Data Encryption (TDE) on Azure SQL Managed Instance.
- Password strength and password change policies are configurable. Passwords are stored only as salted hashes; the plaintext cannot be recovered from the stored value.
- Several second-factor authentication options are supported: authenticator apps such as Google Authenticator, client certificates, U2F hardware devices, or a 6-digit PIN.
- Accounts are temporarily disabled after repeated incorrect login attempts to block brute-force attacks.
- User account traversal (reaching another user's data by altering identifiers in requests) is blocked by the Web API, and this is tested as part of all development work.
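The three controls in the list above (salted one-way password hashes, temporary lockout after repeated failures, and server-side rejection of account traversal) are shown together below in a small Python sketch. This is an added illustration written for this article; it is not MyWorkPal or Avantus code, and the PBKDF2 parameters, the five-failure threshold, the 15-minute lockout window and the sample records are assumptions chosen for the example.

```python
"""Illustrative login hardening: salted password hashes, temporary lockout
after repeated failures, and per-user ownership checks on record access.
Added example, not vendor code; all thresholds are assumptions.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

PBKDF2_ITERATIONS = 600_000   # assumed work factor; follow current OWASP guidance
MAX_FAILED_ATTEMPTS = 5       # assumed lockout threshold
LOCKOUT_SECONDS = 15 * 60     # assumed lockout window


@dataclass
class UserRecord:
    user_id: int
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0   # epoch seconds; 0 means not locked


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way, salted derivation: the stored value cannot be reversed."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def create_user(user_id: int, password: str) -> UserRecord:
    """Each user gets a fresh random salt, so equal passwords hash differently."""
    salt = os.urandom(16)
    return UserRecord(user_id=user_id, salt=salt, pw_hash=hash_password(password, salt))


def login(user: UserRecord, password: str, now: float) -> str:
    """Return 'ok', 'locked' or 'bad_password'. The clock is injected so the
    lockout window can be exercised deterministically."""
    if now < user.locked_until:
        return "locked"              # refuse even a correct password while locked
    candidate = hash_password(password, user.salt)
    if hmac.compare_digest(candidate, user.pw_hash):   # constant-time comparison
        user.failed_attempts = 0
        return "ok"
    user.failed_attempts += 1
    if user.failed_attempts >= MAX_FAILED_ATTEMPTS:
        user.locked_until = now + LOCKOUT_SECONDS
        user.failed_attempts = 0
    return "bad_password"


# Constructed sample data: record id -> owning user id and payload.
RECORDS = {
    101: {"owner": 1, "payslip": "2023-02"},
    102: {"owner": 2, "payslip": "2023-02"},
}


def get_record(session_user_id: int, record_id: int) -> Optional[dict]:
    """Ownership check done server-side from the authenticated session, never
    from the client-supplied id alone. 'Not found' and 'not yours' return the
    same result so callers cannot enumerate other users' record ids."""
    rec = RECORDS.get(record_id)
    if rec is None or rec["owner"] != session_user_id:
        return None
    return rec


if __name__ == "__main__":
    alice = create_user(1, "correct horse battery staple")
    print(login(alice, "correct horse battery staple", now=0.0))   # ok
    for _ in range(MAX_FAILED_ATTEMPTS):
        login(alice, "guess", now=0.0)
    print(login(alice, "correct horse battery staple", now=0.0))   # locked
    print(get_record(1, 102))                                      # None
```

The lockout is keyed on the account rather than the source address, which is what the overview describes; a production deployment would also rate-limit by client IP, log lockout events to the SIEM, and persist `failed_attempts` and `locked_until` in the database rather than in memory.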