Secure and scalable infrastructure to meet all your requirements
All the software features in the world aren’t going to amount to a great system if it isn’t secure and scalable.
Achieving great all-round security on a SaaS/cloud-based system isn’t something that can be done by simply sticking some firewalls in front of your web-servers. At Brandworkz we have built security into everything we do as a company, right from our employee recruitment processes, through our coding practices as well as of course our hosting.
Similarly, the fact that a vendor is using e.g. Amazon Web Services or Azure as their hosting provider does not necessarily mean that their system is scalable or secure as it is in large part down to the vendor how these hosting services are used. This article summarises what we do here at Brandworkz to achieve a high level of security and scalability.
Our certifications, audits and 3rd party testing
Brandworkz is ISO 27001 certified, the main global standard for information security. The certification includes protecting the confidentiality, integrity, and availability of our web-apps including hosting, all assets incl client files, processes, offices and staff in all the standard’s 114 controls. We undergo an external audit every year to ensure we maintain this high standard in our controls.
Our hosting provider Amazon Web Services has the following certifications: ISO 27001, PCI DDS, SOC 1/2/3, HIPAA, FISMA, DIACAP, FedRAMP, ITAR, FIPS 140, MTCS, CSA, MPAA, and many more…
Our web-app is penetration tested by an independent testing company before each release. Our pen testing company is of course ISO 27001 certified as well as certified with Crest, Crest Star, PCI DDS, Check and Government Procurement Service
3rd party vulnerability testing performed every day by Tenable.io/Nessus on both external attack surface and internal network.
AWS Inspector used for internal scanning of internal server/stack for detection of out-of-date components and insecure configs (CVE and CIS compliant).
Our hosting partner is Amazon Web Services, the largest hosting company in the world, giving us near-infinite scalability, high availability, global reach as well as certified hosting security.
We utilize the following of their data centres for primary hosting and DR.
All clients furthermore benefit from utilizing AWS CloudFront their Content Delivery Network (CDN) for delivering file downloads to users globally with low latency and high transfer speed through almost 200 local caching-nodes, bringing popular files closer to the end-users wherever they are located in the world including inside China.
Brandworkz web-app architecture
In summary, our web application is architected to industry best practices in terms of:
- Separate environments for Dev, QA, and Production, including completely separate AWS account for Dev and QA
- Multiple protections around network perimeter – see subsequent sections
- All files and DBs encrypted at rest with AES-256 and in transit with TLS 1.2+
- Real-time replication of uploaded files across 3 x availability zones providing 99.999999999% file durability
- Real-time backup of all uploaded files in a different country in case of full DR to different country, or corruption/deletion of files in primary DC.
- Databases replicated in real-time across multiple data centres
- Storage is compliant with PIC-DSS, HIPAA/HITECH, EU GDPR, FedRAMP and FISMA
- All components clustered both within an Availability Zone/DC and across multiple DCs
- Automatic auto-scaling of clusters based on load/traffic either through EC2 servers or
AWS Lambda/Fargate, e.g. if there is a peak in web-traffic or peak in video transcodes needed
- Multiple caching layers including AWS CloudFront CDN
Packet filtering for e.g. SQL Injection, Cross-scripting
Protection against DDOS attacks
Threat Detection and continuous monitoring for malicious activity, incl. threat feeds from Crowdstrike and Proofpoint.
Anti-malware for both hosting-related servers and office/employee workstations
Encryption and authentication
We employ the following encryption and authentication protocols/features
All data at Rest: AES-256
All data in Transit: HTTPS/TLS 1.2+
Management and renewal of employee credentials
2-Factor Authentication enforced both on workstations and for hosting platform
Brandworkz web-app can be configured for SAML2.0 single sign-on Federated Authentication including support for multiple identity providers – e.g. if through a recent company merger or multiple divisions/brands you have multiple, disparate networks. Including support for these common SSO/Identity services:
Brandworkz can also be configured to allow for hybrid authentication, SSO/SAML for internal users and internal login/password for external users such as agencies, etc. For internal users we have the following authentication features:
- Forced password change after x days
- A minimum timespan between password changes
- Password expiry on a chosen date
- X number of passwords remembered to stop password reuse
- Enforced password complexity
- X number of failed attempts before lockout (max 10)
Backup and disaster recovery
- Near real-time backup of all uploaded files and database transactions
RPO – 1-2 minutes
- 90-day retention (optional extended retention available as an add-on)
- Optional backup to your own Cloud storage as an add-on (e.g. AWS, Azure, Google)
- Data centres:
- US customers: Primary DC AWS Northern Virginia, DR AWS Oregon
- EU/ROW customers; Primary DC AWS Ireland, DR AWS Frankfurt, Germany
- APAC customers: Primary DC AWS Sydney, DR AWS Singapore
- All infrastructure and server builds are 100% scripted (infrastructure as code), so can be rebuilt in different data centre automatically. RTO for infrastructure = 3 hours
From a security point of view then as mentioned we encrypt both in transit (TLS1.2+) and at rest (AES-256).
However, having reliable, fast file transfers both for admins uploading and end-users downloading is critical for any software which has file-transfer/DAM capabilities, especially if you have large files such as HD videos or Photoshop artwork and/or have end-users that are geographically dispersed across the globe.
- Support for files up to 10GB through web-browser or larger
- File transfer acceleration across large geographical distances through File Transfer Acceleration
- Optional/further File Acceleration through UDP transfers via IBM Aspera. If you have globally dispersed users uploading large files then this can accelerate the file transfer speeds with up to 50x for users who are geographically far away from the main hosting data centre
- AWS Cloudfront CDN included for all clients for download acceleration and caching popular files closer to end-users around the world. See “Hosting provider” section above
- Support for bulk-downloads through zipping:
- up to 5GB
- 500 files per batch
- Ability to share albums/files with ad-hoc users
- Ability to create public links for file downloads, e.g. to place on public website or in press releases – optionally with date curfew/expiry
Secure coding standards
Even with an iron-clad hosting infrastructure with no back doors, the front door could be wide open so to speak if the software itself is not coded in a secure way. This is what we adhere to ensure that our web-app is coded in a secure way.
Adherence to OWASP secure coding guidelines
Enforced peer-reviews of every commit
Source code analysis including OWASP, linting, code smells, etc.
Automated deployment pipelines through Jenkins
Infrastructure-as-code through with Terraform and Chef
- 98+% track record
- SLA to 99.9% provided
- Active monitoring per site: We poll your site every 1 minute for an actual snippet of HTML from a different physical location to make sure it responds properly
- We continually monitor all internal components of our infrastructure stack via CloudWatch, PagerDuty, GeckoBoard and Splunk
- Production data centres:
- 24 x 7 video surveillance
- Biometric entry controls
- Two-factor authentication by all site staff
- Equipment decommissioning to DoD 5220.22-M and NIST 800-88 standards
- Further, detailed info here:
- Office location (software development and client services/implementation):
- Electronic keyfob access
- 24 x 7 security guard and video surveillance
- Strong physical perimeter
- No servers/master files kept on site
- Firewalls with NAT and Intrusion Prevention
Information security policies
We have extensive information security-related policies as part of our ISO 27001-certified ISMS which you can request for detailed information on specific topics after signing an NDA:
- ISO 27001 Certificate Brandworkz Limited
- Brandworkz Limited ISO 27001 external stage 2 audit report
- BW-IS-R-4.3 – Schedule of Interested Parties, Legal and Contractual Requirements
- BW-IS-5.2 – Information Security Policy
- BW-IS-6 – Information Security Risk Management
- BW-IS-7.2 – Competence Procedure
- BW-IS-C-6.1.5 -Project Management Policy
- BW-IS-C-6.2 – Mobile Device and Teleworking Policy
- BW-IS-7.2 – Competence Procedure
- BW-IS-R-7.4 – Communication Plan
- BW-IS-C-6.2 – Mobile Device and Teleworking Policy
- BW-IS-C-7 – Human Resource – Security
- BW-IS-C-8 – Asset Management Policy
- BW-IS-C-8.1.3 – Acceptable Use Policy
- BW-IS-C-9 – Access Control Policy
- BW-IS-C-10 – Cryptographic Policy
- BW-IS-C-11 – Physical and Environmental Security
- BW-IS-C-12 – Operating procedures for IT Management
- BW-IS-C-13 – Network and Information Transfer Policy
- BW-IS-C-14 – System Acquisition, Development and Maintenance Policy
- BW-IS-C-15 – Supplier Third Party Management Policy
- BW-IS-C-16 – Information Security Incident Management Policy
- BW-IS-C-17 – Business Continuity – Disaster Recovery Plan for hosting platform
- BW-PO-C-17 – Business Continuity Policy – Overall business – Summary
The options for integration with other systems are as follows
- Login integration
The system can out of the box be integrated with SAML 2.0 Federated Authentication for single sign-on
- API integration
Brandworkz has a RESTful API with JSON responses. Please see https://apidocs.brandworkz.com for further details
Brandworkz has several connectors to other popular MarTech applications. Please see this page for an up-to-date list: https://www.brandworkz.com/integrations/