Hosting and Security

Secure and scalable infrastructure to meet all your requirements

Security White

All the software features in the world aren’t going to amount to a great system if it isn’t secure and scalable.

Achieving great all-round security on a SaaS/cloud-based system isn’t something that can be done by simply sticking some firewalls in front of your web-servers. At Brandworkz we have built security into everything we do as a company, right from our employee recruitment processes, through our coding practices as well as of course our hosting.

Similarly, the fact that a vendor is using e.g. Amazon Web Services or Azure as their hosting provider does not necessarily mean that their system is scalable or secure as it is in large part down to the vendor how these hosting services are used. This article summarises what we do here at Brandworkz to achieve a high level of security and scalability.

Our certifications, audits and 3rd party testing

ISO Logo Dark

Brandworkz is ISO 27001 certified, the main global standard for information security. The certification includes protecting the confidentiality, integrity, and availability of our web-apps including hosting, all assets incl client files, processes, offices and staff in all the standard’s 114 controls. We undergo an external audit every year to ensure we maintain this high standard in our controls.

aws_logo_smile_1200x630

Our hosting provider Amazon Web Services has the following certifications: ISO 27001, PCI DDS, SOC 1/2/3, HIPAA, FISMA, DIACAP, FedRAMP, ITAR, FIPS 140, MTCS, CSA, MPAA, and many more…

PEN

Our web-app is penetration tested by an independent testing company before each release. Our pen testing company is of course ISO 27001 certified as well as certified with Crest, Crest Star, PCI DDS, Check and Government Procurement Service

Tenable.io-300x150-colour

3rd party vulnerability testing performed every day by Tenable.io/Nessus on both external attack surface and internal network.

AWS Inspector

AWS Inspector used for internal scanning of internal server/stack for detection of out-of-date components and insecure configs (CVE and CIS compliant).

Hosting provider

Powered by AWS

Our hosting partner is Amazon Web Services, the largest hosting company in the world,  giving us near-infinite scalability, high availability, global reach as well as certified hosting security.

We utilize the following of their data centres for primary hosting and DR.

Brandworkz AWS Hosting

All clients furthermore benefit from utilizing AWS CloudFront their Content Delivery Network (CDN) for delivering file downloads to users globally with low latency and high transfer speed through almost 200 local caching-nodes, bringing popular files closer to the end-users wherever they are located in the world including inside China.

AWS world maps

Brandworkz web-app architecture

In summary, our web application is architected to industry best practices in terms of:

Confidentiality/security

  • Separate environments for Dev, QA, and Production, including completely separate AWS account for Dev and QA
  • Multiple protections around network perimeter – see subsequent sections

Integrity

  • All files and DBs encrypted at rest with AES-256 and in transit with TLS 1.2+
  • Real-time replication of uploaded files across 3 x availability zones providing 99.999999999% file durability
  • Real-time backup of all uploaded files in a different country in case of full DR to different country, or corruption/deletion of files in primary DC.
  • Databases replicated in real-time across multiple data centres
  • Storage is compliant with PIC-DSS, HIPAA/HITECH, EU GDPR, FedRAMP and FISMA

Availability

  • All components clustered both within an Availability Zone/DC and across multiple DCs
  • Automatic auto-scaling of clusters based on load/traffic either through EC2 servers or
    AWS Lambda/Fargate, e.g. if there is a peak in web-traffic or peak in video transcodes needed
  • Multiple caching layers including AWS CloudFront CDN
Brandworkz AWS Hosting
AWS WAF

AWS WAF

Packet filtering for e.g. SQL Injection, Cross-scripting

AWS Shield

AWS Shield

Protection against DDOS attacks

AWS GuardDuty

AWS GuardDuty

Threat Detection and continuous monitoring for malicious activity, incl. threat feeds from Crowdstrike and Proofpoint.

LOGO_bitdefender_black_white

Bitdefender GravityZone

Anti-malware for both hosting-related servers and office/employee workstations

Encryption and authentication

We employ the following encryption and authentication protocols/features

REST

All data at Rest: AES-256

All data in Transit: HTTPS/TLS 1.2+

LastPass

Management and renewal of employee credentials

MFA Logo

2-Factor Authentication enforced both on workstations and for hosting platform

SSO

Brandworkz web-app can be configured for SAML2.0 single sign-on Federated Authentication including support for multiple identity providers – e.g. if through a recent company merger or multiple divisions/brands you have multiple, disparate networks. Including support for these common SSO/Identity services:

Logos-SSO

Brandworkz can also be configured to allow for hybrid authentication, SSO/SAML for internal users and internal login/password for external users such as agencies, etc. For internal users we have the following authentication features:

  • Forced password change after x days
  • A minimum timespan between password changes
  • Password expiry on a chosen date
  • X number of passwords remembered to stop password reuse
  • Enforced password complexity
  • X number of failed attempts before lockout (max 10)

Backup and disaster recovery

Backup

  • Near real-time backup of all uploaded files and database transactions
    RPO – 1-2 minutes
  • 90-day retention (optional extended retention available as an add-on)
  • Optional backup to your own Cloud storage as an add-on  (e.g. AWS, Azure, Google)

Disaster Recovery

  • Data centres:
    • US customers: Primary DC AWS Northern Virginia, DR AWS Oregon
    • EU/ROW customers; Primary DC AWS Ireland, DR AWS Frankfurt, Germany
    • APAC customers: Primary DC AWS Sydney, DR AWS Singapore
  • All infrastructure and server builds are 100% scripted (infrastructure as code), so can be rebuilt in different data centre automatically. RTO for infrastructure = 3 hours

File transfers/bandwidth/speed

From a security point of view then as mentioned we encrypt both in transit (TLS1.2+) and at rest (AES-256).

However, having reliable, fast file transfers both for admins uploading and end-users downloading is critical for any software which has file-transfer/DAM capabilities, especially if you have large files such as HD videos or Photoshop artwork and/or have end-users that are geographically dispersed across the globe.

Upload

  • Support for files up to 10GB through web-browser or larger
  • File transfer acceleration across large geographical distances through File Transfer Acceleration
  • Optional/further File Acceleration through UDP transfers via IBM Aspera. If you have globally dispersed users uploading large files then this can accelerate the file transfer speeds with up to 50x for users who are geographically far away from the main hosting data centre

Download

  • AWS Cloudfront CDN included for all clients for download acceleration and caching popular files closer to end-users around the world. See “Hosting provider” section above
  • Support for bulk-downloads through zipping:
    • up to 5GB
    • 500 files per batch
  • Ability to share albums/files with ad-hoc users
  • Ability to create public links for file downloads, e.g. to place on public website or in press releases – optionally with date curfew/expiry

Secure coding standards

Even with an iron-clad hosting infrastructure with no back doors, the front door could be wide open so to speak if the software itself is not coded in a secure way. This is what we adhere to ensure that our web-app is coded in a secure way.

OWASP

Adherence to OWASP secure coding guidelines

Gitflow

Enforced peer-reviews of every commit

SonarQube

Source code analysis including OWASP, linting, code smells, etc.

Jenkins

Automated deployment pipelines through Jenkins

Terraform-Chef

Infrastructure-as-code through with Terraform and Chef

Availability/SLA

  • 98+% track record
  • SLA to 99.9% provided
  • Active monitoring per site: We poll your site every 1 minute for an actual snippet of HTML from a different physical location to make sure it responds properly
  • We continually monitor all internal components of our infrastructure stack via CloudWatch, PagerDuty, GeckoBoard and Splunk

Physical security

  • Production data centres:
    • 24 x 7 video surveillance
    • Biometric entry controls
    • Two-factor authentication by all site staff
    • Equipment decommissioning to DoD 5220.22-M and NIST 800-88 standards
    • Further, detailed info here:
  • Office location (software development and client services/implementation):
    • Electronic keyfob access
    • 24 x 7 security guard and video surveillance
    • Strong physical perimeter
    • No servers/master files kept on site
    • Firewalls with NAT and Intrusion Prevention

Information security policies

We have extensive information security-related policies as part of our ISO 27001-certified ISMS which you can request for detailed information on specific topics after signing an NDA:

Certificate/audit reports:

  • ISO 27001 Certificate Brandworkz Limited
  • Brandworkz Limited ISO 27001 external stage 2 audit report

Clauses:

  • BW-IS-R-4.3 – Schedule of Interested Parties, Legal and Contractual Requirements
  • BW-IS-5.2 – Information Security Policy
  • BW-IS-6 – Information Security Risk Management
  • BW-IS-7.2 – Competence Procedure
  • BW-IS-C-6.1.5 -Project Management Policy
  • BW-IS-C-6.2 – Mobile Device and Teleworking Policy
  • BW-IS-7.2 – Competence Procedure
  • BW-IS-R-7.4 – Communication Plan

Controls:

  • BW-IS-C-6.2 – Mobile Device and Teleworking Policy
  • BW-IS-C-7 – Human Resource – Security
  • BW-IS-C-8 – Asset Management Policy
  • BW-IS-C-8.1.3 – Acceptable Use Policy
  • BW-IS-C-9 – Access Control Policy
  • BW-IS-C-10 – Cryptographic Policy
  • BW-IS-C-11 – Physical and Environmental Security
  • BW-IS-C-12 – Operating procedures for IT Management
  • BW-IS-C-13 – Network and Information Transfer Policy
  • BW-IS-C-14 – System Acquisition, Development and Maintenance Policy
  • BW-IS-C-15 – Supplier Third Party Management Policy
  • BW-IS-C-16 – Information Security Incident Management Policy
  • BW-IS-C-17 – Business Continuity – Disaster Recovery Plan for hosting platform
  • BW-PO-C-17 – Business Continuity Policy – Overall business – Summary

Integration options

The options for integration with other systems are as follows

  • Login integration
    The system can out of the box be integrated with SAML 2.0 Federated Authentication for single sign-on
  • API integration
    Brandworkz has a RESTful API with JSON responses. Please see https://apidocs.brandworkz.com for further details

Connectors

Brandworkz has several connectors to other popular MarTech applications. Please see this page for an up-to-date list: https://www.brandworkz.com/integrations/

Brandworkz Brand Management Software features

DAM

Digital Asset Management

Everything in one place so everyone can find the stuff they need when they need it

W2P

Web-to-Publish

Stop spending valuable time, money and resources on manual, low-level artwork changes

Workflow

Workflow & Annotation

Streamline, track and audit your marketing production processes – however complex

Logo Finder

Logo Finder

Let everybody find the right logo, every time – cutting out endless, tedious logo requests

Guidelines

Brand Guidelines

Educate all employees and partners on what makes you different from the competition

Reporting

Reporting & Analysis

Make better decisions from insights into your brand assets, people and processes

MS Doc Management

MS Doc Management

Every Office document on-brand and up-to-date across the whole company, sounds good right?

Showcase

Brand Showcase

Show people what good looks like and stop them reinventing the wheel by promoting best practice

Multi-Lingual

Multi-lingual

Bonjour, ¡Hola, 你好. Are you in or expanding overseas? Make them feel welcome

Multi-brand Purple

Multi-brand

Manage all your brands and their assets in one Brand Management System

Insights Purple

Brand Insights

Show people what good looks like and stop them reinventing the wheel by promoting best practice

Security White

Hosting & Security

Brandworkz industry-leading security features keep your valuable brand assets safe

Menu