Scope
This policy covers the data security practices that Data Systems International, Inc. and its subsidiaries and affiliates (collectively “DSI” or “we”) employ when providing Cloud Inventory® services and support to our customers ("you" or "your"). DSI established this policy to inform you the data security measures we have in place to protect your data. This policy also provides information to help control how your data is accessed, encrypted, and communicated from your
back-end system of record, through the DSI MASP (Mobile Application Service Provider), and then sent to web browsers and mobile devices.
Architecture
The DSI Cloud implementation for Cloud Inventory® leverages cloud-based application servers hosted in Amazon Web Services (AWS) infrastructure. These application servers provide Cloud Inventory® customers access to their own independently managed and isolated instance of the Cloud Inventory® platform. Within the tenant instance, the customer controls most aspects of the system including user management, application development, and access to remote resources within their back office.
Application developers, administrators, and mobile application users connect to the cloud-based application servers using a web browser or mobile device with the DSI Client. The traffic is routed over HTTPS with SSL encryption. Access to back-office systems of record from the cloud based MASP is provided through the use of the AES encrypted Cloud Connect Gateway installed on a server (physical or virtual) within the customer's data center. The gateway server requires that a single port be opened between the DSI Cloud infrastructure and the customer’s data center.
This diagram represents the DSI Cloud implementation architecture for Cloud Inventory®.
Figure 1: Cloud Infrastructure Diagram
In Transit and Mobile Data Security
To protect data while it is in transit between the DSI Cloud application servers and an application hosted on a mobile device, the platform encrypts all communication messages. Any at-rest data stored on the device is encrypted as well.
DSI utilizes a 256-bit AES encryption algorithm for all device-to-server and server-to-device communications, as well as data at-rest on the device.
Remote Access Control
To limit access to back-office information within the customer's data center, the DSI Cloud application servers utilize the Cloud Connect Gateway server and system service accounts to provide the application servers with access to each system of record, database, or API provider with which Cloud Inventory® will interface.
System service accounts are configured and managed by the customer's administrator(s) and only those users have access to the account information and passwords. The platform uses two types of service accounts for normal system operations. These include accounts to fulfill the following requirements.
Access systems of record through use of validated functional interfaces.
Access the database that supports the systems of record.
These are used typically for read-only database operations.
Note: An LDAP (Lightweight Directory Access Protocol) User account is also required if Cloud Inventory® will be authenticating users with the customer's LDAP identity management system.
Data Segregation
DSI Cloud implementation is based in a multi-tenant cloud configuration. All business data replicated to the cloud from the customer’s local system of record, as well as transactional data, are segregated into their own separate database hosted in Amazon RDS (Relational Database Service). All other data (e.g., users, organizational structure, applications) is separated by customer ID, and stored in a data store which is not directly accessible by the customer or third- party system.
DSI uses Amazon Web Services (AWS) as the hosting provider for all DSI Cloud implementations. These AWS data centers are state of the art and utilize innovative architectural and engineering approaches in securing their locations.
AWS data centers are housed in nondescript facilities. Physical access is strictly controlled, both at the perimeter, and at building ingress points, by professional security staff utilizing video surveillance. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff. AWS only provides data center access and information to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical access to data centers by AWS employees is logged and audited routinely.
Data Center Certifications
Amazon is a Tier 4 data center provider. It is our expectation that they will continue to maintain these critical certifications as technology evolves. DSI will routinely review Amazon’s infrastructure certifications to verify that they are maintaining top tier certifications.
AWS data center certifications include:
SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70)
SOC2
FISMA, and FedRAMP
DOD SRG Impact Levels 2-6
PCI DSS Level 1
ISO 27001
FIPS 140-2
MTCS Level 3D
Audit Reporting and Logging
Cloud Inventory® has a built-in auditing and logging system, in addition to standard security and data auditing. This system is configurable by the Customer’s Administrator and is capable of audit logging including, but not limited to, the following items:
User login/logout
Transaction date and time
Transaction data
Change in audit state
Application errors
Event data and type (these are at the system and application levels)
Seven (7) days of logs and audit data are available through the monitor utility using the web based DSI Platform Manager, to which authorized administrators have view access. If additional logging detail is required, the customer can contact the Cloud Inventory® Customer Success team, who can provide additional information on an as-needed basis.
As previously mentioned, data stored in the DSI Cloud infrastructure is hosted in an AWS infrastructure. Amazon EBS volumes are presented to the server operating system as raw unformatted block devices that have been erased or wiped prior to being made available for use. These volumes, once assigned to the server operating system, cannot be reused without first being erased. When a request is received to erase an EBS volume, the DSI Cloud operations team will work with AWS to ensure that all file systems and data on the volume(s) are completely erased, per AWS policy.
256bit AES-encryption is used on the servers that host the platform, providing encryption of data as it moves between EC2 instances and EBS storage.
User Security
Cloud Inventory® provides two identity management methods, both hosted in the DSI user repository. User accounts can be manually entered in Platform Manager or linked through LDAP integration. Both security methods provide system administrators with the ability to create user profiles and assign roles that specify Platform Manager access permissions, Mobile Client access permissions, and application access.
— The DSI-native repository offers a flexible authentication model, beginning with simple user authentication that only require a unique user ID and password to access the Client, to authentication requiring complex and expiring passwords, with or without password retention and/or lockout options.
LDAP integration allows the administrator to map LDAP attributes to DSI user profile fields, and to map Distinguished Name (DN) identifiers to DSI Organizational Units, and Roles which grant their associated privileges to the users belonging to those Organizational Units. The Platform uses an LDAP Extraction Agent which pulls the appropriate user information from the LDAP directory and creates and assigns user information and access within the DSI user repository. Each time the LDAP extraction process is run, the Platform updates the DSI user repository with any new or updated mapped information. If a user or users are disabled or removed from the LDAP system, they will be disable or removed from the DSI user repository. In addition to information pulled from the LDAP system, user profile fields are editable within the Platform. The Platform confines changes to these fields to the system, and they do not influence the LDAP server.
The platform's LDAP integration supports the Microsoft Active Directory and Oracle Internet Directory systems, which are integrated to the cloud platform servers through the Cloud Connect Gateway.
Note: All guest/public user accounts are automatically and permanently disabled.
Note: All passwords throughout the system are encrypted using the AES encryption algorithm and are obfuscated in all user interfaces, even when being entered.
Data Breach Notification
In the very unlikely event that a data breach within the AWS infrastructure occurs, it is important to remember that application specific data related to the client is segregated by the instance within the cloud computing environment. Therefore, no other clients would have access to any of the configuration, setup, transaction, application, or process related data. DSI application data is stored in access-controlled databases and encrypted XML files, therefore even direct access to the file level itself still requires a decryption key to be able to reach or access any data within the encrypted files.
If a breach does occur, notifications related to data breach will be sent to designated instance administrators, or any additional lists, by email. The list is designated by the client and is provided to DSI during initial account setup.
DSI maintains Network and Information Security Liability, Technology Errors and Omissions Liability Insurance.
Effective December 2023, Version 2.4
Customer Support