Security Overview

Data Center Security

All main WebsiteAlive services are hosted by and located within Amazon Web Services (AWS), a leading cloud computing provider.

AWS is certified by following standards:

SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70 Type II), SOC 2, FISMA, DIACAP, and FedRAMP, PCI DSS Level 1, ISO 27001, ITAR, FIPS 140-2.

• Only approved tech personnel have the clearance to connect to the network through a bastion host that restricts access to network devices and other cloud components, logging all activity for security review.
• Both WebsiteAlive and AWS incident management teams follow industry standard diagnostic procedures and provides 24x7x365 coverage to detect incidents and to manage the impact and resolution.
• All network devices, including firewalls, are under monitoring and control connections at the external boundary of the network and at key internal boundaries within the network.
• Proprietary DDoS mitigation techniques are used. Additionally, AWS’s networks are multi-homed across a number of providers to achieve Internet access diversity.
• Personal login information with restricted access is used to manage services by WebsiteAlive via the Amazon web console.
• There is a strict process of decommissioning storage devices in place. This process is to prevent customer data from being exposed to unauthorized individuals. It is based on DoD 5220.22-M “National Industrial Security Program Operating Manual” and NIST 800-88 “Guidelines for Media Sanitization”.

Server and Network Security

• All AWS services are deployed behind a network firewall that routes all deployment into isolated private networks.
• Servers have access to the Internet only via Network Access Translation (NAT).
• IDS/IPS handled by various vendors across network instances.
• WAF is applied to log and filter malicious requests.
• Remote access to the servers is granted only via Virtual Private Network (VPN) with personal (not shared) login information.
• User’s authentication and authorization is handled by various identity management technologies.
• Operating System software security updates are installed on a weekly basis. The most critical updates are installed within one business day.
• All servers' resources are monitored by two separated monitoring systems.
• Remote access to the servers is logged continually.
• The WebsiteAlive IT team is in place 24/7 to handle issues and receives urgent requests via notifications to staff.
• Data backups are performed daily with a minimum 2 week retention.

Software Security

• All sensitive information in WebsiteAlive is accessible only via HTTPS protocol (Industry standard 128-bit encryption provided by DigiCert High Assurance CA-3).
• All web services are located behind an application firewall.
• Commercial external service runs both network and application-level scans of web services for security vulnerabilities on a daily basis.
• Enterprise level antivirus with central management has been installed on all WebsiteAlive servers.
• A Central logging system is used to store real-time software errors for review.
• Sensitive web content is encrypted with industry standard algorithms across web, database, and cache instances. Passwords are encrypted and hashed.
• Penetration tests are performed on an as-needed or annual basis.