Security Approach & Tools

Security-First Software Development Framework

nexquare is created following a Secure Software Development Life Cycle (SDLC) that is compliant with the Open Web Application Security Project (OWASP) best-practice controls. Using Secure SDLC, application and operating system vulnerabilities, as well as secure default configurations, are addressed during application development. Coupled with rigorous functionality and security-based testing, security and performance are evaluated with each release. Security risks avoided during application development and deployment include Injection, Broken Authentication, Sensitive Data Exposure, XML External Entities, Broken Access Control, Security Misconfiguration, Cross-Site Scripting, Insecure Deserialization, Using Components with Known Vulnerabilities, and Insufficient Logging & Monitoring.

Infrastructure Security

nexquare provides several security capabilities and services to increase privacy and control network access. These include:

  • Firewall to protect the Virtual Network resources, with built-in high availability and unrestricted scalability
  • Encryption in transit with SSL across all services
DDoS Mitigation
  • Distributed denial of service (DDoS) attacks are some of the largest availability and security concerns facing customers today. A DDoS attack attempts to exhaust an application’s resources, making the application unavailable to legitimate users. DDoS attacks can be targeted at any endpoint that is publicly reachable through the internet.
  • DDoS protection, combined with application design best practices, provides defense against DDoS attacks.
  • Always-on traffic monitoring and real-time mitigation of common network-level attacks provide the same defenses utilized by online services. The entire scale of the global network can be used to distribute and mitigate attack traffic across regions. Protection is provided for IPv4 and IPv6 public IP addresses.
Data Masking and Encryption

Advanced data masking and encryption features protect student, staff and school data. All data in transit is protected via a secure SSL connection that encrypts and decrypts users' requests and responses. Individual user sessions are identified and re-verified with each transaction, using a unique token created at login.

Backups and Disaster Recovery

Using advanced secure backup technologies, data replication and failover facilities, we help perform daily backups and retain each day's backup for up to 6 months. This provides quick recovery, data integrity and availability in the event of a recovery incident, for any day within that period of up to 6 months.

Access Control
  • Application Access: Role-based privilege allocation provides access to relevant features and functions only. Users are mapped to any of the available roles (customizable) and to the access privileges defined against that role. This ensures that parts of the application outside a user's authorization are not accessible to that user.
  • Menu Access: Similar to application access, menu access is also controlled by role-based privileges. Users are mapped to any of the available roles (customizable), and the access privileges defined against it.
  • Field Access: View and edit privileges are configured at a role or individual level for all key fields in the system. This allows only people with appropriate privileges to view or edit those fields.
  • Record Access: In addition to application, menu and field access, record restriction across the system is achieved based on defined ‘hierarchy’ access, for example teachers from class A are unable to see data from class B and vice versa; primary supervisors can only see data for primary classes, etc. In addition, records can be restricted via the data masking feature.
  • Querying/Reporting Access: Access to the BI layer and analytics dashboards is given on a privilege basis similar to the rest of the features in the application. Data access is given based on hierarchy (similar to record access).
  • Security Profiles: Only the Administrator has the privilege to define the security profiles. The security profiles (permission groups) are created at a role level or at an individual level. The application, menu, field and record access restrictions detailed above are applied based on the security profiles.
Application Level
  • Firewall to protect the Virtual Network resources, with built-in high availability and unrestricted scalability
  • Capability to ensure Intrusion Detection and Intrusion Prevention.
  • firewalld and iptables to filter traffic and allow only necessary traffic.
  • Malware detection and removal tools to detect and remove malware and rootkits
  • OpenVPN for tunneling and encryption to create a secure private network between hosts on the Internet or private insecure LAN. All applications are secured using SSL. SFTP for file transfer instead of plain FTP
  • Fail2ban to identify and block brute force login attempts to services
  • Firewall: Access to services and applications is restricted to only the IPs/regions where the services are applicable
  • All open ports are regularly monitored, and unused ports are either disabled or restricted
  • OWASP Compliance standards are adhered to throughout the application to detect and arrest broken authentication and session management, sensitive data exposure, XML external entity, broken access control, cross site scripting, insecure deserialization among others.
  • Penetration Testing completion certificate through detailed Security Audit from Vul9
  • Spring Security in Application - Authentication and access control framework for Application
User Level
  • OTP mechanism for logging on the platform in addition to the static password
  • Role based privilege allocation to provide access to relevant data only
  • Customisable security policies, including:
    • Password creation (length, characters, case, reset link expiration, reuse)
    • Password verification (expiry, account lock, account deactivation)
    • Session timeout
Centralized Logging & Auditing
  • Infrastructure logs and application logs are collected at the OS level. These are forwarded over a secure connection to the centralized logging server. This includes:
    • all system logs,
    • application logs and
    • MySQL audit logs.
  • MySQL audit plugin to generate audit logs in which all database operations are logged, covering:
    • all data change/update operations
    • all data insert operations
    • all delete operations
  • Activity logs for key pages to track changes made to rules, settings and configurations, covering the following:
    • changes in privilege configurations
    • changes in component configurations
  • Activity logs cover key parameters like:
    • timestamp of the change activity, along with the school time zone
    • user who committed the change
    • the nature of the activity - is it a new data insertion or data update
    • the fields involved in the change activity: input fields, filters, checkboxes, toggle switches
    • the data in the field before the change incident
    • the data in the field after the change incident
  • All the above logs and entries are stored in Elasticsearch on the central logging server.
  • Using Elasticsearch + Fluentd + Grafana, the data is available for audit and monitoring.

nexquare Security Approach & Tools–v0.1 (Jul 2024)
