Cloud Security
Questions
Answers
Is your infrastructure in the cloud, SDDC, co-location, or on-premise? Please state provider name, unless it is on-prem.
We have deployed our application on AWS Virtual platform cloud - Singapore region.
Is your Data Security Architecture designed using an industry standard (e.g., CDSA, MULTISAFE, CSA Trusted Cloud Architectural Standard, FedRAMP, CAESARS)?
Our Data Security Architecture is designed using industry standards and best practices. We adhere to CSA, ISO 27001 and SOC 2 TSP. We have deployed our application on the AWS Virtual platform cloud, Singapore region. The cloud infrastructure provider has high levels of physical and network security and hosting provider vendor diversity.
Do you inventory, document, and maintain data flows for data that is resident (permanent or temporary) within the services' applications and infrastructure network and systems?
All our customer data is stored on the AWS Virtual platform cloud, and we collect the data only through our application platform. We do not store any customer data locally.
Are file integrity (host) and network intrusion detection (IDS) tools implemented to help facilitate timely detection, investigation by root cause analysis, and response to incidents?
File integrity (host) and network intrusion detection (IDS) tools are implemented to help facilitate timely detection and investigation.
Does the virtual machine management infrastructure include a tamper audit or software integrity function to detect changes to the build/configuration of the virtual machine?
AWS CloudTrail helps to detect changes to the build/configuration of the virtual machine.
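An added illustration of the kind of detection the answer above attributes to CloudTrail (example code, not the vendor's tooling and not an AWS-provided tool): it reads CloudTrail-format records, keeps only EC2 API calls that alter an instance's build or configuration, and raises the severity when the instance user-data (the boot script) is rewritten. The sample records are constructed and follow CloudTrail's field names (eventSource, eventName, requestParameters, userIdentity); the watched event list and the severity mapping are assumptions, not the vendor's rules.

```python
"""Flag EC2 build/configuration changes in CloudTrail-format records.

Added example; the records below are constructed samples, and the watched
event names and severities are assumptions, not a vendor or AWS policy.
"""
import json

# EC2 API calls that alter an instance's build or runtime configuration.
BUILD_CHANGING_EVENTS = {
    "RunInstances": "new instance launched",
    "TerminateInstances": "instance terminated",
    "ModifyInstanceAttribute": "instance attribute changed",
    "AttachVolume": "volume attached",
    "DetachVolume": "volume detached",
    "CreateImage": "AMI created from instance",
    "AuthorizeSecurityGroupIngress": "inbound security group rule added",
    "RevokeSecurityGroupIngress": "inbound security group rule removed",
}


def load_records(text):
    """Parse a CloudTrail log file body ({"Records": [...]}) or a bare list."""
    data = json.loads(text)
    return data["Records"] if isinstance(data, dict) else data


def classify(record):
    """Return an alert dict for a build-changing EC2 call, else None."""
    if record.get("eventSource") != "ec2.amazonaws.com":
        return None
    name = record.get("eventName")
    if name not in BUILD_CHANGING_EVENTS:
        return None
    params = record.get("requestParameters") or {}
    severity, detail = "medium", BUILD_CHANGING_EVENTS[name]
    if name == "ModifyInstanceAttribute":
        changed = sorted(k for k in params if k != "instanceId")
        # User-data is the boot script: rewriting it changes what the VM runs.
        if "userData" in changed:
            severity, detail = "high", "instance user-data (boot script) modified"
        else:
            detail = "attribute(s) changed: " + ", ".join(changed)
    return {
        "time": record.get("eventTime"),
        "actor": (record.get("userIdentity") or {}).get("arn", "unknown"),
        "source_ip": record.get("sourceIPAddress"),
        "event": name,
        "resource": params.get("instanceId") or params.get("groupId") or "unknown",
        "severity": severity,
        "detail": detail,
    }


def detect_changes(records):
    """Run classify() over every record and keep the alerts, in log order."""
    return [a for a in (classify(r) for r in records) if a is not None]


# Constructed sample records (not real account data); the account id,
# instance id, security group id and IP addresses are placeholders.
SAMPLE_JSON = json.dumps({"Records": [
    {"eventTime": "2024-01-10T08:00:12Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ops-reader"},
     "requestParameters": {}},
    {"eventTime": "2024-01-10T08:03:41Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifyInstanceAttribute", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ci-deployer"},
     "requestParameters": {"instanceId": "i-0abc1234567890def",
                           "userData": {"value": "<base64 omitted>"}}},
    {"eventTime": "2024-01-10T08:05:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "ModifyInstanceAttribute", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ci-deployer"},
     "requestParameters": {"instanceId": "i-0abc1234567890def",
                           "disableApiTermination": {"value": False}}},
    {"eventTime": "2024-01-10T08:07:19Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ci-deployer"},
     "requestParameters": {"groupId": "sg-0123456789abcdef0"}},
    {"eventTime": "2024-01-10T08:09:55Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/ops-reader"},
     "requestParameters": {"bucketName": "example-bucket", "key": "report.csv"}},
]})

if __name__ == "__main__":
    for alert in detect_changes(load_records(SAMPLE_JSON)):
        print(alert["time"], alert["severity"].upper(), alert["actor"],
              alert["event"], alert["resource"], "-", alert["detail"])
```

In practice the records would come from the CloudTrail log files delivered to S3 or from a CloudWatch Logs subscription, and the alert list would feed a ticketing or SIEM pipeline; the point of the filter is that a read-only call such as DescribeInstances and an unrelated S3 write are ignored, while the three calls that change the instance or its network exposure are surfaced with the actor and source address needed for root-cause analysis.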
Does your system's capacity requirements take into account current, projected, and anticipated capacity needs for all systems used to provide services to customers?
Our solution uses state-of-the-art cloud-native infrastructure technologies along with a microservices architecture, which allows us to scale our operations as per demand.
Are system and network environments protected by a firewall or virtual firewall to ensure business and customer security requirements?
We use a Web Application Firewall (WAF) and a pfSense firewall for security reasons. 1. The Cloudflare Web Application Firewall (Cloudflare WAF) checks incoming web requests and filters undesired traffic based on a set of rules. 2. pfSense helps to monitor incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules.
Have you implemented the necessary measures for the appropriate isolation and segmentation of customers' access to infrastructure system and network components?
We isolate our machines, network and storage in accordance with AWS standards in order to keep them safe and secure.
Are system and network environments protected by a firewall or virtual firewall to ensure protection and isolation of sensitive data?
We use a Web Application Firewall (WAF) and a pfSense firewall for security reasons.
Do you implement technical measures and apply defense-in-depth techniques (e.g., deep packet analysis, traffic throttling and black-holing) for detection and timely response to network-based attacks associated with anomalous ingress or egress traffic patterns (e.g., MAC spoofing and ARP poisoning attacks) and/or distributed denial-of-service (DDoS) attacks?
As part of the Web Application Firewall (WAF), rate limiters are installed to block multiple requests from specific IPs in order to prevent DDoS-type attacks. These are powered by intelligent daemons that detect other identifiers, such as the URLs accessed or other client properties, to automatically blacklist possible threats either temporarily or permanently.
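An added example of the control described in the answer above (illustrative code, not the vendor's implementation and not Cloudflare's): a sliding-window rate limiter keyed on client IP that also counts hits on sensitive URLs separately, issues a temporary block on the first violation, and escalates to a permanent block after repeated violations. The window size, thresholds, sensitive paths and ban durations are assumed values, and the sample traffic is constructed.

```python
"""Sliding-window rate limiter with temporary and permanent IP blocking.

Added illustration of per-IP rate limiting with URL-aware thresholds and
escalating bans; thresholds, paths and durations are assumptions.
"""
from collections import defaultdict, deque


class RateLimiter:
    def __init__(self, window_seconds=10.0, max_requests=20,
                 sensitive_paths=("/login", "/api/token"), sensitive_max_requests=5,
                 temp_ban_seconds=60.0, strikes_before_permanent=3):
        self.window = window_seconds
        self.max_requests = max_requests            # any path, per window
        self.sensitive_paths = set(sensitive_paths)  # tighter limit on these
        self.sensitive_max = sensitive_max_requests
        self.temp_ban = temp_ban_seconds
        self.strikes_before_permanent = strikes_before_permanent
        self.history = defaultdict(deque)  # ip -> deque of (timestamp, path)
        self.banned_until = {}             # ip -> time the temporary ban ends
        self.strikes = defaultdict(int)    # ip -> number of limit violations
        self.permanent = set()             # ips blocked permanently

    def check(self, ip, path, now):
        """Record one request and return 'allow', 'temp_ban' or 'perm_ban'."""
        if ip in self.permanent:
            return "perm_ban"
        if now < self.banned_until.get(ip, 0.0):
            return "temp_ban"
        q = self.history[ip]
        q.append((now, path))
        # Drop requests that have fallen out of the sliding window.
        while q and q[0][0] <= now - self.window:
            q.popleft()
        total = len(q)
        sensitive = sum(1 for _, p in q if p in self.sensitive_paths)
        if total > self.max_requests or sensitive > self.sensitive_max:
            self.strikes[ip] += 1
            q.clear()  # the ban itself covers the window; start fresh afterwards
            if self.strikes[ip] >= self.strikes_before_permanent:
                self.permanent.add(ip)
                return "perm_ban"
            self.banned_until[ip] = now + self.temp_ban
            return "temp_ban"
        return "allow"


def replay(limiter, requests):
    """Feed (timestamp, ip, path) tuples in time order; return decision counts per ip."""
    counts = defaultdict(lambda: {"allow": 0, "temp_ban": 0, "perm_ban": 0})
    for ts, ip, path in sorted(requests):
        counts[ip][limiter.check(ip, path, ts)] += 1
    return dict(counts)


# Constructed sample traffic: one normal client and one burst of login attempts.
SAMPLE_REQUESTS = (
    [(100.0 + i, "192.0.2.10", "/") for i in range(10)]
    + [(100.0 + i * 0.5, "198.51.100.77", "/login") for i in range(8)]
)

if __name__ == "__main__":
    for ip, decisions in replay(RateLimiter(), SAMPLE_REQUESTS).items():
        print(ip, decisions)
```

Two details are worth noting for anyone building on this pattern: keying on the client IP alone is weakened by shared NAT egress and by attackers rotating addresses, which is why the answer's daemons also look at URLs and other client properties; and the temporary block should be short enough that a misclassified legitimate client recovers on its own, with the permanent list reviewed by a human before it grows.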
Do you select and monitor outsourced providers in compliance with laws in the country where the data is processed, stored, and transmitted?
Yes. We monitor the compliance programs of AWS, as we store the data on their cloud.
Do you have the capability to restrict the storage of customer data to specific countries or geographic locations?
No. Currently, all the data is stored on AWS VPC, Singapore region.
Can you provide the physical location/geography of storage of a customer’s data upon request?
Yes, we inform the customer on the data storage location.
Do you make standards-based information security metrics (CSA, CAMM, etc.) available to your customers?
We are CSA STAR Level 1 compliant. See the registry entry for more information: https://cloudsecurityalliance.org/star/registry/nreach-online-services-pvt-ltd-xoxoday
Do you use industry standards (i.e. OWASP Software Assurance Maturity Model, ISO 27034) to incorporate security requirements into your Systems/Software Development Lifecycle (SDLC)?
We use the OWASP Software Assurance Maturity Model.
What services are contracted for appropriate disposal of hardware? Please provide a sample certificate of physical destruction.
Since we have deployed our application on AWS Cloud, this is not applicable to us.
What services are contracted for appropriate disposal of paper documents? Please provide a sample certificate of physical destruction.
Since we have deployed our application on AWS Cloud, this is not applicable to us. We provide a certificate of destruction of data once the data is purged/deleted from all locations, upon request from the customer.
Is physical access to data processing equipment (servers and network equipment) restricted?
We have deployed our product on the AWS Cloud virtual platform. AWS provides physical security for the data center as part of our subscription. AWS physical security: https://aws.amazon.com/compliance/data-center/controls/
Are Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS) used by your organisation?
We have implemented IDS/IPS to facilitate timely detection, investigation by root cause analysis, and response to incidents.
Are computer systems (servers) backed up according to a regular schedule?
Data backups are done on a daily basis, in a secured way, on AWS.