Page 1: SITS:Vision Annual Conference

SITS:Vision Annual Conference @ the Hilton Deansgate Hotel, Manchester

Mike Fisher – Technical Services Team Leader

Security and Hosting, 12-13 July 2011


Page 2: SITS:Vision Annual Conference

Introduction

■ We have undertaken a review of all our software with specific reference to security

■ As a result we have:
  ■ Made changes to the applications to enhance security
  ■ Published security recommendations for all Maytas and eTrack configurations; some of these are things we have always set up as standard
  ■ Made general infrastructure recommendations around the applications and associated servers

Page 3: SITS:Vision Annual Conference

Security Recommendations

■ We have published a document (sent with each release) outlining our recommendations for:
  ■ Database Servers
  ■ Maytas 3
  ■ Maytas 5
  ■ eTrack Online
  ■ eTrack Offline
  ■ Web and Application Servers
  ■ General Network Setup

Page 4: SITS:Vision Annual Conference

Database Server

■ The Maytas 3 user account
  ■ Configured with a default password
  ■ Can be changed to conform with local IT policies on passwords
  ■ Each application must be told of the password change

■ Database Server location
  ■ Should sit secured within a LAN
  ■ Must not be public facing

■ Database Encryption
  ■ Certain contracts specify that databases must be encrypted
  ■ Tribal practises disk-level encryption of the database

Page 5: SITS:Vision Annual Conference

Maytas 3

■ Application directory security
  ■ Can be locked down to stop users accessing the application files
  ■ Some permissions are required and are documented
  ■ Especially important when Maytas 3 is run over a terminal server

■ Maytas 3 User Editor
  ■ Ensure permissions set are as required
  ■ The ‘stever’ account…

■ Password Policies

Page 6: SITS:Vision Annual Conference

Maytas 5

■ M5 Data Services
  ■ When using a file store, switch the user to a domain account with appropriate permissions

■ Services Access Groups
  ■ Restricts who can run a ‘First Time Setup’ against the service

■ Client Machine Encryption
  ■ To encrypt any data local to the machine

■ Password Policies

Page 7: SITS:Vision Annual Conference

eTrack General

■ The eTrack evidence file store
  ■ Location and user access

■ web.config encryption

■ System Configurations
  ■ Blocked File Types
  ■ Account Lockouts
  ■ SSL Server Settings

Page 8: SITS:Vision Annual Conference

eTrack

■ eTrack Online
  ■ The IIS user
  ■ Application Directory Security
  ■ Configurable Session Timeouts
  ■ Password Policies

■ eTrack Offline
  ■ Local Data and Evidence files
  ■ Laptop encryption
  ■ Password Policies

Page 9: SITS:Vision Annual Conference

General (Applicable to All)

■ Password Policies can be set in the database and then apply to all user accounts

■ Password expiration times

■ Options for:
  ■ Password length
  ■ Number of CAPITAL letters
  ■ Number of lowercase letters
  ■ Number of numeric characters
  ■ Number of special characters (!@#$%^&*()_+|~-=\`{}[]:";'<>?,./)
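The slide lists the policy knobs but not how a check against them behaves, so the following is an added example (not code from the Tribal slides, Maytas or eTrack): a small checker that enforces the categories named above (minimum length, minimum counts of capital, lowercase, numeric and special characters, and a password expiry period) and reports every rule a candidate password fails rather than stopping at the first. The `PasswordPolicy` field names, the sample policy values (12 characters, 2 of each class, 90-day expiry) and the test passwords are assumptions constructed for the example; only the five option categories and the special-character set come from the slide.

```python
"""Added example: a password-policy checker modelled on the options listed on the
'General (Applicable to All)' slide. Field names, sample values and test
passwords are assumptions for this example, not Maytas/eTrack configuration."""
import string
from dataclasses import dataclass
from datetime import date, timedelta

# The special-character set exactly as printed on the slide (raw string so the
# backslash and backtick survive as literal characters).
SPECIAL_CHARS = frozenset(r"""!@#$%^&*()_+|~-=\`{}[]:";'<>?,./""")
UPPER = frozenset(string.ascii_uppercase)
LOWER = frozenset(string.ascii_lowercase)
DIGITS = frozenset(string.digits)


@dataclass(frozen=True)
class PasswordPolicy:
    """One policy record; in the slides this lives in the database and applies
    to every user account. Defaults here are assumed example values."""
    min_length: int = 12
    min_upper: int = 2
    min_lower: int = 2
    min_digits: int = 2
    min_special: int = 1
    expiry_days: int = 90


def check_password(password: str, policy: PasswordPolicy) -> list[str]:
    """Return every policy violation as a human-readable string.

    An empty list means the password satisfies the policy. All rules are
    evaluated so the user (or an audit script) sees the complete shortfall.
    """
    failures: list[str] = []
    if len(password) < policy.min_length:
        failures.append(f"length {len(password)} < minimum {policy.min_length}")

    # Count characters per class; a character outside all four classes
    # (e.g. a space or a non-ASCII letter) simply counts towards nothing.
    counts = {
        "capital letters": sum(c in UPPER for c in password),
        "lowercase letters": sum(c in LOWER for c in password),
        "numeric characters": sum(c in DIGITS for c in password),
        "special characters": sum(c in SPECIAL_CHARS for c in password),
    }
    minimums = {
        "capital letters": policy.min_upper,
        "lowercase letters": policy.min_lower,
        "numeric characters": policy.min_digits,
        "special characters": policy.min_special,
    }
    for name, have in counts.items():
        need = minimums[name]
        if have < need:
            failures.append(f"{name}: {have} < minimum {need}")
    return failures


def password_expired(last_changed: date, policy: PasswordPolicy, today: date) -> bool:
    """True once the password is at least `expiry_days` old on `today`."""
    return today - last_changed >= timedelta(days=policy.expiry_days)


if __name__ == "__main__":
    policy = PasswordPolicy()
    for candidate in ("Tribal-Maytas2011", "password"):  # constructed samples
        problems = check_password(candidate, policy)
        verdict = "OK" if not problems else "; ".join(problems)
        print(f"{candidate!r}: {verdict}")
    # Constructed dates: a password set on 1 April 2011, checked on conference day.
    print("expired:", password_expired(date(2011, 4, 1), policy, date(2011, 7, 12)))
```

Running the block prints one line per sample password with either `OK` or the full list of shortfalls, followed by the expiry verdict; feeding real account records through `password_expired` is how a periodic audit would find accounts past the configured expiration time.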

Page 10: SITS:Vision Annual Conference

Network Diagram

Page 11: SITS:Vision Annual Conference

Tribal Data Policies

When transmitting data to Tribal:

The local Tribal office will inform customers of a Tribal FTP site to which they can electronically submit data. A username and password will be issued to each customer as required. It is the responsibility of the customer to install and manage the necessary software to transmit data to, and receive data from, Tribal.

Files sent to Tribal must be encrypted to at least the FIPS 140-2 standard. This standard is not met by WinZip or 7-Zip, two widely used commercial compression/encryption packages. Tribal use an encryption product, SecureZip**, for the secure encryption of files, which meets the FIPS 140-2 standard when used correctly.

Page 12: SITS:Vision Annual Conference

Hosting

■ As part of our hosted service we manage all application upgrades as standard

■ The environment and our hosting team conform to ISO 27001 standards on security

■ We can supply a hosted service from 1 user upwards, hosting any combination of M3, M5 and eTrack

■ We build dedicated farms for larger setups

■ Currently we run:
  ■ The MAYTAS shared service for smaller customers (< 20 users)
  ■ 10 designated farms for larger organisations
  ■ A separate DWP security-cleared farm
  ■ Currently our largest environment has upwards of 2500 users

Page 13: SITS:Vision Annual Conference

SITS:Vision Annual Conference @ the Hilton Deansgate Hotel, Manchester