Included in InvestiFi Web Services:
- Quantum Ledger (keeping track of the individual user balances)
- Service Operations Center
- Integrations with Liquidity Providers and Custodians
- Integrations with front-end SDKs (Alkami, Q2, etc.)
CWS Application, Data and Network Security
- All data and PII is stored in U.S. based data centers.
- All data at rest and in transit is always encrypted.
- Regardless of where data is in any CWS application, it will be encrypted. At rest, in flight or in a snapshot all are encrypted. The encryption occurs on the servers that host the physical servers, providing encryption of data as it moves between servers and disk systems. Cloud encryption for InvestiFi applications is based on the IT industry standard AES-256 cryptographic algorithm.
- Server-side encryption provides data-at-rest encryption for data. With Server-side encryption, our system encrypts user data assets at the object level, stores the encrypted objects, and then decrypts them as they are accessed and retrieved.
- With client-side encryption, data objects are encrypted before they are written to the database.
- Server-side and client-side encryption can be combined for the highest levels of protection.
- Multi-layered security design allows only authenticated CWS users to access with minimum two factors authentication.
- CWS applications securely communicate between mobile and desktop users using industry standard Secure Socket Layers (SSL) / Transport Layer Security (TLS) encryption using SHA-2. Once an SSL/TLS session is established between the client and the InvestiFi application, all traffic is protected.
- Quantum Ledger Transaction Log: CWS’s Quantum Ledger uses blockchain technology to implement a log-based architecture. All actions taking place in the system on documents, user history, everything are appended to a blockchain in chronological order. A log-based architecture based on blockchain provides a transparent, immutable, and cryptographically verifiable transaction log owned by a central trusted authority.
- All updates to the CWS application data have historical information to tell where it came from, who created the record, who modified the record, and are marked with a date and time stamp for actions including but not limited to:
- Actions taken by any individual with administrative privileges
- Access to all audit trails
- Invalid access attempts
- Use of identification and authentication mechanisms (from a mobile, API or website)
- Creation and updates of application objects (users, documents)
- Infrastructure logging is protected by encryption and role-based access control. All activity is monitored with SMS and email alerts for any activity that falls out of standard, such as more than x number of login attempts.
- CWS applications are designed to meet Federal Information Processing Standard (FIPS) 140-2 and Common Criteria EAL4+ standards and supports a variety of industry-standard cryptographic algorithms.
- CWS system infrastructure logging enables governance, compliance, operational auditing, and risk auditing.
- CWS systems log, continuously monitor, and retain account activity related to actions across the AWS infrastructure.
OSI Model
Multiple layers of network security protect networked assets, data and end points, just as multiple layers of physical security can protect high-value physical assets. With a defense-in-depth approach CWS system security is purposely designed into the infrastructure from the beginning. There are multiple hurdles to stop potential attackers at each stage.
The hurdles include the following layers:
Physical layer includes the storage, transmission and reception of raw bit data over physical mediums (cables, wireless, hard drives, memory)
- Advanced Encryption Standard (AES) with 256-bit cipher keys protects stored information by converting it into unreadable code that cannot be deciphered by unauthorized people. In the unlikely event the physical storage is compromised, the data is not readable without the decryption keys.
Data link layer provides error-free transfer of data from one place to another over physical mediums
- Locking of physical access with deactivation at the logic level of unused ports, in order to prevent fraudulent connections which could lead to eavesdropping, flooding attacks, or ARP spoofing.
Network layer controls the operations of the subnet deciding which physical path the data takes using Internet Protocol version 4 (IPv4)
- Through geo-restriction capability, you can prevent users in specific geographic locations from accessing content
- White list API access for integrations to plant networks only
- Black list foreign networks, known compromised networks, filter access based on reputation
- Activating firewalls on the network layer can reduce such attacks, as these devices can delineate the inside of the network from the outside, making its internal/external ports correspond with the assigned address space. That is, a firewall can detect a packet that claims to come from inside, but in fact came in through the external port, and can therefore reject it or generate the corresponding warning.
Transport layer ensures that messages are delivered error-free, in sequence and no losses or duplicates
- External white list access to CWS system components
- Internal traffic white lists which map to business flows, and then have the visibility to the application, the user and the data.
- Allow communication to only trusted applications
- Rate limiting is used to control the amount of incoming and outgoing traffic to or from a network. Layered security perimeter protects against multiple types of attacks including network and application layer DDoS attacks.
Session layer allows session establishment between processes running on different servers
- Concerns at this level relate to encryption of the data transferred, authentication of the parties involved, prevention of tampering with data integrity, and avoidance of replay attacks.
- The Transfer Layer Security protocol (1.2) aims primarily to provide privacy and integrity assurances to data in motion. It does this by using a shared secret. The negotiation of a shared secret is both secure (the negotiated secret is unavailable to eavesdroppers and cannot be obtained, even by an attacker who places themselves in the middle of the connection) and reliable (no attacker can modify the communications during the negotiation without being detected).
- Ensure the servers and applications are who they say they are. Prevents man in the middle.
Presentation layer formats the data presented to the application layer. It can be viewed as the translation for the network
- Data integrity is achieved by using Avro (version 1.8.2) to define and enforce data schemas.
- Prevents illegal characters and invalid data from being committed to the application.
Application layer serves as the window for users and application processes to access the network services
- Traffic between CWS system and clients (mobile, desktop, API) is transferred encrypted
- HTTPS (HTTP over SSL/TLS) with server certificate authentication.
- Lightweight Directory Access Protocol (LDAP) for Authentication, Single Sign On and User based access control
Protection of Assets
- For the applications stored on AWS, the cloud data centers are monitored using global Security Operation Centers, which are responsible for monitoring, triaging and executing security programs.
- They provide 24/7 global support by managing and monitoring data center access activities, equipping local teams and other support teams to respond to security incidents by triaging, consulting, analyzing, and dispatching responses.
- CWS applications will correlate information gained from logical and physical monitoring systems to enhance security on an as-needed basis.
- Access to the various environments are controlled through IAM security rights as part of the cloud infrastructure. The higher the environment, the more secure the access is and controlled. Only key identifiable personnel would have access to production.
- As for company devices, all will have the standard security controls and software required to ensure data is protected at all times. No devices will hold raw secure data unless it is part of an investigation or deemed necessary as determined by management.
- Data centers are designed to anticipate and tolerate failure while maintaining service levels. In case of failure, automated processes move traffic away from the affected area. Core applications are deployed to an N+1 standard, so that in the event of a data center failure, there is sufficient capacity to enable traffic to be load-balanced.
- AWS also aligns with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). Developed originally to apply to critical infrastructure entities, the foundational set of security disciplines in the CSF can apply to any organization in any sector and regardless of size.
User Security Controls
- Security permissions are set up to allow access to PII only to those who have been authorized and deemed Trustworthy & Reliable and Fitness-For-Duty under 03-01 guidelines.
- We have granular control over which roles are granted which privileges to fields in the system. We can now assign roles only to users that require this level of access to the most sensitive data.
- Administrative users will be required to click a button to view PII on mobile devices and on computers, so it isn’t readily viewable if the administrative users are viewing CWS applications on their mobile device or in public.
- All CWS employees with access to any data or PII have went through a comprehensive background investigation.
- There are no saved passwords or autocomplete features for signing on.
- Inactivity time out is 5 minutes and can be modified upon industry request.
- The following system policies are in effect:
- Password change interval: 90 days
- Password history: 3
- Minimum password length: 8
- Password complexity: at least 1 upper case, 1 lower case, 1 number and 1 special character
- Access to the user activity log is restricted to administrator access only.
Application Development Methodologies for Security
- Given the sensitivity to our industry, security is always a high priority of our application development team which is addressed in each step of the SDLC.
- When a new version of the application has been complete, it will undergo dynamic testing in a staging environment where security vulnerabilities are addressed prior to launching a new version into production.
- All technical team members who are part of the development, testing and cyber security processes have gone through a comprehensive background investigation.