System and Network Security

Access to production systems

Access to all systems is managed on a least privilege basis. All access to core components requires two-factor authentication and access logs are kept for reconciliation against access requests.

All production systems are accessed through bastion hosts with multi-factor authentication and IP whitelisting.

Password policy

All passwords for production systems are randomly generated, 64 characters in length, recycled regularly and are never reused.

Access logs

All access attempts to core components are logged and access to these logs is restricted to the Operations Team. All core logs are centralised for analysis.

Patch policy

Standard security patches are applied within 30 days of release and critical patches are applied as appropriate to the risk. Operating systems are upgraded at least twice annually.

Build configuration

All servers and system components are managed via Ansible and Terraform ensuring a standard build and environment configuration at all times.

Network separation

The production network is entirely separate from all other company networks. Logical components are separated into their own private subnets with strictly controlled communication channels.

Vulnerability scans

Internal vulnerability scans and penetrations tests are carried out biannually by an accredited third-party and we follow OWASP guidelines throughout development and code review.

Firewalls

Firewalls are provided by Amazon Web Services and Security Groups and network ACL usage are designed in accordance with best practice.

Monitoring, logging and alerting

System, access and other logs are centrally managed and collated and inform KPI-driven application-level metrics upon which we will base our automated monitoring and alerting.

Turtl