Security design

Datacentre protection is the cornerstone of our security proposition. It forms the basis for best practice, for our operations and for our infrastructure design, architecture and procurement. These are fundamental in the delivery of a world class solution for our enterprise customers.

Datacentre protection has the primary purpose of avoiding, preventing and detecting external threats and hacking attempts against our platform. As with most Internet-facing infrastructures, our IP addresses and ports are scanned constantly, and these scans occasionally escalate into more invasive attempts to compromise our systems. Our security framework is structured to prevent security breaches resulting from this traffic. The primary concerns of our Datacentre protection include:

  • DDoS and WAF mitigation services
  • Firewall, network segregation, log aggregation and IDS
  • Monitoring of devices and incidents using Threat Management tools
  • Physical controls and redundancy within the datacentre

Our security policy incorporates

Vulnerability scanning and penetration testing

An independent CREST-accredited tester runs an annual penetration test of the whole platform. The resulting test reports are available to all stakeholders in our trust centre, which can be found on our website at trust.kurtosys.com. We also support clients wishing to run their own specific tests against their sites. Client testing is subject to appropriate consent and prior approval. We will assist and cooperate with the remediation of any findings that these tests produce.

In addition, we run monthly vulnerability scans on all our production endpoints and have a vulnerability programme for remediation of the findings. We have real-time monitoring systems (IDS, Threat Management and WAF) which provide further mitigation against exploitation and automatically block malicious activity. Details of these scans and of the monitoring are available through the monthly client reporting provided by our ISOC team.


Application architecture and software development processes

Kurtosys provides a multi-tenanted architecture designed to scale elastically, offering the resilience and flexibility to accommodate growth and handle performance loads effectively. Separate Dev, Staging, UAT, pre-Production and Production environments segregate user activity and client data. They include failover and rollback strategies for applications and application servers.

The Kurtosys development approach builds the API from microservices, each service specialising in a specific task. Dividing the application into smaller services simplifies updates and scaling, which is crucial for modern cloud-native applications. These services are purposefully engineered to be scalable and resilient.

Security features prominently in the development process, which encompasses the following:

  • Secure environments and software development methodology.
  • Controlled design, QA and analysis.
  • Security checkpoints within the project milestones.
  • Managed repositories, patch management and version control.
  • Training, peer review, code analysis.
  • Change management and authorisation procedures.
  • Evaluation and testing of third party components.

Application hosting, network and infrastructure

Kurtosys applications, the products and services we offer to clients, are hosted on infrastructure services provided by the most reputable vendors, using the highest standard of security features available. We utilise the Amazon Web Services public cloud for websites and for storage of data backups and documents.


All of our Production environments are fronted by Cloudflare's external WAF, DDoS and Bot Management services for protection against first-line cyber-attacks. This also covers DNS protection and TLS certificate issuance. In addition to security protection, Cloudflare also provides edge caching and performance enhancement for our clients' end users.

We ensure that load balancing, firewall and reverse proxy rules are applied to application endpoints. All data is encrypted in transit and at rest.
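One concrete form that firewall and reverse-proxy rules take when an application sits behind an external WAF is an origin lockdown: the origin accepts connections only from the edge provider's published address ranges, and it trusts the forwarded client address only once the TCP peer has passed that check, since anyone who can reach the origin directly would otherwise bypass the WAF and could spoof the forwarded address. The following is an added example, not Kurtosys code and not a description of its actual rules. It assumes the edge forwards the real client address in the CF-Connecting-IP header (the header Cloudflare documents for this); the CIDR ranges are constructed placeholders, not the provider's real list, and a deployment must load the current published ranges instead.

```python
"""Origin-lockdown admission check for an application fronted by an edge WAF.

Added example, not Kurtosys code. Assumptions:
  - the edge forwards the real client address in CF-Connecting-IP;
  - EDGE_RANGES is a constructed sample; load the provider's current published
    list in a real deployment.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample ranges standing in for the edge provider's published list.
EDGE_RANGES = [
    ipaddress.ip_network(c)
    for c in ("198.51.100.0/24", "203.0.113.0/24", "2001:db8:1::/48")
]


def is_edge_peer(peer_ip: str) -> bool:
    """True if the TCP peer address belongs to one of the edge ranges."""
    addr = ipaddress.ip_address(peer_ip)
    # Containment returns False across IPv4/IPv6 version mismatches.
    return any(addr in net for net in EDGE_RANGES)


@dataclass
class Decision:
    accepted: bool
    client_ip: Optional[str]
    reason: str


def admit(peer_ip: str, headers: Dict[str, str]) -> Decision:
    """Decide whether a connection reaching the origin came via the edge.

    Two controls, in order:
      1. Reject any peer that is not an edge address (direct-to-origin
         connections would bypass the WAF entirely).
      2. Only after (1) passes, take the client address from CF-Connecting-IP;
         a non-edge peer could set that header to anything and defeat
         IP-based rate limits or allow-lists inside the application.
    """
    if not is_edge_peer(peer_ip):
        return Decision(False, None, f"peer {peer_ip} is not an edge address")
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    forwarded = lowered.get("cf-connecting-ip")
    if forwarded is None:
        return Decision(False, None, "edge peer but no CF-Connecting-IP header")
    try:
        client = ipaddress.ip_address(forwarded.strip())
    except ValueError:
        return Decision(False, None, f"malformed CF-Connecting-IP {forwarded!r}")
    return Decision(True, str(client), "accepted via edge")


def audit(connections: List[Dict]) -> List[str]:
    """Return the reasons for every rejected connection in a batch.

    Each record is {"peer": <tcp peer ip>, "headers": {...}}; constructed
    sample records are used in main() below.
    """
    return [
        d.reason
        for d in (admit(c["peer"], c["headers"]) for c in connections)
        if not d.accepted
    ]


if __name__ == "__main__":
    # Constructed sample connections: one legitimate, three that must be refused.
    sample = [
        {"peer": "198.51.100.7", "headers": {"CF-Connecting-IP": "192.0.2.10"}},
        {"peer": "192.0.2.10", "headers": {"CF-Connecting-IP": "10.0.0.1"}},
        {"peer": "2001:db8:1::5", "headers": {}},
        {"peer": "203.0.113.9", "headers": {"cf-connecting-ip": "not-an-ip"}},
    ]
    for rec in sample:
        print(rec["peer"], "->", admit(rec["peer"], rec["headers"]))
```

The check belongs in the reverse proxy or host firewall in front of the application rather than in application code, but the ordering shown is the point: the peer check must succeed before any forwarded-client header is believed.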

These hosted services are administered directly by Kurtosys employees with no third-party intervention.

Protecting our client hosting services