PAM Security and Availability Architecture
Mediabank Pty Ltd’s (Mediabank) Progressive Asset Management solution (PAM) has been architected to provide security and availability service capabilities required by government and corporate entities.
The PAM solution is a SaaS (software as a service) application developed and operated by Mediabank that executes in an Amazon Web Services (AWS) Virtual Private Cloud. Clients of Mediabank access PAM using the public internet.
Following sections detail key aspects of PAM’s architecture as they relate to security and availability to enable clients to evaluate the level of security and availability provided.
Where applicable, PAM aligns to best practices for OWASP and ISO27001 as well as the AWS Well Architected Framework.
Information and Records Management
PAM allows clients to manage digital content (drawings, images, etc) and information relating to the management of physical & virtual assets. No Personal Identifiable Information is stored in PAM. Client data is stored by PAM in a Multi-Tenant database and a digital asset database. Data is physically located in AWS data centres, in regions and availability zones, as agreed with the client.
Access to client data is predominantly via the PAM application. Mediabank can also supply a complete copy of a client’s data in a format and timeframe, as specified within the Service Level Agreement.
If a client terminates their account with Mediabank, their data will be made available in the agreed format, for 90 days after termination. After 90 days from termination, all client data will be removed from the PAM solution, or as agreed with the client.
PAM holds no PCI DSS eligible data.
Access to client data via the PAM application is done by using a secure network connection over the public internet. Industry standard SSL (HTTPS) protocols are used.
Once a client is established within PAM they are provided with a set of PAM user details that is able to create other users of the PAM solution with access to their data. It is the responsibility of the client to add and remove users within their client account.
User passwords salted and encrypted using one-way hashing algorithms the results of which are stored in the database. These algorithms are re-executed each login to confirm a user’s password. Passwords are not stored in clear text anywhere. This, and other password functions, ensures PAM aligns to OWASP best practices for password strength.
All client data items are associated with a client identifier when data is recorded with PAM. Retrieval of client data items within PAM requires a valid client user identifier to which a client identifier has been associated. Each client user within PAM can only access data relating to their entity.
Access to client data by non-client users is restricted to members of Mediabank’s information technology team. Information technology team members will only access client data for backup / recovery purposes, defect investigation or when a client requests a copy of their data an agreed format. Access to AWS resources that contain client data by members of the information technology team is protected by two factor authentication, detailed logging and application of the principle of least privilege (POLP) that limits access to the minimal level that will allow duties to be carried out.
From a physical security perspective, the AWS infrastructure has put strong safeguards in place to protect client data. All data is stored in highly secure AWS data centers. All data is encrypted at rest and in transit. This includes non-production environments.
PAM’s availability is enhanced by Mediabank’s adoption of a fully automated approach to the configuration and management of AWS resources used to execute the PAM application. AWS configuration details are managed using source code management tools and these configurations are applied using automated scripts to AWS resources. This approach dramatically reduces chance of human error present in non-automated infrastructure management environments and ensure systematic application of backups, logging, systems software updates, database software updates, security patches and other required resource updates.
Availability is further enhanced by the fact that PAM application software has been specifically written to execute in a distributed environment. The PAM application executes and replicates data concurrently across two physically separate AWS data centres (AZ’s), at all times. In the unlikely event that one data centre becomes unavailable, application execution and data access is able to continue, uninterrupted, on the other data centre.
Even though PAM has been architected for high levels of security and availability, incidents may occur. Mediabank adheres to selected ITIL policies and processes. ITIL’s Incident Management process is followed for Incidents that impact PAM security and availability. Each client will be notified of all incidents that affect the security and availability of their data outside of agreed service levels.
Terms used here are defined in the following table. Definitions are based on US National Institute of Standards and Technology (NIST) and Australian Signals Directorate (ASD) definitions.
Amazon Web Services – Amazon Web Services (AWS) is a secure cloud services platform, offering compute power, database storage, content delivery and other functionality. AWS cloud products, services and solutions are utilised to host & run applications in a secure, scalable and highly available manner.
Cloud-based services – On-demand delivery of ICT services over a network, commonly over the internet, from a shared pool of computing resources. “Cloud” usually refers to where the solution is provided. Key characteristics of cloud-based services are:
- On demand self-service
- Broad network access
- Resource pooling
- Rapid elasticity
- Measured service with unit based pricing
- IaaS – Infrastructure as a service – The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources. The consumer is able to deploy and run arbitrary software, which can include operating systems and applications. Computing power, networking and storage is provided.
- Incident – An unplanned interruption to a PAM service or reduction in the quality of a PAM service. Failure of a configuration item that has not yet impacted service, but has the potential to impact service, is also an incident. For example, one of the two AWS availability zones (AZ’s) becomes unavailable.
- Industry Standard Data Format – Digital assets are provided in archive (zip, gzip, bzip) bundles in the format that was used by a client to upload into PAM. Client data stored in PAM’s relational database is provided as text based structured query language export.
- ITIL – ITIL (the IT Infrastructure Library) is essentially a series of documents that are used to aid the implementation of a lifecycle framework for IT Service Management. This customisable framework defines how Service Management is applied within an organisation. It also aligned with the international standard, ISO 20000. See http://www.itil.org.uk.
- Multi-Tenant – Multiple clients using the same database. Each client’s data is discriminated by associated each item of data with a client identifier. Multi-tenancy streamlines database operations which enables higher levels of security and availability to be delivered for each client.
- Personal Information – Information that identifies a person. Personal information could be: a record which may include your name, address and other details about you photographs, images, video or audio footage.
- Private cloud – Provided solely for the use of one organisation and managed by that organisation or by a third party, provided at the organisation’s premises or off-site.
- Public cloud – The cloud infrastructure is shared via the internet with many other organisations and members of the public.
- SaaS – Software as a service – The capability provided to the client is to use the provider’s applications running on a cloud infrastructure. Full application functionality is delivered.
- Virtual Private Cloud – Amazon Web Services specific term, An elastic network populated by infrastructure, platform, and application services that share common security and interconnection.