Overview
The WennSoft solution is a SAAS (Software as a Service) solution. SAAS is a software licensing and delivery model in which software is licensed on a subscription basis and is centrally hosted. WennSoft utilizes Amazon Web Services (AWS) to host our software solution. Since none of the software is hosted at WennSoft facilities, we defer to certain security processes, disaster recovery/business continuity processes, and certifications maintained and achieved by AWS. A current and more detailed description of AWS Cloud Security can be reviewed at https://aws.amazon.com/security.
...
Amazon Web Services is responsible for protecting the global infrastructure that runs all the services offered in the AWS cloud. This infrastructure is comprised of the hardware, software, networking, and facilities that run AWS services. Protecting this infrastructure is AWS’s number one priority, and while you can’t visit AWS data centers or offices to see this protection firsthand, AWS provides several reports from third-party auditors who have verified compliance with a variety of computer security standards and regulations. For more information, visit aws.amazon.com/compliance.
...
AWS’s data centers are state of the art, utilizing innovative architectural and engineering approaches. Amazon has many years of experience in designing, constructing, and operating large-scale data centers. This experience has been applied to the AWS platform and infrastructure. AWS data centers are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.
AWS only provides data center access and information to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical access to data centers by AWS employees is logged and audited routinely.
...
Automatic fire detection and suppression equipment has been installed to reduce risk. The fire detection system utilizes smoke detection sensors in all data center environments, mechanical and electrical infrastructure spaces, chiller rooms, and generator equipment rooms. These areas are protected by either wet-pipe, double-interlocked pre-action, or gaseous sprinkler systems.
Power
...
AWS monitors electrical, mechanical, and life support systems and equipment so that any issues are immediately identified. Preventative maintenance is performed to maintain the continued operability of equipment.
Storage Device Decommissioning
When a storage device has reached the end of its useful life, AWS procedures include a decommissioning process that is designed to prevent customer data from being exposed to unauthorized individuals. AWS uses the techniques detailed in DoD 5220.22-M (“National Industrial Security Program Operating Manual”) or NIST 800-88 (“Guidelines for Media Sanitization”) to destroy data as part of the decommissioning process. All decommissioned magnetic storage devices are degaussed and physically destroyed in accordance with industry-standard practices.
...
These customer access points are called API endpoints, and they allow secure HTTP access (HTTPS), which allows you to establish a secure communication session with your storage or compute instances within AWS. To support customers with FIPS cryptographic requirements, the SSL-terminating load balancers in AWS GovCloud (US) are FIPS 140-2-compliant.
...
As important as credentials and encrypted endpoints are for preventing security problems, logs are just as crucial for understanding events after a problem has occurred. And to be effective as a security tool, a log must include not just a list of what happened and when, but also identify the source. To help with after-the-fact investigations and near-real-time intrusion detection, AWS CloudTrail provides a log of all requests for AWS resources within our environment. For each event, we can see what service was accessed, what action was performed, and who made the request.
CloudTrail captures information about every API call to every AWS resource being used, including sign-in events.
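As an added illustration (not WennSoft's or AWS's own code), the following reads a CloudTrail-style log file and pulls out exactly the fields the paragraph above calls essential: what service was accessed, what action was performed, who made the request and from where, plus a check for failed console sign-ins. The log records are constructed samples; the account id, ARN and IP addresses are placeholder values.

```python
import json
from datetime import datetime, timezone

# Constructed CloudTrail-style log file (two records) for illustration only;
# the account id, ARN and IP addresses are documentation/placeholder values.
SAMPLE_LOG = """{"Records": [
 {"eventVersion": "1.08",
  "userIdentity": {"type": "IAMUser", "userName": "ops-admin",
                   "arn": "arn:aws:iam::123456789012:user/ops-admin"},
  "eventTime": "2024-01-15T09:12:03Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "StopInstances", "awsRegion": "us-east-1",
  "sourceIPAddress": "198.51.100.7"},
 {"eventVersion": "1.08",
  "userIdentity": {"type": "IAMUser", "userName": "ops-admin",
                   "arn": "arn:aws:iam::123456789012:user/ops-admin"},
  "eventTime": "2024-01-15T09:15:44Z", "eventSource": "signin.amazonaws.com",
  "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
  "sourceIPAddress": "203.0.113.55",
  "responseElements": {"ConsoleLogin": "Failure"},
  "errorMessage": "Failed authentication"}
]}"""


def load_records(log_text):
    """CloudTrail delivers log files as a JSON object whose 'Records' key holds the events."""
    return json.loads(log_text)["Records"]


def summarize_event(record):
    """Reduce one record to the who / what / when / where that an investigation needs."""
    ident = record.get("userIdentity", {})
    when = datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    return {
        "when": when.replace(tzinfo=timezone.utc),
        "who": ident.get("arn") or ident.get("type", "unknown"),  # source of the request
        "service": record["eventSource"],                           # service accessed
        "action": record["eventName"],                              # action performed
        "source_ip": record.get("sourceIPAddress", "unknown"),
        # Sign-in events report their outcome in responseElements, not in errorCode.
        "login_failed": record["eventName"] == "ConsoleLogin"
        and record.get("responseElements", {}).get("ConsoleLogin") == "Failure",
    }


def failed_console_logins(records):
    """Return (who, source_ip, when) for every failed console sign-in, oldest first."""
    hits = [s for s in map(summarize_event, records) if s["login_failed"]]
    hits.sort(key=lambda s: s["when"])
    return [(s["who"], s["source_ip"], s["when"].isoformat()) for s in hits]
```

Running `failed_console_logins(load_records(SAMPLE_LOG))` over the sample returns the single failed sign-in with its principal, source address and UTC timestamp, the three things an after-the-fact investigation needs to attribute the event.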
...
Non-disclosure agreements (NDAs) and licensing agreements between WennSoft and our customers are normally signed during the sales and purchase process. If WennSoft’s records indicate these documents have not been signed when a customer decides to subscribe to WennSoft’s SAAS solutions, the appropriate documents will be provided for authorized signatures.
...