Security Architecture and Operating Model

2020.1

In the digital age, cyber attacks are inevitable. At FlowTrack, we are taking a “zero trust”, “minimal infrastructure” approach to managing risk and information security.

This document describes our guiding principles and aspirations in managing risk and the building blocks of our security model.

Policy Statements

FlowTrack policy requires that:

(a) FlowTrack's security program and operations should be designed and implemented with the following objectives and best practices:

  • data-centric, cloud-first
  • assume compromise therefore never trust, always verify
  • apply controls using least-privilege and defense-in-depth principles
  • avoid single point of compromise
  • automate whenever possible, the simpler the better, less is more
  • prompt self management and reward good behaviors

(b) Security shall remain a top priority in all aspects of FlowTrack's business operations and product development.

Controls and Procedures

FlowTrack Security Principles

(1) Data-centric model; zero-trust architecture

“Zero Trust” is a data-centric security design that puts micro-perimeters around specific data or assets so that more granular rules can be enforced. It remedies the deficiencies with perimeter-centric strategies and the legacy devices and technologies used to implement them. It does this by promoting “never trust, always verify” as its guiding principle. This differs substantially from conventional security models which operate on the basis of “trust but verify.”

In particular, with Zero Trust there is no default trust for any entity — including users, devices, applications, and packets—regardless of what it is and its location on or relative to the corporate network. In addition, verifying that authorized entities are always doing only what they’re allowed to do is no longer optional; it’s now mandatory.

Summary

  • No internal network. (Almost) 100% cloud.
  • Fully segregated with Granular policy enforcements.
  • Individually secured devices. No production access by default.

(2)) Least-privilege temporary access

Cyber attacks are inevitable. When it comes to preparing for potential attacks, FlowTrack security operations take the approach that assumes a compromise can happen at any time, to any device, with little to no indicators. This is also an extension of the “zero trust” model. When building security operations, we carefully perform risk analysis and threat model, to identify potential single point of compromise and to avoid having the “keys to the kingdom”.

In other words, compromise of any single system or user or credential, should not easily lead to a broad or full compromise of the entire infrastructure or operations. For example, if an attacker gains access to a admin credential (e.g. App Server Admin User), it should not directly lead to the compromise of all systems and data in the environment.

Summary

  • Need-based access control for both employees and computing services.
  • Access to critical systems and resources are closed by default, granted on demand.
  • Protected by strong multi-factor authentication.
  • No “keys to the kingdom”; no single points of compromise.
  • "Secrets" (such as SSH Keys) must remain secret at all times.

(3) Infrastructure as code builds and deploys

The FlowTrack platform leverages a multi-service architecture. This means that the system has been decomposed into numerous components that can be built and deployed individually. Before these components get deployed to our production environments, we thoroughly test and validate the changes in our lower environments which are completely isolated from production. This allows us to test upcoming changes while ensuring there is no impact to our customers.

Once a build has been validated in our lower (non-production) environments, we then deploy it to our production environment where the change will be available to FlowTrack customers and end-users.

Changes to our infrastructure (database schema changes, storage buckets, load balances, DNS entries, etc.) are also described in our source code and deployed to our environments just like the applications. This architectural approach to managing infrastructure is referred to as infrastructure as code and is a key requirement for fully automated deployments with minimal human touch.

Summary

  • Infrastructure as code with active protection.
  • Automated security scans and full traceability from code commit to production.
  • “Hands-free” deployment ensures each build is free from human error or malicious contamination.

(4) End-to-end data protection and privacy

It is of the utmost importance that FlowTrack provides for confidentiality (privacy), integrity and availability of its customer's data. Your data is protected with end-to-end encryption, combined with strong access control and key management. We also have controls on our internal employees to access our business customers data directly in production. So your data remains safe and private at all times. We will never use or share our business customers data without your prior consent.

Summary

  • Data is safe both at rest and in transit, using strong encryption, access control and key management.
  • No internal user access is allowed to customer data in production.

(5) Strong yet flexible user access

We all know by now that "Passw0rd" makes a terrible password. Access control is so important we must get it right. That's why we leverage tried-and-true technology such as Bastion Host with multi-factor authentication, and short lived temporary authorizations from our Certificate Authority that signs users personal Keys and logs each request , both for our internal staff to access business resources and for our customers to access FlowTrack platform and services.

Summary

  • Utilizing a Certificate Authority to authorize and log access.
  • Multi-factor authentication.
  • Fine-grain attribute-based or role-based authorization.

(6) Watch everything, even the watchers

You can’t protect what you can’t see.

As the famous strategist, Sun Tzu, once said, “Know thy self, know thy enemy. A thousand battles, a thousand victories.” It all starts with knowing ourselves. This applies to the infrastructure, environments, operations, users, systems, resources, and most importantly, data. It is important to inventory all assets, document all operations, identify all weaknesses, and visualize/understand all events.

This includes conducting various risk analysis, threat modeling, vulnerability assessments, application scanning, and penetration testing. Not only that, this requires security operations to keep an eye on everything, and someone should also "watch the watchers".

At first, this would require significant manual effort and may seem impossible to keep up-to-date. Our goal is to automate security operations, so that this can be achieved programmatically as our operations evolve to become more complex.

Additionally, FlowTrack security team will actively monitor threat intelligence in the community, with feeds from NH-ISAC and CISA stay abreast of the attacker activities and methodologies.

Summary

  • All environments are monitored; All events are logged; All alerts are analyzed; All assets are tracked.
  • No privileged access without prior approval or full auditing.
  • We deploy monitoring redundancy to “watch the watchers”.

(7) Centralized and automated operations

As much as possible, FlowTrack security will translate policy and compliance requirements into reusable code for easy implementation and maintenance. This allows us to truly be able to enforce policy and compliance in a fast and scalable way, rather than relying solely on written policies and intermittent manual audits. For example, end-point device policies may be translated into DockerFiles or Bash run scripts and compliance may be enforced through the agent. Access Control policies for production environments are translated into AWS IAM JSON policies and implemented via CloudFormation code.

Automation makes it truly possible to centralize security operations, including not only event aggregation and correlation, but also the orchestration and management of previously siloed security controls and remediation efforts.

Summary

  • Cloud-native security fabric that
  • centrally monitors security events,
  • visualizes risk management,
  • automates compliance audits, and
  • orchestrates near real-time remediation.

(8) Usable security

Security benefits from transparency, and should operate as an open-book. This allows the entire organization to take responsibility for and accountability of adopting security best practices. Similar to code reviews and pull requests in the development process, FlowTrack security team makes security standards and practices available to all employees for feedback prior to adoption.

We emphasize on the usability and practicality of security. A security solution or process is not effective, if it is not being used, no matter how good it may be. Having impractical security would only generate noise, provide a false sense of security, and incur unnecessary cost. Nothing is perfect, but we embrace an agile mindset to test and try, and to continuously improve.

Summary

  • All employees receive security awareness training at least annually.
  • Simple policies, processes, and procedures.
  • No “Shadow IT”.
  • DevSecOps with common goals and an integrated team.
  • Processes that encourage self management and reward good behavior.

(9) Regulatory compliant

Security != Compliance. We cannot have one without the other.

Summary

  • Regulatory Compliant;
  • Assessed and Compliant;

Security Architecture

FlowTrack developed a security architecture on top of its main infrastructure environment AWS.

Architecture Diagrams

Detailed architecture diagrams of the in-scope networks, endpoints, applications as well as the security operations are developed and maintained Internally.

Cloud Architecture

Cloud Native
  • Designed for the cloud using true multi-tenant architecture
  • Auto scaling across multiple data centers in multiple regions
  • FlowTrack services deployed inside private subnets of Virtual Private Cloud (VPC)
  • Comprehensive security and compliance testing via AWS
  • Ongoing security testing by AWS and internally
Customer Benefits
  • Infrastructure is tailored to our customer's goals and usage patterns
  • "Shared use" model reduces cost
  • Nearly infinite compute and data capacity via AWS cloud provider
  • Customers can focus on solving business problems and not worry about infrastructure
  • Automatic backup and easy recovery
  • Continuous improvements via change control process
  • Faster adoption of new technology
Evolution of Cloud Computing
  1. Baremetal

    • A computer in someone else's data center
  2. Virtual Machine

    • A portion of a computer in someone else's data center
    • In AWS, a Virtual Machine is created from Amazon Machine Image (AMI)
  3. Container

    • A package of essential application libraries and code but not the core OS libraries - Simpler to scale a docker image because - No duplication of core OS processes (networking, filesystem, etc) - Typically a Docker container

FlowTrack strives to leverage containers as the primary building blocks for our platform because:

  • Containers standardize our development and security practices across environments
  • AWS automatically scales containers based on workload
  • Containers are constantly redeployed in our release process providing automated patching to minimizes attack surface

Metrics, Measurements and Continuous Monitoring

A set of metrics / KPIs have been defined to assist in the measuring, reporting and optimizing the security program and the controls in place.

A security scorecard is produced every with updates to key metrics of the FlowTrack information security program, to measure its adoption and effectiveness.

The reports and scorecards are maintained by FlowTrack.

Quality of Service

FlowTrack strives to provide a high quality of service to all of its customers. This is accomplished through a security architecture that encompasses all of FlowTrack's operations and provides high data confidentiality, integrity, and availability.

An overview of FlowTrack's architecture can be found in Security Architecture. FlowTrack uses a highly scalable cloud architecture to provide system quality at all times.

All systems are monitored and measured in real time as described in Application Service Event Recovery.

FlowTrack uses DevOps methodology as described in Software Development Process to ensure a smooth delivery process of all systems and applications.

Status for external facing, customer applications and systems is published at .