The SCARD platform: security and compliance
Is it secure?
With the regular reports of data breaches worldwide, security and compliance for SCARD is a daily focus for us.
This post aims to provide you with some information on the technologies used by SCARD and how each component is independently secure and contributes to the overall compliance of SCARD. Since SCARD is also between versions (Version 4 > Version 5), we’re including details about both the legacy platform as well as the new system that is undergoing trials with users.
MySQL, Windows with IIS and RHEL with Apache
The critical component behind SCARD is MySQL. This is one of the most popular open-source relational database management systems and is well-regarded for its features that facilitate secure data storage and management. Its security features begin with user account management, providing a robust framework that allows administrators to set explicit user permissions at various levels – global, database, table, and even down to individual columns within tables. This granularity of access control ensures that users and applications only have the necessary privileges, limiting the potential damage from security breaches.
Versions 1 to 4
Since the introduction of the online version, SCARD has been a PHP and MySQL-based platform with a custom build of PHP on IIS for 64-bit processing before mainstream releases were available.
Internet Information Services (IIS) is a web server created by Microsoft for use with Windows Server. IIS has a strong emphasis on security, offering a variety of built-in mechanisms to help secure your websites and applications. Features like request filtering allow administrators to limit or reject specific HTTP requests, providing a defensive layer against harmful requests or potential attacks. Version 4 of SCARD is based on this platform running Internet Information Services (IIS) on Windows Server 2019.
Version 5
While still based on PHP and MySQL, Version 5 moves from a Windows-based OS to Red Hat Enterprise Linux and Apache, with Percona as the MySQL engine.
Red Hat Enterprise Linux (RHEL) is widely respected as a robust and secure platform for web servers. Its security starts with the solid foundation of the Linux kernel, renowned for its stable and secure design. RHEL has built-in security features such as SELinux, which offers mandatory access control (MAC) to limit potential exploits. It further augments system security through secure boot, firewall controls, and system auditing tools. RHEL follows a proactive approach to security with timely patches and updates released in response to discovered security vulnerabilities.
Beyond these in-built features, the value of RHEL as a secure web server platform is significantly enhanced by the strong support infrastructure provided by Red Hat. The Red Hat Security Response Team rapidly responds to emerging security threats, issues patches, and includes detailed information to administrators.
Regarding the database engine, Percona is a robust, open-source database management system that has gained popularity as a reliable alternative to MySQL. While Percona and MySQL are based on the same core technology, Percona offers several enhancements and optimizations designed to improve performance, scalability, and stability. One key differentiating factor is Percona’s focus on providing high-performance solutions for demanding and heavily loaded database environments.
Monitoring and compliance
Our RHEL servers are continuously tested against Health Insurance Portability and Accountability Act (HIPAA) “RHEL9” requirements as well as the Australian Cyber Security Centre (ACSC) “RHEL9” and “Essential 8” requirements through Red Hat’s security and compliance portal (Insights).
Physical location
The SCARD platform operates on privately-owned equipment and does not store any data in Amazon AWS, Microsoft Azure or with other public cloud providers. This equipment is housed in a Tier-III datacenter with Defense Industry Security Program accreditation.
The Defense Industry Security Program (DISP) is an initiative to ensure that companies working with Defense or other security-related government departments comply with security regulations. These standards are in place to protect classified and sensitive defence information.
Network security
Like the physical equipment, SCARD operates on a privately-owned network with four routers providing dual-layer protection for SCARD against denial-of-service attacks and intrusion attempts; each running pfSense.
pfSense is a widely used open-source firewall and router distribution based on FreeBSD. It is recognized for its robustness and versatility in managing complex network environments. It features stateful packet inspection (SPI), network address translation (NAT), VPN support, and load-balancing capabilities. The SPI functionality allows pfSense to intelligently track and control the flow of packets across the network, preventing unauthorized data transfers and enhancing the overall security of the network, which Snort complements. Snort is a highly respected open-source network intrusion detection system (IDS) and intrusion prevention system (IPS) developed by Sourcefire & owned by Cisco. As a cornerstone of many network security architectures, Snort’s primary role is to inspect network traffic in real-time and alert or take action on suspicious activity.
Backup
In what may seem unusual for an online platform, backups are stored on LTO magnetic tapes. LTO tapes offer inherent security benefits as they are an offline technology, reducing the risk of unauthorized access or cyberattacks. Additionally, LTO tapes support encryption capabilities, allowing for secure backups and ensuring the confidentiality of sensitive data.