On the back of the industry-wide transition to cloud computing, Overbond delivers a state-of-the-art technology solution to empower our customers. This document provides a detailed description of the technologies and processes employed at Overbond and at our cloud service partner, Amazon Web Services (AWS).
Trusted by largest corporations & financial institutions
The Overbond platform employs multiple enterprise-level software development processes, including rigorous
code-level inspection of all software delivered to our clients. In doing so, we ensure that Overbond is
secure and adheres to all rules and regulations in every jurisdiction we operate in.
Overbond also places the utmost focus on data privacy and security – we employ both systemized and ongoing
user verification and identification protocols.
All data collected and generated within Overbond is encrypted at all layers of our infrastructure
All information presented to and collected from the end user is encrypted using the Secure Sockets Layer (SSL) standard, which is used to establish an encrypted link between a web server and a browser. Overbond’s implementation of SSL uses connections that are encrypted and authenticated with AES_128_GCM and uses ECDHE_RSA as the key exchange mechanism.
When a data resource that needs to be persisted reaches our application layer, it is encrypted using
AES-256 [1] before it is stored at rest on Overbond’s distributed storage service.
Furthermore, all communication within Overbond’s infrastructure (application and database layers for example)
is also encrypted using SSL.
Industry-leading cloud partner provides Overbond with a reliable infrastructure
Amazon Web Services (“AWS”) is a secure, durable technology platform with industry-recognized certifications and audits: PCI DSS Level 1, ISO 27001, FISMA Moderate, FedRAMP, HIPAA, and SOC 1 (formerly referred to as SAS 70 and/or SSAE 16) and SOC 2 audit reports. AWS ensures the highest availability and performance with multiple Availability Zones and data centres within each AWS Region. Availability Zones are connected to each other with fast, private fiber-optic networking, enabling Overbond to architect applications that automatically fail over between Availability Zones without interruption. Even some of the most data-sensitive governmental departments keep data in the cloud; the cloud allows them to maintain their compliance requirements with ease.
Antivirus and anti-malware detection runs on all environments using industry-certified tools to ensure a stable environment.
Defined and isolated user permission settings and logical data isolation ensure that all data remains accessible only to the intended permission holders.
AWS provides technologies like autoscaling, Amazon CloudFront and Amazon Route 53 to mitigate Distributed Denial of Service attacks. All data generated through the application is encrypted using industry-leading techniques: built-in encryption, Secure Sockets Layer (SSL) and hardware-based cryptographic key storage.
Built on Trust
All sensitive data is encrypted using 256-bit AES (Advanced Encryption Standard) and stored offsite with
access restricted by firewalls and access policies. Access to the data by personnel is monitored,
auditable, secured through multi-factor authentication and enforced by roles.
Our support and security personnel undergo thorough background checks.
Overbond employs the following standards to ensure user verification.
All new user requests are subject to a review process and are monitored by Overbond’s security team.
Overbond allows its dealers to grant customized permissions to their members:
Overbond enforces a complex password policy to add an extra layer of security. All passwords are stored in hashed form and never in clear text. Failed user authentication attempts are monitored and may trigger a user account lockout and/or an investigation.
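The password controls described above (a complexity policy, hashed-only storage, and lockout after repeated failures) fit together as shown in this added example. It is an illustration written for this document, not Overbond's code, and the iteration count, lockout threshold and minimum length are assumptions chosen for the example.

```python
"""Password policy, salted hashing and failed-attempt lockout.
Added illustration; not Overbond's implementation.  Uses only the standard library."""
import hashlib
import hmac
import secrets
import string

PBKDF2_ITERATIONS = 600_000   # assumption: tune to your hardware and latency budget
LOCKOUT_THRESHOLD = 5         # assumption: failed attempts before the account locks


def check_password_policy(password: str, min_length: int = 12) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    for name, present in classes.items():
        if not present:
            problems.append(f"missing {name} character")
    return problems


def hash_password(password: str) -> str:
    """Store as 'pbkdf2_sha256$iterations$salt$digest'; the clear text is never kept."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    # constant-time comparison so a timing side channel cannot leak the digest
    return hmac.compare_digest(digest.hex(), digest_hex)


class AccountStore:
    """Minimal in-memory account records with failed-attempt tracking."""

    def __init__(self):
        self.records = {}   # username -> {"hash": str, "failures": int, "locked": bool}

    def create(self, username: str, password: str) -> None:
        problems = check_password_policy(password)
        if problems:
            raise ValueError("password rejected: " + "; ".join(problems))
        self.records[username] = {"hash": hash_password(password),
                                  "failures": 0, "locked": False}

    def authenticate(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'.  Unknown users get the same answer as a
        wrong password (a production version would also run a dummy hash for them
        so the response time does not reveal which usernames exist)."""
        rec = self.records.get(username)
        if rec is None:
            return "denied"
        if rec["locked"]:
            return "locked"
        if verify_password(password, rec["hash"]):
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= LOCKOUT_THRESHOLD:
            rec["locked"] = True   # this is where a security-team alert would be raised
            return "locked"
        return "denied"
```

Note that the lockout counter resets only on a successful login, and that a locked account refuses even the correct password, which is what forces the investigation step the text mentions rather than letting an attacker simply keep trying.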
The AWS Cloud operates 42 availability zones within 16 geographic regions around the world; some of AWS’s millions of clients include FINRA, National Bank of Canada, NASDAQ, Philips, GE, and Comcast.
AWS operates the global cloud infrastructure that delivers a variety of basic computing resources such as processing and storage. The AWS global infrastructure includes the facilities, network, hardware, and operational software (e.g., host OS, virtualization software, etc.) that support the provisioning and use of these resources. The AWS global infrastructure is designed and managed according to security best practices as well as a variety of security compliance standards.
Amazon Web Services Compliance enables customers to understand the robust controls in place at AWS to maintain security and data protection in the cloud. As systems are built on top of AWS cloud infrastructure, compliance responsibilities are shared. By tying together governance-focused, audit-friendly service features with applicable compliance or audit standards, AWS Compliance enablers build on traditional programs, helping customers to establish and operate in an AWS security control environment. The IT infrastructure that AWS provides to its customers is designed and managed in alignment with security best practices and a variety of IT security standards, including:
AWS’s data centers are state of the art, utilizing innovative architectural and engineering approaches.
Amazon has many years of experience in designing, constructing, and operating large-scale data centers.
This experience has been applied to the AWS platform and infrastructure. AWS data centers are housed in
nondescript facilities. Physical access is strictly controlled both at the perimeter and at building
ingress points by professional security staff utilizing video surveillance, intrusion detection systems,
and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times
to access data center floors. All visitors and contractors are required to present identification and are
signed in and continually escorted by authorized staff.
AWS only provides data center access and information to employees and contractors who have a legitimate
business need for such privileges. When an employee no longer has a business need for these privileges,
his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web
Services. All physical access to data centers by AWS employees is logged and audited routinely.
Automatic fire detection and suppression equipment has been installed to reduce risk. The fire detection system utilizes smoke detection sensors in all data center environments, mechanical and electrical infrastructure spaces, chiller rooms and generator equipment rooms. These areas are protected by either wet-pipe, double-interlocked pre-action, or gaseous sprinkler systems.
The data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, and seven days a week. Uninterruptible Power Supply (UPS) units provide back-up power in the event of an electrical failure for critical and essential loads in the facility. Data centers use generators to provide back-up power for the entire facility.
Climate control is required to maintain a constant operating temperature for servers and other hardware, which prevents overheating and reduces the possibility of service outages. Data centers are conditioned to maintain atmospheric conditions at optimal levels. Personnel and systems monitor and control temperature and humidity at appropriate levels.
AWS monitors electrical, mechanical, and life support systems and equipment so that any issues are immediately identified. Preventative maintenance is performed to maintain the continued operability of equipment.
When a storage device has reached the end of its useful life, AWS procedures include a decommissioning process that is designed to prevent customer data from being exposed to unauthorized individuals. AWS uses the techniques detailed in DoD 5220.22-M (“National Industrial Security Program Operating Manual”) or NIST 800-88 (“Guidelines for Media Sanitization”) to destroy data as part of the decommissioning process. All decommissioned magnetic storage devices are degaussed and physically destroyed in accordance with industry-standard practices.
The AWS network has been architected to permit the level of security and resiliency appropriate for workloads. To enable the building of geographically dispersed, fault-tolerant web architectures with cloud resources, AWS has implemented a world-class network infrastructure that is carefully monitored and managed.
Network devices, including firewall and other boundary devices, are in place to monitor and control
communications at the external boundary of the network and at key internal boundaries within the network.
These boundary devices employ rule sets, access control lists (ACL), and configurations to enforce the
flow of information to specific information system services.
ACLs, or traffic flow policies, are established on each managed interface, which manage and enforce the
flow of traffic. ACL policies are approved by Amazon Information Security. These policies are automatically
pushed using AWS’s ACL-Manage tool, to help ensure these managed interfaces enforce the most up-to-date ACLs.
AWS has strategically placed a limited number of access points to the cloud to allow for a more
comprehensive monitoring of inbound and outbound communications and network traffic. These customer
access points are called API endpoints, and they allow secure HTTP access (HTTPS), which allows the
establishment of a secure communication session with the storage or compute instances within AWS.
To support customers with FIPS cryptographic requirements, the SSL-terminating load balancers in AWS
GovCloud (US) are FIPS 140-2 compliant.
In addition, AWS has implemented network devices that are dedicated to managing interfacing
communications with Internet service providers (ISPs). AWS employs a redundant connection to more than
one communication service at each Internet-facing edge of the AWS network. These connections each have
dedicated network devices.
Amazon’s infrastructure has a high level of availability and provides the capability to deploy a resilient
IT architecture. AWS has designed its systems to tolerate system or hardware failures with minimal customer
impact.
Data centers are built in clusters in various global regions. All data centers are online and serving
customers; no data center is “cold.” In case of failure, automated processes move customer data traffic
away from the affected area. Core applications are deployed in an N+1 configuration, so that in the event
of a data center failure, there is sufficient capacity to enable traffic to be load-balanced to the
remaining sites.
AWS provides the flexibility to place instances and store data within multiple geographic regions as well
as across multiple availability zones within each region. Each availability zone is designed as an
independent failure zone. This means that availability zones are physically separated within a typical
metropolitan region and are located in lower risk flood plains (specific flood zone categorization varies
by region). In addition to utilizing discrete uninterruptable power supply (UPS) and onsite backup
generators, they are each fed via different grids from independent utilities to further reduce single
points of failure. Availability zones are all redundantly connected to multiple tier-1 transit providers.
[Figure 2: Regions and Availability Zones]
Note that the number of Availability Zones may change.
AWS utilizes a wide variety of automated monitoring systems to provide a high level of service performance
and availability. AWS monitoring tools are designed to detect unusual or unauthorized activities and
conditions at ingress and egress communication points. These tools monitor server and network usage, port
scanning activities, application usage, and unauthorized intrusion attempts. The tools have the ability to
set custom performance metrics thresholds for unusual activity.
Systems within AWS are extensively instrumented to monitor key operational metrics. Alarms are configured
to automatically notify operations and management personnel when early warning thresholds are crossed on
key operational metrics. An on-call schedule is used so personnel are always available to respond to
operational issues. This includes a pager system so alarms are quickly and reliably communicated to
operations personnel.
The AWS network provides significant protection against traditional network security issues, and can
implement further protection. The following are a few examples:
In addition to monitoring, regular vulnerability scans are performed on the host operating system, web application, and databases in the AWS environment using a variety of tools. Also, AWS Security teams subscribe to newsfeeds for applicable vendor flaws and proactively monitor vendors’ websites and other relevant outlets for new patches.
Physical access to the AWS Production network is highly restricted.
AWS has established formal policies and procedures to delineate the minimum standards for logical access to AWS platform and infrastructure hosts. AWS conducts criminal background checks, as permitted by law, as part of pre-employment screening practices for employees and commensurate with the employee’s position and level of access. The policies also identify functional responsibilities for the administration of logical access and security.
AWS Security has established a credentials policy with required configurations and expiration intervals. Passwords must be complex and are forced to be changed every 90 days.
AWS’s development process follows secure software development best practices, which include formal design reviews by the AWS Security Team, threat modeling, and completion of a risk assessment. Static code analysis tools are run as a part of the standard build process, and all deployed software undergoes recurring penetration testing performed by carefully selected industry experts. The security risk assessment reviews begin during the design phase and the engagement lasts through launch to ongoing operations.
Not only is security built into every layer of the AWS infrastructure, but also into each of the services available on that infrastructure. AWS services are architected to work efficiently and securely with all AWS networks and platforms. Each service provides extensive security features to enable the protection of sensitive data and applications.
Amazon Web Services provides a variety of cloud-based computing services that include a wide selection of compute instances that can scale up and down automatically to meet needs.
Amazon Elastic Compute Cloud (EC2) is a key component in Amazon’s Infrastructure as a Service (IaaS), providing resizable computing capacity using server instances in AWS’s data centers. Amazon EC2 is designed to make web-scale computing easier by enabling the ability to obtain and configure capacity with minimal friction.
Security within Amazon EC2 is provided on multiple levels: the operating system (OS) of the host platform, the virtual instance OS or guest OS, a firewall, and signed API calls. Each of these items builds on the capabilities of the others. The goal is to prevent data contained within Amazon EC2 from being intercepted by unauthorized systems or users and to provide Amazon EC2 instances themselves that are as secure as possible without sacrificing the flexibility in configuration.
Amazon EC2 provides a complete firewall solution; this mandatory inbound firewall is configured in a
default deny-all mode and must explicitly open the ports needed to allow inbound traffic. The traffic may
be restricted by protocol, by service port, as well as by source IP address (individual IP or Classless
Inter-Domain Routing (CIDR) block).
The firewall can be configured in groups permitting different classes of instances to have different rules.
Consider, for example, the case of a traditional three-tiered web application. The group for the web servers
would have port 80 (HTTP) and/or port 443 (HTTPS) open to the Internet. The group for the application servers
would have port 8000 (application specific) accessible only to the web server group. The group for the
database servers would have port 3306 (MySQL) open only to the application server group. All three groups
would permit administrative access on port 22 (SSH), but only from the customer’s corporate network. Highly
secure applications can be deployed using this expressive mechanism. See diagram below:
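The three-tier layout just described can be checked mechanically. The following added example (an illustration written for this document, not AWS or Overbond code) models security groups as they behave on EC2: allow rules only, default deny, a rule source that is either a CIDR block or another group, and an audit helper that flags any port other than 80/443 open to the whole Internet. The corporate network range and the private addresses are constructed; the `Rule`, `SecurityGroup` and `internet_exposed_ports` names are the example's own. Security groups are also stateful (return traffic for an admitted connection is allowed automatically), so only the inbound direction is modelled here.

```python
"""Security-group evaluator for the web / app / db layout described in the text.
Added illustration, not AWS's or Overbond's code.  Addresses are constructed."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    protocol: str    # "tcp", "udp", "icmp", or "-1" for all protocols
    from_port: int
    to_port: int
    source: str      # a CIDR block, or the name of another security group


@dataclass
class SecurityGroup:
    name: str
    inbound: list = field(default_factory=list)   # allow rules only; there is no deny rule

    def allows(self, protocol, port, src_ip, src_groups=()):
        """Default deny: inbound traffic is admitted only if some rule matches.
        src_groups lists the security groups the *sending* instance belongs to."""
        for r in self.inbound:
            if r.protocol not in ("-1", protocol):
                continue
            if not (r.from_port <= port <= r.to_port):
                continue
            if "/" in r.source:   # CIDR source: match on the sender's address
                if ipaddress.ip_address(src_ip) in ipaddress.ip_network(r.source):
                    return True
            elif r.source in src_groups:   # group source: match on membership, not IP
                return True
        return False


CORPORATE_NET = "203.0.113.0/24"   # constructed: RFC 5737 documentation range

web = SecurityGroup("web", [
    Rule("tcp", 80, 80, "0.0.0.0/0"),
    Rule("tcp", 443, 443, "0.0.0.0/0"),
    Rule("tcp", 22, 22, CORPORATE_NET),
])
app = SecurityGroup("app", [
    Rule("tcp", 8000, 8000, "web"),      # only members of the web group
    Rule("tcp", 22, 22, CORPORATE_NET),
])
db = SecurityGroup("db", [
    Rule("tcp", 3306, 3306, "app"),      # only members of the app group
    Rule("tcp", 22, 22, CORPORATE_NET),
])
GROUPS = {g.name: g for g in (web, app, db)}


def internet_exposed_ports(groups, allowed_public=frozenset({80, 443})):
    """Audit helper: (group, port) pairs reachable from 0.0.0.0/0 other than the
    ports that are expected to be public.  An empty list is the desired result."""
    findings = []
    anywhere = ipaddress.ip_network("0.0.0.0/0")
    for g in groups.values():
        for r in g.inbound:
            if "/" in r.source and ipaddress.ip_network(r.source) == anywhere:
                for port in range(r.from_port, r.to_port + 1):
                    if port not in allowed_public:
                        findings.append((g.name, port))
    return findings
```

The important behaviour is in `app.allows`: the same private address is accepted when the sender is a member of the web group and refused when it is not, because a group-referencing rule matches on membership rather than on IP. The audit function is the check to run before a change ships; a rule such as SSH from `0.0.0.0/0` shows up immediately.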
Amazon Elastic Block Storage (EBS) can be used to create storage volumes from 1 GB to 16 TB that can be
mounted as devices by Amazon EC2 instances. Storage volumes behave like raw, unformatted block devices,
with user supplied device names and a block device interface. A file system can be created on top of Amazon
EBS volumes, or used as a block device (like a hard drive). Amazon EBS volume access is restricted to the
AWS Account that created the volume, and to the users under the AWS Account created with AWS IAM if the user
has been granted access to the EBS operations, thus denying all other AWS Accounts and users the permission
to view or access the volume.
Data stored in Amazon EBS volumes is redundantly stored in multiple physical locations as part of normal
operation of those services and at no additional charge. However, Amazon EBS replication is stored within
the same availability zone, not across multiple zones; therefore, it is highly recommended that regular
snapshots are conducted to Amazon S3 for long-term data durability. For customers who have architected
complex transactional databases using EBS, it is recommended that backups to Amazon S3 be performed
through the database management system so that distributed transactions and logs can be checkpointed.
Amazon Web Services provides a range of networking services that enable a logically isolated network, establish a private network connection to the AWS cloud, use a highly available and scalable DNS service and deliver content to users with low latency at high data transfer speeds with a content delivery web service.
Amazon Elastic Load Balancing is used to manage traffic on a fleet of Amazon EC2 instances, distributing traffic to instances across all availability zones within a region. Elastic Load Balancing has all the advantages of an on-premises load balancer, plus several security benefits:
Like Amazon EC2, Amazon VPC supports a complete firewall solution enabling filtering on both ingress and egress traffic from an instance. The default group enables inbound communication from other members of the same group and outbound communication to any destination. Traffic can be restricted by any IP protocol, by service port, as well as source/destination IP address (individual IP or Classless Inter-Domain Routing (CIDR) block).
To add a further layer of security within Amazon VPC, a network ACL can be configured. These are stateless
traffic filters that apply to all traffic inbound to or outbound from a subnet within Amazon VPC. These ACLs
can contain ordered rules to allow or deny traffic based upon IP protocol, service port, and
source/destination IP address.
Like security groups, network ACLs are managed through Amazon VPC APIs, adding an additional layer of
protection and enabling additional security through separation of duties. The diagram below depicts how
the security controls above inter-relate to enable flexible network topologies while providing complete
control over network traffic flows.
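Network ACLs differ from security groups in two ways that matter operationally: rules are numbered and tried in ascending order with the first match deciding (a lower-numbered deny beats a higher-numbered allow), and the filter is stateless, so a connection needs an explicit rule in each direction, including an outbound rule covering the client's ephemeral source port for the reply. This added example (written for this document, not AWS code) evaluates a constructed public-subnet ACL both ways and shows what happens when the reply rule is missing. The rule numbers, CIDRs and port range are constructed assumptions.

```python
"""Network ACL evaluator: ordered rules, first match wins, implicit '*' deny,
stateless so both directions must be allowed.  Added illustration, not AWS code."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclRule:
    number: int        # evaluation order; lower numbers are tried first
    direction: str     # "inbound" or "outbound"
    protocol: str      # "tcp", "udp", "icmp", or "-1" for all
    from_port: int
    to_port: int
    cidr: str          # source CIDR for inbound rules, destination CIDR for outbound
    action: str        # "allow" or "deny"


def evaluate(acl, direction, protocol, port, remote_ip):
    """Return (action, rule_number).  rule_number None means the implicit '*' deny matched."""
    ordered = sorted((r for r in acl if r.direction == direction), key=lambda r: r.number)
    for r in ordered:
        if r.protocol not in ("-1", protocol):
            continue
        if not (r.from_port <= port <= r.to_port):
            continue
        if ipaddress.ip_address(remote_ip) not in ipaddress.ip_network(r.cidr):
            continue
        return r.action, r.number     # first match wins; later rules are not consulted
    return "deny", None


def connection_permitted(acl, client_ip, client_port, server_port, protocol="tcp"):
    """Stateless filter: the request (inbound, dst port = server_port) AND the reply
    (outbound, dst port = the client's ephemeral port) must each be allowed."""
    request, _ = evaluate(acl, "inbound", protocol, server_port, client_ip)
    reply, _ = evaluate(acl, "outbound", protocol, client_port, client_ip)
    return request == "allow" and reply == "allow"


# Constructed public-subnet ACL: HTTPS in from anywhere except one blocked range,
# replies out on ephemeral ports.  Rule 90 precedes 100, so the deny wins for that range.
PUBLIC_SUBNET_ACL = [
    AclRule(90,  "inbound",  "tcp", 443,  443,   "198.51.100.0/24", "deny"),
    AclRule(100, "inbound",  "tcp", 443,  443,   "0.0.0.0/0",       "allow"),
    AclRule(100, "outbound", "tcp", 1024, 65535, "0.0.0.0/0",       "allow"),
]

# The same ACL with the outbound ephemeral-port rule left out: requests still arrive,
# but every reply is dropped, a classic stateless-filter misconfiguration.
ACL_MISSING_REPLY_RULE = [r for r in PUBLIC_SUBNET_ACL if r.direction == "inbound"]
```

Reading the two results side by side is the practical lesson: `PUBLIC_SUBNET_ACL` admits an HTTPS session end to end, while `ACL_MISSING_REPLY_RULE` accepts the inbound SYN and then silently discards the server's response, which looks like a hung connection rather than a firewall error. Security groups never produce this failure because they track connection state.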
A virtual private gateway enables private connectivity between the Amazon VPC and another network. Network traffic within each virtual private gateway is isolated from network traffic within all other virtual private gateways. VPN connections can be established to the virtual private gateway from gateway devices at the premises. Each connection is secured by a pre-shared key in conjunction with the IP address of the customer gateway device.
An Internet gateway may be attached to an Amazon VPC to enable direct connectivity to Amazon S3, other
AWS services, and the Internet. Each instance desiring this access must either have an Elastic IP
associated with it or route traffic through a NAT instance. Additionally, network routes are configured
(see above) to direct traffic to the Internet gateway. AWS provides reference NAT AMIs that can be extended
to perform network logging, deep packet inspection, application-layer filtering, or other security
controls.
This access can only be modified through the invocation of Amazon VPC APIs. AWS supports the ability to
grant granular access to different administrative functions on the instances and the Internet gateway,
therefore enabling the implementation of additional security through separation of duties.
Amazon Web Services provides a number of database solutions for developers and businesses—from managed relational and NoSQL database services, to in-memory caching as a service and petabyte-scale data-warehouse service.
Amazon DynamoDB is a managed NoSQL database service that provides fast and predictable performance with seamless scalability. Amazon DynamoDB enables the offloading of administrative burdens of operating and scaling distributed databases to AWS, without the worries of hardware provisioning, setup and configuration, replication, software patching, or cluster scaling.
Amazon RDS can be used to quickly create a relational database (DB) instance and flexibly scale the
associated compute resources and storage capacity to meet application demand. Amazon RDS manages the
database instance by performing backups, handling failover, and maintaining database software.
Amazon RDS has multiple features that enhance reliability for critical production databases, including DB
security groups, permissions, SSL connections, automated backups, DB snapshots, and multi-AZ deployments.
DB instances can also be deployed in an Amazon VPC for additional network isolation.
For additional network access control, DB Instances can be run in an Amazon VPC. Amazon VPC enables the
isolation of DB Instances by specifying the IP range, and connecting to the IT infrastructure through
industry-standard encrypted IPsec VPN. Running Amazon RDS in a VPC enables the ability to have a DB
instance within a private subnet. A virtual private gateway can be set up that extends the corporate
network into the VPC, and allows access to the RDS DB instance in that VPC.
DB Security Groups can be used to help secure DB Instances within an Amazon VPC. In addition, network
traffic entering and exiting each subnet can be allowed or denied via network ACLs. All network traffic
entering or exiting the Amazon VPC via the IPsec VPN connection can be inspected by on-premises security
infrastructure, including network firewalls and intrusion detection systems.
Encrypted connections are available between the application and the DB Instance using SSL. For MySQL and SQL
Server, RDS creates an SSL certificate and installs the certificate on the DB instance when the instance
is provisioned. For MySQL, launch the mysql client using the --ssl_ca parameter to reference the public
key in order to encrypt connections. For SQL Server, download the public key and import the certificate
into the Windows operating system. Oracle RDS uses Oracle native network encryption with a DB instance.
Simply add the native network encryption option to an option group and associate that option group with
the DB instance. Once an encrypted connection is established, data transferred between the DB Instance
and the application is encrypted during transfer. A DB instance can be required to accept only encrypted
connections.
Amazon RDS supports Transparent Data Encryption (TDE) for SQL Server (SQL Server Enterprise Edition) and
Oracle (part of the Oracle Advanced Security option available in Oracle Enterprise Edition). The TDE
feature automatically encrypts data before it is written to storage and automatically decrypts data when
it is read from storage. If MySQL data is required to be encrypted while “at rest” in the database, the
application must manage the encryption and decryption of data.
Overbond brings all bond market participants together. It is a digital platform that makes primary bond issuance process easy, transparent and secure. Overbond connects corporate and government issuers with dealers and investors directly. www.overbond.com
[1] http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
[2] https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf
Contact:
Vuk Magdelinic | CEO
+1 (416) 559-7101
vuk.magdelinic@overbond.com