Security is our top priority!

We take the security of your system and data as our top priority. Our track record is proven with ZERO security incidents and we are serious about keeping it that way.

Your academic data is safe with AEFIS with our “Zero Compromise Security” commitment.

Zero Compromise Security with AEFIS

Zero Compromise Security Commitment

We are committed to the security and safekeeping of your valuable academic data and we take it very seriously. As such, we have created the “AEFIS Zero Compromise Security” commitment, which is a set of rules and protocols we uphold through all our activities.

 

Single Tenant SaaS

AEFIS uses separate databases and application instances for each client for the SaaS hosted solution. Thus AEFIS data for a university is not only physically separated from that of others, but different resources can also be allocated to the application server or database instances based on the performance requirements of the installation.

 

AEFIS Security Infrastructure

AEFIS security infrastructure is broken into three main areas: AEFIS Application Security, AEFIS System Security and AEFIS Physical Security.

  1. AEFIS Application Security
    • AEFIS application security was designed based on the principle of least privilege. AEFIS has a hierarchical role-based authentication and authorization framework where users are granted access to specific business functions and data based on their role in the organization hierarchy. The definition of access in terms of both data and business function is extremely granular. A user might be given access to a single business operation, e.g. the Course Finalization operation, while he might be denied access to edit any attributes of the course. This access might be limited to a single Course, a group of Courses, all courses within a department or any similar grouping.
    • AEFIS checks application level access control at multiple layers within the architecture. The access checks are:
      1. At the UI level where each user has his own customized view of the data based on his privileges
      2. At the business process level where each business function requires authorization from the user to run
      3. At the data access level where each record is checked for access rights while the business process is accessing/updating that record
    • AEFIS is developed using an in-house built application development framework which encapsulates security functionality and authorization verification, thus minimizing the risk of developer error. Developers do not need to write custom code per business function to implement application security. The framework they use enforces all security checks.
    • The AEFIS framework provides an extended logging framework, where each request and response is logged automatically as a request goes through the processing pipeline. Thus any malicious activity will be similarly logged. AEFIS system logs are continuously monitored, and security-related (or other critical-level) logs create notifications to the security administrators so that they can be proactively monitored.
    • The AEFIS system ensures any data transmitted through any communication channel is secured during transmission. All data between the user and server is encrypted using SSL. All AEFIS passwords are hashed using PBKDF2, and for University personnel the university's native authentication system is used. All data transfers for the data feeds are done through SFTP or FTPS with proper channel security configuration.
  2. AEFIS System Security

    • The AEFIS cloud-based SaaS solution is managed within a secure datacenter. The perimeter of the datacenter network is protected by Cisco firewalls and security appliances. This Cisco equipment not only separates the datacenter network from the rest of the world, but provides a granular approach to security and protection.
    • Only necessary data ports are opened for each interface, and any attempted attacks or possible breaches of security are monitored and dealt with accordingly. The standard procedure is for an IP address to be blocked indefinitely after a certain number of failed login attempts or failed access attempts on any port on any IP address, whether internal or external. IPSec VPN tunnel access is used for remote administration when necessary.
    • For the Software as a Service (SaaS) AEFIS Solution, only ports 80 and 443 are used for global access. Additional port-based communication (such as LDAP, LDAPS, etc.) may need to be opened between the AEFIS application and the University’s server(s) to allow for successful and reliable user authentication, etc.
    • All external web communication is secured using a domain-verifying SSL certificate. All other communication is on the internal network on which the AEFIS Solution servers reside. Server operating system and application security is monitored via remote log files, and all system and application patches and security updates are applied on a regular basis to ensure the highest security as well as application reliability.
    • AEFIS application and database servers are set up with security hardening applied to the operating system, application server and database server systems utilized. All systems are set up with a minimal set of required services, removing every unnecessary system software or service. All user configurations, impersonation configurations and file access configurations use the principle of least privilege. All passwords used in the system are governed through a password policy.
  3. AEFIS Physical Security
    • The Untra datacenter is protected by 24x7 keyed access and is constantly monitored by video surveillance. Entry requires a magnetic access card as well as a unique PIN number. All servers, hardware, and other equipment are protected by FM200 fire suppression and environmental monitoring (water, temperature, humidity, etc.), as well as 120V or 208V dedicated breaker power with integrated UPS (battery back-up) power feeds and dual 1500KW diesel generators for power continuity. The Untra datacenter facility also features a raised access floor with downflow N+1 Liebert cooling to maintain an ideal operating environment for all equipment.

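The layered access checks described under AEFIS Application Security (a grant for one business operation, scoped to a course or a department, re-checked at the UI, business-process and data-access layers) can be sketched as follows. This is an added example, not AEFIS framework code; the `Grant` type, the function names and the sample course table are all hypothetical.

```python
from dataclasses import dataclass

# Constructed sample hierarchy: course -> department (hypothetical names).
COURSE_DEPARTMENT = {"CS101": "CS", "CS201": "CS", "MATH110": "MATH"}

@dataclass(frozen=True)
class Grant:
    operation: str         # one business operation, e.g. "finalize_course"
    scope_kind: str        # "course", "department" or "all"
    scope_value: str = ""  # course id or department code

class AccessDenied(Exception):
    pass

def grant_covers(grant, operation, course_id):
    if grant.operation != operation:
        return False
    if grant.scope_kind == "all":
        return True
    if grant.scope_kind == "course":
        return grant.scope_value == course_id
    if grant.scope_kind == "department":
        return COURSE_DEPARTMENT.get(course_id) == grant.scope_value
    return False  # unknown scope kinds fail closed

def is_allowed(grants, operation, course_id):
    return any(grant_covers(g, operation, course_id) for g in grants)

def visible_courses(grants, operation):
    """UI layer: list only the records the user may act on."""
    return sorted(c for c in COURSE_DEPARTMENT
                  if is_allowed(grants, operation, c))

def load_course(grants, operation, course_id, store):
    """Data-access layer: re-check rights on the individual record."""
    if not is_allowed(grants, operation, course_id):
        raise AccessDenied(f"{operation} on {course_id}")
    return store[course_id]

def finalize_course(grants, course_id, store):
    """Business-process layer: the operation itself needs authorization."""
    if not is_allowed(grants, "finalize_course", course_id):
        raise AccessDenied(f"finalize_course on {course_id}")
    record = load_course(grants, "finalize_course", course_id, store)
    record["finalized"] = True
    return record
```

Because every layer calls the same `is_allowed` decision, a request that bypasses the filtered UI view is still rejected at the business-process and record level.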
Information Security Program  

AEFIS has an established Information Security Program, and this program defines security-related policies including system-level security measures, application-level security measures, risk assessment, incident response and business continuity. The incident response policy includes processes related to:

  • Preparation: Deploy tools and provide training for incident prevention.
  • Identification: Identify incidents thoroughly, analyzing all the information related to the incident.
  • Containment: Contain the issue immediately and prevent any collateral damage, including measures such as revoking user accounts and blocking access to the servers.
  • Eradication: Get rid of the malicious code, unauthorized access, or bad employee that caused the incident.
  • Recovery: Make sure the issue is resolved and the system is updated in the right way before returning it to service. Continue to monitor the system for any similar behaviors to ensure that the incident has been fully resolved.
  • Lessons Learned: Put together a report detailing what happened, why it happened, what could have prevented it, and what you’ll be doing to prevent it from happening again. Update relevant policies to ensure the issue will not happen again.

 

Quality Assurance

The AEFIS Quality Assurance process aims to maximize the quality of software and service provided to the customer using an aggressive, development-team-supported mechanism.

The whole QA process starts from the development of the code and is integrated into AEFIS SDLC processes. Part of the process is testing of pre-release software utilizing a technology stack representative of typical customer use. This type of testing includes multiple browser versions and platforms as well as hardware (e.g. mobile devices, PCs, etc.). While a goal of AEFIS during development of new software releases is to provide the best solution possible, part of the QA process is to ensure reasonable compatibility and support of customer-utilized tools and technologies.

 
