Data Security. Why you can enjoy peace of mind with KRIS Cloud.
KRIS is built and optimized on an industry-leading platform
KRIS Cloud runs on Amazon Web Services (AWS). AWS provides the fundamental building blocks of security, for example:
- Network firewalls & web application firewall
- Encryption in transit with TLS
- Private or dedicated connections from your office, with data access restricted to specific IP addresses.
- Encryption of your data at rest on AWS servers, and more.
Most decent web services offer such options, but what won us over to build and optimize KRIS on AWS was Amazon's track record of delivering on what it promises, with a strong client portfolio to show for it. Amazon is trusted by organisations such as Adobe, AOL, Bitdefender, British Gas, General Electric, NASA, NASDAQ OMX, Pfizer, Samsung, SAP, Unilever, the US Department of State and the UK Ministry of Justice, to name a few.
In addition, as part of our audits, SQL View arranges periodic penetration tests of our environment in AWS to ensure service levels are met.
Protection against the database being compromised through another system
There is always a need for other systems, servers and software to connect to the secured database, and with that comes the risk of the database being compromised through one of those systems. This is one of the most common avenues by which attackers get into a system: no matter how impenetrable the database fortress, it still has to let authorized users and external systems or software in to draw data and resources.
Here are the scenarios in which a system can be compromised through another:
- The systems or software authorized to enter the database are themselves hacked or controlled by an attacker. Data is then downloaded within the usual parameters and timings, flying under the radar when managers and security software check the logs for anomalies.
- Attackers who get into an external system find the digital keys to the database lying around unencrypted in source code or configuration files. Unlike human users, who remember passwords or keep them in a password manager, programmers need to keep these keys where the automated system can read them in order to connect to the main database.
- End users leave login credentials in public or unencrypted documents.
- Users fall victim to phishing. This can compromise the main database server directly, or an external server that is linked to it.
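The second scenario above, keys left in the clear in code and configuration, is the one that is easiest to check for mechanically. The following is an added example, not KRIS or SQL View code: a small scanner that looks for hard-coded database connection strings, AWS access key IDs, password assignments and private key blocks, while ignoring values that are merely references to a secrets manager or an environment variable. The file contents and every key or password in them are constructed samples; the patterns are illustrative heuristics, not a complete secret-scanning ruleset.

```python
"""Added example (not KRIS/SQL View code): scan source and config text for
credentials left in the clear. All file contents below are constructed samples."""
import re
from dataclasses import dataclass

# Heuristic patterns for the kinds of secrets that end up in code and config files.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "db_connection_string": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mssql|sqlserver)://[^:\s/]+:[^@\s]+@", re.I),
    "password_assignment": re.compile(
        r"""(?i)\b(password|passwd|pwd|secret|api[_-]?key)\s*[:=]\s*["']?(?P<value>[^"'\s,;]{6,})"""),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Values that are a reference (environment variable, Secrets Manager ARN, Key Vault URL)
# or a placeholder rather than the secret itself; these are the desired state, not a leak.
REFERENCE_VALUE = re.compile(
    r"^(?:\$\{?[A-Z_][A-Z0-9_]*\}?|arn:aws:secretsmanager:[^\s]+|"
    r"https://[a-z0-9-]+\.vault\.azure\.net/[^\s]+|<[^>]+>|changeme|\*+)$", re.I)


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    snippet: str


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per (line, pattern) hit, skipping reference values."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            if kind == "password_assignment" and REFERENCE_VALUE.match(m.group("value")):
                continue  # a secret reference or placeholder, not a literal secret
            findings.append(Finding(path, line_no, kind, line.strip()[:80]))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    return [f for path, text in files.items() for f in scan_text(path, text)]


# Constructed sample files for the demonstration (every value below is fake).
SAMPLE_FILES = {
    "config/app.properties": (
        "db.url=jdbc:sqlserver://kris-db.internal:1433\n"
        "db.user=kris_app\n"
        "db.password=Winter2019!\n"                      # literal password: flagged
    ),
    "src/settings.py": (
        'DATABASE_URL = "postgresql://kris:S3cretPa55@db.internal:5432/kris"\n'  # flagged
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'   # flagged
    ),
    "config/app.hardened.properties": (
        "db.url=jdbc:sqlserver://kris-db.internal:1433\n"
        "db.password=arn:aws:secretsmanager:ap-southeast-1:123456789012:secret:kris/db\n"
        "api_key=${KRIS_API_KEY}\n"                     # references only: not flagged
    ),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.kind}: {f.snippet}")
```

Run against real repositories, a scanner like this belongs in CI or a pre-commit hook so a credential is rejected before it reaches a branch an attacker could read; the hardened sample shows what the config should look like instead, a reference that is worthless without permission to resolve it.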
A real-life example in Singapore is the attack on the patient database of Singapore Health Services (SingHealth), the worst breach of personal data in Singapore's history, which compromised the data of 1.5 million patients.
It was a multi-stage attack. The attacker gained access to an external client application through conventional phishing of a user. This gave the attacker a direct, already-authorized route from that client to the patient database on the main database server, but not yet the credentials to log in to the database itself. The attacker then found a coding vulnerability in the client application that allowed the database login credentials to be retrieved, and with those finally accessed the database server.
Closing the door
The industry is actively closing this gap. Password managers for automated systems and applications, commonly called secrets managers, have been developed to store credentials securely, so legitimate automated processes can still connect to the secured database through the secrets manager without the credentials being exposed in the code.
These tools store the credentials encrypted, both at rest and in transit, and then strictly limit which IP addresses, servers and programs (identities) are allowed to retrieve each credential.
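What this changes for the application is best seen side by side. The following is an added example, not KRIS or SQL View code: the insecure configuration holds the password itself, the hardened one holds only the name of a secret, and a small provider fetches the credential at runtime through a client whose identity the secret's policy must allow, caches it briefly so rotation is picked up, and keeps the password out of repr() and therefore out of log lines. The client class stands in for boto3's secretsmanager client and mirrors its real get_secret_value(SecretId=...) call so the example runs offline; the role ARNs, secret name and passwords are constructed for the example.

```python
"""Added example (not KRIS/SQL View code): config holds a reference, the secrets
manager holds the value, and only an allowed identity can resolve one to the other."""
import json
import time
from dataclasses import dataclass, field


@dataclass
class DbCredential:
    host: str
    username: str
    password: str = field(repr=False)  # excluded from repr(), so it never lands in a log line
    expires_at: float = 0.0            # monotonic time after which the cache is refreshed


# Before: the credential sits in the config file in the clear (constructed value).
INSECURE_CONFIG = {"db_host": "kris-db.internal", "db_user": "kris_app",
                   "db_password": "Winter2019!"}

# After: the config only names the secret; its value exists only in the secrets manager.
SECURE_CONFIG = {"db_secret_id": "kris/prod/db", "refresh_seconds": 300}

APP_ROLE = "arn:aws:iam::123456789012:role/kris-api-integration"   # hypothetical ARNs
WEB_ROLE = "arn:aws:iam::123456789012:role/public-web-frontend"


class FakeSecretsManagerClient:
    """Offline stand-in for boto3.client('secretsmanager'). Like the real client it is
    bound to one identity (the IAM role whose credentials created it); the resource
    policy says which identities may read which secret."""
    def __init__(self, principal: str, store: dict[str, dict], policy: dict[str, set[str]]):
        self._principal = principal
        self._store = store      # secret_id -> current secret value
        self._policy = policy    # secret_id -> principals allowed to read it
        self.calls = 0

    def get_secret_value(self, SecretId: str) -> dict:
        self.calls += 1
        if self._principal not in self._policy.get(SecretId, set()):
            raise PermissionError(f"AccessDeniedException: {self._principal} cannot read {SecretId}")
        return {"SecretString": json.dumps(self._store[SecretId])}


class DbCredentialProvider:
    """Fetches the DB credential through the secrets manager client, caching it for
    refresh_seconds so a rotated password is picked up without a restart."""
    def __init__(self, client, config: dict, clock=time.monotonic):
        self._client, self._config, self._clock = client, config, clock
        self._cached = None  # DbCredential once fetched; never persisted to disk

    def get(self) -> DbCredential:
        now = self._clock()
        if self._cached is None or now >= self._cached.expires_at:
            resp = self._client.get_secret_value(SecretId=self._config["db_secret_id"])
            data = json.loads(resp["SecretString"])
            self._cached = DbCredential(data["host"], data["username"], data["password"],
                                        expires_at=now + self._config["refresh_seconds"])
        return self._cached


def build_demo(principal: str, clock=time.monotonic):
    """Wire up a secret store and policy (constructed sample data) for one principal."""
    store = {"kris/prod/db": {"host": "kris-db.internal", "username": "kris_app",
                              "password": "initial-password"}}
    policy = {"kris/prod/db": {APP_ROLE}}   # only the integration role may read it
    client = FakeSecretsManagerClient(principal, store, policy)
    return DbCredentialProvider(client, SECURE_CONFIG, clock), client, store


if __name__ == "__main__":
    provider, client, store = build_demo(APP_ROLE)
    cred = provider.get()
    print(cred)                    # host, username and expiry only; no password in the output
    store["kris/prod/db"]["password"] = "rotated-password"   # rotation happens in the manager
    print(provider.get() is cred)  # cached copy is reused until refresh_seconds elapse
    try:
        build_demo(WEB_ROLE)[0].get()   # a compromised web role is refused by the policy
    except PermissionError as e:
        print(e)
```

With real AWS the only change is passing boto3.client("secretsmanager") in place of the fake; the identity comes from the instance or task role, so there is no key to leak from the config, and the secret's resource policy plus the role's IAM policy take the place of the policy dict here.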
How KRIS does it differently
- VPN, IP restriction or even hardware-based authentication. For KRIS we give clients the option to allow access to KRIS only via VPN or from specific IP addresses. This mitigates most of the risk from leaked digital keys, because a leaked key cannot be used from outside the allowed network. We can also implement hardware-based authentication.
- Minimal external clients. Out of the box, the system is designed with the minimum number of external clients connecting to KRIS while still covering the key use cases of a Records Management System. The one external client we have is the Microsoft Outlook email client, which lets users secure emails with a single click from within Outlook. Outlook itself is maintained and secured by Microsoft.
- Password managers for automated systems. If needed, we can implement a password (secrets) manager for custom applications that connect to KRIS via API. We recommend AWS Secrets Manager or Microsoft Azure Key Vault to store credentials securely and give third-party applications access to the KRIS database.
At SQL View the data security of our clients is paramount. Our Document Management System is trusted by enterprises such as Far East Organization and Singapore Post, and by government agencies such as ACRA, CPF and the People's Association.