How Secure is Wovex?
How Secure is Wovex?
Wovex in the cloud hosted by Wovex on Azure is accessed through a SSL certified browser connection (256-bit encryption). Any data uploaded/downloaded has the same level of secure encryption.
If this is not enough for you talk to Wovex as we also offer On-Premise hosting for those with even higher security needs.
Wovex uses servers and services from Microsoft on the Azure platform. We host our customers' data in the region of their choosing. See: https://azure.microsoft.com/en-us/regions/.
Wovex is a cyber-security certified company.
Other technology options are also available to meet the most demanding of needs. Further details on the hosting and security aspects of Wovex are below.
Our Microsoft Azure environment meets a broad set of international, industry-specific, and country-specific compliance standards.
Rigorous third-party audits, such as those conducted by the British Standards Institute, verify adherence to standards-mandated security controls.
Compliance is maintained with leading data protection and privacy laws applicable to cloud services, and the environment complies with international and industry-specific compliance standards, such as ISO 27001, HIPAA, FedRAMP, SOC 1 and SOC 2, as well as country-specific standards such as Australia CCSL, UK G-Cloud, and Singapore MTCS.
There is more on this here, including a list of security certifications held and video overviews: https://www.microsoft.com/en-us/trustcenter/CloudServices/Azure.
For disaster recovery, Wovex has planned for failures and disasters in the cloud. We will recognise a failure quickly through the alerts we have established. We test/rehearse database recovery.
Our databases have capabilities through Azure that support availability and a variety of disaster recovery scenarios. Azure already has resiliency and disaster recovery built into its services.
Wovex can also provide two or three environments for Enterprise customers. These can be used as live environments, training environments, or testing environments for development project releases.
This provides additional recovery options. The database can be restored quickly to the training environment to minimize the loss of availability.
If a new environment needs to be established, we can automatically deploy it.
One aspect of the secure environment is the use of TDE.
The Azure SQL Database has transparent data encryption (TDE)* that helps protect against the threat of malicious activity by performing real-time encryption and decryption of the database, associated backups, and transaction log files.
TDE encrypts the storage of the entire database using a symmetric key called the database encryption key. In the SQL Database, the database encryption key is protected by a built-in server certificate, which is unique for each SQL Database server. For a general description of TDE, see Transparent Data Encryption (TDE).
For information, the SLA we have with Microsoft is:
Compute – 99.95% (21.6 mins downtime potentially per month)
SQL Database – 99.99% (4.3 mins downtime potentially per month)
Storage – 99.90% (43.2 mins downtime potentially per month)
*Transparent Data Encryption (TDE) encrypts SQL Server, Azure SQL Database, and Azure SQL Data Warehouse data files, known as encrypting data at rest. You can take several precautions to help secure the database, such as designing a secure system, encrypting confidential assets, and building a firewall around the database servers. However, in a scenario where the physical media (such as drives or backup tapes) are stolen, a malicious party can just restore or attach the database and browse the data. One solution is to encrypt the sensitive data in the database and protect the keys that are used to encrypt the data with a certificate. This prevents anyone without the keys from using the data, but this kind of protection must be planned in advance.
TDE performs real-time I/O encryption and decryption of the data and log files. The encryption uses a database encryption key (DEK), which is stored in the database boot record for availability during recovery. The DEK is a symmetric key secured by using a certificate stored in the server master database or an asymmetric key protected by an EKM module. TDE protects data "at rest", meaning the data and log files. It provides the ability to comply with many laws, regulations, and guidelines established in various industries.
Do you enable the data to be stored in the geographic region of our choosing?
Do you enable the data to be stored in the geographic region of our choosing?
Yes, with Enterprise Features add-on to your Plan Wovex enables you to choose the preferred geographic region for your data to be stored in.
Are Wovex servers for different purposes separate? For example, is the web application run by one server, and databases by another?
Are Wovex servers for different purposes separate? For example, is the web application run by one server, and databases by another?
Wovex files and databases are stored in Azure which, by default, copies all data three times within one server rack. Furthermore, the data is also spread to three different physical racks in the same data centre. This is a ‘locally redundant’ solution.
Are Wovex's database servers in a publicly accessible gateway zone?
Are Wovex's database servers in a publicly accessible gateway zone?
That depends on the definition of publicly accessible. To clarify, it is possible to access the Wovex database when (a) its address, (b) database name, (c) username, (d) password are known and (e) client IP address is on the allowed hosts' list.
With some guesswork it might (although it’s highly unlikely) be possible to obtain the database address or name and even with this information is insufficient to access. The connection will be refused as its source is not on the allowed IP list.
Does Wovex use multi-factor authentication?
Does Wovex use multi-factor authentication?
Yes. This can be enabled for customers with the Enterprise Features add-on. The standard password process allows users to make six password attempts before waiting ten minutes to retry. Passwords can be reset using a link from the login screen.
These settings can also be changed with the Enterprise Features add-on.
Do Wovex users have to confirm their mobile number (via a text message code) or email (via an activation link)?
Do Wovex users have to confirm their mobile number (via a text message code) or email (via an activation link)?
Users can invite other users with various role permission levels, and then new users will be asked to verify their identity using two-factor authentication.
For password resets initiated by a user, a reset link is set to the user's registered email address.
Can Single-Sign-On be used with Wovex?
Can Single-Sign-On be used with Wovex?
Yes, using Microsoft Active Directory.
Where are users' passwords stored?
Where are users' passwords stored?
Users' passwords are stored in the Wovex database, which is created specifically for your organisation.
What hashing algorithm (e.g. SHA-256) and meta-algorithm (e.g. bcrypt) is used to protect passwords?
What hashing algorithm (e.g. SHA-256) and meta-algorithm (e.g. bcrypt) is used to protect passwords?
Passwords are hashed with default Microsoft .NET libraries which are considered an industry standard.
On the Wovex cloud platform, is all user input validated on the server side, not just the client side?
On the Wovex cloud platform, is all user input validated on the server side, not just the client side?
Yes. We verify data on the server side and verify it on the client side.
Does Wovex use automated scanning tools on their website or codebase?
Does Wovex use automated scanning tools on their website or codebase?
Yes. Defender for Cloud and Intruder.io.
Does Wovex conduct penetration tests on its website?
Does Wovex conduct penetration tests on its website?
Yes. This is performed twice each year.
Are Wovex's log files protected from tampering?
Are Wovex's log files protected from tampering?
The current application log storing information about logging attempts is in the Wovex database. There are no methods/functions in the code to clear it.
Does the data our Organisation stores in Wovex remain our property?
Does the data our Organisation stores in Wovex remain our property?
Yes.
If we terminated the contract with Wovex, how would our data be made inaccessible and deleted?
If we terminated the contract with Wovex, how would our data be made inaccessible and deleted?
The database would be deleted using the Azure management portal.
Can Wovex employees access customers' data in any way, e.g. for helpdesk purposes?
Can Wovex employees access customers' data in any way, e.g. for helpdesk purposes?
Yes, although only a very limited set of users can do it. We also use specialist software to store the Administration passwords, and access is restricted.
If a data breach occurred, how soon could we expect to be able to speak with a Wovex representative?
If a data breach occurred, how soon could we expect to be able to speak with a Wovex representative?
Wovex response benchmark is within one hour in 98% of cases. Currently, Wovex teams are exceeding this benchmark.
Any call not meeting the one-hour response time is automatically escalated to the duty manager.
Wovex support teams operate 24 hours, 365 days.
Additionally, Wovex has a phone service that our customers can use to contact us at any time. If no one is available, an email gets sent to a distribution list. For critical contact requirements, they are authorized to contact specific Directors at home.