Security practices at VoiceSage

Architecture

Security is front of mind when designing our applications, networks, and business processes

The VoiceSage security architecture is designed with consideration of a broad range of industry standards and frameworks and in tandem with our internal threat modeling process, it’s designed to balance the need for flexibility with the need for effective controls to ensure confidentiality, integrity, and availability of our customers’ data.

Applications

App dev security(OWASP), data security & information lifecycle management.

Security

Crypto & encryption, threat and vulnerability management, security incident management

Infrastructure

Asset management, access control, operations, communications security

Data centre, Cloud & offices

Physical and environmental security

Corporate

Security governance, organization of security, personnel security, supplier & third-party data management, mobile security, business continuity, audit/compliance, privacy.

The security controls that control our architecture are designed to align with a number of different standards, and due to many of the overlaps between these standards, we combine them to give us an over arching framework giving us a single list of areas to focus on and which effectively maps to the various standards that we comply against, as shown in Table 1 below.

Network

We have strict network controls with a focus on the sanctity of the “production” environment

Traditional network security theory separates the world into “inside“ and “outside” and focuses on the control points between the two areas. While we maintain strict control between our internal networks and the internet, we focus primarily on the delineation between our “production” and “non-production” environments.

We control access to our sensitive production networks through the use of strict firewall rules which require multi-factor authentication and encrypted connections. We’ve also implemented intrusion detection and prevention systems in both our office and production networks to identify potential security issues.

Application

Security by Design

During the product planning and design phase, we include engineers, security engineers, architects, QA engineers, and product managers of an application or service and discuss threats and security concerns. This information feeds into the design process and supports targeted review and testing in later phases of development.

Platform-wide Availability and Redundancy

We operate in multiple geographically diverse data centres

We host the majority of the VoiceSage platform with Amazon Web Services (AWS), our cloud hosting partners, resulting in optimal performance with redundancy and failover options globally. We maintain the service in the European Union regions and availability zones. Their data centres have been designed and optimized to host applications, have multiple levels of redundancy built in, and run on a separate front-end hardware node on which application data is stored.

We care about the high availability of your data and services. We focus on product resiliency through standards and practices that allow us to minimize downtime. Our resiliency practices are based ISO 27002. Key principles guiding our Disaster Recovery (DR) Program include:

1. Continual improvement. We strive to ensure our improvements to resiliency grows through operational efficiencies, automation, new technologies and proven practices.
2. Assurance through testing. We only know it works if we test it. With regularly scheduled testing and continual improvements, we are able to keep our DR Program at an optimum.
3. Dedicated resources. VoiceSage has dedicated teams to ensure our customer-facing products get the attention they need to make the Disaster Recovery Program possible. We have people on the ground to support our steering committee, risk assessments, business impact analysis, and testing.

Backups

We have an extensive daily and weekly backup regime

In addition to platform-wide resiliency, we also have a comprehensive backup program for our Data Repository Services. However, restore and recovery of these backups will only be provided on our own platform. If the primary storage node has a problem or becomes unavailable, the applications can be switched over to the secondary storage node.

Application database backups for VoiceSage occur on the following frequencies: daily automated backups are performed and retained for 30 days; daily manual snapshots of the standby RDS instance are sent to the secondary region and are retained for 30 days; snapshots of cross-region replicas will provide the ability to restore data in case of AWS region loss and cross-region replica loss. All snapshot and backup data is encrypted.

Business Continuity and Disaster Recovery

We have comprehensive, tested business continuity and disaster recovery plans

We strive to maintain strong Business Continuity (BC) and Disaster Recovery (DR) capabilities to ensure that the effect on our customers is minimized in the event of any disruptions to our operations.

Our Disaster Recovery Program consists of a few key practices to ensure the appropriate levels of governance, oversight, and testing:

1. Governance. Leadership involvement is key to how we run our DR Program. With leadership involved, we have both business and technical drivers accounted for in our strategy for resilience.
2. Oversight and maintenance. We take a disciplined governance, risk, and compliance approach when monitoring and managing our DR program. It enables us to operate more efficiently and effectively when monitoring, measuring, reporting, and remediating key activities within our DR program.
3. Testing. We conduct regular testing and strive for continual improvement as part of our DR lifecycle to ensure your data and the use of your data is highly available and performant.
   1. We test for levels of resiliency across AWS Availability Zones so we can handle an Availability Zone failure with minimal downtime.
   2. We copy our data backups across AWS regional data centres. If a region is down, we protect your data in a secondary region in the event of a catastrophic incident.
   3. We test for AWS region failures. We understand that a complete region failure is highly unlikely. However, we continue to test our ability to fail over services and continue to mature our regional resiliency.
   4. Backup and restore procedures are in place and tested on a regular basis. This means that when data needs to be restored, we’re prepared to get you up and running with well-trained support staff and fully tested procedures.

In addition to assurance of resiliency through governance, oversight, and testing, VoiceSage emphasizes on continual improvement throughout the DR Program:

We publish our service availability status in real-time to ensure you can access your data when you want.

Encryption and Key Management

All data sent between our customers and our applications is encrypted in transit

All data for our services is encrypted in transit over public networks using Transport Layer Security (TLS 1.2) to protect it from unauthorized disclosure or modification. Our implementation of TLS enforces the use of strong ciphers and key-lengths where supported by the browser.

Content stored within VoiceSage is encrypted at rest in our AWS RDS and EC2 file storage instances. We believe we can rely on the physical controls and management at AWS, as well as transit-level encryption to protect customer data. A minimum of 256-bit Advanced Encryption Standard (AES) is used for data files.

Customer communication is encrypted. Encryption keys created by customers are used for authentication of push and pull requests in our sFTP services.

Due care is given to managing encryption keys within VoiceSage. An owner is assigned for each key and is responsible for ensuring the appropriate level of security controls is enforced on keys.

Product Vulnerability Management

We take innovative approaches to building quality software

We have a Quality Assurance (QA) Team to ensure new features are introduced quickly and safely. We focus on cultivating a “whole team” mentality to quality by changing the role of QA to a facilitator rather than the person who does the actual QA work. We are also actively working to empower and educate developers to test their own features to our quality standards.

Product Security Testing

Internal Testing

This approach spans planning, development and testing phases, each test building on previous work and progressively getting tougher. We have an established approach to static and dynamic code analysis at both the development and testing phases. In the development phase, we focus on embedding code scanning to remove any functional and readily identifiable, non-functional security issues.

In the testing phase, both our development and security engineering team switch to an adversarial approach to attempt to break features using automated and manual testing techniques.

Our security engineering team has developed a wide range of security testing tools to automate common tasks and make specialized testing tools available to our product teams. These tools are beneficial for the security team and they empower developers to “self-serve” security scans and take ownership of the output. Our security engineering team are subject matter experts, but it’s ultimately every developer in our company who is responsible for their own code.

External Testing

Once a release moves to production, external testing takes over. We have an always-on, always-testing model through the use of daily/weekly/monthly/quarterly external vulnerability scanners and penetration tests.

When a vulnerability is identified by one of our clients during standard use of a product, we welcome notifications via our support channels and respond promptly to any vulnerabilities submitted. We keep the submitter updated as we investigate and respond to the issue.

Specialist security consultants are used to complete penetration tests on high-risk products and infrastructure, like a new infrastructure architecture (e.g., our cloud environment), a new product, or a fundamental re-architecture (e.g., the extensive use of micro-services.)

Our approach to penetration testing is highly targeted and focused. Tests will generally be:

White box: Testers are provided design documentation and briefings from product engineers to support their testing.
Code-assisted: Testers have full access to the relevant code base to help diagnose any unexpected system behavior during testing and to identify potential targets.
Threat-based: Testing focuses on a particular threat scenario, such as assuming a compromised instance exists, and testing lateral movement from that starting point.

We don’t make these reports or extracts available externally due to the extensive information made available to the testers in conducting these assessments.

Access to Customer Data

Access to customer data stored within applications is restricted on a ‘need to access’ basis

Within our platform, we treat all customer data as equally sensitive and have implemented stringent controls governing this data. Awareness training is provided to our internal employees during the on-boarding / induction process which covers the importance of and best practices for handling customer data. Further security and awareness training is provided annually or as the need requires.

Within VoiceSage, only authorized VoiceSage employees have access to customer data stored within our applications. Authentication is done via individual passphrase-protected public keys, and the servers only accept incoming SSH connections from VoiceSage and internal data centre locations.

Unauthorized or inappropriate access to customer data is treated as a security incident and managed through our incident management process. This process includes instructions to notify affected customers if a breach of policy is observed.

Physical access to our data centres, where customer data is hosted, is limited to authorized personnel only, with access being verified using biometric measures. Physical security measures for our data centres include on-premise security guards, closed-circuit video monitoring, man traps, and additional intrusion protection measures.

A broader policy governing access to customer data and metadata is included in our Privacy Policy.

Support Access

Our support teams will only access customer data when necessary to resolve an open ticket

Our support team has access to our systems and applications to facilitate maintenance and support processes. Applications and data are only able to be accessed for the purpose of application health monitoring and performing system or application maintenance, and upon customer request via our support system.

Training and Awareness

Our security training and awareness program doesn’t just check compliance boxes but results in a genuine uplift in knowledge across the company

Our awareness program is built on the premise that security is everyone’s responsibility. These responsibilities are extracted from our internal User Security Policy Program, and the training and awareness program is used as the primary vehicle for communicating these responsibilities to our staff.

Candidates and contractors are required to sign a confidentiality agreement prior to starting with us, and subsequently, during the onboarding process, security awareness courses are delivered to these new hires. Further security and awareness training is provided annually or as the need requires.

Keeping in line with the theme of ‘continuous improvement’, we disseminate security messages through company-wide email messages and blog posts. These messages generally carry a message that is relevant at that time, e.g. a newly discovered and publicised threat, and reinforces the importance of following security good practices.

Security Champions

We recognize that there are some great security thinkers outside the security team, and seek to utilize their enthusiasm and knowledge

Separate to our awareness program, we have also set up an internal “Security Champions” program. The idea behind this program is to try and get security embedded into every team at VoiceSage – to build security in. We also want to make security more accessible, and one of the ways that we’re doing this is by training people across the organization with core security knowledge – whether operational or development. This is about taking subject matter experts with a passion and aptitude for security and drafting them into the team on a part-time basis and to be our advocates in the rest of the company.

Change Management

We have embraced an Agile style change management

Traditional change management processes rely on a pyramid-style change control hierarchy. When someone wants to make a change, it has to be presented to a board that either approves or denies it. We have embraced the SCRUM Agile approach. Any member of the team or a client may add items to a backlog of requests. Every 2 weeks the SCRUM teams met and estimate effort for each task. This list is further refined and prioritised by numerious stack holders within the company. Items are taken off the top of the backlog and put into 2 weekly sprints for completion to a “Ready to Ship” standard.

Employee Hiring

We strive to hire the best

Just like any company, we want to attract and hire the best and the brightest to work for us. During recruiting, we perform employment, visa, background and financial checks (where legally required). On acceptance of an offer, we ensure each new hire has a 90-day on-boarding plan and access to on-going training based on their role.

Security Incident Management

Incidents will happen, but our speed and efficiency in response will keep the impact as low as possible.

The security team at VoiceSage aggregates logs from various sources in the hosting infrastructure and makes use of a SIEM platform to monitor and flag any suspicious activity. Our internal processes define how these alerts are triaged, investigated further, and escalated appropriately. Our customers and the wider community are encouraged to report suspected security incidents through VoiceSage Support.

In the event of a serious security incident, VoiceSage has access to the expertise internally – and through external subject matter experts – to investigate incidents and drive them until closure.

Vulnerability Management

We have an extensive vulnerability management program to ensure that we are actively seeking out weaknesses that may be present in our environment

Apart from our product-specific vulnerability management practices (discussed earlier), our security team performs on-going network vulnerability scans of both our internal and external infrastructure using an industry leading vulnerability scanner.

We also use specialist security consulting firms to complete penetration tests on high-risk products and infrastructures. Examples of this might include a new infrastructure set up for us (e.g. our Cloud environment), a new product, or a fundamental re-architecture (e.g. the extensive use of micro-services).

Internal processes are in place to review any reported vulnerabilities and act on them. The process includes predefined SLAs for patching vulnerabilities based on CVSS severity level.

Key Decisions

The decisions you make about how you set up and use our products will have a significant influence on the way security is implemented.

User Access

Being a SaaS solution, our customers are responsible for ensuring the appropriateness of user access to their data. Understanding the classification of the data that goes into the system and ensuring that users that have access to the system are authorized to access that data, are key considerations in this context.

Where applicable, using role-based authentication will make it easy to align with access restrictions that may need to be imposed to comply with data classification and handling requirements.

Encouraging users to practice good password hygiene will also mitigate threats such as password guessing and malicious parties reusing leaked credentials from materializing.