LCPtracker has contracted with Microsoft to host our application infrastructure. LCPtracker’s applications are hosted on Microsoft’s Azure cloud platform, which provides a robust, highly scalable and highly available virtual infrastructure. Scalability, high availability, backup and recovery, multi-region data replication, and disaster recovery are built in. Microsoft Azure holds FedRAMP authorization, SOC 1 and SOC 2 attestations, and ISO 27001 certification, and LCPtracker is AZRamp Authorized for confidential State data.
LCPtracker guarantees at least 99.5% availability for our SaaS software solutions over a one-year period. Downtime calculations do not include failures of LCPtracker’s or the customer’s Internet Service Provider, Microsoft Azure, or any planned LCPtracker maintenance time. Our trend over the last several months has been >99.9% availability. Production workloads are run from the WEST US region Azure datacenter (California). All data is replicated to the EAST US region Azure datacenter (Virginia).
Azure SQL takes backups automatically and runs consistency checks so that it can recover from a hardware failure. This is a built-in internal operation that supports the overall health of the service and provides for automatic recovery. Additionally, LCPtracker backs up all data on a nightly basis to a separate data store in the EAST US region Azure datacenter. Daily backups are retained for one month. Monthly backups are retained for one year. Backup integrity is tested at least annually.
Access to LCPtracker’s SaaS software solutions is controlled by Web Application Firewalls provided by Imperva. Access to the databases backing LCPtracker’s applications is further controlled by firewalls within the Azure platform. These firewalls are configured to allow controlled access to the databases for users via the LCPtracker program only, and from specific trusted IP addresses including LCPtracker development in California.
Data Transmission Security
The lock icon in the browser when connected to our web applications indicates that the connection is over HTTPS, so data between the browser and LCPtracker is encrypted in transit. LCPtracker uses TLS 1.3 with AES encryption at a 256-bit key length (the TLS_AES_256_GCM_SHA384 cipher suite) to encrypt all data in transit. The lock icon itself does not show the protocol version or cipher; those can be read from the browser’s connection details or checked with a client that refuses anything older than TLS 1.3.
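One way a customer can check this claim independently, added here as an example and not LCPtracker’s own code: a Go program that connects to a host while refusing anything below TLS 1.3 and reports the negotiated version and cipher suite, then separately tests whether the server still accepts a TLS 1.2 handshake. The hostname comes from the command line; the version and suite values used in the offline demonstration are constructed, and nothing here is specific to LCPtracker.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
	"os"
	"time"
)

// The stated policy: TLS 1.3 with AES-256. In TLS 1.3 that is exactly one
// cipher suite, TLS_AES_256_GCM_SHA384 (0x1302).
const (
	wantVersion uint16 = tls.VersionTLS13
	wantSuite   uint16 = tls.TLS_AES_256_GCM_SHA384
)

// MeetsPolicy reports whether a negotiated (version, suite) pair matches that claim.
func MeetsPolicy(version, suite uint16) bool {
	return version == wantVersion && suite == wantSuite
}

// VersionName maps a TLS version number to its usual name.
func VersionName(version uint16) string {
	switch version {
	case tls.VersionTLS13:
		return "TLS 1.3"
	case tls.VersionTLS12:
		return "TLS 1.2"
	case tls.VersionTLS11:
		return "TLS 1.1"
	case tls.VersionTLS10:
		return "TLS 1.0"
	}
	return fmt.Sprintf("unknown(0x%04x)", version)
}

// Describe renders a negotiated pair as one report line.
func Describe(version, suite uint16) string {
	return VersionName(version) + " / " + tls.CipherSuiteName(suite)
}

// negotiate opens one TLS connection with the given config and returns what was agreed.
func negotiate(host string, port int, cfg *tls.Config) (uint16, uint16, error) {
	cfg.ServerName = host
	dialer := &net.Dialer{Timeout: 5 * time.Second}
	conn, err := tls.DialWithDialer(dialer, "tcp", fmt.Sprintf("%s:%d", host, port), cfg)
	if err != nil {
		return 0, 0, err
	}
	defer conn.Close()
	st := conn.ConnectionState()
	return st.Version, st.CipherSuite, nil
}

// Probe is the positive check: connect refusing anything below TLS 1.3 and
// report what this client got. A TLS 1.3 client cannot restrict the suite
// (Go ignores Config.CipherSuites for 1.3), so the server chooses among
// AES-128-GCM, AES-256-GCM and ChaCha20; one client's result is not proof
// that every client gets AES-256.
func Probe(host string, port int) (uint16, uint16, error) {
	return negotiate(host, port, &tls.Config{MinVersion: tls.VersionTLS13})
}

// AcceptsLegacy is the negative check: if a handshake capped at TLS 1.2
// succeeds, the server still serves pre-1.3 clients, so "all data in transit
// uses TLS 1.3" does not hold for them.
func AcceptsLegacy(host string, port int) bool {
	_, _, err := negotiate(host, port, &tls.Config{MaxVersion: tls.VersionTLS12})
	return err == nil
}

func main() {
	if len(os.Args) < 2 {
		// Offline demonstration on constructed values.
		fmt.Println(Describe(tls.VersionTLS13, tls.TLS_AES_256_GCM_SHA384),
			MeetsPolicy(tls.VersionTLS13, tls.TLS_AES_256_GCM_SHA384))
		fmt.Println(Describe(tls.VersionTLS12, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384),
			MeetsPolicy(tls.VersionTLS12, tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384))
		return
	}
	host := os.Args[1]
	v, s, err := Probe(host, 443)
	if err != nil {
		fmt.Println("TLS 1.3 handshake failed:", err)
		os.Exit(1)
	}
	fmt.Printf("%s negotiated %s (meets stated policy: %v)\n", host, Describe(v, s), MeetsPolicy(v, s))
	fmt.Printf("%s still accepts TLS 1.2 or lower: %v\n", host, AcceptsLegacy(host, 443))
}
```

Run it as `go run probe.go <hostname>`. Two points follow from the code: whether AES-256 rather than AES-128 is used is decided by the server’s suite preference, so the "256-bit" statement is a server-side configuration fact, not something the browser lock icon or a single client handshake can establish; and a server that still answers a TLS 1.2 handshake protects legacy clients with whatever 1.2 suites it allows, which is worth knowing before relying on a "TLS 1.3 only" description.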
Online Services Security and Compliance (OSSC) manages the physical security of Microsoft’s data centers. Industry-leading procedures in security design and operations are utilized for each facility. Microsoft ensures the establishment of outer and inner perimeters with increasing controls through each perimeter layer.
The security system combines technology solutions such as cameras, biometrics, card readers, and alarms with traditional measures such as locks and keys. Operational controls facilitate automated monitoring and early notification if a breach or problem occurs, and enable accountability by providing auditable documentation of the data center’s physical security program. The following list gives additional examples of how Microsoft applies physical security controls:
- Restricting access to data center personnel – Microsoft provides security requirements upon which data center employees and contractors are reviewed. In addition to contractual stipulations about site staff, a further layer of security within the data center is applied to personnel that operate the facility. Access is restricted by applying a least privilege policy, so that only essential personnel are authorized to manage customers’ applications and services.
- Addressing high business impact data requirements – Microsoft has developed more stringent minimum requirements for assets categorized as being highly sensitive than for those of low or moderate sensitivity within the data centers used to provide online services. Standard security protocols regarding identification, access tokens, and logging and surveillance of site entry clearly state what type of authentication is needed. In the case of access to highly sensitive assets, multifactor authentication is required.
- Centralizing physical asset access management – As Microsoft continues to expand the number of data centers used to provide online services, a tool was developed to manage access control to physical assets, which also provides auditable records through the centralization of workflow for the process of requesting, approving, and provisioning access to data centers. This tool operates using the principle of providing the least access needed and incorporates workflow for gaining approvals from multiple authorization parties. It is configurable to site conditions and enables more efficient access to history details for reporting and compliance with audits.
The data security of LCPtracker is established in several layers. These layers include:
- Encryption in transit using TLS 1.3 and the AES encryption algorithm with 256-bit key length
- Multiple Stateful and Web Application Firewalls
- Critical data is encrypted at rest using Azure’s standard AES encryption with 256-bit key length
- Multi-Factor Authentication required for access to sensitive data
- Limits on login attempts
- A minimum password complexity requirement
- Separation of concerns among Technology and Product Development staff
Each client has isolated, secure data storage locations. Social Security numbers are optional in our databases. Where customers do collect and enter Social Security numbers, we encrypt the Social Security number at the field level. All public reports referencing Social Security numbers have redacting capabilities. Only one report lists Social Security numbers, the CPR report (PDF only), and including them on that report is optional. Only two forms display Social Security numbers: the contractor employee setup form and the administrator employee review form. This approach provides access to Social Security numbers as required by various enforcement agencies while preventing misuse.
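How field-level encryption of an optional SSN and report-time redaction fit together, as an added illustration rather than LCPtracker’s implementation: each stored value is sealed with AES-256-GCM, the row’s identity (here a constructed string of client and employee ids) is bound in as associated data so a ciphertext moved to another row fails to decrypt, and the rendering step returns either the full number or the last-four form depending on whether the viewer’s role may see it. The key and sample SSN are placeholders for the example; a real deployment would fetch the key from a key vault.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
)

var ssnPattern = regexp.MustCompile(`^[0-9]{3}-[0-9]{2}-[0-9]{4}$`)

// FieldCipher encrypts a single database field with AES-256-GCM.
type FieldCipher struct{ aead cipher.AEAD }

// NewFieldCipher wraps a 32-byte key. In production the key comes from a key
// vault, never from source or config.
func NewFieldCipher(key []byte) (*FieldCipher, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{aead: aead}, nil
}

// Seal encrypts one SSN. context identifies the row and is authenticated but
// not stored, so a ciphertext copied into another employee's row will not
// open. An empty SSN (the field is optional) stores as an empty string.
func (f *FieldCipher) Seal(ssn, context string) (string, error) {
	if ssn == "" {
		return "", nil
	}
	if !ssnPattern.MatchString(ssn) {
		return "", errors.New("SSN must be in ###-##-#### form")
	}
	nonce := make([]byte, f.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// Stored layout: nonce || ciphertext || GCM tag, base64 for a text column.
	ct := f.aead.Seal(nonce, nonce, []byte(ssn), []byte(context))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// Open reverses Seal; it fails if the ciphertext, tag or context was altered.
func (f *FieldCipher) Open(stored, context string) (string, error) {
	if stored == "" {
		return "", nil
	}
	ct, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	n := f.aead.NonceSize()
	if len(ct) < n+f.aead.Overhead() {
		return "", errors.New("stored value too short to be a sealed field")
	}
	pt, err := f.aead.Open(nil, ct[:n], ct[n:], []byte(context))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Redact is the report form: last four digits only.
func Redact(ssn string) string {
	if !ssnPattern.MatchString(ssn) {
		return "***-**-****"
	}
	return "***-**-" + ssn[7:]
}

// Render decides what a viewer sees: the full number only for roles that need
// it; everyone else gets the redacted form. An empty field renders as empty.
func Render(f *FieldCipher, stored, context string, mayViewFull bool) (string, error) {
	ssn, err := f.Open(stored, context)
	if err != nil || ssn == "" || mayViewFull {
		return ssn, err
	}
	return Redact(ssn), nil
}

func main() {
	key := make([]byte, 32) // placeholder key for this demonstration only
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	fc, _ := NewFieldCipher(key)
	ctx := "client=42;employee=7" // constructed row identity
	stored, _ := fc.Seal("123-45-6789", ctx)
	full, _ := Render(fc, stored, ctx, true)
	masked, _ := Render(fc, stored, ctx, false)
	_, swapErr := fc.Open(stored, "client=42;employee=8")
	fmt.Println(full, masked, swapErr != nil)
}
```

The associated-data binding is the part a plain "encrypt the column" design misses: without it, anyone with write access to the table could copy one employee’s sealed SSN into another record and have the application decrypt it in the wrong context. Per-client keys, which the isolated storage described above would allow, and rotation before the 96-bit random nonce has been used on the order of 2^32 times per key are the two operational controls to add on top of this.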
Additionally, LCPtracker imposes the following internal security steps:
- Access to database is limited to a small set of highly vetted, senior employees
- Background checks are performed at time of hiring on all employees
- Tools built into LCPtracker limit the amount of data that can be accessed at one time; this limit does not apply to the few staff with direct database access.
Azure is a multiply redundant server environment.
The first line of recovery is avoiding an outage at all: the system is fully redundant, so the failure of any single component does not take down the whole service. LCPtracker receives automatic notification of failures so that corrective action can begin immediately.
Disaster Recovery Plan
The LCPtracker Disaster Recovery plan assumes that an Azure datacenter can go down at some time. The goal is to recover from a disaster in an acceptable time while minimizing the loss of data.
1. Web application
To mitigate lcptracker.net (web app) downtime during a datacenter outage an Active/Passive deployment topology has been implemented.
Azure Traffic Manager is Microsoft’s DNS-based traffic routing service; LCPtracker uses it to direct users across web app instances kept in different datacenters. In the event that a datacenter goes down, users are redirected to a healthy LCPtracker instance in a different datacenter. LCPtracker production/active applications and data are hosted in Azure’s WEST US region datacenters.
Redundant Web App Instances
Redundant instances of the web app and all its supporting services are maintained at a secondary Azure datacenter within the US. The failover web app instances are always live and up to date. LCPtracker DR/passive applications and data are hosted in Azure’s EAST US region datacenters.
To mitigate data loss:
Databases Geo Replication
All LCPtracker databases are geo-replicated. In the event that the datacenter hosting the live/primary database servers goes down, the geo-replicated copy in a separate datacenter becomes the live database with only a few seconds of data loss.
In the event of an outage in the WEST US datacenter the following steps will be followed to bring the service back up.
- Traffic Manager starts redirecting traffic to the secondary (failover) instance of the web app. This happens automatically once Traffic Manager’s health probes detect that the primary endpoint is down.
- In the event that Traffic Manager does not fail over automatically, DNS settings are swapped to disaster recovery IP addresses.
- Geo-replicated databases become primary
- Geo-replicated storage becomes primary
- Disaster recovery web app instances in secondary data center become primary
- LCPtracker is available online within minutes with only a few seconds of data loss.
The recovery time objective (RTO) is the maximum amount of time allocated for restoring application functionality. LCPtracker’s RTO is up to 30 minutes.
The recovery point objective (RPO) is the acceptable time window of lost data due to the recovery process. LCPtracker’s RPO for account databases is 1 minute or less.
Disaster Recovery Testing
Testing of the Disaster Recovery plan is carried out on at least an annual basis. Tests are conducted and reviewed to verify the effectiveness of the recovery plan. Over and above the annual test frequency, additional tests are performed when material changes are made to the hosted infrastructure.
Highly Reliable Service
Microsoft Azure is among the leading cloud hosting services in the industry. This provides inherent advantages: redundant backup and disaster recovery are built into the base service. LCPtracker may move its primary data center as other locations become available in search of optimal performance. Every client database is configured separately for scalability and security, and each is hosted on a separate machine in Microsoft’s data center. Data is replicated to 2 other locations, one of which is guaranteed to be at least 100 miles away, to provide failover and disaster recovery. Databases are backed up at 11pm PST Monday through Friday to storage accounts within a separate subscription in the data center, and those storage accounts are themselves replicated to 2 other locations. This means the primary LCPtracker service is in three locations and the backup of LCPtracker is in three different locations. Any of these six locations is capable of supporting the LCPtracker service.
24 hours a day, 7 days a week all systems are monitored from several locations across the country. If performance, latency, or availability is degraded in any way, the DevOps group is automatically notified for immediate resolution.
McAfee SECURE Site Designation
Our LCPtracker site has been tested for external vulnerabilities and is certified as a McAfee SECURE site.
“Sites which are McAfee SECURE are tested daily to pass all external vulnerability audit recommendations of the Department of Homeland Security’s National Infrastructure Protection Center (NIPC), the SANS/FBI Top 20 Internet Security Vulnerabilities list as well as the vulnerability audit requirements of Visa’s CISP and AIS, MasterCard’s SDP, American Express’ DSS and Discover Card’s DISC security standards.
McAfee SECURE sites are also certified to be in compliance with the network perimeter security criteria mandated in such regulations as: the Health Insurance Portability & Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), the Sarbanes-Oxley Act (SOA) and the Government Information Security Reform Act (GISRA), as well as Canada’s Personal Information Protection and Electronic Documents Act.”