The following has information on 'how secure is Wovex' and at the end there is a collection of previously asked security questions.
The Wovex platform has flexibility for cloud and/or desktop use.
When used in desktop mode, then a file is used (like an Excel/MS Word document) to store the data in. This file can be treated as securely as your other documents and is not passed outside of your organization by Wovex. It also is zipped and secret password protected.
When used in cloud mode, then access is through a SSL certified browser connection (256-bit encryption). Any data uploaded/downloaded has the same level of secure encryption.
Wovex uses servers and services from Microsoft on the Azure platform. We host our customers data in the region of their choosing. See: https://azure.microsoft.com/en-us/regions/.
Wovex is a cyber-security certified company.
Other technology options are also available to meet the most demanding of needs and further details on the hosting and security aspects of Realisor are below.
Our Microsoft Azure environment meets a broad set of international and industry-specific compliance standards, as well as country-specific standards.
Rigorous third-party audits, such as those conducted by the British Standards Institute, verify adherence to standards-mandated security controls.
Compliance is maintained with leading data protection and privacy laws applicable to cloud services and the environment complies with international and industry-specific compliance standards, such as ISO 27001, HIPAA, FedRAMP, SOC 1 and SOC 2, as well as country-specific standards such as Australia CCSL, UK G-Cloud, and Singapore MTCS.
There is more on this here including a list of security certifications held and video overviews: https://www.microsoft.com/en-us/trustcenter/CloudServices/Azure.
For disaster recovery, Wovex has planned for failures and disasters in the cloud. We will recognise a failure quickly through the alerts we have established. We test/rehearse the recovery of databases.
Our databases have, through Azure, capabilities that support availability and a variety of disaster recovery scenarios. Azure already has resiliency and disaster recovery built into services.
Wovex will also provide three environments. A live environment, a training environment and an environment with a preview of future versions on.
This proves additional recovery options with the database being able to be restored quickly to the training environment to minimize the loss of availability.
If a new environment does need to be established then we can automatically deploy.
One aspect of the secure environment is the use of TDE.
The Azure SQL Database has transparent data encryption (TDE)* that helps protect against the threat of malicious activity by performing real-time encryption and decryption of the database, associated backups, and transaction log files.
TDE encrypts the storage of the entire database by using a symmetric key called the database encryption key. In the SQL Database the database encryption key is protected by a built-in server certificate. The built-in server certificate is unique for each SQL Database server. For a general description of TDE, see Transparent Data Encryption (TDE).
For information, the SLA we have with Microsoft is:
Compute – 99.95% (21.6 mins downtime potentially per month)
SQL Database – 99.99% (4.3 mins downtime potentially per month)
Storage – 99.90% (43.2 mins downtime potentially per month)
Previously Asked Questions
Are Realisor's different-purpose servers separated? For example, is the web application run by one server, databases by another?
Realisor files and databases are stored in Azure which by default copies all data three times within one server rack. Furthermore, the data is spread as well to three different physical racks in the same datacenter. This is a ‘locally redundant’ solution.
Are Realisor's database servers in a publicly-accessible gateway zone?
That depends on the definition of publicly-accessible. To clarify, it is possible to access Realisor database when (a) its address, (b) database name, (c) username, (d) password are known and (e) client IP address is on the allowed hosts list.
With some guesswork it might (although it’s highly unlikely) be possible to obtain the database address or name and even with this information is insufficient to access. The connection will be refused as its source is not on the allowed IP list.
Does Realisor offer multi-factor authentication?
Not at this moment, although this feature might be implemented in the future.
Do Realisor's users have to confirm their mobile number (via a text message code) or their email (via an activation link)?
Realisor users are set-up by the Administrator of the site who will be working for your Organization, or by Wovex, if we are instructed to do. There is no self registration possible. Wovex will only register users when an email from the owning organization is received from a known contact.
For password resets initiated by a user, there is a reset link set to the users registered email address.
Can Single-Sign On be used with Wovex?
Not at this moment, although this feature might be implemented in the future.
Where are users' passwords stored?
Users' passwords are stored in the Realisor database that is created specifically for your Organization.
What hashing algorithm (e.g. SHA-256) and meta-algorithm (e.g. bcrypt) is used to protect passwords?
Passwords are hashed with default Microsoft .NET libraries which are considered an industry standard.
What would I have to do if I wanted to reset the password of my Wovex account?
Realisor has a "forgotten password" function on the login page where user is prompted to provide their email address. A password reset link is then sent to the user.
On the Realisor website, is all user input validated on the server-side, not just the client-side?
Yes. We verify data on server-side and verify it on the client-side.
Does Wovex use automated scanning tools on their website or codebase?
Does Wovex conduct penetration tests on their website?
Yes. The last test was this year.
Are Wovex's log files protected from tampering?
The current application log storing information about logging attempts is located in the Realisor database. There is no methods/functions in the code to clear it.
Does the data the our Organization stores in Wovex remain the our property?
If we terminated the contract with Wovex, how would our data be made inaccessible and deleted?
The database would be deleted using the Azure management portal.
Can Wovex employees access customers' data in any way, e.g. for helpdesk purposes?
Yes, although a very limited set of users is able to do it. We also use Keepass to store the Administration passwords and access to this is very limited.
Does Wovex conduct background checks on their staff?
Yes. We carry out criminal record checks and for UK based staff, ‘right to work in the UK’ checks.
If a data breach occurred, how soon could we expect to be able to speak with a Wovex representative?
Wovex response benchmark is within one hour in 98% of cases. Currently Wovex team are exceeding this benchmark.
Any call not meeting the one hour response time is automatically escalated to the duty manager.
Wovex support teams operate 24 hours 365 days.
Additionally, Wovex has a phone service that our customers can use contact at any time and if there is no-one available and email gets sent to a distribution list. For critical contact requirements then they are authorized to contact specific Directors at home.
*Transparent Data Encryption (TDE) encrypts SQL Server, Azure SQL Database, and Azure SQL Data Warehouse data files, known as encrypting data at rest. You can take several precautions to help secure the database such as designing a secure system, encrypting confidential assets, and building a firewall around the database servers. However, in a scenario where the physical media (such as drives or backup tapes) are stolen, a malicious party can just restore or attach the database and browse the data. One solution is to encrypt the sensitive data in the database and protect the keys that are used to encrypt the data with a certificate. This prevents anyone without the keys from using the data, but this kind of protection must be planned in advance.
TDE performs real-time I/O encryption and decryption of the data and log files. The encryption uses a database encryption key (DEK), which is stored in the database boot record for availability during recovery. The DEK is a symmetric key secured by using a certificate stored in the master database of the server or an asymmetric key protected by an EKM module. TDE protects data "at rest", meaning the data and log files. It provides the ability to comply with many laws, regulations, and guidelines established in various industries.