Know Your Customer Limited
Tel +353 1-2440669
6/F, Wyndham Place, 40-44 Wyndham St., Central, Hong Kong
https://www.knowyourcustomer.com [email protected]
Know Your Customer Limited
INFRASTRUCTURE & SECURITY OVERVIEW (IS) V1
Overview of KYC basic infrastructure, security and implementation, policies and practices.
Table of Contents
General ..... 1
Definitions ..... 2
Azure and KYC ..... 3
KYC Infrastructure ..... 4
Infrastructure details ..... 5
Security ..... 7
Monitor, Automation and Maintenance ..... 9
Company Information ..... 12
Pg. 01
Infrastructure & Security (IS)
General
This Infrastructure and Security Overview for Know Your Customer Limited (this "IS") forms a
part of your SaaS agreement (the "Agreement"), entered into with Know Your Customer
Limited. Capitalized terms used but not defined in this IS will have the meaning assigned to
them in the Agreement. This IS applies to the Know Your Customer Online Services listed
herein (a "Service" or the "Services"), but does not apply to separately branded services made
available with or connected to the Services, or to any on-premises software that is part of any
Service.
Definitions
"KYC" means Know Your Customer Limited.
"IaaS" means an instant computing infrastructure, provisioned and managed over the Internet.
"Azure" means Microsoft's public cloud computing platform, the IaaS elected by KYC.
"API" means an application programming interface, i.e. a set of clearly defined methods of communication
between software components.
"Incident" means a circumstance which causes or may cause a Downtime.
"Service Level" means the performance metric(s) set forth in this SLA that KYC agrees to
meet in the delivery of the Services.
"Service Resource" means an individual resource available for use within a Service.
"Success Code" means an indication that an operation has succeeded, such as an HTTP
status code in the 2xx range.
"Support Window" refers to the period of time during which a Service feature or compatibility
with a separate product or service is supported.
"Customer" means the Customer as defined in the SaaS Agreement.
Azure and KYC
KYC uses Azure for its IaaS architecture.
Azure hosts the infrastructure components traditionally present in an on-premises data center,
including servers, storage and networking hardware, as well as the virtualization or hypervisor
layer for all KYC operations.
Azure also supplies a range of services to accompany those infrastructure components, such
as detailed billing, monitoring, log access, security, load balancing and clustering, as well as
storage resiliency features such as backup, replication and recovery. These services are increasingly
policy-driven, enabling us to implement greater levels of automation and orchestration for
important infrastructure tasks.
Azure is therefore used for all our operations, mainly:
Test and development. Our teams can quickly set up and dismantle test and development
environments, bringing new applications to production faster. Azure makes it quick and
economical to scale dev-test environments up and down.
Website and App hosting. Running websites using IaaS can be less expensive than traditional
web hosting.
Storage, backup, and recovery. KYC leverages Azure by avoiding the capital outlay for storage
and complexity of storage management, managing data and meeting legal and compliance
requirements. Azure is also useful for handling unpredictable demand and steadily growing
storage needs. It can also simplify planning and management of backup and recovery systems.
Web apps. Azure provides all the infrastructure to support all our web apps, including storage,
web and application servers, and networking resources. We are able to quickly deploy web apps
on IaaS and easily scale infrastructure up and down when demand for the apps is unpredictable.
KYC Infrastructure
A single customer deployment is an integrated solution made available upon
customer demand, composed of the following items:
- VCD (Virtual Compliance Desktop)
- VCD Upload Portal
- Integrated KYC API V2
- 3rd Party Integration Data Aggregator Service (for real-time company data retrieval)
- Identity Verification Checker (For Individual ID Verification)
- AML Updater (twice a day data refresh)
- Mobile App Integration
This infrastructure is deployed on demand and made available to a customer for testing and
demonstration purposes before deploying to production.
Infrastructure details
Auditing
KYC systems are backed up and certified by Azure SOC 1, 2 and 3. Audit reports can be
provided for legal and regulatory requirements.
For specific audits, 3 types of logs can be provided:
- Control/Management Logs
- Data Plane Logs
- Processed Events
Data Protection
KYC relies on the ISO/IEC 27001:2013 Information Security Management standard for its data.
A GDPR compliance plan is underway; we expect it to be completed and available to all our
customers in Q4 2017.
Code and Processes Certifications
KYC is undergoing implementation of CMMI (SCAMPI A Assessment).
Resilience
Applications, Services and APIs have auto scaling in place, scaling by CPU, Service Bus and
Application Insights metrics. Currently auto scale is set to up to 10 instances of the original customer
implementation, with a 5 min cooldown.
Databases, aside from auto scaling, use elastic pools to provision proper resource
allocation for peaks.
All these values and configurations can be optimized to customer needs.
Code base
KYC uses best-practice git repositories for all of its code base, with audited access. The code repository
is periodically backed up and replicated for failsafe purposes.
Geographical Scalability
KYC can be set up in different geographic locations. It is in the final stages of localization /
globalization to make the user interface available in languages other than English.
Disaster Recovery Plan
Business continuity and disaster recovery (BCDR) is set up for all KYC Services using Azure
Recovery Services; a specific plan can be provided upon SaaS agreement.
Used Open Source in all Applications
Software / License:
- Html Agility Pack (HAP): MIT
- PhantomJS: BSD
- Newtonsoft.Json: MIT
- Log4Net: Apache 2
- OpenPop: CC0 1.0
Security
Identity and Authentication
VCD Web App – Each customer has a set of parametrized groups they can assign users to.
Each group has a set of configurable permissions in the application.
User registration and authentication, as well as password recovery, are automated encrypted
processes with no human intervention.
The authentication and identity processes are implemented using standard OWIN authentication.
API – Through a pair of REST access tokens, for both developer and customer, according to
the OpenID standard.
Mobile App – Access is done through an access code generated in real time.
Sub Systems – Client certificates with OpenID when required.
Azure Layers – Native Azure Active Directory access.
Transport (TLS / SSL)
All interactions between KYC subsystems, clients and partners use SSL/TLS for communication
security in all environments in which the systems operate.
Data at Rest
Storage Systems use Azure Storage Service Encryption (SSE) for Data at rest.
As an additional layer of security, in the last quarter of 2017 AES encryption for images and
customer documents will be put in place for data at rest in storage systems.
Data backups can be provided on demand from Azure instances.
Certifications
KYC systems, as part of Azure, follow the CSA STAR certification at all 3 levels.
As part of this, penetration test reports can be supplied under the US Federal Risk and
Authorization Management Program (FedRAMP).
Monitor, Automation and Maintenance
KYC systems are under constant monitoring. We use several techniques and technologies to
monitor not only our infrastructure but also the performance of the entire system.
Azure Application Insights is used to monitor the health of all applications and services.
Splunk, as well as Azure, is used to monitor infrastructure availability.
Splunk is used to monitor the availability of specific services, such as jurisdiction data accessibility, email
and SMS delivery.
Specific application telemetry is sent to Splunk to monitor system exceptions.
Triggers are in place to alert and monitor in real time both KYC staff and customers when
needed.
Internal Realtime JIRA Monitoring System
The system produces real-time reports, exceptions and incidents to be resolved and fixed by
the team as tasks in Atlassian JIRA.
Production incidents are automatically generated and prioritized in 3 levels for immediate
resolution, as follows:

System Unavailability
  Maximum SysOps/Dev Response Time: 2hr
  Examples / Use Cases:
  • Apps or services are unavailable
  • User is unable to login

Level 1 - Customer is unable to continue working further and is blocked
  Maximum SysOps/Dev Response Time: 24hr
  Examples / Use Cases:
  • Customer is unable to create a Case
  • Customer is unable to get Reports

Level 2 - Customer has an issue but there is a workaround
  Maximum SysOps/Dev Response Time: 48hr
  Examples / Use Cases:
  • Customer is unable to send SMS, but can when using another Role
  • User is unable to login with a given user, but can when given another user
Maintenance, Updates & hotfixes
Maintenance and releases are performed on a business day, outside of business hours (Monday – Friday, 9AM
to 5PM GMT). A business day means any day other than a Saturday,
Sunday or public holiday in the United Kingdom and Republic of Ireland.
Going forward, we are moving to a no-downtime implementation of our SDLC and Continuous
Integration, which will allow faster releases and improved availability. This is expected to be
implemented within the next quarter.
Notice of maintenance window is communicated through several mechanisms.
In-Solution alerts and notifications will give further details to all users, and major updates will
be accompanied by emails. If a major update includes a change to the user workflow or new
feature, a document detailing the function and how to use it will be sent at least three days
prior to the feature release.
In App Notifications & Monitoring
Real-time in-solution updates and notifications will notify users of technical issues or third-party
provider outages that may impact their work. They will also be notified when the outages have
ceased or been repaired.
Additionally, KYC provides a status page for the health of its systems at http://kycl.status.io .
Non-users of the KYC systems can also subscribe to be automatically notified of
systems availability.
Major issues or outages that are expected to take longer than 3 hours to repair will be
accompanied by an email to the company’s point of contact detailing the issue and the steps
being taken to amend it.
If one of our third-party providers is experiencing technical issues or outages, the status will be
updated at http://status.knowyourcustomer.com
Additional SMS notifications can be requested.
Company Information
Know Your Customer Limited
6/F, Wyndham Place, 40-44 Wyndham St.,
Central, Hong Kong
Tel +353 1-2440669
https://www.knowyourcustomer.com