Webpower is ISO 9001:2008 and ISO 27001:2013 certified. For our customers, the ISO 27001 certification means compliance with clearly defined technical and security-based standards, and thereby defined service levels for our services. Regular internal controlling of the processes and provisions detailed in ISO 27001 is the basis for the further development of internal IT security standards and their continual adaptation to changing frameworks and tasks.
The information of our European clients is stored in the Netherlands. Similarly, we store customer information for our Chinese clients in China. Every continent deserves its own safe harbour.
Webpower frequently hires external parties to perform code and security audits (penetration tests), either as a black-box or a white-box penetration test. The external party scans for exploitable weaknesses and tries to gain access. These tests are used to confirm that our solution is indeed able to protect itself from the latest techniques used by intruders.
- The Webpower platform is highly available and reliable, with a guaranteed uptime of 99.7%.
- Customer data is backed up to multiple online replicas, ensuring you will never lose your information.
- Our operations teams monitor platform and application behaviour every hour of the day, all year round.
- Your campaigns are as critical to us as they are to you. In case of scheduled maintenance, degraded performance or service disruptions, we will make you aware of it on our status website and will keep you continually updated. These kinds of updates automatically appear on your login screen in case of an issue. You can also subscribe to updates, which will automatically be sent to your inbox.
- Your sessions on our platform are always protected with powerful encryption algorithms (TLS 1.x) to ensure no eavesdropping or man-in-the-middle attack is possible.
- Web Application Firewall (WAF) technologies identify and block attacks before they reach the front door.
- Our third party Distributed Denial of Service (DDoS) services protect your site and access to your products from attacks designed to keep you out.
- Next to regular users, some Webpower employees have access to customer licenses and other central management functionalities necessary to support our customers. For this type of access, the Webpower platform Software-as-a-Service (SaaS) environment uses a different authentication and authorisation scheme from the one used for regular users.
- Each Webpower employee who is to be given additional access rights receives a personalised PKI certificate, which has to be installed on their own computer. Each time the employee wants to access the system, the certificate is requested in order to authenticate the employee trying to gain access.
- In case no certificate can be provided, for example when the employee is demonstrating the product on external equipment, a text message is sent to the registered mobile phone of that employee. The text message provides a one-time-use access code, valid only for a short time, which can be used to log in.
- Which licenses, which access level and which central management functions a Webpower employee has access to is managed centrally. Only the operations team can grant or revoke access rights.
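The fallback path described above, a code that is usable once and only for a short window, is easy to get subtly wrong (codes stored in clear, codes that survive a successful login, no cap on guesses). The following is an added example written for this page, not Webpower's own code, showing the server-side bookkeeping such a scheme needs. The 5-minute validity, the 5-guess cap, the 8-digit code length and the employee identifier `alice` are constructed assumptions; delivery over the SMS gateway is outside the block.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300   # assumption: a code is valid for 5 minutes
MAX_ATTEMPTS = 5         # assumption: 5 wrong guesses invalidate the code


@dataclass
class PendingCode:
    digest: bytes        # hash of the code, never the code itself
    expires_at: float    # absolute time after which the code is dead
    attempts: int = 0    # wrong guesses so far


class FallbackCodeStore:
    """Issues and verifies one-time, short-lived login codes for employees
    who cannot present their client certificate (hypothetical component)."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._pending = {}       # employee id -> PendingCode

    @staticmethod
    def _digest(employee_id, code):
        # Bind the code to the employee so a code issued to one person
        # cannot be replayed against another account.
        return hashlib.sha256(f"{employee_id}:{code}".encode()).digest()

    def issue(self, employee_id):
        # Cryptographically random 8-digit code, short enough for an SMS.
        # Issuing a new code replaces any earlier pending one.
        code = f"{secrets.randbelow(10**8):08d}"
        self._pending[employee_id] = PendingCode(
            digest=self._digest(employee_id, code),
            expires_at=self._now() + CODE_TTL_SECONDS,
        )
        return code   # the caller hands this to the SMS gateway

    def verify(self, employee_id, submitted):
        entry = self._pending.get(employee_id)
        if entry is None:
            return False                      # nothing issued or already used
        if self._now() > entry.expires_at:
            del self._pending[employee_id]    # expired: must request a new code
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self._pending[employee_id]    # too many guesses: burn the code
            return False
        ok = hmac.compare_digest(entry.digest, self._digest(employee_id, submitted))
        if ok:
            del self._pending[employee_id]    # one-time: consumed on success
        return ok


def demo():
    """Walk through the properties the text promises, with a fake clock."""
    clock = [1_000_000.0]
    store = FallbackCodeStore(now=lambda: clock[0])

    code = store.issue("alice")
    first = store.verify("alice", code)        # correct code, first use
    replay = store.verify("alice", code)       # same code again is refused

    code2 = store.issue("alice")
    clock[0] += CODE_TTL_SECONDS + 1           # let the code expire
    expired = store.verify("alice", code2)

    code3 = store.issue("alice")
    guess = "00000000" if code3 != "00000000" else "11111111"
    wrong = store.verify("alice", guess)       # one wrong guess
    still_ok = store.verify("alice", code3)    # does not burn the real code

    return {"first": first, "replay": replay, "expired": expired,
            "wrong": wrong, "still_ok": still_ok}


if __name__ == "__main__":
    print(demo())
```

Only a hash of the code is kept, the comparison is constant-time, and the entry is deleted on success, on expiry and after the guess cap, so the same code can never authenticate twice.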
Infrastructure & Data Center Security
- Webpower’s European data are hosted in Dutch third-party data centres. Access to these data centres is strictly controlled and monitored by 24×7 on-site security staff, biometric scanning and video surveillance. These data centres are SSAE-16 SOC II and ISO 27001 certified.
- An Intrusion Prevention System (IPS) acts as a gatekeeper and checks everyone and everything that wants network access to the platform. If network traffic does not meet predefined rules, the IPS prevents this traffic from passing. Webpower has a redundant IPS in place with multilayer access control.
- Responsive incident management process. Proprietary systems feed anomalies to 24×7 security & operations teams, eliminating security concerns at the first sign.
- Webpower’s software department is responsible for building and maintaining the SaaS offering and its infrastructure. Other organisational units within Webpower have no way of accessing information stored in the SaaS environment other than through the SaaS application.
- Direct access to data on the platform is restricted to members of the operations team responsible for the day-to-day operation of the SaaS application and the infrastructure it needs.
- The development teams, which are responsible for core development and customer-specific solutions, do not have access to the production platform. They do have restricted access to (acceptance) testing environments and to dedicated production logging systems.
Backup & recovery
- To keep data safe, backup and recovery policies are in place. Within Webpower, a combination of full and incremental backups is made on a daily, weekly and monthly basis. This allows us to recover data up to 6 months old. Data can be recovered for each of our customers individually when required.
- The backup is duplicated and stored in a second physical location, away from the original backup location, for safety reasons. In case of a calamity affecting the physical location of the backup, the second backup remains safe in the other location.
- Currently each customer is able to store all information in the Webpower platform for an unlimited amount of time. All data is retained and its integrity is safeguarded over time.
- All critical components of the Webpower platform (databases and servers as well as backend support services) are deployed redundantly, with multiple failover instances to prevent outages from single points of failure. Our backup setup ensures that our customers can access their information quickly after a major incident.
- Each component consists of at least two instances for fail-over reasons. In case one instance fails, the remaining instances have the capacity to take on the workload of the failing one.
Information technology security
As our SaaS takes full advantage of being integrated into the cloud and does not rely on any hardware or software at the customer’s site, it is available to everyone.
By having the right procedures in place and ensuring that access to the system by authorised users is properly set up and monitored, the risk of misuse by authorised users is reduced to a minimum. Possible abuse of the system by unauthorised users, especially from unknown sources, has to be prevented as well but needs different measures. In order to minimise the risk of any part of our solutions being accessed by unauthorised people, systems or intruders, several measures are taken to strengthen security at all levels.
OSI 7 layer model
Looking at the well-known OSI 7 layer model, several precautions are in place at each level of the model. Possible intruders are aware of this model and probe an application for openings at each of the levels.
Once an intruder gains access on a certain level, this opening is often exploited to try to gain access to other levels in order to gain access and control at all levels.
Each attack starts with gathering information. The goal is to find any information which tells something about the technology used on each level in order to create an attack strategy. Therefore, it is key to reveal as little information as possible.
Network (Layers 1, 2 and 3)
As a result of today’s cloud possibilities, everything is connected through the internet. The network transports requests and replies anywhere. Furthermore, it is the basic access point to our SaaS solution and the first line of security at this level.
An Intrusion Prevention System (IPS) acts as a gatekeeper and checks everyone and everything that wants to access the solution. If network traffic does not meet predefined rules, the IPS prevents this traffic from passing. Webpower has implemented several IPSs, both for fail-over/redundancy reasons and for multilayer access control.
Hardware and operating system (Layers 4 and 5)
Our cloud architecture consists of a large number of physical servers and their accompanying operating systems (Layers 4 and 5). By standardising these layers and working with proven vendors for the hardware and operating system, security at these layers is kept manageable. The approved vendors patch and update their systems regularly in order to stay up to date. SysOps follows the security recommendations of the vendors closely and applies them where applicable.
Standard software and tools (Layers 5, 6 and 7)
Modern software such as Webpower’s SaaS does not only use custom-created tools; it also uses commonly available components (standard software and tools, Layers 5, 6 and 7). Although most of these components are widely used, they can still introduce risks. When vendors or creators update their components, SysOps analyses these updates case by case and, if necessary, replaces the vulnerable component.
A large amount of communication takes place on these OSI layers between several components, both internal and external. Where necessary, this communication uses strong encryption algorithms (TLS 1.x) to ensure no eavesdropping or man-in-the-middle attack is possible.
Webpower’s own software (Layers 6 and 7)
As for Webpower’s own software (Layers 6 and 7), the Webpower SaaS offering is developed fully in house. During development, the software is tested repeatedly using several testing techniques. Our test-driven development method ensures that the software continues to work as intended even while changes are being made. The OWASP testing guide is used as a guideline for defining security-oriented