Data Security

1. Environment

Overview

The Atmail software is hosted in secure Amazon AWS data centres in our various regions. Each application is deployed in logical groups and isolated by suitable firewall rules. External edges are protected by best-practice application firewall rules and DDoS protection mechanisms. Internal communication is handled on private network interfaces.

Where and how is the data stored?

All data is stored in encrypted form. Mail data is stored in either block or object storage. Most metadata is stored in encrypted databases that are only accessible via private networks from application services.

How is sensitive information stored, and do you have processes in place in the event of a data breach?

AWS traffic cannot be seen by other instances, and all transmission will be encrypted at the application layer wherever possible. AWS standard services are being utilised for such storage and will operate in accordance with AWS policy and access controls. Atmail uses a least privileged access methodology for all its staff and contractors. All access is audited and reviewed on a regular basis.


2. Security

What technical provisions are in place to defend against cyber-attacks?

Atmail has numerous defences in place to protect our systems and services from cyberattacks, including:

  • XSS protection;
  • SQL injection protection;
  • DDoS protection;
  • Antimalware, antispam, antiphishing, antivirus protection (for mailbox level protection – some are optional add-ons);
  • Brute-force protection; and
  • Information leak protection.

Do you have a dedicated security team?

Atmail employs a matrix resource structure, which means that the Atmail Security Team also performs other duties. The Atmail Security Team educates relevant Atmail staff on new and emerging security threats, informed by industry experts. The Atmail Security Team is managed by the Atmail Technology and Governance team.

Do your systems undergo regular penetration testing?

Atmail carries out regular penetration testing across all our production platforms, services and software offerings. We welcome additional penetration testing carried out by, or at the request of, our customers.

How often do you perform vulnerability scans?

Atmail carries out regular vulnerability scanning across all our production platforms, services and software offerings. We welcome additional vulnerability scanning carried out by, or at the request of, our customers.

Do you scan traffic coming into your network for viruses?

Yes. The Atmail cloud platform has antivirus technologies in the SMTP transmission path.

How do you protect your systems against newly-discovered vulnerabilities and threats?

The Atmail Security Team is responsible for researching and identifying technology and/or trends which may have an adverse effect on our Atmail systems. Risk is mitigated via various security measures that are incorporated into (a) the software development and release process (e.g. vulnerability scanning and assessment as part of the quality assurance stage of the release process) and (b) our service operations. Atmail promotes a culture of ‘security by design’ and enforces this process through our standard employment terms for all staff. Additionally, Atmail partners with leading email security and threat protection companies to provide the most up-to-date threat detection and prevention mechanisms for customers’ emails and attachments.

Do you protect your application with IDS/IPS, application firewall?

Yes, see above.

Do you follow common security best practices such as SANS or NIST?

We use CIS level 2 hardening standards as one component of our overall security practices, and track our practices against the following frameworks:

  • ISO 27002-2013
  • NIST Cybersecurity Framework
  • NIST 800-82 rev2
  • NIST 800-171
  • CIS Level 1 and 2
  • ASD Top 35
  • PCI-DSS
  • ACSC Essential Eight

Do you apply common standards like PCI DSS for sensitive data storage?

Our suppliers and partners maintain these certifications where such information is held.

Are audit logs or other reporting mechanisms in place on all platforms?

  • Access logs: Atmail retains detailed access logs to all our systems.
  • Admin logs: the Atmail administration interface has detailed audit logs for all access and operations.
  • Attempted login logs: Atmail captures access logs (including failed attempts) for all services.
  • Other logging is available to support operational activities, problem identification and remediation.


3. Access

Who has access to sensitive customer information?

Access is controlled in a fine-grained manner on a least privilege basis.

How is access assigned and revoked?

Access is centrally controlled, with staff being granted access to roles or groups. Once revoked, all access is automatically blocked.

How are non-employees (e.g. contractors) granted access to network resources?

Contractors and employees have consistent access controls applied. For all intents and purposes, Atmail contractors are employees. The employment status is usually a requirement of the geographical region or legal framework, as opposed to contractors being temporary workers with fewer privileges.

Do you enable any remote administration capabilities on your servers and network devices? If so, which protocol(s) do you use?

All Atmail services are remotely operated and administrated. A secure VPN is deployed within Atmail and used for all remote operations.


4. Backups

Is the data encrypted when stored? Is the data encrypted in transit?

All data at rest and in transit is encrypted.

Where is data stored? What about backups?

Data and backups are stored across multiple logical data centres (availability zones) within the same region (or facility).


5. Development

Have your developers been trained in secure coding techniques?

The Atmail Security Team educates relevant Atmail staff on new and emerging security threats, which are informed by industry experts.

Do security specialists conduct technical reviews of application designs?

Atmail development adheres to our ‘Security by Design’ principle. Any new development goes through rigorous testing (including detailed reviews of the design and implementation by the Atmail Security Team members).


6. Certification

Are Atmail’s security practices and information security management system certified?

Yes. Atmail’s operations of cloud email services (including development and support) are ISO 27001 certified. You may download a copy of our certification here.
