Customer trust is at the forefront of everything we do. We protect your data and give you the information and tools that you need to meet your privacy obligations.
Overview
Solis solutions aim to be architected in line with industry-standard security technology and have also been designed to embody the latest security standards and protocols. The production infrastructure of Solis solutions is hosted by Amazon Web Services (AWS). AWS data centres and AWS services deliver the physical infrastructure, environmental controls, access control mechanisms, and monitoring systems to enable the highly secure and highly available offerings from Solis. Through our relentless commitment to excellence and relationships with AWS and Apple, Solis provides enterprise-grade offerings to organisations of all sizes in its pursuit of enabling digital transformation.
Security Governance
Security and Control Environment
The Information Security Team is responsible for ensuring the confidentiality, integrity, and availability of systems. Specific methods used to achieve these objectives include, but are not limited to, the development and distribution of security policies and procedures, security assessments, monitoring and processing of security alerts, and responding to security incidents.
People, Policies, and Training
Solis is committed to hiring individuals who are committed to the organisation's key principles of honesty, respect, confidentiality, and compliance. To guide its professionals, Solis maintains a set of policies, standards, and guidelines to serve as the body of requirements and guidelines for implementing highly secure and highly available systems. Based on the policies, standards, and guidelines of the organisation, personnel are required to complete new hire and annual security awareness training. Those with responsibilities that impact the security of Solis products and compliance efforts receive additional training on a variety of topics.
Technical Security
Solis solutions leverage global security frameworks to guide its security processes and controls. Key topics, such as Physical Security, Authentication, Encryption, Network Security, and System Hardening are detailed below.
Physical Security and Environmental Controls
Solis uses Amazon Web Services (AWS) for its hosting needs. AWS has obtained a SOC 2 Type II certification over the services used by Solis, including the physical and environmental security control of its data centres. Additionally, Solis, through partnership with Apple, leverages some of Apple’s IT services.
Authentication Controls
The security of Solis systems, devices, and accounts starts with secure credential creation and management.
Multi-factor authentication
Administrative access to the Solis environments is limited to administrators through multi-factor authentication. Within the Solis environment, Solis systems deploy the concept of least privilege. Through role-based access control features within AWS, Solis is able to provide highly granular permissions to different types of administrators at Solis (e.g. server administration, database administration, network administration).
OAuth identity provider authentication
OAuth 2.0 is used to authenticate system users that sign into Solis apps via a third-party identity provider such as Amazon, Google, or Microsoft Azure.
Administration
Data Encryption
Encrypting data in transit and at rest is one of the primary tools Solis employs as a key part of its commitment to customers:
• In transit: Client connections require the use of the TLS 1.2 protocol.
• At rest: Systems utilise several AWS data storage environments for data persistence. Across these data platforms, Solis utilises AWS Key Management Service (KMS) for the encryption of data at rest.
• Disk: Solis leverages AWS KMS with AES 256-bit encryption.
Network Security
Firewalls are an important part of any security effort. In generic terms, a firewall refers to a control that can be used to prevent certain network traffic from entering a private network. Solis leverages firewalls throughout the network and between different zones in the network including application firewalls, web application firewalls, and network-layer firewalls. Additionally, network traffic is continuously monitored. Refer to the Logging & Monitoring section for further details.
System Hardening
Hardened baseline configurations help drive consistency within the operational environment and provide assurances that systems are built leveraging software approved by Solis, while minimising the attack surface for a potential malicious code event to exploit. As part of a baseline configuration, Information Security-approved tools for malicious software detection are default requirements within configuration baselines. These applications provide system-level detection, monitoring, and alerting of potential security events and can prevent malicious code from executing. These tools also have defined integration paths to enterprise monitoring and event management capabilities, allowing the Information Security Team to aggregate themes and activities across the environment, invoke incident response actions, and support forensics investigations.
Security Assessments and Vulnerability Management
Security assessments are performed by the Information Security Team before production deployments of new or updated features, services, configuration, or code changes. Security testing of infrastructure, including network devices and operating systems, is supported through vulnerability scanning and subsequent remediation.
Threat Management & Incident Response
Logging Processes and Pipeline
Logging is a critical part of the information security management we do at Solis because logs help ensure the security of Solis systems. The Information Security Team provides product teams with standard methods and tools to easily transmit logs from any system at Solis to the Information Security Team. The event pipeline receives logs from different sources and aggregates them into a single location globally available to authorised incident response personnel.
Incident Response
Our incident response is triggered by alerts, which are sent to the Information Security Team to initially identify security events and triage incoming alerts. Events are tracked in a centralised tracking tool where details of the event and its potential business impact are captured. Additional teams are included for remediation of events through a standardised and streamlined process.
Incident Management
Based on a documented Incident Response Plan, security events are assigned to appropriate personnel for analysis prior to an event being designated as an incident. Once identified as an incident, Solis applies a standardised approach of assigning a severity level to the incident to properly classify, prioritise, and respond to the incident. Additionally, the organisation has documented its incident communication plan to document and define the roles, responsibilities, compliance obligations, and communication procedures for an incident.
System Availability
Business Continuity
Solis uses Amazon Web Services (AWS) for its hosting needs. Solis has architected its environment to be highly redundant and provide high availability to its customers. For Disaster Recovery, Solis Digital uses Amazon Web Services Elastic Compute Cloud (AWS EC2) snapshots to back up system storage volumes (snapshots are stored and replicated in the customer's AWS local geo).
Retention includes the following:
• Every twenty (20) minutes (a day’s worth of backups (72) are stored)
• Most Recent 24 (The last 24 hours of Snapshots)
• 7 Daily (The “last” Snapshots for each of the last 7 days)
• 4 Weekly (The “last” Snapshots for each of the last 4 weeks – Saturday Night)
• 3 Monthly (The “last” Snapshots for each of the last 3 Months – Last Day of the Month)
Once each limit is reached, the oldest backups are deleted in sequence. Our standard hosting offering aims to provide a 24x7x365 99% uptime. We aim to meet a 2-hour recovery time objective with a maximum RPO of 4 hours.
Uptime
The average uptime for our hosted servers is currently 99.8%. However, as part of this proposal Solis Digital guarantees that the server shall have a minimum of 99% Availability.
If the availability falls below 99% in any month, Solis Digital will credit the customer with one day’s free Service for each accumulated hour when the system is not available, subject to the maximum of the standard monthly service charge for that Service. The maximum overall service credit payable due to Downtime in any calendar month will be 100% of the month's Service Fee.
For the purposes of this provision, Downtime excludes:
• Any period during which any service or Web Site is unavailable as a direct consequence of any breach of the Agreement by the Customer, the negligence of the Customer or its employees, servants or agents.
• Any defect in any of the Web Sites (other than any defect caused by an act or omission of Solis Digital).
• Any incompatibility between platform software and content and any defect in any software provided by the Customer to Solis Digital under the Agreement.
• Any period of Downtime is deemed to commence from the time it is reported by the Customer to Solis Digital until the incident is resolved by Solis Digital.