Building security in
We don’t look at security as a destination to reach — it’s an ongoing journey. We continually strive to improve our software development and internal operational processes with the aim of increasing the security of our software and services. The secure way should be the easy way, and that’s why security is built into the fabric of our products and infrastructure. Here are a few of the ways we build security in every day, as part of the way we work.
Architecture
Security is front of mind when designing our applications, networks, and business processes
The VoiceSage security architecture is designed with consideration of a broad range of industry standards and frameworks, in tandem with our internal threat modeling process. It is designed to balance the need for flexibility with the need for effective controls that ensure the confidentiality, integrity, and availability of our customers’ data.
Applications
Application development security (OWASP), data security, and information lifecycle management.
Security
Crypto & encryption, threat and vulnerability management, security incident management
Infrastructure
Asset management, access control, operations, communications security
Data centre, Cloud & offices
Physical and environmental security
Corporate
Security governance, organization of security, personnel security, supplier & third-party data management, mobile security, business continuity, audit/compliance, privacy.
The security controls in our architecture are designed to align with a number of different standards. Because these standards overlap considerably, we combine them into an overarching framework that gives us a single list of areas to focus on and that maps to the various standards we comply with, as shown in Table 1 below.
| Standard | Sponsor | Controls |
| --- | --- | --- |
| ISO27001 | International Organization for Standardisation | 93 requirements |
| ISO27018 | International Organization for Standardisation | 25 requirements |
| ISO27701 | International Organization for Standardisation | 184 requirements |
| PCI-DSS | Payment Card Industries | 247 requirements |
Network
We have strict network controls with a focus on the sanctity of the “production” environment
Traditional network security theory separates the world into “inside“ and “outside” and focuses on the control points between the two areas. While we maintain strict control between our internal networks and the internet, we focus primarily on the delineation between our “production” and “non-production” environments.
We control access to our sensitive production networks through the use of strict firewall rules which require multi-factor authentication and encrypted connections. We’ve also implemented intrusion detection and prevention systems in both our office and production networks to identify potential security issues.
Application
Security by Design
During the product planning and design phase, we include engineers, security engineers, architects, QA engineers, and product managers of an application or service and discuss threats and security concerns. This information feeds into the design process and supports targeted review and testing in later phases of development.
Reliability
The criticality of our products will vary from customer to customer. From talking to our customers, we know that products like Calls and SMS often end up being part of key business processes. We run our business on our own product suite, so we understand the importance of reliability and recoverability.
Platform-wide Availability and Redundancy
We operate in multiple geographically diverse data centres
We host the majority of the VoiceSage platform with Amazon Web Services (AWS), our cloud hosting partners, resulting in optimal performance with redundancy and failover options globally. We maintain the service in the European Union regions and availability zones. Their data centres have been designed and optimized to host applications, have multiple levels of redundancy built in, and run on a separate front-end hardware node on which application data is stored.
We care about the high availability of your data and services. We focus on product resiliency through standards and practices that allow us to minimize downtime. Our resiliency practices are based on ISO 27002. Key principles guiding our Disaster Recovery (DR) Program include:
- Continual improvement. We strive to ensure our improvements to resiliency grow through operational efficiencies, automation, new technologies and proven practices.
- Assurance through testing. We only know it works if we test it. With regularly scheduled testing and continual improvements, we are able to keep our DR Program at an optimum.
- Dedicated resources. VoiceSage has dedicated teams to ensure our customer-facing products get the attention they need to make the Disaster Recovery Program possible. We have people on the ground to support our steering committee, risk assessments, business impact analysis, and testing.
Backups
We have an extensive daily and weekly backup regime
In addition to platform-wide resiliency, we also have a comprehensive backup program for our Data Repository Services. However, restore and recovery of these backups will only be provided on our own platform. If the primary storage node has a problem or becomes unavailable, the applications can be switched over to the secondary storage node.
Application database backups for VoiceSage occur on the following frequencies: daily automated backups are performed and retained for 30 days; daily manual snapshots of the standby RDS instance are sent to the secondary region and are retained for 30 days; snapshots of cross-region replicas will provide the ability to restore data in case of AWS region loss and cross-region replica loss. All snapshot and backup data is encrypted.
Business Continuity and Disaster Recovery
We have comprehensive, tested business continuity and disaster recovery plans
We strive to maintain strong Business Continuity (BC) and Disaster Recovery (DR) capabilities to ensure that the effect on our customers is minimized in the event of any disruptions to our operations.
Our Disaster Recovery Program consists of a few key practices to ensure the appropriate levels of governance, oversight, and testing:
- Governance. Leadership involvement is key to how we run our DR Program. With leadership involved, we have both business and technical drivers accounted for in our strategy for resilience.
- Oversight and maintenance. We take a disciplined governance, risk, and compliance approach when monitoring and managing our DR program. It enables us to operate more efficiently and effectively when monitoring, measuring, reporting, and remediating key activities within our DR program.
- Testing. We conduct regular testing and strive for continual improvement as part of our DR lifecycle to ensure your data and the use of your data is highly available and performant.
- We test for levels of resiliency across AWS Availability Zones so we can handle an Availability Zone failure with minimal downtime.
- We copy our data backups across AWS regional data centres. If a region is down, we protect your data in a secondary region in the event of a catastrophic incident.
- We test for AWS region failures. We understand that a complete region failure is highly unlikely. However, we continue to test our ability to fail over services and continue to mature our regional resiliency.
- Backup and restore procedures are in place and tested on a regular basis. This means that when data needs to be restored, we’re prepared to get you up and running with well-trained support staff and fully tested procedures.
In addition to assurance of resiliency through governance, oversight, and testing, VoiceSage emphasizes continual improvement throughout the DR Program.
We publish our service availability status in real-time to ensure you can access your data when you want.
Product Security
One of our industry’s challenges is to ship secure products while maintaining a healthy speed to market. Our goal is to achieve the right balance between speed and security — after all, we run almost everything on our own software at VoiceSage. There are a range of security controls we implement to keep our products and your data safe.
Encryption and Key Management
All data sent between our customers and our applications is encrypted in transit
All data for our services is encrypted in transit over public networks using Transport Layer Security (TLS 1.2) to protect it from unauthorized disclosure or modification. Our implementation of TLS enforces the use of strong ciphers and key lengths where supported by the browser.
Content stored within VoiceSage is encrypted at rest in our AWS RDS and EC2 file storage instances. We believe we can rely on the physical controls and management at AWS, as well as transit-level encryption to protect customer data. A minimum of 256-bit Advanced Encryption Standard (AES) is used for data files.
Customer communication is encrypted. Encryption keys created by customers are used for authentication of push and pull requests in our sFTP services.
Due care is given to managing encryption keys within VoiceSage. An owner is assigned for each key and is responsible for ensuring the appropriate level of security controls is enforced on keys.
Product Vulnerability Management
We take innovative approaches to building quality software
We have a Quality Assurance (QA) Team to ensure new features are introduced quickly and safely. We focus on cultivating a “whole team” mentality to quality by changing the role of QA to a facilitator rather than the person who does the actual QA work. We are also actively working to empower and educate developers to test their own features to our quality standards.
Product Security Testing
Internal Testing
This approach spans planning, development and testing phases, each test building on previous work and progressively getting tougher. We have an established approach to static and dynamic code analysis at both the development and testing phases. In the development phase, we focus on embedding code scanning to remove any functional and readily identifiable, non-functional security issues.
In the testing phase, both our development and security engineering team switch to an adversarial approach to attempt to break features using automated and manual testing techniques.
Our security engineering team has developed a wide range of security testing tools to automate common tasks and make specialized testing tools available to our product teams. These tools are beneficial for the security team and they empower developers to “self-serve” security scans and take ownership of the output. Our security engineering team are subject matter experts, but it’s ultimately every developer in our company who is responsible for their own code.
External Testing
Once a release moves to production, external testing takes over. We have an always-on, always-testing model through the use of daily/weekly/monthly/quarterly external vulnerability scanners and penetration tests.
When a vulnerability is identified by one of our clients during standard use of a product, we welcome notifications via our support channels and respond promptly to any vulnerabilities submitted. We keep the submitter updated as we investigate and respond to the issue.
Specialist security consultants are used to complete penetration tests on high-risk products and infrastructure, such as a new infrastructure architecture (e.g., our cloud environment), a new product, or a fundamental re-architecture (e.g., the extensive use of micro-services).
Our approach to penetration testing is highly targeted and focused. Tests will generally be:
- White box: Testers are provided design documentation and briefings from product engineers to support their testing.
- Code-assisted: Testers have full access to the relevant code base to help diagnose any unexpected system behavior during testing and to identify potential targets.
- Threat-based: Testing focuses on a particular threat scenario, such as assuming a compromised instance exists, and testing lateral movement from that starting point.
We don’t make these reports or extracts available externally due to the extensive information made available to the testers in conducting these assessments.
Operational Practices
As much as securing our products is a priority, we also understand the importance of being conscious of the way we conduct our internal day-to-day operations. The concept of “building security in” is the same philosophy we use with our internal processes and influences how our business is conducted.
Access to Customer Data
Access to customer data stored within applications is restricted on a ‘need to access’ basis
Within our platform, we treat all customer data as equally sensitive and have implemented stringent controls governing this data. Awareness training is provided to our internal employees during the on-boarding / induction process which covers the importance of and best practices for handling customer data. Further security and awareness training is provided annually or as the need requires.
Within VoiceSage, only authorized VoiceSage employees have access to customer data stored within our applications. Authentication is done via individual passphrase-protected SSH key pairs, and the servers only accept incoming SSH connections from VoiceSage and internal data centre locations.
Unauthorized or inappropriate access to customer data is treated as a security incident and managed through our incident management process. This process includes instructions to notify affected customers if a breach of policy is observed.
Physical access to our data centres, where customer data is hosted, is limited to authorized personnel only, with access being verified using biometric measures. Physical security measures for our data centres include on-premise security guards, closed-circuit video monitoring, man traps, and additional intrusion protection measures.
A broader policy governing access to customer data and metadata is included in our Privacy Policy.
Support Access
Our support teams will only access customer data when necessary to resolve an open ticket
Our support team has access to our systems and applications to facilitate maintenance and support processes. Applications and data are only able to be accessed for the purpose of application health monitoring and performing system or application maintenance, and upon customer request via our support system.
Training and Awareness
Our security training and awareness program doesn’t just check compliance boxes but results in a genuine uplift in knowledge across the company
Our awareness program is built on the premise that security is everyone’s responsibility. These responsibilities are extracted from our internal User Security Policy Program, and the training and awareness program is used as the primary vehicle for communicating these responsibilities to our staff.
Candidates and contractors are required to sign a confidentiality agreement prior to starting with us, and subsequently, during the onboarding process, security awareness courses are delivered to these new hires. Further security and awareness training is provided annually or as the need requires.
Keeping in line with the theme of ‘continuous improvement’, we disseminate security messages through company-wide email messages and blog posts. These messages generally carry a message that is relevant at that time, e.g. a newly discovered and publicised threat, and reinforces the importance of following security good practices.
Security Champions
We recognize that there are some great security thinkers outside the security team, and seek to utilize their enthusiasm and knowledge
Separate to our awareness program, we have also set up an internal “Security Champions” program. The idea behind this program is to try and get security embedded into every team at VoiceSage – to build security in. We also want to make security more accessible, and one of the ways that we’re doing this is by training people across the organization with core security knowledge – whether operational or development. This is about taking subject matter experts with a passion and aptitude for security and drafting them into the team on a part-time basis and to be our advocates in the rest of the company.
Change Management
We have embraced an Agile style change management
Traditional change management processes rely on a pyramid-style change control hierarchy. When someone wants to make a change, it has to be presented to a board that either approves or denies it. We have embraced the SCRUM Agile approach. Any member of the team or a client may add items to a backlog of requests. Every 2 weeks the SCRUM teams meet and estimate effort for each task. This list is further refined and prioritised by numerous stakeholders within the company. Items are taken off the top of the backlog and put into 2-week sprints for completion to a “Ready to Ship” standard.
Employee Hiring
We strive to hire the best
Just like any company, we want to attract and hire the best and the brightest to work for us. During recruiting, we perform employment, visa, background and financial checks (where legally required). On acceptance of an offer, we ensure each new hire has a 90-day on-boarding plan and access to on-going training based on their role.
Security Processes
We acknowledge that there is always margin for error. We want to be proactive in detecting security issues, which allows us to address identified gaps as soon as possible, helping to minimize the damage.
Security Incident Management
Incidents will happen, but our speed and efficiency in response will keep the impact as low as possible.
The security team at VoiceSage aggregates logs from various sources in the hosting infrastructure and makes use of a SIEM platform to monitor and flag any suspicious activity. Our internal processes define how these alerts are triaged, investigated further, and escalated appropriately. Our customers and the wider community are encouraged to report suspected security incidents through VoiceSage Support.
In the event of a serious security incident, VoiceSage has access to the expertise internally – and through external subject matter experts – to investigate incidents and drive them until closure.
Vulnerability Management
We have an extensive vulnerability management program to ensure that we are actively seeking out weaknesses that may be present in our environment
Apart from our product-specific vulnerability management practices (discussed earlier), our security team performs ongoing network vulnerability scans of both our internal and external infrastructure using an industry-leading vulnerability scanner.
We also use specialist security consulting firms to complete penetration tests on high-risk products and infrastructures. Examples of this might include a new infrastructure set up for us (e.g. our Cloud environment), a new product, or a fundamental re-architecture (e.g. the extensive use of micro-services).
Internal processes are in place to review any reported vulnerabilities and act on them. The process includes predefined SLAs for patching vulnerabilities based on CVSS severity level.
Compliance
We run our security program in compliance with a range of well-known industry standards. We appreciate that these attestations matter, as they provide independent assurance to our customers that we are on the right track.
Currently ISO27001 and PCI DSS are standards that we certify against. More details about these programs are available on our Compliance page.
| Standard | Sponsor | Status |
| --- | --- | --- |
| ISO27001 | International Organization for Standardisation | VoiceSage has been accredited to ISO27001 for the scope of operations described in our certificate of accreditation. In short, our security team is currently certified for its security engineering, security intelligence, and security projects functions. The scope of accreditation is currently being expanded across the organization. |
| PCI-DSS | Payment Card Industries | VoiceSage is PCI DSS Level 1 compliant for handling the transmission of credit card information across our products. However, VoiceSage products are not meant to process or store credit card data for our customers; instead, where possible, we make use of specialist third-party payment gateways to process payments on behalf of users. |
We also perform comprehensive security audits through well-known audit firms, which are done at least annually.
Outputs arising from these audit and certification programs, coupled with our internal process outputs, such as vulnerability management, are all fed into a continuous improvement cycle which helps us keep sharpening the overall security program.
Privacy
We appreciate our customers’ concerns about privacy – and we understand that these concerns are probably the same concerns we ourselves have when using other SaaS-based applications. So, fundamentally, we try to treat your personally identifiable and other sensitive data the same way we would want our service providers to treat our data.
VoiceSage and its subsidiaries comply with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) for the collection, use, and retention of personal information, with all data processing occurring in the European Economic Area (EEA).
Our approach to privacy is laid out in detail in our Privacy Policy.
Shared Responsibility
In the cloud, the security of your data on our systems is a joint responsibility. At a high level, VoiceSage handles security of the applications, the systems they run on, and the environments those systems are hosted in. We ensure these systems and environments are compliant with relevant standards including PCI DSS and ISO 27001 as required.
You – our customers – manage the information within your accounts, the users accessing those accounts, and their related credentials. You ensure your business is meeting its compliance obligations in using our systems.
In brief, here are a few things that we would like our customers to consider:
Key Decisions
The decisions you make about how you set up and use our products will have a significant influence on the way security is implemented.
User Access
Being a SaaS solution, our customers are responsible for ensuring the appropriateness of user access to their data. Understanding the classification of the data that goes into the system and ensuring that users that have access to the system are authorized to access that data, are key considerations in this context.
Where applicable, using role-based authentication will make it easy to align with access restrictions that may need to be imposed to comply with data classification and handling requirements.
Encouraging users to practice good password hygiene will also help prevent threats such as password guessing, and malicious parties reusing leaked credentials, from materializing.