ARCHITECTURE

Channel99 uses Amazon Web Services (AWS) as the primary cloud service. Channel99 utilizes the shared security responsibility model, where the cloud provider is responsible for the security of the underlying cloud infrastructure (i.e. physical infrastructure, geographical regions, availability zones, operating, managing and controlling components from the host system, security of cloud native services, virtualization layer and storage) and Channel99 is responsible for securing the application platform and configuration deployed in the cloud provider’s infrastructure.

CLOUD SECURITY

Channel99 works within the security models provided by our cloud providers. The use of security groups enables the analysis of traffic and determines whether access is allowed based on the rules. Channel99 has adopted a role-based framework. Access is provisioned using Identity and Access Management (IAM) role-based access to resources. Furthermore, access is granted based on the role and context of the entity (grantee) and not just on the sources. Environments are physically and logically separated by function – e.g. development, staging and production. Channel99’s corporate locations are insulated by firewall technologies, utilize active threat monitoring, and provide active traffic and log analysis on central security components and endpoints. 

SYSTEM EVENT LOGGING, MONITORING AND ALERTING

Monitoring tools and services are used to monitor systems including network devices, security events, operating system events, resource utilization, user access audit records, cloud infrastructure and associated event logs, audit and security logs, application operations events and application account audit logs.

Alerting logic processes these events and actions are taken to initiate any applicable remediation. Logs of all production servers are stored and retrievable from a centralized repository.

APPLICATION SECURITY

At Channel99, security is integrated into the software development lifecycle (SDLC) process.

• Design: Security implications are considered as part of the  application design process.

• Development: Peer review of source code is part of the SDLC process. Security checklists are included in the code review template to enable engineers to check for security flaws consistently as part of the review process.

• Testing: Security testing is performed at various stages of the development lifecycle:

• Automated tests: Security testing for business logic is automated as much as possible to catch any regressions to existing features.

• Manual tests: Manual security testing is conducted as part of release testing to flag any security issues.

• Security scans: Static and dynamic application security tests are run regularly in production and development environments to detect and flag any issues.

• Vulnerability management: Security issues are triaged regularly, prioritized based on severity, and tracked to remediation in accordance with published SLAs.

DATA INTEGRITY

Confidential and sensitive data is retained only as long as required for legal, regulatory and business requirements. However, upon request Channel99 will delete customer data within sixty days of written notification.

ENCRIPTYON DURING TRANSIT

Channel99 encrypts traffic during transit with Transport Layer Security “TLS” using Channel99 security standard cipher-suites when communicating across an untrusted network. This applies to external and internal communications. The high entropy and perfect forward secrecy negate the need for the storage of symmetric keys.

ENCRYPTION FOR DATA AT REST

Encryption of data applies to the following use cases:

• Personal and Customer Data: Any data that identifies personal data through unique field values that would reveal personal identity information of a Channel99 customer. Example: customer email or phone number.

• Tag Visit Metadata: Any data that is required to be shared with the Tag events, participating websites, or partners that is abstracted from an individual identity but can be used as an identifying field for analysis. An example of such information is a cookie or first three octets of an IP address.

ENCRYPTION FOR STORAGE/BACKUPS

• Data storage: All Channel99 data stores are encrypted via Amazon S3 encryption via AWS Key Management Service (KMS) regardless of data classification. 

• Key management: Keys used for data encryption or key encryption are stored in the cloud KMS.

• Access management: Identity and Access Management (IAM) roles are used for encrypt/decrypt permissions based on policies of \ least privilege access to data.