24 September 2024

Cybersecurity with Rewix: the SaaS application for eCommerce

Cybersecurity means guaranteeing the "integrity", "availability" and "confidentiality" of the data that has to be managed. The best security comes from prevention and monitoring, which stop potential threats from becoming real incidents that damage one or more of these three goals.

The management of security follows the entire lifecycle of the software: it begins with the design of the most appropriate application and system architecture, continues through the development and testing phase, and extends into the usage and maintenance phase, applying best practices and adopting every available tool to prevent security breaches. The management of permissions for maintainers and developers is crucial to prevent unauthorized access to data, so the roles and permissions that the various users will need when accessing data must be carefully planned and studied during the design phase.

During the database design phase, special attention is always paid to the management of auditing policies, aimed at recording in the database the date, identity, and extent of the modification of particularly sensitive data. In this way, any erroneous or fraudulent operations by operators authorized to make modifications can be traced and attributed to the author.
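As an added example (not Rewix's own schema), the auditing policy described above can be implemented in PostgreSQL with a trigger that records the date, the operator and the before/after state of every change to a sensitive table. The table names `customer` and `audit_log`, the function `audit_row_change` and the session variable `app.user_id` are assumptions; the example assumes PostgreSQL 11 or later and that the application sets `app.user_id` at the start of each transaction.

```sql
-- Names assumed: customer, audit_log, audit_row_change, app.user_id.
CREATE TABLE customer (
    id    serial PRIMARY KEY,
    email text NOT NULL,
    iban  text                      -- sensitive column whose changes must be traceable
);

CREATE TABLE audit_log (
    id         bigserial   PRIMARY KEY,
    table_name text        NOT NULL,
    row_id     text        NOT NULL,
    operation  text        NOT NULL,                      -- INSERT / UPDATE / DELETE
    changed_by text        NOT NULL,                      -- application operator
    db_role    text        NOT NULL DEFAULT session_user, -- database login actually used
    changed_at timestamptz NOT NULL DEFAULT now(),
    old_data   jsonb,                                     -- row before the change
    new_data   jsonb                                      -- row after the change
);

-- SECURITY DEFINER: the trigger writes the trail with the owner's rights, so no
-- application role needs (or gets) any privilege on audit_log itself.
CREATE OR REPLACE FUNCTION audit_row_change() RETURNS trigger
LANGUAGE plpgsql SECURITY DEFINER SET search_path = public, pg_temp AS $$
DECLARE
    operator text := current_setting('app.user_id', true);
BEGIN
    -- Refuse changes that cannot be attributed to a person.
    IF operator IS NULL OR operator = '' THEN
        RAISE EXCEPTION 'app.user_id not set: unattributed change to % rejected', TG_TABLE_NAME;
    END IF;
    INSERT INTO audit_log (table_name, row_id, operation, changed_by, old_data, new_data)
    VALUES (
        TG_TABLE_NAME,
        to_jsonb(COALESCE(NEW, OLD)) ->> 'id',          -- works for any table with an id column
        TG_OP,
        operator,
        CASE WHEN TG_OP IN ('UPDATE', 'DELETE') THEN to_jsonb(OLD) END,
        CASE WHEN TG_OP IN ('INSERT', 'UPDATE') THEN to_jsonb(NEW) END
    );
    RETURN NULL;   -- AFTER trigger: the return value is ignored
END $$;

CREATE TRIGGER customer_audit
AFTER INSERT OR UPDATE OR DELETE ON customer
FOR EACH ROW EXECUTE FUNCTION audit_row_change();

-- Usage with constructed data: the application tags the transaction with the operator.
BEGIN;
SET LOCAL app.user_id = 'operator-42';
INSERT INTO customer (email, iban) VALUES ('a@example.com', 'IT00X0000000000000000000000');
UPDATE customer SET iban = 'IT11Y1111111111111111111111' WHERE email = 'a@example.com';
COMMIT;
-- audit_log now holds one INSERT and one UPDATE row attributed to operator-42,
-- each with the old and new row state; an UPDATE run without app.user_id fails.
```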

Furthermore, cybersecurity involves the efficient and effective management of the server and networking infrastructure, which must always be able to withstand external threats. A cluster architecture of the application nodes ensures the availability and scalability of the application. A careful backup policy, with a retention period suited to the volume of data to be managed, and regular verification of the backup procedures are equally important: backups are essential for disaster recovery.

Some of these procedures may be subject to quality certification, but they are often related to the certification of internal procedures of the data centers hosting the servers and data.
Alongside best practices for programming and developing a web app, cybersecurity is reinforced by national and EU regulations on privacy protection ("The Personal Data Protection Code" - Legislative Decree June 30, 2003, No. 196) and subsequent ones, as well as by the national regulations governing the activities of system administrators ("Measures and precautions prescribed for data controllers carrying out electronic data processing concerning the roles of system administrators" - November 27, 2008 - Official Gazette No. 300 of December 24, 2008).
Additionally, if all these practices fail, it is possible to request the provider to sign a civil liability insurance policy that covers damages resulting from the manifestation of one or more of the aforementioned risks.

REWIX Architecture

Rewix is a modern, publicly exposed, enterprise-class web application, written on the J2EE (Java 2 Enterprise Edition) framework with a PostgreSQL database, with an effective separation of functions through a layered architecture:

  • presentation logic, based on a web server in the DMZ
  • business logic, provided by an application server in a second DMZ
  • data access logic, implemented by a database on another server, separated by a firewall from the previous layers.

REWIX architecture - diagram

The REWIX architecture and application represent the state of the art in J2EE applications.

J2EE applications. Rewix eCommerce - diagram

Security and Application Architecture

The layered architecture is often enforced as a security policy in many enterprise contexts and is natively adopted by REWIX.

Our detailed knowledge of the systems, along with continuous updates on vulnerabilities, allows us to effectively manage the stability of the information structure in projects based on Rewix.

Security and application architecture of Rewix - diagram

Alongside application security, it is necessary that all procedures and processes comply with best practices and industry regulations, and that development team members are clearly identifiable.
The following are the conditions in which the application and the software infrastructure supporting it operate.

Web server

The web server’s role in handling requests and responses can be extended with additional functionality provided by third-party software, such as web proxies or web firewalls. A web proxy intercepts packets and tracks navigation, while a web firewall intercepts and blocks potentially harmful packets.
The web server is the only element of the infrastructure exposed in a public web architecture. Therefore, firewall services are always applied to protect the publicly exposed ports and to handle low-level network attacks (DoS, MITM attacks, etc.).

Notes:

  • The operating system version of the host machine, service packs, and patches are always up to date.
  • The highest possible precision is applied to logs, and log analysis procedures are implemented at fixed intervals.
  • If possible, third-party software is used to control and validate the data flow passing through the web server.
  • Verify and, if necessary, customize or hide all files, folders, or error information that the web server exposes by default; some software (web servers included) exposes various functionalities externally out of the box.

Application server

The application server is essentially a container/interpreter for the application, providing access to data and other functionalities. Its job is to receive requests from the web server, query the data source, and return a response to the web server.

Notes:

  • The operating system version of the host machine, service packs, and patches are always up to date.
  • Always keep the application server updated to the latest version, patch, or service pack.
  • Primarily use native and certified classes for the application server.

Database

Starting from the data source:

  • The operating system version of the host machine, service packs, and patches are always up to date.
  • The database version in use is always kept up to date.
  • Any application passwords must be stored encrypted in the database.
  • The design, development, and implementation of the database must be carried out by competent, trustworthy people, with a focus on both internal and external security.
  • The management of database access policies outside the web application that will use it is restricted to as few people as possible, with detailed permissions on instances.
  • Where possible, stored procedures are used for every operation and views are created for reading data; both are always preferable to direct table access.
  • Obviously, any machine containing a production data source is protected internally and externally by strict firewall policies (unnecessary ports and services are closed and hidden).
  • Application data is recorded without time limitations and will be retained until the legitimate owners request its removal, in compliance with current laws. If the data has been used for transactions, the data related to the transaction owner will be retained to protect the integrity of the database.
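As an added example (not Rewix's own configuration), the access-policy notes above can be expressed as PostgreSQL roles and grants: the application gets a view and a function instead of the table, and a separate credential gets read-only access for exports. All role, schema and object names (`rewix_owner`, `rewix_app`, `rewix_export`, `app.customer`, `app.set_customer_iban`) are assumptions, and the script assumes it is run by the database superuser.

```sql
-- Run as the database superuser; all role, schema and object names are assumed.
CREATE ROLE rewix_owner  NOLOGIN;                                    -- owns schema and tables
CREATE ROLE rewix_app    LOGIN PASSWORD 'placeholder-app-secret';    -- application server
CREATE ROLE rewix_export LOGIN PASSWORD 'placeholder-master-secret'; -- separate export credential

REVOKE ALL ON SCHEMA public FROM PUBLIC;   -- no implicit rights for every role

CREATE SCHEMA app AUTHORIZATION rewix_owner;
SET ROLE rewix_owner;                      -- create objects as the owner, not as superuser

CREATE TABLE app.customer (
    id         serial PRIMARY KEY,
    email      text NOT NULL,
    iban       text,                       -- sensitive: never exposed through the app view
    created_at timestamptz NOT NULL DEFAULT now()
);

-- The application works through a view that omits the sensitive column
-- (a simple view like this is automatically updatable in PostgreSQL)...
CREATE VIEW app.customer_public AS
    SELECT id, email, created_at FROM app.customer;

-- ...and changes the sensitive column only through a function that runs with
-- the owner's rights and enforces the validation rule itself.
CREATE FUNCTION app.set_customer_iban(p_id integer, p_iban text) RETURNS void
LANGUAGE plpgsql SECURITY DEFINER SET search_path = app, pg_temp AS $$
BEGIN
    IF p_iban !~ '^[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}$' THEN
        RAISE EXCEPTION 'invalid IBAN format';
    END IF;
    UPDATE app.customer SET iban = p_iban WHERE id = p_id;
    IF NOT FOUND THEN
        RAISE EXCEPTION 'customer % not found', p_id;
    END IF;
END $$;
-- Functions are executable by PUBLIC by default; take that away first.
REVOKE EXECUTE ON FUNCTION app.set_customer_iban(integer, text) FROM PUBLIC;

RESET ROLE;

-- Application role: the view, its id sequence and the function. No direct table access.
GRANT USAGE ON SCHEMA app TO rewix_app;
GRANT SELECT, INSERT, UPDATE ON app.customer_public TO rewix_app;
GRANT USAGE ON SEQUENCE app.customer_id_seq TO rewix_app;
GRANT EXECUTE ON FUNCTION app.set_customer_iban(integer, text) TO rewix_app;

-- Export credential: read-only on the full table, and nothing else.
GRANT USAGE ON SCHEMA app TO rewix_export;
GRANT SELECT ON app.customer TO rewix_export;
```

With these grants, `SELECT iban FROM app.customer` as `rewix_app` fails with a permission error, while the same role can still read customers through the view and update an IBAN only via the validated function.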

Authentication

In a web application, authentication is the fundamental system for data protection; it is the front line separating the exposed part from the protected part. If an authentication system does not work or is poorly implemented or insufficiently secure, all efforts to achieve a reliable application will eventually fail.

Rewix uses the following authentication technologies:

  • HTTP Basic and Digest
  • Form Based
  • SSL Digital Certificates, tokens, etc.
  • DNS Names and IP addresses
  • Password-based authentication such as username, password storage, quality, lockout, aging, history, reset

Security Controls

To ensure security in a SaaS application like Rewix, various security controls and capabilities must be systematically implemented to protect both the platform and user data. Here is a description of what these controls and capabilities might include, based on standard cybersecurity practices:

Security Controls

  1. Strong Authentication: Implementing strong authentication mechanisms, including two-factor authentication (2FA) and Single Sign-On (SSO) for users, especially for those with administrative privileges.
  2. Identity and Access Management (IAM): Strict role-based access control, ensuring that users have only the necessary permissions to perform their functions.
  3. Data Encryption: Encrypting data in transit and at rest using standards like TLS and AES to protect sensitive and personal information.
  4. Endpoint Protection: Utilizing endpoint security solutions to detect and mitigate malware and other threats on devices accessing the platform.
  5. Firewall and Web Application Firewall (WAF): Protecting the network perimeter and web applications from common attacks like SQL injection, cross-site scripting (XSS), and other known exploits.
  6. Security Configuration: Enforcing strict, standardized security configurations for operating systems, databases, and other infrastructure components.
  7. Patch Management: Regular patch management processes to apply security patches to the software and platforms in use.
  8. Incident Monitoring and Response: Continuous monitoring of suspicious activity with an incident response team ready to act in case of security breaches.
  9. Backup and Recovery: Implementing backup and recovery strategies to prevent data loss and ensure business continuity.

Security Capabilities

  1. Threat Detection: The ability to identify potentially harmful activities through intrusion detection systems (IDS) and intrusion prevention systems (IPS).
  2. Vulnerability Assessment: Regular system scans to identify and mitigate vulnerabilities before they can be exploited.
  3. Security Information and Event Management (SIEM): Using SIEM solutions to collect, analyze, and report on security events.
  4. Security Training: Security awareness and training programs for users and staff, educating them on safe practices and threat identification.
  5. Penetration Testing: Periodic penetration testing by external security experts to simulate cyber-attacks and assess the platform’s defenses.

Penetration testing, in particular, is a crucial element of Rewix's security strategy. By conducting regular penetration tests, Rewix can identify and address vulnerabilities, improve security policies and incident response procedures, and strengthen the platform's overall security posture against increasingly sophisticated cyberattacks.

Different levels of access to information

REWIX allows differentiated levels of access to information to be managed through roles and permissions. The export of records is available only to users holding a special password with specific grants on the DB (referred to as the MasterPassword). Sessions are managed so that every access is logged.

Development and support team

Zero11 uses only trusted employees and collaborators for development and support. During development, all best practices are followed to avoid data theft, unauthorized access to data, and theft of application source code. Team activities are logged in time-tracking files. The application's source code is managed using SCM tools and version control for managing releases and versions. Support activities are handled through a ticketing system.

Design phase

The application is compliant with privacy by design principles.

Testing phase

The application undergoes testing and verification to comply with all previously described standards and practices. Periodically, vulnerability and penetration tests are conducted to assess the application’s ability to respond to potential web-based attacks.

Secure data center

Zero11 applications are hosted on Critical Case infrastructure at the ICT Telecom datacenter in Torino, which is ISO 27001 certified. The datacenter has fire protection systems, air conditioning, and fully redundant electrical systems with a 99.98% SLA and TIM privilege support. Access is guaranteed 24/7, and a TIM technician is always available for assistance. For further information, see the attached document.

Access control and physical security

  • 24/7 perimeter security with guards
  • Controlled access to the data center and data rooms
  • Highest construction and maintenance standards of the building
  • Perimeter and internal video surveillance
  • Asset movement tracking
  • Environmental control
  • Humidity and air temperature control
  • Redundant cooling and air conditioning system (N+1)

Power supply

  • Redundant CPS/UPS systems
  • Redundant power distribution units (PDUs)
  • Redundant diesel generators (N+1) with on-site fuel reserves

Backup

  • All data is backed up daily using an incremental rotation system and full backup
  • Data backups are copied to another datacenter in encrypted form, and the key is provided to the customer

Network

Criticalcase is AS48815 and fully manages its own network. We are interconnected to both TOPIX and MIX, as well as 26 national and international carriers, to ensure the highest reliability and performance of our internet services.

85% of the traffic is handled through peering.

85% of the traffic managed by CriticalCase remains intra-carrier. This means that a user from a specific provider can reach our premises directly without using the internet.

The entire network is protected by a WatchGuard XTM 2050 IPS system that identifies and filters malicious traffic. The entire CriticalCase core network, BGP routers, firewalling, and IPS components are interconnected at 10 Gbps to ensure full traffic management, even in the event of DDoS attacks or traffic spikes caused by events, streaming, and online TV.

Backup Policy

Rewix's backup policy, which implements continuous data replication and intraday backup procedures, can be outlined as follows:

Continuous Replication Policy

Objective: Ensure the resilience and immediate availability of data through continuous replication on a geographically distinct cluster.

Procedure:

  1. Real-Time Replication: The primary database data is replicated in real-time on a secondary cluster located in a different geographical area. This ensures redundancy and data access in the event of failures or disasters at the primary site.
  2. Monitoring: The monitoring system constantly checks the integrity and latency of the replication, ensuring that the data on the secondary cluster is up-to-date and consistent with the primary cluster.
  3. Automatic Failover: In case of DB service interruption in the primary cluster, the system is configured to automatically switch to the secondary cluster, thereby minimizing downtime.

Intraday Backup Policy

Objective: Safeguard data through intraday backups, ensuring that in case of data loss, it can be recovered up to a point very close to the disaster moment.

Procedure:

  1. Scheduled Backup: During the day, periodic backups of the data are performed at regular intervals.
  2. Dual Location: Each backup is copied to two geographically distinct locations from the primary and secondary clusters to further protect the data from regional catastrophic events.
  3. Verification and Testing: After each backup operation, a test is performed to verify the integrity of the copied data. This ensures that the backups are valid and restorable.

Backup Retention

Objective: Retain data backups for a period of six months to meet business and regulatory requirements.

Procedure:

  1. Backup Lifecycle: All backups are retained for a period of six months. After this period, backups are automatically deleted according to data retention policies.
  2. Data Recovery: If necessary, data can be recovered from any backup within the retention period.
  3. Documentation and Compliance: Accurate documentation of all backup operations and retention procedures is maintained to ensure compliance with company policies and current regulations.

Policy Review and Update

Objective: Ensure that the backup policy remains effective and compliant with business needs and technological changes.

Procedure:

  1. Periodic Review: The backup policy is periodically reviewed to adapt to new technologies, regulatory changes, and evolving business needs.
  2. Procedure Updates: Any significant changes in infrastructure or business requirements lead to an update of backup and retention procedures.
  3. Staff Training: Staff involved in the backup process are regularly updated and trained on new procedures and technologies.

This backup policy is designed to ensure that SaaS application data is protected, recoverable, and managed in compliance with industry best practices and standards.

Regulatory Compliance

Zero11 complies with national and EU regulations on privacy protection (“The Code regarding the protection of personal data” - Legislative Decree June 30, 2003, n. 196) and the national regulations governing the activities of system administrators (“Measures and precautions prescribed to the data controllers processing data through electronic means concerning the attribution of system administrator functions” - November 27, 2008 - Official Gazette n. 300 of December 24, 2008).

Insurance

Zero11 has subscribed to a liability insurance policy for data protection and to ensure service continuity. The policy costs are excluded from the presented offer.
