Sondar Technologies Pty Ltd (ABN: 19 656 306 428)Sondar is a customer intelligence platform that uncovers valuable insights from your customer feedback, thus empowering your teams to make data-driven decisions. As we manage and retain your data, ensuring it is protected is a top priority. We’re committed to being transparent about our security practices and helping you understand our approach.The National Cyber Security Centre (NCSC) has created Cloud Security Principles to help organisations configure, deploy and use cloud services securely. This document outlines how Sondar meets those principles.
Document format
Each NCSC Cloud Security Principle is represented by a heading. Some Cloud Security Principles also contain NCSC Considerations, which are also represented by subheadings. All principles and considerations are followed by NCSC Guidance, which are formatted in italics. Please note that all principles, considerations and guidance are taken from NCSC’s documentation and are not written by Sondar. Sondar’s responses to NCSC’s principles, considerations and guidance can be found under the subheadings Sondar responsibility and Customer responsibility.
NCSC Guidance:
User data transiting networks should be adequately protected againsttampering and eavesdropping. This should be achieved through a combination of:
• Network protection - denying your attacker the ability to intercept data
• Encryption - denying your attacker the ability to read data
Sondar’s responsibility:
All data transmitted between clients and the Sondar service is done so using strong encryption protocols. Sondar supports the latest recommended secure cipher suites to encrypt all traffic in transit, including use of TLS 1.2 protocols, AES256 encryption and SHA2 signatures, whenever supported by the clients.
Within Sondar networks, with Enterprise Key Management (EKM) enabled, all data is encrypted prior to transmission. Without EKM, data may be transmitted without encryption between certain hosts within Sondar’s virtual private cloud (VPC). Data routed through the public internet is never transmitted unencrypted.
NCSC Guidance:
User data, and the assets storing or processing it, should be protectedagainst physical tampering, loss, damage or seizure.
The aspects to consider are:
• Physical location and legal jurisdiction
• Data centre security
• Data at rest protection
• Equipment disposal
• Physical resilience and availability
NCSC Guidance: In order to understand the legal circumstances under which your data could be accessed without your consent you must identify the locations at which it is stored, processed and managed.
You will also need to understand how data-handling controls within the service are enforced,relative to UK legislation. Inappropriate protection of user data could result in legal andregulatory sanction, or reputational damage.
Sondar's responsibility:
Sondar will access data in the services in accordance with our policies. All customer data resides entirely in our AWS production environment, physically located within AWS data centres in Australia. Sondar provisions services in accordance with the laws applicable to it as a service provider.
NCSC Guidance: Locations used to provide cloud services need physical protection against unauthorised access, tampering, theft or reconfiguration of systems. Inadequate protections may result in the disclosure, alteration or loss of data.
Sondar's responsibility:
All customer data resides entirely in our AWS production environment. Physical protections are entirely provided by AWS, which has a wide range of security certifications and attestations to its physical security. More data on AWS data centre security can be found here.
NCSC Guidance:
To ensure data is not available to unauthorised parties with physical access to infrastructure, user data held within the service should be protected regardless of the storage media on which it’s held. Without appropriate measures in place, data may be inadvertently disclosed on discarded, lost or stolen media.
Sondar's responsibility:
At Sondar, we are committed to ensuring that your data is protected. By default, Sondar encrypts data at rest and data in transit as part of our foundational security controls.
Data at rest in Sondar’s production network is encrypted using FIPS 140-2 compliant encryption standards, which applies to all types of data at rest within Sondar’s systems—relational databases, file stores, database backups, etc. All encryption keys are stored in a secure server on a segregated network with controlled and very limited access.
Sondar has implemented appropriate safeguards to protect the creation, storage, retrieval, and destruction of secrets such as encryption keys and service account credentials.
NCSC Guidance:
Once equipment used to deliver a service reaches the end of its useful life, it should be disposed of in a way which does not compromise the security of the service or user data stored in the service.
Sondar's responsibility:
Sondar’s hosting providers are responsible for ensuring that equipment is disposed of in a responsible manner. More information about AWS hardware disposal can be found in the Device Management section here.
NCSC Guidance: Services have varying levels of resilience, which will affect their ability to operate normally in the event of failures, incidents or attacks. A service without guarantees of availability may become unavailable, potentially for prolonged periods, regardless of the impact on your business.
Sondar's responsibility:
Sondar utilizes services deployed by its hosting provider to distribute production operations across four separate physical locations. These four locations are within one geographic region, but protect Sondar’s service from loss of connectivity, power infrastructure and other common location-specific failures. Production transactions are replicated among these discrete operating environments to protect the availability of Sondar’s service in the event of a location-specific catastrophic event.
Sondar also retains a full backup copy of production data in a remote location significantly distant from the location of the primary operating environment. Full backups are saved to this remote location at least once per day and transactions are saved continuously. Sondar tests backups at least quarterly to ensure that they can be successfully restored. Further physical resilience is ensured by our hosting providers.
NCSC Guidance:
A malicious or compromised user of the service should not be able to affect the service or data of another. Factors affecting user separation include:
• where the separation controls are implemented – this is heavily influenced by the service model (e.g. IaaS, PaaS, SaaS)
• who you are sharing the service with - this is dictated by the deployment model (e.g. public, private or community cloud)
• the level of assurance available in the implementation of separation controls.
Sondar's responsibility:
Sondar is hosted in an Amazon Web Services Virtual Private Cloud. It is a multi-tenant solution where data is logically separated. Every API call at all layers of the technology stack uses a Tenant_ID as the primary key. When a user logs into Sondar, credentials are checked with our user database and a secret token is generated per User Agent session. This ensures that all calls from the user are directed to the correct tenant. Logical separation ensures that customers can only access their own data and no one else’s.
NCSC Guidance:
Where service provider personnel have access to your data and systems you need a high degree of confidence in their trustworthiness. Thorough screening, supported by adequate training, reduces the likelihood of accidental or malicious compromise by service provider personnel.
The service provider should subject personnel to security screening and regular security training. Personnel in these roles should understand their responsibilities. Providers should make clear how they screen and manage personnel within privileged roles.
Sondar's responsibility:
Sondar endeavors to ensure that background verifications are completed for all people working at Sondar prior to beginning work. These activities are performed within the legal limits of the local jurisdiction.
The concept of least privilege is applied to all Sondar systems as they are all able to scope permissions based upon a defined profile.
Access to customer data is restricted specifically to a select group of privileged engineers. The exact roles and job requirements of these individuals are outlined in Sondar's internal Access Matrices. Sondar performs quarterly access reviews to ensure that system authorization is always backed by a necessary business justification. In the event that an employee is terminated or leaves, Sondar revokes all system access as soon as possible (always within 24 hours).
NCSC Guidance:
Your provider should make the tools available for you to securely manage your use of their service. Management interfaces and procedures are a vital part of the security barrier, preventing unauthorised access and alteration of your resources, applications and data.
The aspects to consider are:
• Authentication of users to management interfaces and support channels
• Separation and access control within management interfaces
NCSC Guidance:
In order to maintain a secure service, users need to be properly authenticated before being allowed to perform management activities, report faults or request changes to the service.
These activities may be conducted through a service management web portal, or through other channels, such as telephone or email. They are likely to include such functions as provisioning new service elements, managing user accounts and managing consumer data.
Service providers need to ensure that all management requests which could have a security impact are performed over secure and authenticated channels. If users are not strongly authenticated then an imposter may be able to successfully perform privileged actions, undermining the security of the service or data.
Sondar's responsibility:
Sondar provides customers with controls to manage their users and admin users.
NCSC Guidance:
Many cloud services are managed via web applications or APIs. These interfaces are a key part of the service’s security. If users are not adequately separated within management interfaces, one user may be able to affect the service, or modify the data of another.
Your privileged administrative accounts probably have access to large volumes of data. Constraining the permissions of individual users to those absolutely necessary can help to limit the damage caused by malicious users, compromised credentials or compromised devices.
Role-based access control provides a mechanism to achieve this and is likely to be a particularly important capability for users managing larger deployments. Exposing management interfaces to less accessible networks (e.g. community rather than public networks) makes it more difficult for attackers to reach and attack them, as they would first need to gain access to one of these networks.
Sondar's responsibility:
Sondar provides customers with controls to manage their users and admin users.
NCSC Guidance:
All access to service interfaces should be constrained to authenticated and authorised individuals.
Weak authentication to these interfaces may enable unauthorised access to your systems, resulting in the theft or modification of your data, changes to your service, or a denial of service.
Importantly, authentication should occur over secure channels. Email, HTTP or telephone are vulnerable to interception and social engineering attacks.
Sondar's responsibility:
Sondar provides customers with controls to manage their identity and authentication.
NCSC Guidance:
Systems used for administration of a cloud service will have highly privileged access to that service. Their compromise would have significant impact, including the means to bypass security controls and steal or manipulate large volumes of data.
The design, implementation and management of administration systems should follow enterprise good practice, whilst recognising their high value to attackers.
Sondar's responsibility:
The concept of least privilege is applied to all Sondar systems as they are all able to scope permissions based upon a defined profile. Sondar utilizes a Role-Based Access Control (RBAC) model to assign system users' access. The RBAC access is defined based on users' roles and job function and adhere to the Default Access Standard.
Sondar employees with access to production environment, internal tools and customer data are reviewed on a quarterly basis to ensure that their access is appropriate based on job roles and responsibilities. Any discrepancies (users no longer requiring access) are triaged accordingly.
Access to Sondar’s production environment requires users to log in to a Bastion Host via SSH keys and two-factor authentication. All of the system commands that the privileged engineers need to execute in order to view customer data are logged and many would alert the security team. The security team has automated alerts that are designed to detect the unauthorized activity of a malicious actor, insider or otherwise, who is attempting to view customer data with no clear business need. Such activity would be detected and treated as a potential breach.