Didasko Security Statement (including use of Didasko Cloud Service)
16 March 2018
Didasko International Pty Ltd (t/a Didasko Learning Resources and LearnCheckTest) (Didasko) uses SoftLayer®, an IBM Company, which provides cloud infrastructure services including private cloud solutions, virtual servers, networking and turnkey data solutions. Headquartered in Dallas, Texas, SoftLayer provides on-demand cloud infrastructure as a service through its Platform Services system, which Didasko uses to provide a cloud service to its clients (the Didasko Cloud Service). SoftLayer permits its clients to create bare metal, virtual server, or hybrid computing environments, leveraging global data centres and points of presence (PoP).
SoftLayer infrastructure includes providing Platform Services from 25 data centers located within the USA and in locations outside of the USA including Sydney, Melbourne, Hong Kong, Singapore and Tokyo.
The primary Network Operations Center (NOC) is based in Houston, Texas. In the event of a failure at the NOC any other data center can resume operations. Through the NOC, SoftLayer provides 24 hours per day monitoring to support all data centers. Each data center also has its own local Data Center Room (DCR), which is used to monitor and resolve any potential issues locally.
SoftLayer’s global network offers more than 2,000 gigabits per second (Gbps) of bandwidth between data centers and networks. Each of these locations has ten Gbps transit connections as well as peering links to additional service providers and access networks. The SoftLayer production network delivers scalability and control because of its unique topology as a ‘network of networks’. Public, private and management traffic travel across separate network interfaces, segregating and securing traffic while streamlining management functions.
Every data center and network PoP has multiple ten Gbps connections to top tier transit and peering network carriers. Network traffic from anywhere in the world will connect to the closest network PoP and it will travel directly across the network to its data center, minimising the number of network hops and handoffs between providers.
All SoftLayer data centers and PoPs are connected by SoftLayer’s private network backbone. This private network is separate to the public network and provides a seamless connection to clients’ servers (bare metal or virtual) in SoftLayer data centers around the world.
In addition to the public and private networks, each SoftLayer server is connected to an out-of-band management network. This management network, accessible via Virtual Private Network (VPN), allows access to each server independently of its CPU, enabling the client to perform Operating System (OS) reloads, power-cycle the server, or use the Intelligent Platform Management Interface (IPMI) connection to watch the server boot up as though the client were physically present in the data center.
Network Design for Availability and Information Management System (IMS) Impact on Clients’ Environments
Because SoftLayer’s ‘Network-within-a-Network’ design gives each server three network interfaces, if an outage occurs at a data center on the public network, traffic can be routed through the other established networks to provide continuity of access to data and availability of the server. The Infrastructure Managed Services (IMS) is connected to the client’s bare metal and virtual servers, but it is set up separately, so any outage in the IMS will have no impact on a client’s environments: public and private traffic will continue to route even if the IMS becomes unavailable.
Under the agreement between Didasko and SoftLayer, services provided by SoftLayer are not designed to any specific security requirements other than the physical security of the computing resources containing Didasko’s content (or any client of Didasko’s content). Neither IBM nor SoftLayer will access Didasko’s content except i) when it is expressly authorised in connection with requested support; ii) as mutually agreed between the parties; iii) to the extent required by law or as necessary to comply with the request of a governmental or regulatory body or order from a court of competent jurisdiction.
Facility Management Services Supporting SoftLayer
The controls that SoftLayer implements at its data centers, whether within or outside the USA, include:
- Physical access to the Data Center, including sensitive areas, is restricted;
- Access to the Data Center is restricted to authorised personnel;
- Surveillance cameras are located at strategic locations at the Data Center as a deterrent to unauthorised access;
- Failed access attempts to the Data Center are logged for follow-up as necessary;
- Visitors and contractors to the Data Centers are signed in. Visitors are escorted by authorised personnel and contractors escorted as necessary;
- Fire detection and suppression systems, including dry pipe, fire extinguishers, smoke and fire alarms, exist in the Data Center;
- Backup power, including UPS and generators, exist in the Data Center;
- Heating and cooling (HVAC) mechanisms, such as CRAC/CRAH units, air handlers and chillers, exist in the Data Center to monitor and control temperature and humidity;
- Power distribution units and electrical panels exist in the Data Centers; and
- Periodic maintenance is performed over: a) fire detection and suppression systems, b) generator and UPS, and c) HVAC.
[Note: Didasko Cloud physical and environment security, fire detection and suppression, and power-related security matters are managed by IBM SoftLayer Cloud Services.]
Roles and Responsibilities between Client, Didasko Cloud, and IBM SoftLayer
The following chart sets out a summary of various roles and responsibilities under this Data Security Statement:
Areas of responsibility covered by the chart:
- Data Center Management
- Hypervisor Provisioning & Management
- Virtual Provisioning & Management
- Data Security (including backup, anti-virus and storage security)
- LMS Web and Database Services Provisioning & Management
- Customer LMS Site Management (including user account and assessment management, and course delivery)
- Customer LMS Site Additional Unit Creation, Upload and Local Data Security

Parties:
- Customer LMS Administrator (or the Customer's authorised agent)
- Didasko LMS Online Courses Provider (virtualised, Didasko Cloud)
- Public & Private Cloud Service Provider: IBM SoftLayer (virtualised, Sydney Data Center)
Cloud Network Security
Cloud Network Architecture and Asset Management
Didasko Cloud Service is paid by Didasko on a monthly access basis. All hardware and software on the Didasko Cloud are leased from IBM SoftLayer Cloud Services.
Internal Network Architecture
Didasko Cloud infrastructure is designed as a highly available (HA) network infrastructure to service the Didasko Web Learning Management Systems (LMS) and the eCampus Training platform. The Cloud infrastructure is designed and implemented with dual firewalls, dual Bare Metal Servers and dual load balancers for the web server Virtual Machines (VMs) and database VMs. It provides both hardware-level and software-level fault tolerance for the Didasko Cloud Service.
Cloud Network Monitoring and Protection
The following steps are taken by Didasko in relation to network monitoring and protection:
- Running monthly vulnerability scans on all VMs on the IBM SoftLayer portal.
- Automatically configuring a service ping on each VM, with the Didasko Administrator notified immediately if any VM is down.
- Automatically configuring email alerting on the Didasko Cloud Service to notify the Didasko Administrator immediately of any issues.
- On request, Security Compliance Reports are available for Didasko clients via the SoftLayer portal.
- Monitoring of Cloud infrastructure is actioned by the Didasko Information Communication Technology (ICT) Team 24 hours/7 days via the SoftLayer smartphone app.
Cloud Data Transmission Protection
- Firewall rules are designed and implemented on both Cloud public and private network interfaces to control network traffic between the internet, the Server Pool Network, the Web Server Network, the Database Server Cluster Network, the Storage Network, eCampus Server Network and eCampus Student Nested Virtualisation Network.
- SSL Certificates are enabled for all our primary domains to provide security for user interactions with Didasko web services.
- Accessing Didasko Cloud infrastructure is configured via a secure SSL VPN session designed to protect against tampering, hacking and message interruption.
- The Didasko (ICT) Team is responsible for managing Didasko Cloud Infrastructure and liaises with the IBM Australian Technical Support Service and IBM SoftLayer Cloud Technical/Customer Service Team.
- The Didasko Systems Team is responsible for designing, managing, developing and troubleshooting Didasko general web and LMS Sites.
- The Didasko Customer Service Team is responsible for responding to service and support requests from any individual LMS Site customer.
- Access to production systems is restricted to approved personnel only, via a secure SSL VPN client agent running inside the IBM SoftLayer Portal. The User Account Management Tool on the IBM SoftLayer Portal provides a range of account security policies covering password management, the service types a user may access and the locations they may access them from, and also keeps a log of user access.
Confidentiality and Non-Disclosure Agreements
All Didasko employees are required to sign confidentiality and non-disclosure agreements as part of their employment with Didasko. These obligations survive the termination of employment and are reviewed periodically.
Business Continuity and Disaster Recovery
- Dual firewalls are set up and configured in HA structure to protect the Didasko Cloud Service.
- Dual web load balancers and dual database load balancers are set up and configured to prevent the internet network traffic from directly accessing web and database servers.
- Didasko Cloud devices are configured for weekly offshore backup, and a test restore of the backup and configuration is performed monthly.
- Disaster recovery for hardware, power and cloud physical environment is managed via IBM SoftLayer.
Physical and Environmental Security
Apart from the security measures in place at all SoftLayer locations referred to above, Didasko has the following physical and environmental security systems in place at its offices:
- Physical access is strictly controlled by a staff security system, including electronic coded staff access to all offices, video surveillance, intrusion detection systems and other electronic monitoring.
- Automatic fire protection, detection and suppression is installed in all offices consistent with applicable legislation including the Building Act 1993 (Vic), the Building Regulations 2006 (Vic) and the Building Code of Australia, unless specifically exempted.
- Didasko has an uninterruptible power supply (UPS) on-site in the server room at its offices in Melbourne. The facility is also provided with air-conditioning, security cameras with a 24/7 monitoring service, a locked door with a swipe card security system for authorised personnel only, a fire extinguisher system and a raised floor.
Didasko maintains vigilant and high-level security of all internal networks and interfaces by:
- Applying secure web programming practices to deliver a highly secure web service.
- Applying an antivirus plugin for Moodle (LMS) that scans uploaded files for security threats.
- Automatically converting plain-text passwords in the external database authentication table to encrypted passwords.
- Installing and configuring antivirus programs on all Didasko web and LMS servers, and running an antivirus scan daily.
- Rigorous testing by the Didasko Systems Team of every new plugin and customisation for vulnerabilities.
- Implementing LMS service security procedures based on Moodle security recommendations that include site policies, notifications, password encryption, spam controls and privacy protection.
Ownership and Retention of Data
- SoftLayer is responsible for the physical environment, hardware, physical maintenance and power service availability of the Didasko Cloud Service.
- Didasko is responsible for designing, provisioning, managing and developing LMS Sites. This includes course material updates, the email service, the payment portal, antivirus programs and backup services.
- The Didasko client is at all times responsible for their own user account management, course delivery, assessment and result recording, local data storage management, and the creation and upload of their own content and materials.
- Didasko and IBM SoftLayer will continue to pursue any relevant or new compliance and regulatory frameworks to provide the best service to their customers.
Data Sovereignty and Cross-border Data Flows
Didasko is aware of its obligations under the Privacy Act 1988 (Cth) (as amended from time-to-time) (Privacy Act) including in relation to any cross-border disclosures of personal information under Australian Privacy Principle (APP) 8.
Where there is any ‘disclosure’ of personal information to SoftLayer through the use of the Didasko Cloud Service, Didasko undertakes to take such steps as are reasonable in the circumstances to ensure that any overseas recipient does not breach the APPs (other than APP 1) in relation to the information.
Where the provision of services by SoftLayer to Didasko via the Didasko Cloud Service constitutes any ‘use’ of personal information, Didasko accepts that any handling of personal information by SoftLayer, including any acts or practices undertaken by it on behalf of Didasko, will be treated as having been done by Didasko.
Didasko takes any data security maintenance outside of the SoftLayer and Didasko Cloud Service framework seriously including:
- Running a daily data backup for all VMs, merging recovery points after each successful backup, keeping a ten-recovery-point archiving schedule and running a disk verification schedule weekly.
- Antivirus On-Access Scan/On-Demand Scan is enabled for all Windows VMs and the attached network storage. Both full scan and auto update are scheduled daily at 5 am.
- IBM SoftLayer provides fault tolerance on hard disk storage and redundancy on the storage network to protect Didasko Cloud data (refer to the related IBM Cloud documentation).
- Didasko has requested that IBM SoftLayer alert it to the details of any ‘eligible data breach’ (as that term is defined under the Privacy Act 1988) as soon as reasonably practicable, so as to ensure that all parties comply with their lawful obligations under the Notifiable Data Breaches (NDB) scheme, which commenced in Australia on 22 February 2018.
Information Technology Liability Insurance
$2M any one claim / $4M in aggregate
General Liability (Product and Public Liability)
Management Liability Insurance