Data Security

Paua Servers

Production

The Paua production server is hosted in a data centre in central Auckland. The only way to log in to the server is via SSH (the Secure Shell protocol). This requires the person connecting to hold a private key that the server will accept. Only Paua Software hold these keys.

This means that no connection can be made to the server using a standard username and password login. It also means that all communication with the server is encrypted.

Staging / Backup

The Paua staging / backup server is hosted in a data centre on the North Shore in Auckland. The server is essentially a copy of the production server and is secured in the same way with the use of SSH keys. The server holds several weeks of nightly database backups in addition to a working copy of Paua for use in testing Paua changes and enhancements prior to release to the production server.

Inter Server Data Transfers

When data is transferred between the servers, for example when copying database backups from the production server to the staging / backup server, it is transferred using rsync over an SSH connection and thus cannot be intercepted by a third party.

Paua Application

The Paua application runs entirely under SSL (Secure Sockets Layer encryption). This is the same way that the connection is managed when you connect to a secure site such as a banking system.

This security can be verified by looking at the address bar in the browser when connected to Paua. The actual appearance will vary depending on the browser that you are using but the crucial thing is that the address starts with https rather than http. The s at the end signifies that the connection is using SSL.

Passwords

If required, a preference can be set for a password validity duration, forcing users to change their passwords after a certain time.

Passwords are stored in encrypted form in the Paua database and as such are not human readable.

Brute-force dictionary attacks by bots attempting to gain access to the system are prevented by briefly locking access to an account after several failed login attempts.

Backups

Server Locations

The Paua production server is hosted by SiteHost and located in a data centre in central Auckland. The staging/backup server is hosted by RimuHosting and is located in a different data centre in Auckland’s North Shore.

Server Backups

SiteHost make a backup image of the entire production server every day and store the backups in a secure offsite location on a seven-day rotation. RimuHosting make a backup image of the staging/backup server once a week.

Production Database Backups

Every night there is an automatically scheduled backup of the Paua database. Seven days of database backups are kept on the production server.

Transfer From Production to Staging server

Every night, all new attachments created on the production server are copied across to the backup server. In addition, the latest database backup of production is copied to the backup server. Thirty days of database backups are kept on the backup server.

Data Replication on the Backup server

Every night, after the transfer of the latest database backup from the production server, the data is restored into the active Paua database on the backup server. This means that the backup server is always running on data only one day old.

Agency Backups

In addition to the backups outlined above, there is a facility for individual agencies to download a database backup for their specific agency. This feature is set up in the application preferences.