eXpress badging® enforces layered security measures across the Veonics® Portal and supporting infrastructure.
🏗️ This includes encryption, firewall segmentation, intrusion prevention, and endpoint protection, all aligned with NIST CSF 2.0.
🔒 Encryption in Transit
Q: Is there encryption in place to transmit the data securely over public networks?
- Answer: Yes
- All data and photos transmitted over public networks are protected with TLS 1.2+ encryption.
- Applies to web sessions, APIs, and file transfers.
- AWS-managed certificates ensure current, strong ciphers.
📄 Supporting Documentation: Need-to-Know / Least-Privilege Access Policy
☁️ Encryption in Cloud Storage
Q: Is there encryption of confidential information on public cloud networks?
- Answer: Yes
- Data and photos are encrypted at rest in AWS S3 and RDS using AES-256 encryption.
- Keys are managed via AWS KMS.
📄 Supporting Documentation: Veonics® Portal Cloud Security & Data Management Policy
🌐 DMZ Environment
Q: If there are external connections from the Internet, is there a DMZ environment within the network that transmits, processes or stores data?
- Answer: Yes
- AWS networking enforces a segmented VPC design with a DMZ between external-facing services and internal databases.
- Only necessary ports are opened, reducing the attack surface.
📄 Supporting Documentation: Firewalls & Network Security Controls
🔥 Internal Firewall Segmentation
Q: Is there an internal firewall that separates the Web server from an application server or a database server?
- Answer: Yes
- AWS Security Groups and internal firewalls separate the web layer, application services, and databases.
- Communication is allowed only on approved protocols/ports.
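As an added audit example (not eXpress badging's own code or configuration), the following Python script checks a set of AWS security-group rules, in the shape returned by boto3's describe_security_groups, against the three-tier allow-list described above (Internet to web on 443 only, web to app, app to database). The group ids sg-web/sg-app/sg-db, the ports 8080 and 5432, and the sample rules are constructed assumptions.

```python
"""Audit AWS-style security-group rules against a three-tier allow-list.
Constructed example, not eXpress badging's own tooling; the rule data mimics the
shape returned by boto3 describe_security_groups(), so swapping in real API
output would run the same check against a live account."""

# Allowed inbound flows per tier: (protocol, port, permitted source).
# The source is a CIDR (Internet-facing DMZ) or the group id of the calling tier.
TIER_POLICY = {
    "sg-web": {("tcp", 443, "0.0.0.0/0")},   # DMZ web layer: HTTPS from anywhere
    "sg-app": {("tcp", 8080, "sg-web")},     # app tier: only from the web layer
    "sg-db": {("tcp", 5432, "sg-app")},      # database: only from the app tier
}
def rule_sources(perm):
    """Yield every source (CIDR or group id) named by one IpPermissions entry."""
    for r in perm.get("IpRanges", []):
        yield r["CidrIp"]
    for g in perm.get("UserIdGroupPairs", []):
        yield g["GroupId"]

def audit_security_groups(groups, policy=TIER_POLICY):
    """Return (group_id, protocol, port, source) for every rule the policy does not allow."""
    violations = []
    for sg in groups:
        allowed = policy.get(sg["GroupId"], set())
        for perm in sg["IpPermissions"]:
            proto = perm["IpProtocol"]
            # "-1" means all protocols/ports (no FromPort/ToPort keys); a port
            # range is expanded so each opened port is checked individually.
            ports = [None] if proto == "-1" else range(perm["FromPort"], perm["ToPort"] + 1)
            for src in rule_sources(perm):
                for port in ports:
                    if (proto, port, src) not in allowed:
                        violations.append((sg["GroupId"], proto, port, src))
    return violations

# Constructed sample: the database tier also exposes 5432 to the whole Internet.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443,
        "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-app", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 8080,
        "ToPort": 8080, "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-web"}]}]},
    {"GroupId": "sg-db", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432,
        "ToPort": 5432, "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
        "UserIdGroupPairs": [{"GroupId": "sg-app"}]}]},
]

if __name__ == "__main__":
    for v in audit_security_groups(SAMPLE_GROUPS):
        print("VIOLATION: %s allows %s/%s from %s" % v)
```

Any group not named in the policy is treated as having no approved flows, so every rule on it is reported.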
🔗 Web Services & Authentication
Q: Do you use Web Services? If so, how do they authenticate and identify callers?
- Answer: Yes
- Web services (APIs) use API keys and token-based authentication.
- Each call is tied to the requesting organization and user permissions in the Veonics® Portal hierarchy.
📄 Supporting Documentation: Veonics Portal API Overview
🛡️ Intrusion Prevention System (IPS)
Q: If there are external connections from the Internet, is there an Intrusion Prevention System deployed?
- Answer: Yes
- AWS-native Intrusion Detection & Prevention services are in place.
- Additional monitoring is provided by our managed SOC for 24/7 anomaly detection.
📄 Supporting Documentation: Endpoint Protection Policy
🖥️ Antivirus on Server Infrastructure
Q: Is antivirus deployed on the server infrastructure used for the application?
- Answer: Yes
- Servers are protected with Datto EDR/AV and Microsoft Defender for Cloud.
- The managed SOC monitors alerts and remediation.
📄 Supporting Documentation: Endpoint Protection Policy
📷 Supporting Evidence: Screenshots from Datto AV & Defender dashboards (available under NDA).
📊 NIST CSF 2.0 Alignment
| Function | Example Practice |
|---|---|
| Identify (ID) | Network architecture documented |
| Protect (PR) | TLS encryption, DMZ segmentation, RBAC |
| Detect (DE) | SOC monitoring, IPS, antivirus alerts |
| Respond (RS) | Managed SOC triage & ticketing |
| Recover (RC) | Backup and restoration processes (Datto & AWS) |
✅ With this single KB article, you can answer:
- Encryption in transit & at rest
- DMZ/firewall segmentation
- Web services authentication
- IPS presence
- Antivirus coverage