Deployment & Infrastructure Security Controls

eXpress badging® enforces layered security measures across the Veonics® Portal and supporting infrastructure.

🏗️  This includes encryption, firewall segmentation, intrusion prevention, and endpoint protection, all aligned with NIST CSF 2.0.

    🔒 Encryption in Transit

    Q: Is there encryption in place to transmit the data securely over public networks?

    • Answer: Yes

    • All data and photos transmitted over public networks are protected with TLS 1.2+ encryption.

    • Applies to web sessions, APIs, and file transfers.

    • AWS-managed certificates ensure current, strong ciphers.

    📄 Supporting Documentation: Need-to-Know / Least-Privilege Access Policy


    ☁️ Encryption in Cloud Storage

    Q: Is there encryption of confidential information on public cloud networks?

    • Answer: Yes

    • Data and photos are encrypted at rest in AWS S3 and RDS using AES-256 encryption.

    • Keys are managed via AWS KMS.

    📄 Supporting Documentation: Veonics® Portal Cloud Security & Data Management Policy
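The two encryption answers above (TLS 1.2+ on public-facing endpoints, AES-256 with KMS-managed keys in S3 and RDS) are the kind of claim a reviewer wants to verify against the live AWS configuration rather than take on trust. The following checker is an added example written for this article, not eXpress badging's own tooling. It runs over constructed, hypothetical configuration records shaped loosely like the `describe_listeners`, `get_bucket_encryption` and `describe_db_instances` responses; in a real audit those dicts would come from boto3 calls. The rule that maps ALB security-policy names to a TLS floor is a name-based heuristic, and the load balancer names, bucket names, key ARN and account id are all made up.

```python
import re

# Constructed sample records (hypothetical, not real account output).
SAMPLE_LISTENERS = [
    {"LoadBalancerName": "portal-web-alb", "Port": 443, "Protocol": "HTTPS",
     "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06",
     "DefaultActions": [{"Type": "forward"}]},
    {"LoadBalancerName": "legacy-api-alb", "Port": 443, "Protocol": "HTTPS",
     "SslPolicy": "ELBSecurityPolicy-2016-08",        # still negotiates TLS 1.0/1.1
     "DefaultActions": [{"Type": "forward"}]},
    {"LoadBalancerName": "portal-web-alb", "Port": 80, "Protocol": "HTTP",
     "SslPolicy": None,
     "DefaultActions": [{"Type": "redirect"}]},        # plaintext port only redirects
]
SAMPLE_BUCKETS = {
    "portal-photos": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}}]},
    "portal-exports": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "AES256"}}]},                   # SSE-S3: key not under KMS control
    "portal-tmp": None,                                 # no default encryption at all
}
SAMPLE_DB_INSTANCES = [
    {"DBInstanceIdentifier": "portal-db", "StorageEncrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    {"DBInstanceIdentifier": "reporting-db", "StorageEncrypted": False},
]

# Heuristic: AWS predefined ALB policies whose names carry "TLS-1-2", "TLS13-1-2"
# or "TLS13-1-3" refuse TLS 1.0/1.1; the older names (2016-08, TLS-1-0, TLS-1-1) do not.
_TLS12_FLOOR = re.compile(r"TLS13-1-[23]|TLS-1-2")


def audit_listeners(listeners):
    """One finding per listener that could carry portal traffic below TLS 1.2."""
    findings = []
    for lst in listeners:
        where = f"{lst['LoadBalancerName']}:{lst['Port']}"
        if lst["Protocol"] == "HTTP":
            actions = {a["Type"] for a in lst.get("DefaultActions", [])}
            if actions != {"redirect"}:
                findings.append(f"{where} serves plaintext HTTP without redirecting")
        elif not _TLS12_FLOOR.search(lst.get("SslPolicy") or ""):
            findings.append(f"{where} SSL policy {lst['SslPolicy']} permits TLS < 1.2")
    return findings


def audit_buckets(buckets):
    """One finding per bucket whose default encryption is not SSE-KMS."""
    findings = []
    for name, cfg in buckets.items():
        if not cfg:
            findings.append(f"s3://{name} has no default encryption configuration")
            continue
        sse = cfg["Rules"][0]["ApplyServerSideEncryptionByDefault"]
        if sse["SSEAlgorithm"] != "aws:kms":
            findings.append(f"s3://{name} uses {sse['SSEAlgorithm']} (SSE-S3), not a KMS key")
    return findings


def audit_db_instances(instances):
    """One finding per RDS instance created without storage encryption."""
    return [f"rds {db['DBInstanceIdentifier']} storage is not encrypted"
            for db in instances if not db.get("StorageEncrypted")]


def run_audit(listeners=SAMPLE_LISTENERS, buckets=SAMPLE_BUCKETS, dbs=SAMPLE_DB_INSTANCES):
    return audit_listeners(listeners) + audit_buckets(buckets) + audit_db_instances(dbs)


if __name__ == "__main__":
    for finding in run_audit():
        print("FINDING:", finding)
```

RDS storage encryption cannot be switched on after creation, which is why the instance check is a hard finding rather than a warning: the remediation is a snapshot, an encrypted copy of it, and a restore.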


    🌐 DMZ Environment

    Q: If there are external connections from the Internet, is there a DMZ environment within the network that transmits, processes or stores data?

    • Answer: Yes

    • AWS networking enforces segmented VPC design with a DMZ between external-facing services and internal databases.

    • Only the necessary ports are opened, reducing the attack surface.

    📄 Supporting Documentation: Firewalls & Network Security Controls


    🔥 Internal Firewall Segmentation

    Q: Is there an internal firewall that separates the Web server from an application server or a database server?

    • Answer: Yes

    • AWS Security Groups and internal firewalls separate the web layer, application services, and databases.

    • Communication is allowed only on approved protocols/ports.

    📄 Supporting Documentation:
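The DMZ and internal-segmentation answers both reduce to one verifiable statement: each tier's security group accepts ingress only from the tier in front of it, on the approved port. Security groups drift when a troubleshooting rule is left behind, so the check below, an added example written for this article rather than eXpress badging's own code, compares a constructed three-tier ruleset against an explicit tier policy. The records follow the `IpPermissions` shape of `describe_security_groups` (IPv4 ranges and referenced group ids only); the group ids, ports and policy are hypothetical.

```python
# Tier policy (constructed): the (source, tcp port) pairs each tier may accept.
# A source is a CIDR string or the GroupId of the tier's upstream security group.
POLICY = {
    "sg-web": {("0.0.0.0/0", 443), ("0.0.0.0/0", 80)},   # DMZ-facing web tier
    "sg-app": {("sg-web", 8443)},                          # only the web tier
    "sg-db":  {("sg-app", 5432)},                          # only the app tier
}

# Constructed sample groups, including two drifted rules on the database tier.
SAMPLE_SGS = [
    {"GroupId": "sg-web", "GroupName": "web-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-app", "GroupName": "app-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-web"}]}]},
    {"GroupId": "sg-db", "GroupName": "db-tier", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app"}]},
        # Drift: web tier reaching the database directly, bypassing the app tier.
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-web"}]},
        # Drift: "all traffic" from an internal range ignores the port policy entirely.
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
         "UserIdGroupPairs": []}]},
]

MAX_PORT_SPAN = 1024  # wider ranges are reported as one violation, not expanded


def _sources(perm):
    """Every source a rule admits: IPv4 CIDRs plus referenced security groups."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])])


def check_segmentation(groups, policy=POLICY):
    """Return one violation string per ingress the tier policy does not allow."""
    violations = []
    for sg in groups:
        allowed = policy.get(sg["GroupId"])
        if allowed is None:
            violations.append(f"{sg['GroupId']} ({sg['GroupName']}) has no tier policy")
            continue
        for perm in sg["IpPermissions"]:
            if perm["IpProtocol"] == "-1":          # all protocols and all ports
                violations.extend(f"{sg['GroupId']} allows ALL traffic from {src}"
                                  for src in _sources(perm))
                continue
            lo, hi = perm["FromPort"], perm["ToPort"]
            if hi - lo + 1 > MAX_PORT_SPAN:
                violations.extend(f"{sg['GroupId']} allows wide range {lo}-{hi} from {src}"
                                  for src in _sources(perm))
                continue
            for src in _sources(perm):
                for port in range(lo, hi + 1):
                    if (src, port) not in allowed:
                        violations.append(
                            f"{sg['GroupId']} allows {perm['IpProtocol']}/{port} from {src}")
    return violations


if __name__ == "__main__":
    for v in check_segmentation(SAMPLE_SGS):
        print("VIOLATION:", v)
```

Running this on a schedule (or as a pipeline gate on the Terraform or CloudFormation that defines the groups) turns "only approved protocols/ports" from a questionnaire answer into a continuously enforced control, and the violation strings map directly to the Detect function in the NIST CSF table at the end of this article.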


    🔗 Web Services & Authentication

    Q: Do you use Web Services? If so, how do they authenticate and identify callers?

    • Answer: Yes

    • Web services (APIs) use API keys and token-based authentication.

    • Each call is tied to the requesting organization and user permissions in the Veonics® Portal hierarchy.

    📄 Supporting Documentation: Veonics Portal API Overview
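The authentication answer above carries two separate requirements: the API key must identify the caller without the service ever storing the key itself, and every call must then be authorized against the organization and permissions bound to that key, so a valid key for one organization cannot read another's data. The sketch below is an added example written for this article, not the Veonics Portal API implementation. The header name, key prefix, permission strings and organization ids are hypothetical, and the status codes are the usual 401/403 split used for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """What a key resolves to: the owning organization, user and granted permissions."""
    org_id: str
    user_id: str
    permissions: frozenset


def hash_key(api_key: str) -> str:
    # Keys are 256-bit random tokens, so a plain SHA-256 digest is adequate as the
    # stored form; a password-style KDF is only needed for low-entropy secrets.
    return hashlib.sha256(api_key.encode()).hexdigest()


def issue_key(store: dict, org_id: str, user_id: str, permissions) -> str:
    """Generate a key, keep only its digest, and return the plaintext exactly once."""
    api_key = "vp_" + secrets.token_urlsafe(32)          # hypothetical prefix
    store[hash_key(api_key)] = Principal(org_id, user_id, frozenset(permissions))
    return api_key


def authenticate(store: dict, presented_key: str):
    """Resolve a presented key to its Principal, or None if it is unknown."""
    digest = hash_key(presented_key)
    # compare_digest keeps the comparison constant-time even if a store
    # implementation ever iterates instead of hashing.
    for stored_digest, principal in store.items():
        if hmac.compare_digest(stored_digest, digest):
            return principal
    return None


def authorize(principal: Principal, target_org: str, permission: str):
    """A call is granted only when the key's organization matches the target
    organization and the key carries the permission the endpoint requires."""
    if principal.org_id != target_org:
        return False, "key is bound to a different organization"
    if permission not in principal.permissions:
        return False, f"key lacks permission {permission}"
    return True, "ok"


def handle_request(store: dict, headers: dict, target_org: str, permission: str):
    """Simulated request pipeline: authenticate the header, then authorize the call."""
    presented = headers.get("X-API-Key")                 # hypothetical header name
    principal = authenticate(store, presented) if presented else None
    if principal is None:
        return 401, "missing or unknown API key"
    granted, reason = authorize(principal, target_org, permission)
    return (200, reason) if granted else (403, reason)


if __name__ == "__main__":
    store = {}
    key = issue_key(store, "org-123", "user-7", {"badges:read"})
    print(handle_request(store, {"X-API-Key": key}, "org-123", "badges:read"))
    print(handle_request(store, {"X-API-Key": key}, "org-999", "badges:read"))
```

The organization check runs before the permission check on purpose: a caller should learn nothing about which permissions exist in an organization it does not belong to, and both failures still return the same 403 to the client while the reason string goes only to the audit log.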


    🛡️ Intrusion Prevention System (IPS)

    Q: If there are external connections from the Internet, is there an Intrusion Prevention System deployed?

    • Answer: Yes

    • AWS native Intrusion Detection & Prevention services are in place.

    • Additional monitoring is provided by our managed SOC for 24/7 anomaly detection.

    📄 Supporting Documentation: Endpoint Protection Policy


    🖥️ Antivirus on Server Infrastructure

    Q: Is antivirus deployed on the server infrastructure used for the application?

    • Answer: Yes

    • Servers are protected with Datto EDR/AV and Microsoft Defender for Cloud.

    • The managed SOC monitors alerts and remediation.

    📄 Supporting Documentation: Endpoint Protection Policy
    📷 Supporting Evidence: Screenshots from Datto AV & Defender dashboards (available under NDA).


    📊 NIST CSF 2.0 Alignment

    Function        Example Practice
    Identify (ID)   Network architecture documented
    Protect (PR)    TLS encryption, DMZ segmentation, RBAC
    Detect (DE)     SOC monitoring, IPS, antivirus alerts
    Respond (RS)    Managed SOC triage & ticketing
    Recover (RC)    Backup and restoration processes (Datto & AWS)

    ✅ With this single KB article, you can answer:

    • Encryption in transit & at rest

    • DMZ/firewall segmentation

    • Web services authentication

    • IPS presence

    • Antivirus coverage