Veonics® Portal Security at a Glance

The at-a-glance security review is the 30,000-foot view of managing data and users securely in our Veonics Portal Hosted instance.

Cybersecurity Protections

Security groups are virtually firewalled.

Network segmentation and configuration controls are enabled.

  • Card Record data is stored with the RDS server SQL tables, and the associated Card Record photos are stored on the S3 server.

In-transit encryption uses HTTPS with the following TLS protocol versions:

  • TLS 1.3 is currently enabled on the Veonics Portal live instance.
  • TLS 1.2 is currently enabled on the Veonics Portal live instance.
  • TLS 1.1 (deprecated)
  • TLS 1.0 (deprecated)

SSL protocol versions (Disabled)

  • SSLv3 (deprecated)
  • SSLv2 (deprecated)

RDS Server Encryption:

  • Generated by AWS KMS (Key Management Service).
  • It uses the SYMMETRIC_DEFAULT key spec, which is AES-256-GCM encryption.

S3 Server/Buckets:

  • All S3 buckets have Amazon S3 managed keys (SSE-S3) encryption, which is also AES-256.

Configured with replication rules that enable system redundancy.

  • Managed using AWS Backup

Development, Hosting, and Security

Security Starts in Development

Veonics Engineering believes that strong security is “baked in” early on and cannot be effectively “bolted on” later. Security issues must be addressed in the early requirements and design phases. In fact, at eXpress badging®, we believe the most effective security plans are drafted before the first line of code is ever written.  Consider the design of the Veonics Portal, in which Personally Identifiable Information (PII) is carefully safeguarded.

  • The Veonics Portal® software codebase, data, and photos are hosted on Amazon Web Services. 
    • Amazon RDS Server – Data (Encrypted at Rest and In-Transit security)
    • Amazon S3 Server – Photos (Encrypted at Rest and In-Transit security)
    • Amazon EC2 Server – Webservices (Encryption Not Applicable)
  • The Veonics Portal AWS instance can automate load balancing when needed. However, currently, it is not enabled, as we have plenty of capacity, and it is monitored as needed. 
  • The Veonics Portal and the internal network at eXpress badging are Vulnerability-tested Quarterly and Pen-tested Annually.
  • The Veonics Portal has native backup built-in, based on the AWS hosting model; however, we encourage customers to export data, photos, and badge designs quarterly/annually if failure is a concern.
  • The Veonics Portal-hosted cloud provider (AWS) provides denial-of-service and other perimeter protection regarding the system's monitoring via SNMP-compliant processes. Application firewalls secure/manage session connectivity.  Verbose logging and analytics provide additional monitoring and digital forensics as needed.  
  • The Veonics Portal®, a cloud-based resource, utilizes HTTPS and encryption at rest on AWS servers.
  • Only allows access for authorized customers and eXpress badging users with assigned user rights, valid usernames, and passwords.
  • All Veonics Portal users must approve the Veonics Portal’s ULA (user license agreement) per Veonics Portal terms upon initial sign-in and upon periodic ULA updates.

Data and Photo Management

Organization Hierarchy


All customer Veonics Portal accounts are created by eXpress badging® and start as an “Organization.” No customer is assigned user rights above their Organization hierarchy. Optionally, eXpress badging or trained customer administrative users can enable Child Organizations to restrict user access to their assigned Organization and child Organizations below it.

Example Organization Hierarchy:

  • ABC Global (sees all child Orgs)
    • ABC Orlando (only sees Orlando records)
    • ABC Miami (only sees Miami records)
    • ABC Dallas (sees Dallas and Fort Worth records)
    • ABC Fort Worth  (only sees Fort Worth records)

Card Properties

Veonics Portal Card Properties, or Card Group Properties, combine a unique list of data fields and properties to manage ID badge issuance requirements. All Card Properties are created in the Veonics Portal by eXpress badging and assigned to one Organization. Each child Organization is assigned to its Card Property. Users have the option of multiple Card Property assignments.

Data within each Card Property is siloed from other Card Properties, requiring users to know what Card Properties to search and work within. This process minimizes PII exposure to those who do not need access to all badge records.  If there is no need to restrict user access to defined data sets, only one Organization and one Card Property is required.

All Veonics Portal Organization data and photos are managed within a single database environment and not segregated using separate databases.  The above hierarchy is used to firewall data and user access in a very secure process. If a single instance is required, eXpress badging can spin up a dedicated Veonics Portal account per proposal approval for increased setup and recurring costs.
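The two controls described above (Organization hierarchy and Card Property silos) can be modelled as a single deny-by-default check. This is an added illustration, not Veonics Portal code; the record names, the Card Property names, and the reading that ABC Fort Worth is a child of ABC Dallas are assumptions based on the example hierarchy.

```python
from dataclasses import dataclass

# Constructed sample data mirroring the example hierarchy: child -> parent.
# Assumption: "ABC Dallas (sees Dallas and Fort Worth records)" means
# ABC Fort Worth is a child of ABC Dallas.
PARENT = {
    "ABC Global": None,
    "ABC Orlando": "ABC Global",
    "ABC Miami": "ABC Global",
    "ABC Dallas": "ABC Global",
    "ABC Fort Worth": "ABC Dallas",
}

@dataclass(frozen=True)
class User:
    org: str
    card_properties: frozenset  # Card Properties assigned to this user

@dataclass(frozen=True)
class Record:
    holder: str
    org: str
    card_property: str

def in_subtree(org, root):
    """True if org is root or one of root's descendants."""
    seen = set()
    while org is not None and org not in seen:  # 'seen' stops a cyclic table
        if org == root:
            return True
        seen.add(org)
        org = PARENT.get(org)
    return False

def can_view(user, rec):
    """Deny by default: hierarchy scope AND Card Property silo must both pass."""
    if user.org not in PARENT or rec.org not in PARENT:
        return False  # unknown Organization: never fall through to "allow"
    return in_subtree(rec.org, user.org) and rec.card_property in user.card_properties

def visible(user, records):
    return [r.holder for r in records if can_view(user, r)]

# Constructed records; "Employee" and "Contractor" are hypothetical Card Properties.
RECORDS = [
    Record("A. Ortiz", "ABC Orlando", "Employee"),
    Record("B. Diaz", "ABC Miami", "Employee"),
    Record("C. Lee", "ABC Dallas", "Employee"),
    Record("D. Fox", "ABC Fort Worth", "Employee"),
    Record("E. Kim", "ABC Fort Worth", "Contractor"),
]
```

Because all Organizations share one database, a check of this kind has to run on every record query; a Dallas user assigned only the "Employee" Card Property sees C. Lee and D. Fox but not E. Kim.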

Data Security

Understanding personally identifiable information (PII) is critical when assessing data.  It is the aggregation of data that increases a PII threshold. eXpress badging uses low, moderate, and high confidential levels to communicate differences easily. To further define the data, it is primarily used to produce photo ID badges and cards to identify employees, students, and memberships.

eXpress badging is documenting its cybersecurity compliance based on NIST 800-171 Cybersecurity Framework 2.0 with a goal of completion and possible certification in 2024. eXpress badging meets most Framework compliances and, as a result, is printing more education, local, and state-issued government credentials. 

eXpress badging recommends only using PII data with low confidentiality impact levels for display use on a photo ID credential. Low-impact data may include first and last name, title, department, photo, employee/student/member ID number, and RFID card number.

Additional data element fields may be required for management and issuance purposes when creating a Veonics Portal account. Specific moderate-level fields may increase the PII threat level of the account, like email addresses, professional license numbers, license tag numbers, and personal attributes (height, weight, eye, and hair color.)  Photos could be elevated here for card recipients like executives, law enforcement, and others where anonymity is critical to their position.

Data with high confidentiality impact levels, including residential addresses and minor children's data, will require increased user vetting to access only relevant data. The Veonics Portal can filter data elements by Visibility levels (Public Users, Normal, First and Second tier Management, and Private), restricting who can see various data elements with a screen by user levels. 

As PII data is aggregated, the security level rises. Thus, no HIPAA or FERPA-relevant data can ever be stored within your Veonics Portal account. To further state accountability, customer users must understand their internal cybersecurity compliance policies and conduct their use accordingly. eXpress badging can state that all authorized users will also comply with our documented cybersecurity policies.

Hidden High-level PII Data Protection and Audit Log

We can enable defined high-level PII fields to be screen hidden and only accessed if rights are permitted. When permitted, the PII data is hidden from over-the-shoulder observers until a Review checkbox is selected and a Reason Statement entered for review of the specific field. Most of the functions used within the Portal are tracked per user for audit purposes.  A basic user history log is published for review in each record for those with rights.

Data Retention and Obliteration

When using our Upload Center and contracted printing services (We Print,) cardholder photos and data are deleted after 30 calendar days of ID badge printing unless the customer provides documented retention approval.

When Customers enter data and photos directly into their complimentary Veonics Portal account for contracted printing services (We Print,) cardholder photos and data are deleted after 30 calendar days of ID badge printing unless the customer provides documented retention approval.

When Customers enter data and photos using a paid-for Veonics Portal account and/or a Veonics Credential Database for contracted printing services (We Print,) cardholder photos and data are NOT deleted after 30 calendar days of ID badge printing unless the customer provides documented obliteration approval.

When customers contract our You Print product and services using a paid-for Veonics Portal account to print ID badges and cards at their location and with their printers, they are responsible for obliterating/deleting active badge data and photos. All PII data is obliterated/deleted after an account is not renewed and after 30 calendar days or other stated terms.

  • When applicable, eXpress badging obliterates all badge data and photos at all applicable locations
    • Veonics Portal account
    • On-prem customer file locations (if applicable)
    • Upload Center on our website powered by Citrix ShareFile
    • Any email containing PII data is automatically rejected and never stored for specified accounts.  If, for any reason, PII data files are not filtered, they are deleted in all relevant locations immediately: hosted email server,  desktop download folders, server email folders, etc. (if applicable)
  • Data and photo obliteration by eXpress badging can be delayed or accelerated upon request per contract engagement.
  • The customer is responsible for retaining a backup of all badge data if ever needed for future use.
  • It is not the responsibility of eXpress badging to retain this information regarding ongoing re-issuance. It will be deleted at eXpress badging’s discretion if not stated/documented in engagement. 

Data and Photo Submission 

eXpress badging uses secure processes to exchange your data and photos (information). We offer several methods to create records by authorized users:

  1. Customer  manual/individual entry of data and uploading badge photos per record
  2. Photo Capture using the Veonics CELLfie email request resource for records needing new photos
  3. Secured database integration using our published API rules or an established SFTP process.
  4. Using the Veonics Onboard Wizard to import data and photos at the same time, linking relevant records and photos
  5. Using the Veonics data import and photo import resources separately and batch cropping and linking
  6. Customers can provide their data and photos to eXpress badging via our Upload Center powered by Citrix ShareFile, and authorized staff will create Veonics Portal records under a professional service engagement.

Data Privacy

Regarding the privacy of customer information that is deemed to be PII sensitive and eXpress badging’s management thereof:

  • eXpress badging will never share or sell customer-provided and owned data, photos, or badge designs. 
  • All data and photos are the customer's property and will never be shared or sold to any third party.
  • Information stored on the Veonics Portal (PORTAL) is proprietary and sensitive. All customer information entered into and stored on the PORTAL is owned by and is the customer's property, who is solely responsible for the accuracy and maintenance of said information.
  • Because some or all of the information stored in the PORTAL may be sensitive, customers understand that they must take whatever action necessary to preserve and protect against unauthorized use, disclosure, copying, dissemination, or distribution of this information.
  • By accepting the terms of our End User License Agreement (EULA), customer users agree to report directly to their employer, primary administrator, and/or authorized EB employees any breaches, attempted or planned breaches of the PORTAL, its information, and/or any attempts to coerce or compromise other authorized PORTAL users in the administration of the PORTAL or the information stored within it.
  • eXpress badging is not responsible for lost, stolen, or damaged customers' ID cards or badges that contain such data.

User Management & Authentication


Only system users have access to their Veonics Portal account. The number of users typically numbers less than 10, and we do not have single-sign-on (SSO) or Active Directory user integration. The authorized Veonics Portal user can manually import a list of users and assigned roles. eXpress badging will enable users for our customers upon request. However, most customers with multiple users self-manage their users: add, enable, edit, and disable. 

No badge recipient requires user credentials to access the Veonics Portal directly.  The Veonics Portal does have a feature called the Veonics CELLfie™ that creates a single-use tokenized URL allowing badge recipients to upload a photo from their mobile device and can update enabled Veonics CELLfie™ editable fields with needed data. Once the photo and data are approved, the token is disabled, and the badge recipient can no longer have edit capabilities in their Veonics CELLfie™ facing record.
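A minimal sketch of the token lifecycle described above: issue a link, accept uploads while it is active, disable it on approval, and renew it for a reminder. This is an added example, not the Veonics CELLfie™ implementation; the class and method names, the in-memory store, and the seven-day expiry are assumptions.

```python
import hashlib
import secrets
import time

class UploadTokens:
    """In-memory token store (hypothetical). Only SHA-256 digests are kept,
    so a leaked table does not reveal usable links."""

    def __init__(self, ttl_seconds=7 * 24 * 3600):  # expiry is an assumption
        self.ttl = ttl_seconds
        self._rows = {}  # digest -> {"record_id", "expires", "active"}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def _disable_all(self, record_id):
        for row in self._rows.values():
            if row["record_id"] == record_id:
                row["active"] = False

    def issue(self, record_id, now=None):
        """Create (or renew) the link for a record; older links stop working."""
        now = time.time() if now is None else now
        self._disable_all(record_id)
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._rows[self._digest(token)] = {
            "record_id": record_id, "expires": now + self.ttl, "active": True}
        return token  # embedded in the emailed URL, never stored in clear

    def resolve(self, token, now=None):
        """Return the record id the token may edit, or None if it is
        unknown, disabled, or expired."""
        now = time.time() if now is None else now
        row = self._rows.get(self._digest(token))
        if row is None or not row["active"] or now >= row["expires"]:
            return None
        return row["record_id"]

    def approve(self, record_id):
        """Approval of the photo and data ends the recipient's edit access."""
        self._disable_all(record_id)
```

The token grants access to exactly one record and carries no user identity, so the record id must always come from `resolve()` and never from a parameter the recipient supplies.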

Secure Login:

Users authenticate and access the Veonics Portal website using a secure session login, which requires cookies to manage session tracking.

  • User name defaults to first initial and last name
  • Password is auto-assigned and emailed to the user, where the user resets it;
    • Twelve characters in length, one special character, one number, one lower case, and one upper case are required.
  • Inactive login sessions auto-log off after a set period, which is set per user and is required.
    • Default auto-log-off is set to 10 minutes and can be set up to 60 minutes

  1. User Expiry Dates can be enabled per user if preferred
  2. Two Factor Authentication can be enabled per user if preferred
  3. All Veonics Portal users and Veonics CELLfie™ users must agree to our User Agreement.
  4. Users are assigned roles from a preconfigured list of Veonics Portal permissions;
    • Administrator User
    • Manager User
    • Basic User
    • Card Manager User
    • Data Entry User…
  5. User rights are typically assigned using Roles or by selecting individual permissions.
  6. Customer Administrative Users with rights can enroll/edit users as needed
  7. Passwords are encrypted in transit using HTTPS and at rest using AES-128 or higher
  8. Users are auto-logged off after 15 minutes of non-use, which is user-configurable
  9. User accounts can expire upon a set date
  10. Single Sign-on (SSO) is a current feature for those who can self-enable it using Auth0, and only limited eXpress badging support is available.
  11. Each badge record stores a history log of all user activity that is date and time-stamped.
  12. The Veonics CELLfie™ remote photo capture email tool does not require user login; it uses a tokenized URL that can be enabled as single-use or renewed for use in completion reminders.
  13. The Veonics Virtual ID™ also uses tokenized URLs; however, by enabling user login by an Admin, only logged-in users can review the mobile version of the badge.
  14. The Veonics Portal can send automated user-triggered email notifications to assigned users for:
    • Card Events
    • Batch Events
    • Organization Events
    • User Events
      • Events include adding, deleting, printing, editing, and other record-related actions.

  • The Veonics Portal does not require any administrative-level MS Windows user rights other than installing the printer driver associated with the project, assuming the Portal user(s) has access to Chrome or another supported browser.

Certifications

Veonics software engineers are cybersecurity specialists experienced in incident response, investigations, digital forensics, defensive countermeasures, intrusion detection, penetration testing, malware evaluation, and disaster recovery. Compliance standards they work with include FIPS 201, PIV, HSPD12, FICAM, HIPAA, OMB11-11, FISMA, DIACAP, RMF, and Section 508.

The Veonics Portal is not officially "certified" as compliant regarding SOC II, NIST, FARS, DEERS, GDPR, CCPA, HIPAA, and the many other heavily regulated certifications worldwide. However, eXpress badging built the Veonics Portal with certification compliance in mind. In other words, the Veonics Portal software code has security "baked in and not bolted on!" We have built and currently sustain a very secure product regarding:

  • Well-Architected Framework
    • We meet annually with an AWS Gov Cloud team (even though we are not on gov cloud) for an AWS Well-Architected Framework review in our Cocoa Beach Office.
  • Fair and Lawful Use, Transparency
    • eXpress badging only uses customers' data and photos (data) and never requests the data from the badge recipients (employees, students, contractors, vendors) without customer approval and payment.
  • Specific for Intended Purpose
    • The customer-provided data is only used for photo ID badge management and issuance period and is never distributed or sold to any other entity. The data is the property of our customers.
  • Minimum Data Requirement
    • Our customers only provide the badge data needed to manage their projects.
  • Need for Accuracy
    • We only use customer-provided data, and they are responsible for data accuracy and privacy.
  • Data Retention Time Limit
    • By default, when eXpress badging uses customer-provided data, we obliterate all data instances 30 days after the project ends.
    • When our customers use the Veonics Portal to print on-premises, they are responsible for data retention regulation compliance until they do not renew their license.
    • Data obliteration happens after customer approval or 30 days after not renewing.

Behind the eXpress badging Firewall

  • Appliance firewall protects the on-premise network at eXpress badging
  • Local PCs and Servers are enabled w/Encryption at Rest
  • All eXpress badging employees
    • are trained in PII Best Practices
    • pass background checks with monthly alerts notifications
    • have passed cybersecurity social engineering courseware
  • eXpress badging stores customer-provided RFID card stock in a locked safe
  • eXpress badging professionally shreds all errors and rejected badge prints
  • All of the badge printing services at eXpress badging are in the USA
  • Secured Facility w/Door Access and CCTV
  • E&O Insured; $2M, GL; $2M/$1M, and Workman's Compensation Insurance compliant