The at-a-glance security review is the 30,000-foot view of managing data and users securely in our Veonics Portal Hosted instance.
Table of Contents
- Development, Hosting, and Security
- Data and Photo Management
- User Management
- ID Badge Printers
- Reporting Dashboard
- Our Go-live Support Process
- Service Level Agreement (SLA)
- Behind the eXpress badging Firewall
Development, Hosting, and Security
Security Starts in Development
Veonics engineering believes that strong security is “baked in” early on and cannot be effectively “bolted on” later. Security issues must be addressed in the early requirements and design phases. In fact, at eXpress badging®, we believe the most effective security plans are drafted before the first line of code is ever written. Consider the design of the Veonics Portal, in which Personally Identifiable Information (PII) is carefully safeguarded.
- The Veonics Portal software codebase, data, and photos are hosted on Amazon Web Services.
  - Amazon RDS – data (encrypted at rest and in transit)
  - Amazon S3 – photos (encrypted at rest and in transit)
  - Amazon EC2 – web services (encryption not applicable)
- The Veonics Portal AWS instance can automate load balancing when needed. It is not currently enabled, as we have plenty of capacity, and utilization is monitored as needed.
- The Portal and the internal network at eXpress badging are vulnerability-tested quarterly and pen-tested annually.
- The Veonics Portal has native backup built in, based on the AWS hosting model; however, we encourage customers to export data, photos, and badge designs quarterly or annually if failure is a concern.
Data and Photo Management
All customer Veonics Portal accounts are created by eXpress badging® and start as an "Organization." No customer is assigned user rights above their Organization hierarchy. Optionally, eXpress badging or trained customer administrative users can enable Child Organizations to restrict user access to their assigned Organization and the child Organizations below it.
Example Organization Hierarchy:
- ABC Global (sees all child Orgs)
  - ABC Orlando (only sees Orlando records)
  - ABC Miami (only sees Miami records)
  - ABC Dallas (sees Dallas and Fort Worth records)
    - ABC Fort Worth (only sees Fort Worth records)
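The hierarchy above, as an added example (not Veonics Portal code): a user's visible scope is derived server-side from their assigned Organization and every Organization beneath it, never above it. The parent map and the badge records are constructed to match the page's example.

```python
# Added example (not Veonics Portal code): scope record visibility to a user's
# assigned Organization and the child Organizations below it.
from collections import defaultdict

# Constructed hierarchy mirroring the page's example: child -> parent.
ORG_PARENT = {
    "ABC Global": None,
    "ABC Orlando": "ABC Global",
    "ABC Miami": "ABC Global",
    "ABC Dallas": "ABC Global",
    "ABC Fort Worth": "ABC Dallas",
}

# Constructed badge records, each tagged with the Organization that owns it.
RECORDS = [
    {"id": 1, "org": "ABC Global", "holder": "HQ staff"},
    {"id": 2, "org": "ABC Orlando", "holder": "Orlando employee"},
    {"id": 3, "org": "ABC Miami", "holder": "Miami employee"},
    {"id": 4, "org": "ABC Dallas", "holder": "Dallas employee"},
    {"id": 5, "org": "ABC Fort Worth", "holder": "Fort Worth employee"},
]


def children_index(parent_map):
    """Invert child -> parent into parent -> [children] for the descent."""
    index = defaultdict(list)
    for child, parent in parent_map.items():
        if parent is not None:
            index[parent].append(child)
    return index


def visible_orgs(user_org, parent_map=ORG_PARENT):
    """The user's own Organization plus every Organization beneath it; never above."""
    if user_org not in parent_map:
        raise KeyError(f"unknown Organization: {user_org}")
    index = children_index(parent_map)
    seen, stack = set(), [user_org]
    while stack:
        org = stack.pop()
        if org not in seen:
            seen.add(org)
            stack.extend(index.get(org, []))
    return seen


def records_for_user(user_org, records=RECORDS, parent_map=ORG_PARENT):
    """Filter server-side from the stored hierarchy, not from a client-supplied org list."""
    scope = visible_orgs(user_org, parent_map)
    return [r for r in records if r["org"] in scope]
```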
Veonics Portal Card Properties, or Card Group Properties, combine a unique list of data fields and properties to manage ID badge issuance requirements. All Card Properties are created in the Veonics Portal by eXpress badging and assigned to one Organization. Each child Organization is assigned to its own Card Property. Users can be assigned multiple Card Properties.
Data within each Card Property is siloed from other Card Properties, so users must know which Card Properties to search and work within. This minimizes PII exposure for those who do not need access to all badge records. If there is no need to restrict user access to defined data sets, only one Organization and one Card Property are required.
All Veonics Portal Organization data and photos are managed within a single database environment and are not segregated into separate databases. The hierarchy above is used to firewall data and user access securely. If a dedicated instance is required, eXpress badging can spin up a dedicated Veonics Portal account upon proposal approval, at increased setup and recurring costs.
Data Integration
Database integration is secured via one of two processes: following our published API rules, or using an established SFTP process.
- eXpress badging obliterates all badge data and photos provided for contracted badge projects after 30 calendar days.
- Veonics Portal self-managed customers are responsible for obliterating active badge data and photos.
- Data and photo obliteration by eXpress badging can be delayed or accelerated upon request.
Hidden High-level PII Data Protection and Audit Log
Designated high-level PII fields can be hidden on screen and accessed only by users with the required rights. Even when permitted, the PII data stays hidden from over-the-shoulder observers until a Review checkbox is selected and a Reason Statement is entered for review of that specific field. Most functions used within the Portal are tracked per user for audit purposes, and a basic user history log is published for review in each record for those with rights.
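The hidden-field flow described above, as an added example (not Veonics Portal code): a high-level PII field is returned masked unless the caller has the right, has ticked Review, and has supplied a reason, and every successful reveal is appended to the record's history log. The field names, the `view_hidden_pii` right, and the masking rule are assumptions made for the example.

```python
# Added example (not Veonics Portal code): hidden PII is returned masked unless
# the user has the right, confirms review, and gives a reason; reveals are logged.
from datetime import datetime, timezone

HIDDEN_FIELDS = {"ssn", "date_of_birth"}   # constructed set of high-level PII fields


class PiiAccessError(PermissionError):
    pass


def mask(value):
    """Show only the last two characters so the screen reveals nothing useful."""
    return "*" * max(len(value) - 2, 0) + value[-2:]


def view_field(record, field, user, reviewed=False, reason=""):
    """Return the field value, masked unless this is a permitted, reviewed, justified reveal."""
    value = record[field]
    if field not in HIDDEN_FIELDS:
        return value
    if "view_hidden_pii" not in user["rights"]:
        raise PiiAccessError(f"{user['name']} lacks rights for {field}")
    if not reviewed or not reason.strip():
        return mask(value)      # over-the-shoulder protection: stays hidden
    # Per-record history log: who revealed which field, when, and why.
    record.setdefault("history", []).append({
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "user": user["name"],
        "action": "reveal_pii",
        "field": field,
        "reason": reason.strip(),
    })
    return value
```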
User Management & Authentication
Only system users have access to their Veonics Portal account. The number of users is typically fewer than 10, and we do not have Active Directory user integration. An authorized Veonics Portal user can manually import a list of users and assigned roles. eXpress badging will enable users for our customers upon request. However, most customers with multiple users self-manage their users: add, enable, edit, and disable.
No badge recipient requires user credentials to access the Veonics Portal directly. The Veonics Portal does have a feature called the Veonics CELLfie™ that creates a single-use tokenized URL allowing badge recipients to upload a photo from their mobile device and update enabled Veonics CELLfie™ editable fields with needed data. Once the photo and data are approved, the token is disabled, and the badge recipient can no longer edit their Veonics CELLfie™-facing record.
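The tokenized-URL lifecycle described above, as an added example (not Veonics Portal code): a link is issued per badge record, validated on each visit, disabled once the submission is approved, and replaced when a reminder renews it. The base URL, token length, and 72-hour lifetime are assumptions for the example; only a hash of each token is stored.

```python
# Added example (not Veonics Portal code): a single-use tokenized link for a
# badge recipient, validated on each visit and disabled once approved or renewed.
import hashlib
import secrets
import time

BASE_URL = "https://portal.example.invalid/cellfie/"   # placeholder host
TOKENS = {}   # sha256(token) -> {"record_id", "expires", "revoked"}


def _digest(token):
    # Only a hash is stored, so a leaked table does not yield live links.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_link(record_id, ttl_hours=72, now=None):
    """Return an unguessable URL bound to one badge record."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    TOKENS[_digest(token)] = {"record_id": record_id, "expires": now + ttl_hours * 3600, "revoked": False}
    return BASE_URL + token


def _entry_for(url):
    token = url[len(BASE_URL):] if url.startswith(BASE_URL) else ""
    return TOKENS.get(_digest(token))


def redeem(url, now=None):
    """Record id the link authorises, or None if unknown, revoked, or expired."""
    now = time.time() if now is None else now
    entry = _entry_for(url)
    if entry is None or entry["revoked"] or now >= entry["expires"]:
        return None
    return entry["record_id"]


def approve_submission(url):
    """Once the photo and data are approved, the token is disabled for good."""
    entry = _entry_for(url)
    if entry is not None:
        entry["revoked"] = True


def renew_link(record_id, ttl_hours=72, now=None):
    """Reminder flow: revoke every live link for the record, then issue a fresh one."""
    for entry in TOKENS.values():
        if entry["record_id"] == record_id:
            entry["revoked"] = True
    return issue_link(record_id, ttl_hours, now)
```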
Secure Login: Users authenticate and access the Veonics Portal website using a secure session login, which requires cookies to manage session tracking.
- User name defaults to first initial and last name.
- Password is auto-assigned and emailed to the user, who then resets it:
  - Twelve characters in length; one special character, one number, one lowercase letter, and one uppercase letter are required.
- Inactive login sessions are automatically logged off after a set period, configurable per user, and this is mandatory.
  - Default auto-log-off is 10 minutes and can be set up to 60 minutes.
- User Expiry Dates can be enabled per user if preferred.
- Two-Factor Authentication can be enabled per user if preferred.
- All Veonics Portal users and Veonics CELLfie™ users must agree to our User Agreement.
- Users are assigned roles from a preconfigured list of Veonics Portal permissions:
  - Administrator User
  - Manager User
  - Basic User
  - Card Manager User
  - Data Entry User…
- User rights are typically assigned using Roles or by selecting individual permissions.
- Customer Administrative Users with rights can enroll/edit users as needed.
- Passwords are encrypted in transit (HTTPS) and at rest (AES-128 or higher).
- Users are auto-logged off after 15 minutes of non-use, which is user-configurable.
- User accounts can expire upon a set date.
- Single Sign-on (SSO) is currently not a feature due to the limited number of system users, which rarely exceeds ten. However, it is under consideration for development in 2023.
- Each badge record stores a history log of all user activity that is date- and time-stamped.
- The Veonics CELLfie™ remote photo capture email tool does not require a user login; it uses a tokenized URL that can be enabled as single-use or renewed for use in completion reminders.
- The Veonics Virtual ID™ also uses tokenized URLs; however, if an Admin enables user login, only logged-in users can review the mobile version of the badge.
- The Veonics Portal can send automated, user-triggered email notifications to assigned users for:
  - Card Events
  - Batch Events
  - Organization Events
  - User Events
  - Events include adding, deleting, printing, editing, and other record-related actions.
- The Veonics Portal does not require any administrative-level MS Windows user rights other than for installing the printer driver associated with the project, assuming the Portal user(s) have access to Chrome or another supported browser.
Veonics engineers are cybersecurity specialists experienced in incident response, investigations, digital forensics, defensive countermeasures, intrusion detection, penetration testing, malware evaluation, and disaster recovery. Standards they work with include FIPS 201, PIV, HSPD-12, FICAM, HIPAA, OMB 11-11, FISMA, DIACAP, RMF, and Section 508.
The Veonics Portal™ is not officially "certified" as compliant with SOC II, NIST, FARS, DEERS, GDPR, CCPA, HIPAA, or the many other heavily regulated certifications that exist around the world. However, eXpress badging built the Veonics Portal with certification compliance in mind. In other words, the Veonics Portal software code has security "baked in and not bolted on!" We have built and currently sustain a very secure product regarding:
- Well-Architected Framework
  - We meet annually with an AWS GovCloud team (even though we are not on GovCloud) for an AWS Well-Architected Framework review in our Cocoa Beach office.
- Fair and Lawful Use, Transparency
  - eXpress badging only uses customers' data and photos (data) and never requests the data from the badge recipients (employees, students, contractors, vendors) without customer approval and payment.
- Specific for Intended Purpose
  - The customer-provided data is used only during the photo ID badge management and issuance period and is never distributed or sold to any other entity. The data is the property of our customers.
- Minimum Data Requirement
  - Our customers only provide the badge data needed to manage their projects.
- Need for Accuracy
  - We only use customer-provided data, and customers are responsible for data accuracy and privacy.
- Data Retention Time Limit
  - By default, when eXpress badging uses customer-provided data, we obliterate all data instances 30 days after the project ends.
  - When our customers use the Veonics Portal to print on-premises, they are responsible for data retention regulation compliance until their license is not renewed.
  - Data obliteration happens after customer approval or 30 days after non-renewal.
Behind the eXpress badging Firewall
- An appliance firewall protects the on-premise network at eXpress badging.
- Local PCs and servers are enabled with encryption at rest.
- All eXpress badging employees:
  - are trained in PII best practices;
  - pass background checks, with monthly alert notifications;
  - have passed cybersecurity social engineering courseware.
- eXpress badging stores customer-provided RFID card stock in a locked safe.
- eXpress badging professionally shreds all erroneous and rejected badge prints.
- All of the badge printing services at eXpress badging are in the USA.
- Secured facility with door access control and CCTV.
- E&O insured ($2M), GL ($2M/$1M), and Workman's Compensation insurance compliant.