Examview cloud security summary

Date post: 12-Jul-2015
Upload: william-mcintosh

SECURITY SUMMARY

Amazon Web Services (AWS)

Amazon Web Services (AWS) is a leading provider of cloud-based services and solutions. There are several important reasons that Turning Technologies chose AWS to be our cloud hosting provider for the ExamView Cloud system:

• Secure: In order to provide end-to-end security and end-to-end privacy, the industry experts at AWS build services in accordance with security best practices, provide the appropriate security features in those services, and document how to use those features.
• Scalable and Elastic: Turning Technologies can quickly add and subtract AWS resources to their applications in order to meet customer demand and manage costs. We ensure our products are of the highest quality with the most responsible pricing for our clients.
• Experienced: When using AWS, organizations can leverage Amazon’s leadership in the industry, with more than 15 years of experience delivering large-scale, global infrastructure in a reliable, secure fashion to some of the most prolific web-based commerce companies.

Security

Security is one of the fundamental design requirements of the ExamView Cloud application. This requirement is comprised of several key aspects that, when combined, create a secure system.

Data Privacy

The protection of customer data is a very important requirement of the ExamView Cloud system. ExamView Cloud contains Personal Identifying Information (PII) in the form of first and last name, and (potentially) student identifiers like email and ID number. In order to secure this PII data at rest, these fields are encrypted within the AWS Relational Data Store (RDS) database using industry “best practice” encryption technologies.

Network Security

All communication between the end user and the ExamView Cloud application is performed over the HTTPS “Secure Socket Layer” (SSL) protocol. In the event that an end user makes a regular HTTP request, ExamView Cloud will automatically rewrite the non-secure HTTP request into an HTTPS request before allowing the end user to access the information. ExamView Cloud utilizes AWS firewalls and security groups to limit communication between service layers and between individual servers. ExamView Cloud is hosted by our own Virtual Private Cloud (VPC) within the AWS infrastructure. This VPC architecture provides additional isolation for the ExamView Cloud application. [4]

Service Security

Individual AWS services and hosted servers are secured using AWS Identity and Access Management (IAM). IAM provides a role-based system for controlling access to services and servers. The ExamView Cloud architecture utilizes IAM roles to limit the group of administrators that are authorized to sign in to the hosted services and servers. IAM roles are also utilized to control the actions that each type of hosted server is allowed to perform within the AWS service environment. [5]

Physical Security

Physical security encompasses limiting access to actual hardware computing infrastructure. This is one of the most important tenets of application security, as a failure at this level can render security controls at other levels useless. Law #3 of the “Microsoft 10 Immutable Laws of Security” article states: “If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.” [2]

AWS takes many steps to ensure the physical security of their data centers. The first of these measures involves “limiting knowledge of the location of the data centers to those within Amazon who have a legitimate business reason for this information.” [1] For employees that are authorized to access the data center, “physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff. AWS only provides data center access and information to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical access to data centers by AWS employees is logged and audited routinely.” [3]

In addition to these access controls, AWS provides fire detection and suppression, uninterrupted power supplies, climate and temperature management and preventative building maintenance. These items are detailed in the “Amazon Web Services: Overview of Security Processes” whitepaper. [3]

Scalability

Due to the often large, but always varying size of the participant user base, it is important that the ExamView Cloud application is able to scale to meet user demand. AWS provides two mechanisms that help ExamView Cloud meet this requirement.

Auto Scaling Groups

The ExamView Cloud application is hosted on application servers. Each application server is able to provide service to a limited number of clients. AWS Auto Scaling Groups (ASG) allow the system to automatically increase or decrease the number of available application servers to meet user demand. ASGs utilize AWS performance metrics, such as average response time, CPU utilization and request counts in order to provide a high quality of service for the user while minimizing excess capacity. [6]

Elastic Load Balancing

The AWS Elastic Load Balancer (ELB) is an essential component of the auto scaling process. All requests that are destined for the ExamView Cloud application pass through the ELB. The ELB utilizes performance metrics to distribute the request workload amongst the available application server instances. [7]

Reliability

The ExamView Cloud application is designed to be a highly available and reliable system. ExamView Cloud utilizes multiple AWS availability zones to meet this requirement.

Availability Zones

Within each region, AWS offers multiple availability zones. Each availability zone is an isolated infrastructure segment that is connected via a low-latency link to the other availability zones in the region. [8] In the event of an infrastructure failure, it is unlikely that the failure would affect multiple availability zones. ExamView Cloud is designed to utilize services in many different availability zones to minimize application service disruption.

References

1. Varia, J. & Mathew, S. (2014, January). Overview of Amazon Web Services. Retrieved from http://media.amazonwebservices.com/AWS_Overview.pdf

2. Microsoft 10 Immutable Laws of Security. (2014, January). Technet.Microsoft.com. Retrieved from http://technet.microsoft.com/library/cc722487.aspx#EIAA

3. Amazon, Inc. (2014, November). Amazon Web Services: Overview of Security Processes. Retrieved from http://d0.awsstatic.com/whitepapers/Security/AWS%20Security%20Whitepaper.pdf

4. Amazon VPC. (2014, January). AWS.Amazon.com. Retrieved from http://aws.amazon.com/vpc/

5. AWS Identity and Access Management (IAM). (2014, January). AWS.Amazon.com. Retrieved from http://aws.amazon.com/iam/

6. Auto Scaling. (2014, January). AWS.Amazon.com. Retrieved from http://aws.amazon.com/autoscaling/

7. Elastic Load Balancing. (2014, January). AWS.Amazon.com. Retrieved from http://aws.amazon.com/elasticloadbalancing/

8. Regions and Availability Zones. (2013, October). Docs.AWS.Amazon.com. Retrieved from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/concepts.html

