1. Network and Compute Security
1.1 Network and Computing Architecture
Zoliday's network architecture is designed using a multi-tiered security framework, with each tier complementing the others to provide a fault-tolerant architecture. All services and data are hosted in a Virtual Private Cloud (VPC) and are mirrored across multiple availability zones.
1.2 Network and Compute Isolation
All our products are hosted in dedicated VPCs in non-promiscuous mode. The network is further decoupled into multiple security groups, which reduces the attack surface in case of a breach. Routing rules are hardened based on pre-established criteria for the permissible transactions across all resources. Zoliday uses a multi-tenant data model to host its customers, and each customer is uniquely identified by a tenant ID. The application is engineered and verified to ensure that it always fetches data only for the logged-in tenant. By this design, no customer has access to another customer's data.
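The tenant-scoping rule described above, shown as an added example that is not Zoliday's own code: a repository layer that binds every query to the tenant ID taken from the authenticated session, so a record belonging to another tenant is never returned even when its primary key is guessed. It assumes a hypothetical `tickets` table with a `tenant_id` column and uses an in-memory SQLite database with constructed rows.

```python
import sqlite3

# Added illustration of tenant-scoped data access; not Zoliday's own code.
# Assumption: every table carries a tenant_id column, and the tenant ID comes
# from the authenticated session, never from a request parameter.

SCHEMA = ("CREATE TABLE tickets (id INTEGER PRIMARY KEY, "
          "tenant_id TEXT NOT NULL, subject TEXT NOT NULL)")

# Constructed sample data: two tenants sharing one table.
SAMPLE_ROWS = [
    (1, "acme", "Login page broken"),
    (2, "acme", "Invoice question"),
    (3, "globex", "Export fails"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO tickets VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


class TicketRepository:
    """Every query is bound to the session's tenant; callers cannot opt out."""

    def __init__(self, conn: sqlite3.Connection, session_tenant_id: str):
        self._conn = conn
        self._tenant = session_tenant_id

    def get(self, ticket_id: int):
        # The tenant filter is part of the primary-key lookup itself, so a
        # guessed ID belonging to another tenant yields no row at all.
        row = self._conn.execute(
            "SELECT id, tenant_id, subject FROM tickets "
            "WHERE id = ? AND tenant_id = ?",
            (ticket_id, self._tenant),
        ).fetchone()
        # Defence in depth: fail closed if query scoping ever regresses.
        if row is not None and row[1] != self._tenant:
            raise PermissionError("cross-tenant row returned; scoping failed")
        return row

    def list_subjects(self) -> list:
        rows = self._conn.execute(
            "SELECT subject FROM tickets WHERE tenant_id = ? ORDER BY id",
            (self._tenant,),
        ).fetchall()
        return [r[0] for r in rows]
```

With a repository built for tenant `acme`, `get(3)` returns `None` because ticket 3 belongs to `globex`, and `list_subjects()` never includes the other tenant's rows.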
1.3 Proactive Network Monitoring
We have a 24x7 NSOT (Network & Security Operations Team) that monitors various security events and patterns. We have tools that analyse traffic patterns and correlate network events.
1.4 Communication Security
All outbound network traffic is encrypted using FIPS 140-2 standard encryption over a secure socket connection for all accounts hosted on Zoliday. Instances are guarded by security groups, which are further segregated by private subnets. All inbound HTTPS calls hit the reverse proxy, which acts as the first level of application load balancing. The high-availability zones are made resilient with AWS/AZURE's Elastic Load Balancers.
2. Product Security
2.1 Authentication Management
Zoliday has a built-in authentication module that lets customers define user names and assign access roles. Users can be authenticated using the authentication module within Zoliday products, or customers can enable SSO. When customers use our own authentication module, the password rules for authentication can be customized, covering password length, password complexity, and password history. In addition, customers can restrict the support agents and customers who can log in to their support portal to certain IP addresses.
2.2 Support for Digital Certificates
By default, Zoliday offers a wildcard SSL certificate for all users who have a support portal on a Zoliday.com domain. This can be used as long as you continue to use the default Zoliday URL you signed up with (for example, yourcompany.zoliday.com). However, the default SSL certificate does not work when you've linked a custom domain name to your support portal (for example, support.yourcompany.com).
3. Information Security Governance
3.1 Senior management support for Information Security
The Information Security Steering Committee (ISSG), comprising the executive leadership members, sets the tone and drives the agenda for information security practices.
- Information Security Road-map: Ensure that the information security road-map is well thought through, factoring in all customer, regulatory and contractual requirements, and is adjusted for internal and external threat vectors.
- Information Security Initiatives: On a monthly basis, the ISSG takes stock of the various information security initiatives or projects and provides recommendations on direction or resolves any roadblocks.
- Information Security Expertise: Ensure that adequate expertise is available for all information security initiatives. The ISSG provides the required technical inputs and ensures that Zoliday leverages the guidance of the necessary security experts from internal and external sources.
- Key Resource Allocation: Ensure that adequate people and financial resources are made available to various initiatives for effective execution.
3.2 Information Security Risk Management Framework
Zoliday has developed a Risk Management Framework as part of the Information Security Management System (ISMS) in accordance with the ISO/IEC 27001:2013 standard. The information security team assesses security risks annually and on an ongoing basis when major changes occur. The feeder channels factored into risk management include findings from audits, incidents, the changing threat landscape, and changing contractual / regulatory requirements.
3.3 Compliance of Standards and Frameworks
Zoliday is aligned to working as per the ISO/IEC 27001:2013 standard. We will be applying for certification soon, and this will be communicated to customers when completed.
4. Incident & Breach Management
4.1 Incident and Breach Management
Zoliday has defined a security incident management process to classify and handle incidents and security breaches. The Information Security team is responsible for recording, reporting, tracking, responding to, resolving, monitoring, and communicating about incidents to the appropriate parties in a timely manner. The process is reviewed as part of periodic internal audits and is audited as part of the ISO 27001 assessment.
4.2 Breach Notification process
We have processes established for early identification and reporting of incidents/breaches. The Information Security Office is responsible for coordinating with the relevant internal teams to ensure that customers are notified about the incident / breach without any undue delay.
5. Information Governance
5.1 Access Controls of Platforms
Separate environments are used for development and testing, and access to systems is strictly managed on a need-to-do/need-to-know basis as appropriate to the information classification, with segregation of duties built in and reviewed on a periodic basis.
5.2 Segregation of Duties
Through the Risk Management framework, conflicting responsibilities are avoided or controlled when defining roles and responsibilities. An Identity and Access Management (IAM) solution has been defined to manage user access through role-based access profiles, which support granting access on a need-to-know basis and support segregation of duties. The privileges for administering user access and role configurations are separate from those of the authorized approver who approves access requests. The approvers are either the Product Heads or the respective function Heads, or their authorized delegates. Developers do not have access to the production environment (including no access to migrate changes). Access to migrate changes is limited to a very small number of designated and authorized individuals.
5.3 Administrative access
Yes. Privileged users are provided only with the elevated access required for their job function. Segregation of roles is in place for management operations, ensuring a clear separation of roles based on applications.
6. Third-party Service providers
6.1 Engagement of third-party service providers
Zoliday partners with organizations that, like itself, adhere to global standards and regulations. These organizations include sub-processors or third parties that Zoliday utilizes to assist in providing its products.
6.2 Management and monitoring service providers
Regular assessments are conducted on such service providers to ensure that data is processed in a fair manner and only for the purposes for which it was collected. Apart from evaluation against technical requirements, an examination of data protection measures, compliance with Zoliday's security requirements, and a review of security audit reports is conducted before on-boarding a service provider. Checks on the service provider's vulnerability and patch management processes and intrusion protection capabilities in AWS/AZURE environments are also reviewed. Copies of the access management process, third-party vulnerability testing reports, SOC 2 reports, ISO 27001 reports, etc. are shared by the service partner and reviewed by Zoliday. Provisions for breach notification in the event of unwarranted data incidents, and the necessary security measures for protection and recovery of data, are made part of the data processing agreements between such service providers and Zoliday.
7. Change Management
7.1 Security embedded in Change Management
Following the principles of Security by Design, product security at Zoliday is a blueprint and design consideration in every build cycle.
7.2 Centralized management of source code
Source code is managed centrally under version control, with access restricted based on the teams assigned to specific sprints. Records are maintained for all code changes and commits.
7.3 Production Environments
We have dedicated instances for development, test and production. Access to the production environment is restricted to a very limited set of authorized users based on their job roles and responsibilities; this restriction applies to developers and Quality Assurance team members as well.
8. Backup and Recovery
8.1 Backup and Recovery Process
Zoliday has a formal backup and recovery process. Application logs are backed up and are maintained for a duration of one year. Customers' data is backed up in two ways:
- A continuous backup is maintained in different data centers to support a system failover if one were to occur in the primary data center. Should an unlikely catastrophe occur in one of the data centers, businesses would lose only five minutes of data.
- Data is backed up to persistent storage every day and retained for the last fourteen days.
8.2 Backup of server configurations
Yes. System state snapshots of the baselined configuration are created and saved as Amazon Machine Images (AMIs) or Azure system images. The AMIs/system images are periodically updated and are used when creating new instances.
8.3 Backup Encryption
Yes. All backups are encrypted using AES 256-bit encryption with a key strength of 1,024 bits, with keys managed through AWS/AZURE Key Management Services (KMS).
8.4 Bespoke Retention Schedules
We follow a uniform backup and retention schedule. By default, all data is retained for the data retention period stated in the Terms of Service and deleted thereafter. All data on encrypted backup servers is deleted within three months of termination of the account.
9. Business Continuity and Disaster Recovery
9.1 Business Continuity and Disaster Recovery Plan
Zoliday has a formal Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) defined and implemented to enable people and process support during any crisis or business interruption. Appropriate roles and responsibilities have been defined and documented as part of the BC plan. Zoliday's Information Security Office and the respective Customer Manager are responsible for communication and notification during a crisis.
9.2 Business Continuity commitment from third parties
Zoliday partners with organizations that, like itself, adhere to global standards and regulations. These organizations include sub-processors or third parties that Zoliday utilizes to assist in providing its products. Regular assessments are conducted to ensure continuity and availability of their services.
9.3 Infrastructure Resilience
We have a highly resilient and fault-tolerant architecture, which further leverages the disaster resilience provided by AWS/AZURE.