Your browser is unsupported and may have security vulnerabilities! Upgrade to a newer browser to experience this site in all it's glory.
Skip to main content

Quantum: Information Security

Serverless architecture

The application is implemented using serverless technologies and is hosted at Amazon Web Services (AWS).

The application makes use of the following AWS services:

  • Identity and Access Management (IAM)
    Amazon API Gateway
    Amazon Simple Storage Service (S3)
    AWS Lambda
    Amazon Cognito
    Secrets Manager
    AWS Key Management Service (KMS)

Further information on the security characteristics of each of these services can be found in the AWS Security Portal.

Control of confidential information

Information is classified and labelled to indicate both the level of confidentiality and organisational compartmentalisation.

Users are authenticated using an email, password and Two Factor Device by Amazon Cognito. Users are authorized to access only confidential information labelled for their organisation.

Organisation associations are stored and managed by Amazon Cognito.

Information compartmentalisation is provided using Amazon Cognito and AWS Key Management Service together. A unique cryptographic key is created for each organisation and all confidential information provided by that organisation is encrypted with their unique key.

Access to the KMS key is provided only to users who are members of the organisation. No other users are authorised to decrypted confidential information provided by another organisation.

Administrative users are not authorised to decrypt confidential information.

Data Sovereignty

All data is held in the UK and all processing is conducted within the UK

User Access control

User access provisioning

There is no self-registration process. Users are invited to the system by Class Legal administrators. Users are assigned to organisations by system administrators at the point of invitation.

User deprovisioning

All access roster management is provided by Class Legal. When a user leaves an organization, or no longer requires access, Class Legal should be informed to disable the associated user account.

Authentication

Users are authenticated by Amazon Cognito using an email address, password and two factor device.

Two Factor Authentication will be enabled by default for Organisations and uses the standard Time-based One-Time Password algorithm (TOTP).

Password management

Passwords are stored securely within Amazon Cognito and Class Legal have no access to extract passwords.

Protection from compromised credentials

Amazon Cognito helps protect users from unauthorised access to their accounts using compromised credentials. When Amazon Cognito detects users have entered credentials that have been compromised elsewhere, it prompts them to change their password.

Password policy

Passwords are required to have a minimum length of eight characters. This is enforced by Amazon Cognito.

Cryptographic controls

Encryption in transit

All data is encrypted with Transport Layer Security (TLS) version 1.2. Less secure versions of TLS will be rejected.

Encryption at rest

All data is encrypted at rest using the Amazon Key Management Service using the KMS SYMMETRIC_DEFAULT configuration profile. Currently, this represents a symmetric algorithm based on Advanced Encryption Standard (AES) in Galois Counter Mode (GCM) with 256-bit keys, an industry standard for secure encryption. The ciphertext that this algorithm generates supports additional authenticated data (AAD), such as an encryption context, and GCM provides an additional integrity check on the ciphertext. For technical details, see the AWS Key Management Service Cryptographic Details whitepaper.

Penetration testing

The application is penetration tested by a third party on a quarterly basis and the results are reviewed and remediated as necessary.

Data durability

All data is held within Amazon S3, which provides 99.999999999% durability of objects within a given year.

Administration

Network Intrusion Detection Systems

As a purely serverless application there are no dedicated network resources to monitor.

Required levels of intrusion detection are provided by continuous compliance tools.

Continuous compliance

AWS Config provides compliance monitoring.

AWS Cloudtrail monitors activity within the AWS environment and alerts for defined suspicious activity.

AWS GuardDuty provides continuous threat monitoring and alerts for suspicious activity or changes in the cloud environment.

Patch management

As a serverless application there are no dedicated computer resources that require patching.

All patch management is therefore provided by AWS.

Software vulnerability management

Software dependencies are actively monitored for known security vulnerabilities using third party vulnerability management software. Known vulnerabilities are regularly triaged and updated as necessary.