Secure Hosting Protocols

Overview

Tickety Boo treats client data with an exceptional level of importance. The security levels that we maintain are equal to many of the world's leading suppliers of IT services. We understand the growing moral and legal responsibility Tickety Boo has to its clients to ensure their data is as secure as possible.

The current industry standard for a website developer is to host their websites on shared servers with a hosting company. In reality, this means that hundreds of other suppliers share the same server. We feel this is an insecure approach, as one infected website can easily infect other websites on the same server. Each site's data protection is only as strong as the least protected website on that shared server.

Server Security

To combat this threat, each website, CRM or SaaS system that Tickety Boo hosts is hosted on its own server, which insulates it from such vulnerabilities. Each server, in turn, is protected by its own firewall, configured specifically for the service that server provides. Access is only available through the user's email address and secure password. There is NO FTP or root access available, which insulates the data from attack.

In line with best practice, all of our hosting is provided within the United Kingdom, with regular backups.

Physical Security

The data centres are managed by one of the premium providers in the world and co-located in some of the most respected data centre facilities. We leverage all of the capabilities of these providers, including physical security and environmental controls, to secure our infrastructure from physical threat or impact. Each site is staffed 24/7/365 with on-site physical security to protect against unauthorised entry.

Infrastructure Security

The infrastructure is secured through a defence-in-depth layered approach. Access to the management network infrastructure is provided through multi-factor authentication points which restrict network-level access to infrastructure based on job function, following the principle of least privilege. All access to the ingress points is closely monitored and subject to stringent change control mechanisms.

Systems are protected through key-based authentication and access is limited by Role-Based Access Control (RBAC). RBAC ensures that only the users who require access to a system are able to log in. We consider any system which houses customer data that we collect, or systems which house the data customers store with us to be of the highest sensitivity. As such, access to these systems is extremely limited and closely monitored.

Additionally, hard drives and infrastructure are securely erased before being decommissioned or reused to ensure that your data remains secure.

Access Logging

Systems controlling the management network log to our centralised logging environment to allow for performance and security monitoring. Our logging includes system actions as well as the logins and commands issued by our system administrators.

Security Monitoring

Data support staff use monitoring and analytics capabilities to identify potentially malicious activity within our infrastructure. User and system behaviours are monitored for suspicious activity, and investigations are performed following our incident reporting and response procedures.

Server Security & Employee Access

The security and data integrity of customer servers is of the utmost importance. As a result, the technical support staff do not have access to the backend hypervisors where virtual servers reside nor direct access to the NAS/SAN storage systems where snapshots and backup images reside. Only select engineering teams have direct access to the backend hypervisors based on their role.

Backup Security

Backups are stored on an internal, non-publicly visible network on NAS/SAN servers. We can directly manage the regions where backups exist, which allows us to control where customer data resides within the data centres for security and compliance purposes.

Compliance

United Kingdom Information Commissioner

Tickety Boo is registered and regulated by the Information Commissioner's Office (ICO) to store and handle personal data. The online register can be viewed at ico.org.uk/register. Certificate ZA151271

ISO/IEC 27001:2013 Certification

Our hosting is certified to the international standard ISO/IEC 27001:2013. By achieving compliance with this globally recognised information security controls framework, audited by a third party, our hosting has demonstrated a commitment to protecting sensitive customer and company information. That commitment doesn't end with a compliance framework, which is a necessary baseline for security rather than the whole of it.

EU-U.S. and Swiss-U.S. Privacy Shield Certification

Our hosts actively participate in and comply with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks as set forth by the U.S. Department of Commerce and the European Commission. The framework provides the hosts with a mechanism to comply with data protection requirements when transferring personal data.

Data Centre Colocation Attestations and Certifications

All of our data centres are independently audited and/or certified by various internationally-recognised attestation and certification compliance standards.

Summary

We understand that the level of security provided by Tickety Boo is far greater than that of the average website and hosting provider. We also expect that new data security legislation, much like the GDPR regulations, will force current providers to meet these higher standards. However, we believe the moral and legal ramifications of losing data make this investment worthwhile now, rather than waiting for such legislation.