Cyber-crime is one of the largest risks to businesses globally with both the private and public sector under constant attack. As the fundamental contract between employer and employee, the reliability of an organisation’s payroll can make or break its reputation. With this risk environment, payroll security is a key area of concern for all employers.

As a trusted partner to hundreds of businesses, not-for-profits and government bodies, we build security into everything we do. Because the Aurion Cloud Platform (ACP) is our most popular deployment type, we want to share with you how we secure your payroll data in the cloud.

Layered security approach
The ACP is powered by Amazon Web Services (AWS) data centres and network architecture, which are a foundation for our security. AWS meets the requirements of the globe’s most security-sensitive organisations and is regularly audited to ensure compliance. In turn, all Aurion systems, upgrades and updates are subject to rigorous testing and require multiple internal approvals prior to deployment.

Organisations can no longer rely on putting all their eggs in the “network perimeter security” basket. A multi-faceted security approach is required where we can Anticipate, Prevent, Detect and React to security threats.

Anticipate vulnerabilities
We align our risk management framework to the ISO 31000 risk management standard and are certified to ISO 9001:2015 for quality management. We methodically manage risk by anticipating and understanding it, then deciding how it should be treated.

We use threat intelligence to focus our resources on areas that an adversary is more likely to target. Numerous sources of information feed into our threat intelligence capability, including our Security Information and Event Management (SIEM) system and knowledge bases of real-world adversary behaviours.

As part of our Information Security Management System (ISMS), Aurion has a vulnerability assessment and penetration testing program in place, which aims to validate current security controls and identify vulnerabilities that could be exploited.

Prevent intrusion
The ACP leverages AWS to provide comprehensive availability protection against common, frequently occurring network and transport layer attacks. Here’s some additional information about compliance programs and features delivered by AWS technology.

Our own web application firewalls detect and block malicious web requests that could impact availability, compromise security or result in excessive resource consumption.

Aurion customer data is stored and backed up within Australia, so it never leaves Australian jurisdiction. Sensitive data (and, where practical, all other persistent data) is encrypted at rest using industry-standard encryption algorithms. Data in transit between a customer’s device and the ACP is encrypted using the industry-recommended transport security protocol.

The principle of ‘least privilege’ is implemented throughout the ACP: the access a software application is granted to other components or services is restricted to the absolute minimum. For example, the application would have write-only access to a specific database, rather than administrator access to the entire server.
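To make the contrast above concrete, here is an added example (not Aurion's own configuration) written for PostgreSQL. It sets up the two kinds of database account the paragraph describes: an administrator-level login, and a least-privilege login that can connect to one database and write to one table only. The role, database and table names (payroll_app, payroll, timesheet_entries) are hypothetical.

```sql
-- Added example, not Aurion's configuration. Role, database and table names
-- are hypothetical. Run as a database administrator while connected to the
-- target database, so the schema-level statements apply to the right place.

-- The over-privileged pattern the post warns against: the application logs in
-- as a superuser and can read, alter or drop anything on the whole server.
CREATE ROLE payroll_app_admin LOGIN SUPERUSER PASSWORD 'CHANGE-ME-placeholder';

-- The least-privilege pattern: a plain login role with no server-wide rights.
CREATE ROLE payroll_app LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT
    PASSWORD 'CHANGE-ME-placeholder';

-- Start from nothing: strip the default rights every role receives via PUBLIC,
-- so the application only holds what is granted back explicitly below.
REVOKE ALL ON DATABASE payroll FROM PUBLIC;
REVOKE ALL ON SCHEMA public FROM PUBLIC;

-- Grant back only what the application uses: connect to this one database,
-- resolve objects in its schema, and insert rows into one table ("write-only").
GRANT CONNECT ON DATABASE payroll TO payroll_app;
GRANT USAGE ON SCHEMA public TO payroll_app;
GRANT INSERT ON TABLE public.timesheet_entries TO payroll_app;

-- Verification: list exactly which table privileges the role now holds.
-- Expected: a single row for timesheet_entries with privilege_type INSERT.
SELECT grantee, table_schema, table_name, privilege_type
FROM information_schema.role_table_grants
WHERE grantee = 'payroll_app';
```

The application connects as payroll_app; payroll_app_admin is shown only as the "administrator access to the entire server" contrast. If the application also needs to read, grant SELECT on the specific tables it queries rather than widening to the schema or database, and re-run the verification query after any change so the actual grant set stays visible and reviewable.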

Security is a shared responsibility, and our customers should ensure that their usage of the Aurion product is compliant with their own security policies and applicable laws and regulations.

In the ACP, our customers don’t have the burden of ensuring the operating systems, supporting applications and infrastructure are kept up to date. That’s Aurion’s responsibility, and we also ensure that when an Aurion software update is released, it’s applied to their environments in a timely manner.

Detect and React
Every ACP customer has the capability to audit their service. From a platform perspective, events generated by its various components are streamed to a centralised and secure location. The ACP threat detection and management architecture is key for ACP administrators to analyse these events and detect anomalous activity.

We have a formal, documented incident response process that addresses how we detect, investigate, contain, eradicate, recover, report (also to customers) and remediate a security incident.

Recent amendments to the Privacy Act require Aurion Corporation to notify the Office of the Australian Information Commissioner if a data breach of personal information occurs that is likely to result in serious harm to any individual impacted.

Test until best
As an independent endorsement of our solutions’ quality and security, Aurion goes through a rigorous assessment process to maintain a range of certifications, including ISO 27001:2013, which specifies an information security management system and provides a mechanism for our continual improvement.

Even beyond the cloud, for our customers who host their Aurion solution on their own infrastructure (on-premises), every year we test the effectiveness of the security controls implemented at the various layers of the Aurion solution.

Aurion completed the most recent round of penetration testing between November 2020 and March 2021. Given the scope of our testing, the independent security organisation considered Aurion’s security posture to be above the industry average and, in most cases, to represent a high level of security maturity.

Do you do enough to protect your IT systems? Measure your organisation against the benchmark advice for resisting cyber threats with the Australian Government Information Security Manual.

Find out more about our secure services: read the other blogs in the Security Series – How Aurion Secures Your Company Payroll and How Aurion Gives Staff A Secure Payroll Experience – and an overview of new security features released in June 2020, An Even More Secure Experience with Aurion.