Cloud Security FAQs

Modified on Thu, 18 Jan 2024 at 09:04 AM

This solution answers commonly asked questions regarding Cloud security



Where (physically) is the data hosted? 

Chintaro Cloud is hosted by AWS Servers in Sydney.  


Does the data (including backups) remain in Australia at all times? 


Yes.


Will the data be accessed by foreign nationals or copied offshore e.g. by a support team, when resolving issues/testing new functionality? 

No, all support and testing is performed by Chintaro staff here in Australia.


How is the data protected (e.g. backed up)?

Customer data is backed up and stored on a different server from where your live data is and we have a security company monitoring all servers. Chintaro Cloud customers have their data backed up according to the following schedule: 

  • Daily incremental (encrypted)
  • Weekly full backup (encrypted) 
  • Monthly full backup archived for 12 months (encrypted) 
  • Annual full backup archived indefinitely, and a copy provided to the client (encrypted) 
  • Daily snapshots of data to ensure < 4 hours of loss of data (encrypted) 
  • Quarterly test restore of data 

What multi-tenancy arrangements are in place and how does this work?

Customer data is partitioned within a Windows network environment and controlled by domain security and access control (ACL and GPO). No organisation can access another organisation’s data in any way. 


What is the TLS protocol used in the transmission of information between the cloud and endpoints via Parallels?

TLS 1.2

How are passwords administered? Is it self-serve or are the policies set by Chintaro? 

The policies are set by MDB Consulting, however, there is the functionality for users to tailor some elements if they would like to.

Is MDB Consulting/ Chintaro SOC2 compliant?

No, we are not.

Can we store operational data in the Chintaro Cloud environment? I.e. Tenancy documentation, Photos, etc.


Yes, we can accommodate extra storage at a cost and largely have clients utilising SharePoint for this purpose.

What is the SLA for the availability of the solution?

This is included in the End User Licence Agreement:

“The Licensor warrants that the Software will have an uptime of 99.5% during the hours of 7 am to 7 pm Monday to Friday and an uptime of 99% outside these hours.”


Are users able to take a regular offline backup of our data?


Yes, this can be set up for your organisation. Backups are transferred via SFTP or directly to a SharePoint site.


Is it possible to enable geo-filtering so access is only available within Australia? 

Yes, we have a conditional access policy in place blocking offshore access.


What security standards do you comply with? E.g. ISO27001, IRAP assessed, Essential Eight.   

Chintaro is not compliant with any known standard, however, we are currently working with our security company for ISO27001, and the core vendors of the Chintaro service adhere to a set of certifications. For example, our security company adheres to Essential Eight and is undergoing the process to become ISO27001 certified.


What information can you share about your security, disaster recovery, and data breach policies? 

We have these policies in place and work closely with our security company to ensure they are updated regularly. 


Do you carry any form of cyber security insurance? 

Yes


Is there a process by which a data breach or a critical security event is communicated to customers?

Yes, if your data was breached, or a critical security event had occurred, you would be notified in writing.


Do you perform security audits, at least annually, against the services we will be subscribing to, using a reputable third party auditor and against a known standard? (e.g. ASAE3402, PCIDSS or ISO27001) 


Not at this stage. 


Do you encrypt all data at rest including backed up/replicated data with at least AES 256-bit encryption or greater? 


Yes


Are audit logs kept of actions taken within the system?  How are these accessed?

Device-level events are captured on the servers which host the virtual desktop environments from which Chintaro users run the application. Our security company can see user activity on the servers, including logon events, file events, read/write executions, registry events and network events. An agent runs on each device and captures operating system events, which are forwarded to Microsoft Sentinel and Microsoft 365 Defender; the logs are accessed via those two tools. Chintaro’s managed security operations centre provides 24/7 monitoring of these logs via automated queries and manual threat hunting. Within Chintaro itself, there is an audit screen available to users that logs activity.


Are audit logs kept of actions taken by the vendor, including accessing back-end databases?  How are these accessed? 


Yes. All Azure Active Directory logon events as well as network logon events are tracked and ingested into Microsoft Sentinel. User activity on servers and in Azure is audited and the logs are ingested into Microsoft Sentinel. User devices such as laptops and computers have their device-level logs ingested into Microsoft 365 Defender. Chintaro’s managed security operations centre provides 24/7 monitoring of these logs via automated queries and manual threat hunting.

From a Chintaro perspective, all user activity (including Chintaro staff) is logged in the Audit history.


How do you manage vulnerabilities in third-party tools and software utilised by the product e.g. Log4J?  

Chintaro’s managed security operations centre provides continuous monitoring of all known vulnerabilities (based on CVE databases), cross-referenced against Chintaro’s software stack. Notable vulnerabilities are reported as they become known, and once a month Chintaro receives an export of all known vulnerabilities across devices, software, and third-party tools.

For vulnerabilities that do not have patches available, Chintaro’s managed security operations centre provides mitigation steps for Chintaro to implement. In addition, 24/7 security monitoring is in place via bespoke automated alerts that are written to detect exploitation of known vulnerabilities.


How do users authenticate? Is Multifactor Authentication available? 

Organisations choose from standard (username/password), MFA or SSO.


Can the service be configured to allow my users to Single Sign On with Active Directory Credentials using technologies like SAML 2.0? 

Yes


What happens to data if the partnership ends?

At the cessation of your agreement with Chintaro you will be sent a copy of your data, all cloud access will be revoked and your data will be permanently deleted from our Cloud environment. We can retain a backup for historical purposes at your request.


When data is deleted, is it permanently erased?

Yes.


How is data recovered in the case of loss? 

Depending on the circumstances and the extent of the loss, we have processes in place to restore from a backup or image.


Will any third parties have access to our data? 

No, there is no access to customer data by any unauthorized people or third parties. This is covered in your End User License Agreement (EULA) under section 9.4:


Have you had any breaches or security issues in the past? 

No.


What system monitoring procedures are in place? 

Chintaro’s managed security operations centre provides us with 24/7 security monitoring.


Who is responsible for cyber security?

Oliver Naylor (Infrastructure Manager & Lead Developer) oversees our relationship with our security company. The security company provides Chintaro with security monitoring of our environment and incident response capability in the event of a cyber security incident; it performs threat hunting during business hours and maintains an on-call roster after hours to respond to serious alerts. It also scans the Chintaro environment for vulnerabilities and provides that information to Chintaro for remediation.


How often do you provide training to your security team?

Chintaro's security company is a specialist Australian provider of IT security, privacy and risk services. Their expertise in IT security, privacy and technology risk is unique and is drawn from a range of industries including banking and financial services, retail, technology, government and management consulting.


How do you assess the knowledge of your security team?

Chintaro's security company adheres to Essential Eight and is undergoing the process to become ISO27001 certified. 


How do you receive information on cyber security?

Chintaro's security company holds a monthly meeting with Chintaro leadership, covering the general cyber threat landscape for situational awareness, as well as an overview of what they have seen in the Chintaro environment, any alerts they have responded to, and any vulnerabilities that have been detected.


Do you have a disaster recovery or business continuity plan?

Yes.


Do you have cyber security or liability insurance?

Yes.

