Shastic is a non-mission-critical vendor. Our products, including Elle, Chimera, and the MeridianLink LoansPQ Elle Chat, do not connect to the institution's core and do not otherwise have access to any account data or to sensitive member or financial data of any kind.
Security & Infrastructure
Shastic offers fully-hosted and maintenance-free solutions. Shastic's entire IT infrastructure is provided and managed by Amazon Web Services (AWS) at remote undisclosed locations. By leveraging one of the world’s most secure and reliable IT infrastructure providers, we ensure that your data is securely stored and accessed.
The security features of our products have been reviewed and approved by many financial institutions. We support:
- Encrypted (TLS/SSL) connections for all interactions with AWS. We support the following SSL/TLS protocols: TLS 1.3, TLS 1.2, TLS 1.1, SSLv3, SSLv2.
- Secure access. Access points allow secure HTTP access (HTTPS) so that we can establish secure communication sessions with our services using SSL.
- Built-in firewalls.
- Encrypted data storage at rest.
- AWS cloud infrastructure that has been designed and managed in alignment with regulations, standards and compliance best practices.
- Automatic nightly remote backups.
- Encrypted (TLS/SSL) connections for all interactions with IT Infrastructure.
- All access to IT resources is guarded by asymmetric key pairs and multi-factor authentication.
Shastic has built-in firewalls in the Elle web application platform.
Please reference our security & infrastructure documentation for more details on firewall controls.
Security & Infrastructure: http://info.shastic.com/DueDiligence/Shastic-Due-Diligence-and-TCPA-compliance.pdf
Monitoring and Alerting:
Shastic has regular checks and sufficient monitoring in place to alert the company when any piece of its infrastructure has been impacted by server failure, connectivity issues, and application issues.
Amazon CloudWatch provides Shastic with access to metrics about its AWS resources, as well as custom metrics that can be application-centric or even business-centric.
Shastic has set up multiple alarms based on defined thresholds on any of the metrics and, when required, alerts Shastic’s recovery team of unexpected behavior.
Network Security Policies:
Shastic implements a Virtual Private Cloud (VPC), which is a virtual network dedicated to all of its AWS resources. It is logically isolated from other virtual networks in the AWS Cloud. Shastic only launches AWS resources within its VPC and uses subnets and route tables to segment and isolate like-functioning areas of the infrastructure.
To further protect the AWS resources in each subnet, Shastic uses multiple layers of security, including security groups and network access control lists (ACLs).
Testing ensures that sufficient documentation is in place to make the process as simple as possible should a real event take place. A key advantage of deploying on AWS is the ability to test frequently without the need to touch Shastic’s production environment.
Shastic uses AWS Auto Scaling to deploy complete environments on AWS. This uses a template to describe the AWS resources and any associated dependencies or runtime parameters that are required to create a full environment.
Shastic varies its tests to cover many different types of disasters, including:
- Loss of ISP connectivity to a single site
- A virus impacting core business services that affects multiple sites
- User error that causes the loss of data, requiring a point-in-time recovery
Please reference Shastic’s Business Continuity/Disaster Recovery Plan for more details: