Security Philosophy Overview
qwikLABS® is committed to providing the highest level of enterprise and information security. We have designed our system based on the principles of Governance, Risk and Compliance (GRC) for enterprise level security and Confidentiality, Integrity and Availability (CIA) for information security in accordance with the state-of-the-art in Cloud and cyber security practices. We explain below our philosophy for each element of GRC and CIA.
Visibility and control is in the hands of the enterprise. They can:
- decide which users are creators or trainers
- decide what the creators and trainers can see, edit and delete. The default behavior is that creators can see their labs and classes, trainers can see their classes and all labs in the organization.
- manage the full lifecycle of labs and classes including creation, editing, and deleting
Trainers fully control when students have access to a lab, when they can start it (activate), when they need to stop (pause) and when the lab is complete (end).
We use industry standard APIs, infrastructure hardware and software. All customer
data is isolated in individual customer instances both in databases as well as deployment. Each lab instance is only available while a student performs the lab. By allocating resources from a datacenter that is physically closest to where the request is coming from, we minimize latency.
We comply with all applicable laws and provide features for implementing the enterprise’s security policies.
Everything is isolated. Customers can't see each other's users, labs or classes. Creators can't see each other's labs, trainers can't see each other's classes and students can only see the labs assigned to the classes that they have enrolled in. The only user data we track is the email address. The lab resources are cleared of all lab specific content (software, data etc.), access to the lab environment is destroyed and the lab environment reset after each lab is completed.
Students are isolated to their own labs. Each lab is a completely separate environment. A student can't impact other student's experience performing a lab. Only a trainer can end a lab, so a student can't accidentally destroy their lab environment. All users are authenticated before they have access to any capabilities. When assigned lab resources students get a randomly generated password which gets destroyed at the end of the lab. Also, all lab resources consumed are wiped clean and deleted at the end of the lab. All access to lab resources is encrypted using ssh and behind an automatic firewall that cannot be changed by the student.
By using public Cloud companies that have distributed data centers around the world, we minimize the risk and exposure to our customers. If one or more data centers come down due to any reason, our software can be executed and labs can be served on any other available data centers.
Role based authentication
qwikLABS™ authenticates each user based on one of 3 account types: Student, Creator or Trainer. The enterprise can select which users they want to be trainers and creators by adding them to a qwikLABS system file. Any other users are students by default.
Students can create a user account, update their profiles, start labs from their student dashboard and browse class and lab details. The only labs a Student can start are labs that are associated with classes that they have registered for and that have been activated by either a qwikLABS™ Trainer or Creator. qwikLABS™Students do not have the ability to end a lab.
In addition to having the ability to do everything that a Student can do, Trainers can also create, edit, manage and delete classes. Trainers can create a new class, modify the class information and add or delete students. Additionally, Trainers can activate a lab in a class which enables students to start using that lab, pause a lab which stops students from accessing or using the lab or end a lab which terminates and stops access for all of the students in a class. Trainers can also select,start and end any of the labs available to them as an individual user.
Creators can do everything a Trainer and a Student can do. Additionally, a Creator can create, edit and manage a lab. This involves the ability to import a lab template and include multiple lab instructions into a qwikLABS™ lab. For more information see Create/Edit Lab.
qwikLABS Incident response plan
qwikLABS™ monitors real time CloudWatch alarms for any incidents. If we receive any notification of an incident or notice any incident then we take the following steps:
- Notify qwikLABS admin or firstname.lastname@example.org of the incident
- Determine the root cause of the incident
- Notify the customer of the incident
- Fix the bug and test the bug fix on staging and cuke
- Deploy the bug fix to master and then notify the customer of a pending update
- Update the customer instance