Skip to main content
Sign in Menu

System Architectural Overview

Heather C.
  • Updated

Overview    

Catalyst hosts all application services within the Windows Azure platform. Using Azure's services enables us to fully meet or exceed HIPAA standards for infrastructure security and reliability.     

 

User Identity Management

User identities within the Catalyst infrastructure are controlled by Microsoft Active directory. Access to production servers and customer data is limited to the 3 most senior engineers within Catalyst. All Catalyst employees must authenticate against Active Directory in order to log into any production application, including Catalyst.

Customer and employee passwords must meet complexity requirements and also must be reset every 45 days. Currently, Catalyst utilizes single-factor authentication but is exploring options for multi-factor.

 

Access Control

Staff currently has access to physical office space, data centers, and computer resources based on their role within the company—That is, we currently utilize role-based access control mechanisms.

 

Secure Audit

Currently, every action within Catalyst is logged and tied to a specific user. We capture information about user logins, data changes, and what data have been accessed by each user account.

 

Encryption & Key Management

The Catalyst infrastructure currently is encrypted using AES_128_CBC, with SHA1 for message authentication and RSA as the key exchange mechanism. Encryption keys are stored under lock and key within the Catalyst offices and backed up to safety deposit boxes. Encryption keys are currently managed by the Chief Technology Officer and Director of IT. Our public key has never been revoked and GoDaddy provides the trust chain. 

 

Security

Windows Azure uses industry-leading best practices for its design and operational security.

  • 24-hour monitored physical security. Datacenters are physically constructed, managed, and monitored to shelter data and services from unauthorized access as well as environmental threats.
  • Monitoring and logging. Security is monitored with the aid of centralized monitoring, correlation, and analysis systems that manage the large amount of information generated by devices within the environment and provide timely alerts. In addition, multiple levels of monitoring, logging, and reporting are available to provide visibility to customers.
  • Patching. Integrated deployment systems manage the distribution and installation of security patches. Customers can apply similar patch management processes for Virtual Machines deployed in Azure.
  • Antivirus/Antimalware protection. Microsoft Antimalware is built-in to Cloud Services and can be enabled for Virtual Machines to help identify and remove viruses, spyware, and other malicious software and provide real-time protection. Customers can also run antimalware solutions from partners on their Virtual Machines.
  • Intrusion detection and DDoS. Intrusion detection and prevention systems, denial of service attack prevention, regular penetration testing, and forensic tools help identify and mitigate threats from both outside and inside of Azure.
  • Zero standing privileges. Access to customer data by Microsoft operations and support personnel is denied by default. When granted, access is carefully managed and logged. Data center access to the systems that store customer data is strictly controlled via lock box processes.
  • Isolation. Azure uses network isolation to prevent unwanted communications between deployments, and access controls block unauthorized users. Virtual Machines do not receive inbound traffic from the Internet unless customers configure them to do so.
  • Azure Virtual Networks. Customers can choose to assign multiple deployments to an isolated Virtual Network and allow those deployments to communicate with each other through private IP addresses.
  • Encrypted communications. Built-in SSL and TLS cryptography enable customers to encrypt communications within and between deployments, from Azure to on-premises datacenters, and from Azure to administrators and users.
  • Private connection. Customers can use ExpressRoute to establish a private connection to Azure datacenters, keeping their traffic off the Internet.
  • Data encryption. Azure offers a wide range of encryption capabilities up to AES-256, giving customers the flexibility to implement the methods that best meet their needs.
  • Identity and access. Azure Active Directory enables customers to manage access to Azure, Office 365 and a world of other cloud apps. Multi-Factor Authentication and access monitoring offer enhanced security.

 

Infrastructure

Catalyst's platform design is broken down into 4 main areas (web application, web API, mobile clients, and database).

Web Application

The web application is used to set up and report for all Catalyst clients. All traffic is encrypted with industry-standard SSL.

Web API

The web API is used by all Catalyst mobile clients to sync data to and from the devices. All traffic is encrypted with industry-standard SSL.

Mobile Client

Our mobile clients are used in the field to render treatment and collect data.

Database

The database holds database all securely data and is inaccessible from the Internet. Industry-standard backups are stored within the Windows Azure platform.

image.png

Related articles

Powered by Zendesk