DLR (Digital Learning Resources) Security Statement
(including use of DLR Cloud Service)
Digital Learning Resources Pty Ltd uses Amazon Web Services, an Amazon company which provides cloud infrastructure services including private cloud solutions, virtual servers, networking and turnkey data solutions.
Amazon Web Services (AWS) is the world’s most comprehensive and broadly adopted cloud platform, offering over 175 fully featured services from data centers globally. Millions of customers including the fastest-growing startups, largest enterprises, and leading government agencies are using AWS.
The primary data center used by DLR Cloud Service is based in Sydney with Content Delivery Network in over 100 locations world wide.
AWS has the largest global infrastructure footprint of any provider, and this footprint is constantly increasing at a significant rate. When deploying applications and workloads to the cloud, you have the flexibility in selecting a technology infrastructure that is closest to your primary target of users. You can run your workloads on the cloud that delivers the best support for the broadest set of applications, even those with the highest throughput and lowest latency requirements. And If your data lives off this planet, you can use AWS Ground Station, which provides satellite antennas in close proximity to AWS infrastructure Regions.
The AWS Cloud infrastructure is built around AWS Regions and Availability Zones. An AWS Region is a physical location in the world where we have multiple Availability Zones. Availability Zones consist of one or more discrete data centers, each with redundant power, networking, and connectivity housed in separate facilities. These Availability Zones offer you the ability to operate production applications and databases that are more highly available, fault tolerant, and scalable than would be possible from a single data center. The AWS Cloud operates in over 60 Availability Zones within over 20 geographic Regions around the world, with announced plans for more Availability Zones and Regions.
AWS delivers the highest network availability of any cloud provider, with 7x fewer down time hours than the next largest cloud provider.* Each region is fully isolated and comprised of multiple AZ’s, which are fully isolated partitions of the infrastructure. In addition, AWS control planes and the AWS management console are distributed across regions, and include regional API endpoints, which are designed to operate securely for at least 24 hours if isolated from the global control plane functions without requiring customers to access the region or its API endpoints via external networks during any isolation.
The AWS Global Infrastructure is built for performance. AWS Regions offer low latency, low packet loss, and high overall network quality. This is achieved with a fully redundant 100 GbE fiber network backbone, often providing many terabits of capacity between Regions. AWS Local Zones and AWS Wavelength, with the telco providers, provide performance for applications that require single-digit millisecond latencies by delivering AWS infrastructure and services closer to end-users and 5G connected devices.
Under the agreement between DLR and AWS, services provided by AWS are not designed to any specific security requirements other than the physical security of the computing resources containing DLR’s content (or any client of DLR’s content). AWS will not access DLR’s content except i) when it is expressly authorised in connection with requested support; ii) as mutually agreed between the parties; iii) to the extent required by law or as necessary to comply with the request of a governmental or regulatory body or order from a court of competent jurisdiction.
Facility Management Services Supporting Amazon Web Services
The controls that AWS implements at its data centers either within or outside Australia include:
- Physical access to the Data Center, including sensitive areas, is restricted;
- Access to the Data Center is restricted to authorised personnel;
- Surveillance cameras are located at strategic locations at the Data Center as a deterrent to unauthorised access;
- Failed access attempts to the Data Center are logged for follow-up as necessary;
- Visitors and contractors to the Data Centers are signed in. Visitors are escorted by authorised personnel and contractors escorted as necessary;
- Fire detection and suppression systems, including dry pipe, fire extinguishers, smoke and fire alarms, exist in the Data Center;
- Backup power, including UPS and generators, exist in the Data Center;
- Heating and cooling (HVAC) mechanisms, such as CRAC/CRAH units, air handlers and chillers, exist in the Data Center to monitor and control temperature and humidity;
- Power distribution units and electrical panels exist in the Data Centers; and
- Periodic maintenance is performed over: a) fire detection and suppression systems, b) generator and UPS, and c) HVAC.
[Note: DLR Cloud physical and environment security, fire detection and suppression, and power-related security matters are managed by Amazon Web Services.]
Roles and Responsibilities between Client, DLR Cloud, and Amazon Web Services
The following chart sets out a summary of various roles and responsibilities under this Data Security Statement:
||Data Center Management
||Hypervisor Provisioning & Management
||Virtual Provisioning & Management
||Data Security (Including Backup, Anti-virus, & Storage Security)
||LMS Web and Database Services Provisioning & Management
||Customer LMS site Management (Including user accounts & assessments management, and course Delivering)
||Customer LMS site Additional unit creation, upload, and local Data Security
|Customer LMS Administrator
|DLR LMS online courses Provider (Virtualized, DLR Cloud)
|Public & Private Cloud Service Provider (Virtualized, Sydney Data Center, Amazon Web Services)
|| Customer LMS Administrators or Customer's authorized agent
|| DLR LMS Online Courses Provider
|| Amazon Web Services Cloud Service Provider
Cloud Network Security
Internal Network Architecture
DLR Cloud infrastructure is designed in a High Available (HA) network infrastructure to service DLR Web Learning Management Systems (LMS) and the training platform. The Cloud infrastructure is designed and implemented with dual firewalls, multiple content delivery networks and dual load balancers for web server Virtual Machines (VM) and Database VM. It provides both hardware and software level fault tolerance for DLR Cloud Service.
Cloud Network Monitoring and Protection
The following steps are taken by DLR in relation to network monitoring and protection:
- Running monthly vulnerability scans on all VMs on the AWS portal.
- Automatically configuring a service ping on each VM with the DLR Administrator notified immediately if any VM is down.
- Automatically configuring email services on the DLR Cloud Service to notify the DLR Administrator immediately if there are any issues.
- Monitoring of Cloud infrastructure is actioned by the DLR Information Communication Technology (ICT) Team 24 hours a day, 7 days a week.
Cloud Data Transmission Protection
- Firewall rules are designed and implemented on both Cloud public and private network interfaces to control network traffic between the internet, the Server Pool Network, the Web Server Network, the Database Server Cluster Network, the Storage Network, Student Nested Virtualisation Network.
- SSL Certificates are enabled for all our primary domains to provide security for user interactions with DLR web services.
- Accessing DLR Cloud infrastructure is configured via a secure SSL VPN session designed to protect against tampering, hacking and message interruption.
- The DLR (ICT) Team is responsible for managing DLR Cloud Infrastructure and liaises with the AWS Cloud Technical/Customer Service Team.
- The DLR Systems Team is responsible for designing, managing, developing and troubleshooting DLR general web and LMS Sites.
- The DLR Customer Service Team is responsible for responding to service and support requests from any individual LMS Site customer.
- Access to production systems is restricted to approved personnel only via a secure SSL VPN client agent running inside of the AWS Infrastructure. The Identity Access Management Tool on the AWS Portal provides a range of account security policies in password management, accessing service types, accessing location and also keeping a user accessing log.
Confidentiality and Non-Disclosure Agreements
All DLR employees are required to sign confidentiality and non-disclosure agreements as part of their employment with DLR. These obligations survive the termination of employment and are reviewed periodically.
Business Continuity and Disaster Recovery
- Dual firewalls are set up and configured in HA structure to protect the DLR Cloud Service.
- Highly Available application load balancers and dual database load balancers are set up and configured to prevent the internet network traffic from directly accessing web and database servers.
- DLR Cloud device is configured for offsite backup daily, weekly and monthly.
- Disaster recovery for hardware, power and cloud physical environment is managed via Amazon Web Services.
Physical and Environmental Security
Apart from the security measures in place at all AWS locations referred to above, DLR has the following physical and environmental security systems in place at its offices:
- Physical access is strictly controlled by a staff security system, including electronic coded staff access to all offices, video surveillance, intrusion detection systems and other electronic monitoring.
- Automatic fire protection, detection and suppression is installed in all offices consistent with applicable legislation including the Building Act 1993 (Vic), the Building Regulations 2006 (Vic) and the Building Code of Australia, unless specifically exempted.
- DLR has an uninterruptible power supply (UPS) on-site (server room) at its offices in Melbourne. Air-conditioning, security camera together with a 24/7 monitoring service, lock up door and swipe card security system for authorised personnel only, fire extinguisher system and raised floor are provided within the facility.
DLR maintains vigilant and high-level security of all internal networks and interfaces by:
- Applying security-related web programming technical activities to ensure high secure web service.
- Applying an antivirus plugin for Moodle (LMS) that scans uploaded files for security threats.
- Automatic conversion of plain text password in the external database authentication table to encrypted passwords.
- Installing and configuring antivirus programs on all DLR web and LMS servers, and running an antivirus scan daily.
- Rigorously testing every new plugin and customisation by the DLR Systems Team for vulnerabilities.
- Implementing LMS service security procedures based on Moodle security recommendations that include site policies, notifications, password encryption, spam controls and privacy protection.
Ownership and Retention of Data
- AWS is responsible for the physical environment, hardware, physical maintenance and power service availability of the DLR Cloud Service.
- DLR is responsible for designing, provisioning, managing, and developing LMS Sites. It includes course material updating, email service, payment portal, antivirus programs, and backup services.
- The DLR client is at all times responsible for their own user account management, course delivering, assessment and result recording, local data storage management, and creating and uploading their own content/materials.
- DLR and AWS will continue to pursue any relevant or new compliance and regulatory frameworks to provide the best service to its customers.
Data Sovereignty and Cross-border Data Flows
DLR is aware of its obligations under the Privacy Act 1988 (Cth) (as amended from time-to-time) (Privacy Act) including in relation to any cross-border disclosures of personal information under Australian Privacy Principle (APP) 8.
Where there is any ‘disclosure’ of personal information to AWS through the use of the DLR Cloud Service, DLR undertakes to take such steps as are reasonable in the circumstances to ensure that any overseas recipient does not breach the APPs (other than APP 1) in relation to the information.
Where the provision of services by AWS to DLR via the DLR Cloud Service constitutes any ‘use’ of personal information DLR accepts that any handling of personal information by AWS, including any acts or practices undertaken by it on behalf of DLR, will be treated as been having done by DLR.
DLR takes any data security maintenance outside of the AWS and DLR Cloud Service framework seriously including:
- Running data backup for all VMs daily and recovery points being merged after a successful backup and by keeping ten recovery point archiving schedule and running a disk verification schedule weekly.
- Antivirus On-Access Scan/On-Demand Scan is enabled for all Windows VMs and the attached network storage. Both full scan and auto update are scheduled daily at 5 am.
- AWS provides a fault tolerance on hard disk storage, and redundancy on network storage network to make sure of DLR Cloud data security. (Refer to related AWS documentations.)
- DLR has setup AWS systems to alert it to the details of any ‘eligible data breach’ (as that term is defined under the Privacy Act 1988 ) as soon as reasonably practicable so as to ensure that all parties comply with their lawful obligations under the Notifiable Data Breaches (NDB) scheme which commenced in Australian on 22 February 2018.
Information Technology Liability Insurance
General Liability (Product and Public Liability)