Security Assessment

DFE EARWIG SERVERS SECURITY APPRAISAL 2025 - EARWIG SELF-APPRAISAL

ASSET PROTECTION AND RESILIENCE

Data, and the assets storing or processing it, should be protected against physical tampering, loss, damage or seizure. This includes the following:

1. Data Centre – Physical Location and Legal Jurisdiction

Please document the locations at which School data is stored, processed and managed from.

  • The Earwig servers are provided and supported by Amazon Web Services and are located in London. All data is held onshore, using cloud servers with maximum power backup and physical security.
  • Earwig data is backed up to servers provided by Amazon S3, based in London.

2. Data sanitisation

If the process of provisioning, migrating and de-provisioning resources is ever needed during the Earwig servers provision, what measures will be taken to protect the data? For example, when resources are moved or re-provisioned, is all data securely erased?

  • In this rare event, yes.

3. Equipment disposal

Is all equipment potentially containing School data, credentials, or configuration information for the Earwig servers identified at the end of its life, and are components containing sensitive data sanitised, removed or destroyed as appropriate?

  • Yes.

4. Physical resilience and availability

What are the availability commitments of the Earwig servers provider, including their ability to recover from outages?

  • All the servers used by Earwig guarantee 99.999% availability.

DATA PROTECTION IN TRANSIT

Data transiting networks should be adequately protected against tampering (integrity) and eavesdropping (confidentiality).

Is all data in transit protected between all end user devices and the Earwig servers? If so, what technology is used to achieve this?

Is all data in transit protected internally within the Earwig servers? If so, what technology is used to achieve this?

If applicable, is all data in transit protected between the Earwig servers and other services (e.g. where APIs are exposed)? If so, what technology is used to achieve this?

SEPARATION BETWEEN CONSUMERS

Separation between different consumers of the Earwig servers prevents one malicious or compromised consumer from affecting the service or data of another.

Please document the deployment model of the Earwig servers, i.e. public, private or community cloud.

  • Earwig is not a publicly accessible service. Every user has to be approved and to log in to the system with their unique identifier to gain access to anything. It is a Closed User Group.

Please document the service model of the Earwig servers, i.e. IaaS, SaaS, PaaS.

  • The service is provided in the form of SaaS.

Please articulate how the Earwig servers provide sufficient separation of the School data and service from other consumers of the Earwig servers.

  • Each user’s unique login gives them access only to the data for one school and then only to data that they are approved to see. There are four user grades:
    • ADMINISTRATORS – selected senior staff at each school who can edit pupil, staff and other reference data.
    • STAFF – who can access only data relevant to the school to which they are attached.
    • CURATED STAFF – who can only see data related to records that they have themselves created.
    • PARENTS – who can access only data relevant to the pupils to which they are attached.
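The per-school scoping and four user grades described above, expressed as a deny-by-default authorisation check. This is an added illustration, not Earwig's code; the role names, classes and the two sample schools are assumptions.

```python
from dataclasses import dataclass

# The four user grades named above. Names and data structures are assumptions
# made for this illustration, not Earwig's code.
ADMIN, STAFF, CURATED_STAFF, PARENT = "administrator", "staff", "curated_staff", "parent"

@dataclass(frozen=True)
class User:
    user_id: str
    school_id: str                      # every login is attached to exactly one school
    role: str
    pupil_ids: frozenset = frozenset()  # parents only: pupils they are approved to see

@dataclass(frozen=True)
class Record:
    record_id: str
    school_id: str
    pupil_id: str
    created_by: str                     # user_id of the staff member who created it

def can_view(user: User, record: Record) -> bool:
    """Deny-by-default check: tenant boundary first, then the grade's own rule."""
    if user.school_id != record.school_id:   # no grade ever crosses schools
        return False
    if user.role in (ADMIN, STAFF):          # whole school's data
        return True
    if user.role == CURATED_STAFF:           # only records they created themselves
        return record.created_by == user.user_id
    if user.role == PARENT:                  # only pupils they are attached to
        return record.pupil_id in user.pupil_ids
    return False                             # unknown grade: deny

def visible_record_ids(user: User, records) -> list:
    """Record ids from `records` that `user` is permitted to see, in order."""
    return [r.record_id for r in records if can_view(user, r)]

# Constructed sample data for two schools (not taken from the appraisal).
SAMPLE_RECORDS = [
    Record("r1", "school-A", "pupil-1", created_by="staff-A1"),
    Record("r2", "school-A", "pupil-2", created_by="curated-A2"),
    Record("r3", "school-B", "pupil-9", created_by="staff-B1"),
]
SAMPLE_USERS = {
    "admin-A": User("admin-A", "school-A", ADMIN),
    "staff-A1": User("staff-A1", "school-A", STAFF),
    "curated-A2": User("curated-A2", "school-A", CURATED_STAFF),
    "parent-A": User("parent-A", "school-A", PARENT, frozenset({"pupil-1"})),
    "admin-B": User("admin-B", "school-B", ADMIN),
}
```

The school check runs before any role logic, so an administrator of school B is refused school A's records just as a parent would be.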

Which other consumers are likely to share the platform/service with the School?

  • The Earwig service is available only to schools and school approved parents.

OPERATIONAL SECURITY

The service provider should have processes and procedures in place to ensure the operational security of the Earwig servers. The Earwig servers will need to be operated and managed securely in order to impede, detect or prevent attacks against it. This includes:

1. Configuration and change management

Is the status, location and configuration of all components tracked throughout their lifetime within the service? How is this achieved?

  • Yes. Automatic logging.

Are changes to the service assessed for any potential security impact? How is this achieved?

  • Yes. Review before deployment.

Are changes managed and tracked through to completion? How is this achieved?

  • All new releases are tested for security impact before release.

2. Vulnerability management

Please explain how potential new threats, vulnerabilities or exploitation techniques which could affect the service are assessed and how the appropriate corrective action is taken.

  • Public security forums are monitored. No corrective action has ever been necessary.

Are sources of information relating to threat, vulnerability and exploitation technique information monitored? If so, please list the most common sources used.

  • We use Trend Micro – http://www.trendmicro.co.uk/technology-innovation/cloud/

Are known vulnerabilities within the service tracked until suitable mitigations have been deployed through a suitable change management process?

  • Known vulnerabilities are dealt with immediately.

3. Protective monitoring

What analysis system do you have in place to identify and prioritise indications of potential malicious activity?

  • We monitor logs for unusual activity.

4. Incident management

Does the incident management policy include pre-defined processes for responding to common types of incident and attack?

  • We do not experience any common types of incident.

Does the policy include a defined process and contact route for the reporting of security incidents by consumers and external entities?

  • Yes. All users have a Contact Us button on their dashboards.

Would all security incidents with relevance to the School be reported to us within agreed timescales and format?

  • Security incidents relevant to individual schools would be reported to the Earwig Administrator at that school within 24 hours.

SECURE DEVELOPMENT

Earwig servers should be designed and developed to identify and mitigate threats to their security.

Is all development of the service carried out in line with industry good practice regarding secure design, coding, testing and deployment?

  • Yes.

What configuration management processes do you have in place to ensure the integrity of the solution through development, testing and deployment? Do you follow any frameworks for this?

  • Our developers use a cut-down version of OWASP.

SECURE CONSUMER MANAGEMENT

The School may expect to be provided with the tools required to help securely manage its service. Management interfaces and procedures are a vital security barrier in preventing unauthorised people accessing and altering resources, applications and data.

1. Authentication of School staff to management interfaces

What controls are in place so that only authorised individuals from the School are able to authenticate to and access management interfaces for the service?

  • The only people who have access to this system are staff employed by client schools who are already included in the school database.

What additional controls are in place so that only authorised individuals from the School are able to perform actions affecting the consumer’s service through support channels such as telephone and email?

  • This is not a consumer service. Authorised users have access to a support helpline during office hours – 0333 6666 166.

2. Separation and access control within management interfaces

What management interfaces are available, how are they protected and what functionality is available via those interfaces?

  • Only school administrators and Earwig staff can add school staff or parents to the system. All additions and deletions are logged. Parents have very limited access and can only view (and purchase) images and records related to children which the school administrator has approved them to view.

What controls are in place so that other consumers cannot access, modify or otherwise affect the School’s service management?

  • This is not a consumer system.

IDENTITY AND AUTHENTICATION

Consumer and service provider access to all service interfaces should be constrained to authenticated and authorised individuals.

What identity and authentication controls are in place to ensure users are authorised to access specific interfaces?

  • Each user is identified through their login, and the interfaces to which they have access are defined by their status – Administrator, Staff or Parent.

Does all authentication occur over secure channels?

  • Yes.

EXTERNAL INTERFACE PROTECTION

All external or less trusted interfaces of the Earwig servers should be identified and have appropriate protections to defend against attacks through them.

How will access to the Earwig servers be securely achieved by School staff? Are there any client requirements and what protocols will be used to facilitate the access?

  • School staff are sent their login data automatically once the Earwig system has received the relevant user details by synchronising with the school database.

What physical and/or logical interfaces will the service information be available from?

  • Any online device, subject to login.

What additional controls are in place to protect and control access to School data via these interfaces, i.e. Firewalls, Intrusion Prevention Systems?

  • The Earwig system sits behind a firewall provided by Amazon Web Services, currently the biggest provider of hosting services in the UK.

SECURE SERVICE ADMINISTRATION

The methods used by the service provider’s administrators to manage the operational service should be designed to mitigate any risk of exploitation that could undermine the security of the service.

What technical approach/management model is taken by the service provider to manage the Earwig servers?

  • Only a small number of authorised people have full service management access.
  • All Earwig employees and agents have current DBS Certificates.