Your data security
Q&A with Harbour Assist Chief Tehnology Officer, Graham Laidler
We are working in an increasingly digital world; the days of writing letters, posting invoices and handling cheques are rapidly receding. Most marina operators use some form of customer database either hosted on the Cloud or on a local server, and of course, we all handle card payments.
How is all of this data kept secure from accidental or malign misuse? We had a chat with Graham Laidler, the Chief Tecnology Officer for Harbour Assist.
Q: How does Harbour Assist’s security compare with other marina management or CMS systems?
A: Our cloud-based model gives us a huge security advantage; agility. As new threats evolve, we can adapt our security model accordingly, and deploy updates across all our customers in a truly automated fashion.
Non-cloud providers simply can’t react as quickly as us simply due to the number of deployments they must manage on different networks.
Q: How can a small organisation provide the levels of data security we all expect?
A: Right from the start we knew that Harbour Assist had to be agile in structure and able to take advantage of global leaders.
Because we’re a small, lean team, we have set-up processes to automate data management tasks. When things are automated, human error is far less likely and we can deliver predictable processes repeatedly.
We choose to use Microsoft hosting, rather than having our own servers. Microsoft hosting means we can absolutely control all security aspects of our platform; we leverage decades of experience that Microsoft bring to the table.
Their data centres are like Fort Knox; no-one can enter, and no-one can plug a USB drive into any server (see the videos below). They have very tight physical and logical security. Far more security than you would ever find in a normal office environment, which is where many of our legacy competitors install their software.
Q: How is your data security tested?
A: We are accredited to the UK government’s G-Cloud as an official supplier and we comply with the Payment Card Industry Data Security Standard, as a PCI Level 2 service provider. Importantly, we work with Microsoft data centres which are certified ISO27001, ISO2000, ISO9001 and CSA STAR assured – providing infinitely greater data security than an on-site or local server.
We follow and are tested against industry leading OWASP guidelines. An external cyber-security firm is employed to perform regular penetration tests against Harbour Assist – effectively they act as ‘hackers’ paid by us, and actively try to break the security. Likewise, our hosting partner Microsoft continuously penetration tests their own products.
“We take data security very seriously.”Graham Laidler, CTO
Q: Where exactly is the data stored?
A: Harbour Assist uses Microsoft’s “Azure” Cloud, located in their Dublin data centre. If regulations change after Brexit and we need to move to a UK-based data centre, Microsoft has the capability to provide a continuous service.
Q: How is my marina data kept separate from my competitors?
A: This gets a bit technical, but it is all about separation. Each Harbour Assist customer (aka ‘Tenant’) has their own database – our public-sector and large corporate customers require total isolation.
Unlike some cloud providers we don’t mix customer data together with a ‘Tenant-identifier’ against each record telling the system which Tenant the record belongs to – we provision a self-contained SQL server database for each Tenant. This is technically more complex to do in an automated fashion, but it gives us a few advantages:
- Problems with one Tenant causing performance problems on another Tenant (‘Noisy Neighbours’) is eliminated as each database has its own CPU and memory space.
- New Tenants can be added without any impact on existing Tenants; we can comfortably host every marina on the planet using our architecture.
- Tenants can be versioned independently. This isn’t something we usually do, but if a customer is dying to try the latest and greatest feature, we can allow them Beta Access without other Tenants being affected.
Q: How do marinas assure their customers that the portal is safe?
A: For the customer (and the marina operative), the key information is to look for the ‘padlock’ at the top of the browser; this indicates that you are viewing the ‘real’ website, and that all data between your phone/device and Harbour Assist is encrypted.
Clicking on the padlock gives the user more information about the encryption used – we use the latest cryptographic keys to ensure the data is securely encrypted.
Q: What access do marina staff have to customer bank and financial information?
A: The marina can’t access a customer’s bank account nor view any account or card information. At no point is the card number exposed to a marina member of staff unless they are typing it in – as soon as they have typed it, it’s hidden from view and is non-retrievable.
We use a leading global payment provider to process Credit and Debit card transactions. One of the features it offers is a ‘Card Vault’, where the provider securely stores a highly encrypted version of the card. This allows the card to be re-used for subsequent transactions without having to retype the card details – similar to how Amazon does it.
We’ve added a further level of security by requiring the 3 digit CV2 number to be entered every time a vaulted card is used.
Q: How is data breech by marina staff mitigated?
A: A major benefit of having unlimited users means that all marina staff can have a unique username and password, creating an audit trail. Every time a user signs on, all actions are logged with a full audit trail of which customer records each user has viewed.
Each user has a specific set of permissions (set by the local admin) as well as controls over which Site (for multi-site operators) they are allowed to see. All updates and creation of records are marked with a flag indicating who did the modification and when.
How can we help your business?
If you’d like to talk about how Harbour Assist can help your business to operate more securely, email Nick direct firstname.lastname@example.org