Creatrix Campus Infrastructure and Cloud Platform Security - v1.1

Creatrix Campus provides a secure learning management system hosted with Rackspace cloud services. Rackspace implements strong physical and environmental controls over their data centers, as well as network security measures. Creatrix also uses identity and access management, encrypted connections, and session security to protect user data and prevent unauthorized access. Audits have found Creatrix and Rackspace comply with certifications for security, availability, and privacy.

Uploaded by Ajesh Pillai

Creatrix Campus Infrastructure and Cloud Platform Security

Disclaimer:
The following description of the general product direction is for informational purposes. Anubavam makes
no commitment of any kind, either express or implied, to deliver any material, code, or functionality for a
particular purpose, and no commitment of any other nature is made with respect to the development, release,
and timing of any features or functionality of the Creatrix product to which this information refers.

1. Introduction

Anubavam's Creatrix product has been used by educational institutions and
organizations for learning management systems around the world. Anubavam
realizes that helping to protect our educational institutions' data, ensure proper
security regulations, and mitigate any potential risk is essential to building trust
and delivering a high level of service. Anubavam takes a risk-based approach
to security, and this paper details the many different measures and
technologies in place to protect our customers. Anubavam has a strong
security culture and formal security policies.

Creatrix Campus provides the following security capabilities.

1. Assurance: Ability to independently verify how data is being stored, accessed,
and protected against unauthorized access and modification.

2. Control: Security mechanisms to control who can access data and under
which conditions.

3. Visibility: Logs providing visibility into accounts and resources.

4. Auditing: Ability to audit resources to maintain their security configuration.

5. Security: Services that are designed, coded, tested, deployed, and managed
securely.

6. Out-of-the-box integration: Seamless integration with external applications
such as identity and access management and other LMS applications.

1. Infrastructure Security

The Creatrix Campus platform and learning management system are hosted with
the Rackspace cloud service provider. Rackspace provides a multi-layered approach
to securing our services and infrastructure that meets the strictest industry
standards, including ISO 27002 and 27001, PCI-DSS, SSAE16, SOC 1, 2, and 3,
Privacy Shield and Content Protection and Security Standard requirements.

Creatrix Campus 2018. All rights reserved.


1.1. Physical Security

Each Rackspace data center is restricted by biometric authentication, key
cards, and 24x7x365 surveillance. This ensures that only authorized
engineers have access to routers, switches and servers. Entrances are manned
24 hours a day, 365 days a year by security guards who perform visual identity
recognition and visitor escort management.

Rackspace has implemented several physical security measures to secure its
data centers:

• Data center access is limited to Rackspace data center technicians.
• Biometric scanning and keycards for controlled data center access.
• Security camera monitoring across all data center locations.
• 24x7 onsite support staff provide extra protection against unauthorized entry.
• Unmarked facilities to help maintain a low profile.
• Authorized users are only granted access to appropriate systems and
resources.

1.2. Environmental Controls

• Precision Heating, Ventilation and Air Conditioning (HVAC) environments.
• Humidity and temperature control system.
• Redundant HVAC systems for immediate failover.
• N+2 redundant chiller configuration with a combination of centrifugal chillers,
cooling towers, chilled water loop pumps and condenser water loop pumps,
with redundant water sources.

1.3. Power

• Our power systems provide conditioned power, protecting against sags, surges,
swells, spikes and electrical noise.
• Uninterruptible power supplies (UPS) with instant failover plans for continuity
during a power outage.
• Diesel generators to pick up the load quickly during extended outages.

1.4. Network Security

• Rackspace's robust network includes nine backbone providers, allowing traffic
to be shifted as needed. This configuration, co-developed with Cisco, guards against
single points of failure at the shared network level (extendable to VLAN
environment).
• Rackspace network infrastructure devices are located in physically secure
data centers with tightly controlled access. All visitors and authorized
contractors are logged and escorted, and a host of physical security measures
are in place to protect data.
• Local console access to network devices is restricted to authorized individuals
and requires access to the physical location and the correct username and
password configuration.
• Redundant internal networks.
• High bandwidth capacity.
• Redundant routers are configured for high availability.
• IDS/IPS. The Rackspace network is monitored by powerful Intrusion Detection /
Intrusion Prevention Systems.

2. Security Certifications and Standards

The compliance and validation phase is an important collection of audit and
review activities that provide assurance that our implemented controls are
designed and operating effectively and are aligned with the policies set by the
security organization. The Creatrix Campus application is hosted with the Rackspace
cloud service provider and adheres to the following information security and
related certifications and standards.

• ISO 2700

• ISO 27001

• PCI-DSS (PAYMENT CARD INDUSTRY DATA SECURITY STANDARD)

• SSAE1

• SOC 1

• SOC 2

• SOC 3

• SAFE HARBOR

• CONTENT PROTECTION AND SECURITY STANDARD (CPS)

3. External Audits (SOC 1 and SOC 2 Reports)

SSAE16 is an AICPA (American Institute of Certified Public Accountants)
auditing standard intended to provide customers and prospects with
third-party validated visibility of a service provider's controls.

The Creatrix Campus application is hosted with the Rackspace cloud service provider,
and Rackspace has undergone SSAE16 Type II SOC1, SOC2 (Security and
Availability only), and SOC3 audits covering all data center facilities globally.
The report is available and shared with customers on demand after signature
of appropriate Non-Disclosure Agreements.

4. System Security

Creatrix is designed to support an institution's own internal security policies and to
provide rigorous protection from internal or external intrusions. Creatrix has
been designed to achieve a high level of security by providing an
uncomplicated, usable approach to user authentication, system access, and
role-based, hierarchical permissions management.

4.1 Identity and Access Management

The Creatrix Campus platform supports Single Sign On (SSO) and integration
with various authentication solutions including Active Directory, LDAP and
SAML/Shibboleth. Additionally, User ID and Password credentials from any
third-party system can be synchronized with Creatrix Campus local
authentication via the API.

For Creatrix Campus, passwords are never stored in plain text. Passwords are
securely hashed via the SHA-512 cryptographic hash algorithm with a
randomly generated "salt" value. The resulting signature and salt value are
then stored. When users attempt to authenticate, their credentials are passed
through the same process and the resulting signature is checked against the
stored signature. This process is exclusively unidirectional and passwords
cannot be derived from their stored signature.
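
The store-and-verify flow described above, as an added Python sketch (not Creatrix code). The page does not say how salt and password are combined or whether the hash is iterated, so `SHA-512(salt || password)`, the `$`-separated record format, and the PBKDF2 variant with its iteration count are assumptions; the example goes beyond the page by also showing a stretched form of the same hash and flagging single-pass records for re-hashing at login.

```python
import hashlib
import hmac
import secrets

# Assumed work factor for the stretched variant; tune it to your hardware.
PBKDF2_ITERATIONS = 210_000


def hash_salted_sha512(password):
    """Single-pass salted SHA-512, the flow the section describes.
    Assumption: digest = SHA-512(salt || password)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.sha512(salt + password.encode("utf-8")).digest()
    return f"sha512${salt.hex()}${digest.hex()}"


def hash_pbkdf2_sha512(password, iterations=PBKDF2_ITERATIONS):
    """Same hash function, stretched with PBKDF2 so each guess costs more."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2-sha512${iterations}${salt.hex()}${digest.hex()}"


def verify(password, record):
    """Recompute the digest from the stored salt and compare.
    Returns (ok, needs_rehash); needs_rehash is True when a correct login
    used a single-pass record or one below the current work factor."""
    parts = record.split("$")
    pw = password.encode("utf-8")
    try:
        if parts[0] == "sha512" and len(parts) == 3:
            salt, stored = bytes.fromhex(parts[1]), bytes.fromhex(parts[2])
            candidate = hashlib.sha512(salt + pw).digest()
            weak = True
        elif parts[0] == "pbkdf2-sha512" and len(parts) == 4:
            iterations = int(parts[1])
            salt, stored = bytes.fromhex(parts[2]), bytes.fromhex(parts[3])
            candidate = hashlib.pbkdf2_hmac("sha512", pw, salt, iterations)
            weak = iterations < PBKDF2_ITERATIONS
        else:
            return False, False
    except (ValueError, OverflowError):
        # Malformed hex or iteration count: treat as a failed login.
        return False, False
    # Constant-time comparison avoids leaking how many bytes matched.
    ok = hmac.compare_digest(candidate, stored)
    return ok, ok and weak


if __name__ == "__main__":
    record = hash_salted_sha512("constructed-sample-password")
    print(verify("constructed-sample-password", record))
```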

4.2. Protocol and Session Security

Connection to the Creatrix platform is via TLS cryptographic protocols with
RSA encryption, ensuring that customers have a secure connection from their
browsers to our service. Individual user sessions are identified and re-verified
with each transaction, using a unique token generated at login.

4.3. Cross-Site Scripting (XSS) Security

The Rackspace service provider offers significant protection against traditional
network security issues such as distributed denial of service (DDoS) attacks,
man-in-the-middle attacks, IP spoofing, and port scanning. The hosting service
provider supplies a unique hardware-based protection system, which comes with
hardware-based firewall protection system monitoring and alerting technologies to
identify an attack in network-level packets, followed by precision elimination of
DDoS traffic to mitigate its effects.

Continuous monitoring compares current traffic to a custom profile of the
server's normal network and port behavior. Anomalous behaviors immediately
trigger an email alert to the network security team.

Anubavam uses network protection devices, including firewalls, to monitor and
control network communications at the external boundary of the network and
at internal boundaries within the network.

These network boundary devices employ traffic flow policies, or access control
lists (ACLs), that enforce the flow of traffic. Firewalls are deployed in a layered
approach to perform packet inspection, with security policies configured to
filter packets based on protocol, port, and source and destination IP address to
identify authorized sources, destinations, and traffic types.

We also use network vulnerability assessment tools to identify security threats
and vulnerabilities. Formal procedures are in place to assess, validate, prioritize,
and remediate identified problems.

4.4. File Upload and Download Security

User-uploaded files are stored with unique names and folders in the Files
repository on a storage server. The institution's admin has an option to
encrypt and store the uploaded files with a hash algorithm and a randomly
generated "salt" value. All file download requests require unique authorization
keys.

4.5. Data Security

Connection to the Creatrix Campus service is via Transport Layer Security
(TLS), ensuring that its customers have a secure connection to their data.
Individual user sessions are uniquely identified and re-verified with each
transaction.

Application logs record the creator, last updated, timestamps, and originating
IP address for every record and transaction completed. Application passwords
are not accessible by Anubavam personnel.

Data to be saved is built using placeholders, and a framework for escaping
user input is used; strings are never directly concatenated or
interpolated. No user can change data arbitrarily, and all lookups are scoped to
the appropriate user and context.

Before the user is allowed to see or save anything, their permission
capabilities are verified. Each permission capability is annotated with the
appropriate risks. Where appropriate, restrictions are enforced according to group user
roles.

4.6. Data Security through Redundancy and Versioning


To protect against malicious or accidental data deletion, Creatrix stores data
redundantly with a secondary slave storage server.

Database backups are taken hourly, and each hourly backup is retained for
3 days. Daily database backups are taken and retained for 3 months. Weekly
snapshots are taken and retained for a month. Monthly snapshots are taken
and retained for a year.

Application files are synced to secondary cloud storage on RAID 10 as a
separate continuous backup.

5. Data Segregation

Creatrix is a highly scalable and redundant multi-tenant Software-as-a-Service
(SaaS) application.

Creatrix provides an option to share one physical instance of the Creatrix
system among multiple institutions while isolating each institution's data. Every user
ID is associated with exactly one institution, which is then used to access the
Creatrix application. All instances of Creatrix application objects (such as
Institution, Instructor, Student, etc.) are tenant-based, so every time a new
object is created, that object is also irrevocably linked to the user's institution.
The Creatrix system restricts access to every object based on the user ID and
maintains these links automatically.

The Creatrix system restricts access to objects based on the user ID and
tenant. When a user requests data, the system automatically applies an
institution filter to ensure it retrieves only information corresponding to the
user's institution.
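
The institution filter described here and the placeholder-based queries from section 4.5, combined in one added Python example using `sqlite3` (not Creatrix code). The schema, the `TenantSession` class and the sample rows are hypothetical and constructed for illustration.

```python
import sqlite3


def make_db():
    """Build an in-memory database with constructed sample rows.
    Hypothetical schema: users and students each carry an institution_id."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY,
                            institution_id INTEGER NOT NULL);
        CREATE TABLE students (id INTEGER PRIMARY KEY,
                               institution_id INTEGER NOT NULL,
                               name TEXT NOT NULL);
    """)
    db.executemany("INSERT INTO users VALUES (?, ?)", [(1, 10), (2, 20)])
    db.executemany(
        "INSERT INTO students (institution_id, name) VALUES (?, ?)",
        [(10, "Asha"), (10, "Ben"), (20, "Chen")],
    )
    return db


class TenantSession:
    """Resolves the user's single institution once, then adds it to every query."""

    def __init__(self, db, user_id):
        row = db.execute(
            "SELECT institution_id FROM users WHERE id = ?", (user_id,)
        ).fetchone()
        if row is None:
            raise PermissionError("unknown user")
        self.db = db
        self.institution_id = row[0]

    def find_students(self, name_pattern):
        # User input travels only as a bound parameter, never as SQL text.
        # The tenant filter is applied here, not supplied by the caller.
        return self.db.execute(
            "SELECT id, name FROM students "
            "WHERE institution_id = ? AND name LIKE ? ORDER BY id",
            (self.institution_id, name_pattern),
        ).fetchall()

    def add_student(self, name):
        # New objects are linked to the creator's institution automatically.
        cur = self.db.execute(
            "INSERT INTO students (institution_id, name) VALUES (?, ?)",
            (self.institution_id, name),
        )
        return cur.lastrowid

    def rename_student(self, student_id, new_name):
        # A row id from another tenant matches zero rows and changes nothing.
        cur = self.db.execute(
            "UPDATE students SET name = ? WHERE id = ? AND institution_id = ?",
            (new_name, student_id, self.institution_id),
        )
        return cur.rowcount == 1


if __name__ == "__main__":
    session = TenantSession(make_db(), user_id=1)
    print(session.find_students("%"))
```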

6. Encryption of Data at Rest (Database Security)

Creatrix Campus communicates with a database via a heavily firewalled
virtual network.

To ensure that your data remains protected on the storage server, you can enable
encryption of the data in Creatrix Campus. Data encryption in Creatrix Campus
is done using a symmetric key, which is stored in a database and is encrypted
by using a public/private key pair.

When a file is stored in Creatrix Campus, it is first stored in the local disk cache
in its original form. The file is encrypted before it is uploaded to Storage Server.
When a file is retrieved from Creatrix Campus Storage Server, the data is
decrypted while it is being streamed to the local disk cache.

To enable encryption for a file system, you must select the Enable Encryption
check box during the creation of a new file type field in the Creatrix platform
web console.

Users control what is encrypted, so that encryption is applied only to
sensitive assets, which increases storage efficiency.

7. Encryption of Data in Transit (Network Security)

All data traffic in and out of Creatrix Campus is encrypted using TLS to ensure
that no vulnerabilities are present.

• Strong authentication, data privacy, and integrity - TLS can help to secure
transmitted data using encryption. It also authenticates servers and, optionally,
authenticates clients to prove the identities of parties engaged in secure
communication. It also provides data integrity through an integrity check value.
In addition to protecting against data disclosure, it’s used to help protect
against masquerade attacks, man-in-the-middle or bucket brigade attacks,
rollback attacks, and replay attacks.

• Interoperability - Works with most Web browsers, and on most operating
systems, Web servers and a variety of other applications.

• Algorithm flexibility - Provides options for the authentication mechanisms,
encryption algorithms, and hashing algorithms that are used during the secure
session.

8. Data Backup

The database is replicated in real time to a slave database maintained at an
offsite data center. A full backup of the database is taken each day and stored at
the offsite facility. Backups of the database and transaction logs are encrypted
for any database which contains customer data.

Database backups are taken hourly, and each hourly backup is retained for
3 days. Daily database backups are taken and retained for 3 months. Weekly
snapshots are taken and retained for a month. Monthly snapshots are taken
and retained for a year.

Application files are synced to secondary cloud storage on RAID 10 as a
separate continuous backup.

9. Disaster Recovery

System and customers' data are backed up on a regular basis using
asynchronous encrypted data transfer to offsite storage to ensure that client
services can be restored quickly in the event of a disaster.

Anubavam maintains a Disaster Recovery environment for Creatrix Campus
with replication of the production environment. In the event of an unscheduled
outage where the outage is estimated to be greater than a predefined
duration, Anubavam executes its Disaster Recovery plan. The database is
replicated to the Disaster Recovery data center, new instances are brought up,
and customers are redirected to the Disaster Recovery data center. The
Disaster Recovery Plan is tested once every six months.

10. Unified Security Model

Security within Creatrix Campus is provided on multiple levels: a dynamic
firewall, token-based API calls, user permissions, and SSH-based secure access
to the server. The goal is to prevent customer workloads and data from being
accessed by unauthorized users and systems. This includes user access,
system integration, reporting, mobile device, and IT access. Everyone must log
in and be authorized through the Creatrix Campus security model.

IT and DBA personnel cannot bypass the application layer of security to
access the data directly at the database level.

11. Logical Security

Creatrix Campus security access is role-based and supports X.509 certificate
authentication for both user and web services integrations. Creatrix Campus
lets users select an authentication type in situations where
organizations wish to use multiple authentication types for users.

11.1 Delegated Authentication

The Creatrix Campus platform supports Single Sign On (SSO) and integration
with various authentication solutions including Active Directory, LDAP and
SAML/Shibboleth.

Creatrix Campus supports delegated authentication via an external cloud
or on-premise LDAP server such as Microsoft Active Directory or OpenLDAP. This
allows the institution's admin team to disable a user account centrally from the
LDAP server without the need to log in to Creatrix Campus.

11.2. Single Sign-On Support

The Creatrix Campus platform supports Single Sign On (SSO) and integration
with various authentication solutions including Active Directory, LDAP and
SAML/Shibboleth. Single Sign-On (SSO) is configured at the Institution level.
SSO gives the institution full control over which users are authenticated and
how that authentication is performed.

LDAP Delegated Authentication allows institution users to have the same
username and password for both their internal applications and Creatrix
Campus, but it still requires the user to log in twice. SAML takes the next step and
allows for a seamless, single sign-on experience between the institution's
internal web portal and Creatrix Campus.

Users log in to their institution's internal web portal using their
username/password and are then presented with a link to Creatrix Campus,
which automatically gives them access without having to log in a second time.

11.3. Creatrix Native Login

For customers who wish to use Creatrix’s native login, Creatrix only stores their
password in the form of a secure hash as opposed to the password itself.

Unsuccessful login attempts are logged as well as successful login/logout
activity for audit purposes. Inactive user sessions are automatically timed out
after a specified time, which is customer configurable by user or role. Customer
configurable password rules include length, complexity, expiration, and
forgotten password challenge questions.

12. Authorization

The Creatrix Campus application enforces group policy-based security for
authorization. The application prevents institution end users from directly
accessing the database. Creatrix Campus security group roles combined with
predefined security policies grant or restrict user access to functionality,
modules, API calls, reports, and data.

Institution-configurable security groups are based on users, roles, groups, and
institution. Institution admins can thereby tailor these groups and policies to
meet their needs, providing as finely grained access as required to support
complex configurations, including global implementations.

www.creatrixcampus.com | [email protected]

www.facebook.com/CreatrixCampus www.twitter.com/creatrixcampus

www.linkedin.com/company/creatrix-campus
