Platform Security

All information related to Gladstone Cloud and the security in place to protect the platform

Is your Cloud platform pen-tested?

Yes - we take this very seriously and have recently engaged a supplier to start looking at continuous pen-testing rather than fixed scheduled tests, so that we stay one step ahead when a new CVE is released. Current pen-test results are available on request; tests are currently completed at least yearly.

Do you actively monitor the cloud platform?

We work with a number of partners to help keep our platform as secure as possible: we actively manage logs and use AI to track and monitor suspicious usage within the platform. We are currently members of the Cyber Security Council, which allows us to keep up to date with all relevant threats. Details of the exact providers we use are available on request.

Do you have an architecture diagram I can have?

We fully document our internal infrastructure but cannot provide these externally due to their sensitivity. We can however provide basic network diagrams on request which will show general traffic flow.

How is the platform protected against cyber attacks?

The cloud platform is tested continuously, from the development of the products up to the externally facing areas of the cloud infrastructure. We have partnered with Cloudflare, who help us meet the high levels of security we look to provide our customers. Cloudflare has many built-in benefits, including DDoS protection, bot management and end-to-end encryption. To help reduce the attack surface for our UK-based customers, we block all traffic originating outside the UK by default; if you wish to disable this rule on your environment, we can do so via an opt-out process.

Gladstone also employs a dedicated Cyber Security Manager within the Infrastructure team who is responsible for the security of the Gladstone Cloud platform. This includes constant monitoring of CVEs, release patches and external threats against our platform.

Does the platform offer MFA/2FA?

We are pleased to offer MFA/2FA on our Plus2 deployment at this time. If you choose to enable this functionality, you are responsible for the secondary form of authentication, e.g. a phone or email account, that allows your users to authenticate into the platform. This functionality is currently in development for Gladstone Go and our 360 platform and will be delivered as part of the SSO work. Currently MFA/2FA is opt-in; however, as we look to increase the security of our platform, this will be changing in 2024 to be opt-out. If you wish to use this functionality, please reach out to our sales team, who can provide you with more information.

Does the platform offer SSO?

At this time, the Gladstone platform only offers SSO for its reporting tool Gladstone Reports. SSO functionality in Gladstone Go and the 360 products is currently under development. Please reach out to our sales team to find out more.

What access do Gladstone staff have to my data?

Gladstone uses a least-privilege model internally, with very few people having access to customer data. This is tightly controlled by our internal Infrastructure team, a dedicated team that looks after your environment, from performance management to data security. As we take security very seriously, we feel that having a dedicated team to manage this provides the best level of protection for our customers and their data.

Can the platform anticipate growth and grow with my usage?

The Cloud platform is continuously monitored, both from a performance view and from a security view. As part of this monitoring, we have built-in automation that scales to handle performance spikes, so no matter when your platform receives high load, our platform will scale to meet your needs - even if your members are booking a spin class at 2am! This is the power of the Gladstone Cloud platform being in Azure: we have access to unlimited resources in an instant.

How do you maintain the performance of my data?

Performance tuning can be a very skilled, expensive and time-consuming process. As part of the Gladstone Cloud platform, we take this all off your hands. There is no need to maintain your own SQL server, update your local IT infrastructure or go through painful infrastructure updates. To make sure all our customers achieve peak performance on our platform, we use AI to detect how you are using your platform and automatically apply tuning to your database 24/7. This means your environment is finely tuned to you and your usage over time, effectively getting faster the more you use it! However, we appreciate that sometimes a human touch is needed

Is the platform built for High Availability?

Uptime for us is an obsession; we pride ourselves on having built a highly available platform that is protected against outages as much as possible. The cloud platform is split across 3 availability zones, protecting it from a large number of data centre failures.

What is your uptime SLA?

We are confident in our infrastructure and our cloud platform and therefore offer a 99.9% uptime objective over a rolling 90-day period, which can be publicly monitored on our status page here. You can also subscribe to updates from this platform, along with notifications of RCA reports when issues unfortunately do occur.

What is your recovery time objective (RTO) & recovery point objective (RPO)?

As part of our disaster recovery exercises, we test at least once every 6 months to make sure we can meet these objectives. However, we cannot provide the outputs of these exercises due to the sensitive nature of what they may contain.

  • RTO - 6 Hours (Applications)
  • RPO - 6 Minutes (Data)

What TLS versions do you support?

To maintain the highest levels of security, we only support TLS 1.2 upwards. Over 90% of traffic to our platform is automatically upgraded to TLS 1.3 if the user's system can support it. This happens automatically when using Gladstone Cloud.

Do you use a WAF (Web Application Firewall)?

Yes - this is one of the ways we maintain the highest level of security possible. We have a range of default rules in place which are designed to protect our platform and your data.

Do you offer whitelisting?

Yes - by default we always whitelist our 360 platform. We can disable this by exception only, as we advise that it is locked down as best practice. We also enable geo-whitelisting on every environment by default to add an extra layer of protection to your platform. If you operate or expect to receive traffic from outside the UK, we can disable this for your platform on request.

What password policies are in place?

Password expiry is configurable by the customer, and passwords can be forced to be as complex as you want. We ship the platform with the highest security mode enabled by default, but customers are able to adjust or expand on this as they see fit. Our product set also comes with the ability to set password expiry periods and to flag a user to change their password at any point. We advise you to leave the password policy at the default setting for maximum security.

What cookies do you use?

Our applications do not use third-party tracking cookies on a standard build. Our products can, however, be modified and branded, so some environments may have been modified at customer request to contain tracking cookies.

By default, our applications use the following cookies:

  • __AntiXsrfToken - To prevent cross-site scripting within our signature products
  • ApplicationCulture - Stores the culture within the Connect application
  • ASP.NET_SessionId - ASP.NET session cookie (secure only) within our signature products
  • INGRESSCOOKIE - Used for load balancing within our Go application suite
  • .AspNetCore.Antiforgery - Part of our authentication flow within the Go application suite
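A customer verifying a build against the cookie inventory above can audit the Set-Cookie headers a response returns. The script below is an added example, not Gladstone's code: the sample headers are constructed, and the rule that session and anti-forgery cookies must carry both Secure and HttpOnly is the auditor's own baseline (the FAQ only states "secure only" for the session cookie).

```python
from typing import Dict, List, Tuple

# Cookie names and purposes as listed in the FAQ above.
INVENTORY = {
    "__AntiXsrfToken": "anti-XSRF token (signature products)",
    "ApplicationCulture": "culture setting (Connect)",
    "ASP.NET_SessionId": "ASP.NET session (signature products)",
    "INGRESSCOOKIE": "load balancing (Go suite)",
    ".AspNetCore.Antiforgery": "authentication flow (Go suite)",
}
# Auditor's assumption (the FAQ only says "secure only" for the session
# cookie): session and anti-forgery cookies must be Secure and HttpOnly.
MUST_BE_SECURE = {"__AntiXsrfToken", "ASP.NET_SessionId", ".AspNetCore.Antiforgery"}


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split one Set-Cookie value into (name, {attr_lower: value}); flags map to ""."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:  # skip empty segments such as a trailing ';'
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit(headers: List[str]) -> Dict[str, List[str]]:
    """Map each cookie name to its findings (empty list means the cookie is clean)."""
    findings: Dict[str, List[str]] = {}
    for header in headers:
        name, attrs = parse_set_cookie(header)
        issues = []
        if name not in INVENTORY:
            issues.append("not in documented inventory (custom/tracking cookie?)")
        if name in MUST_BE_SECURE:
            issues += [f"missing {a}" for a in ("Secure", "HttpOnly") if a.lower() not in attrs]
        findings[name] = issues
    return findings


# Constructed sample headers, not captured from the real platform.
SAMPLE_HEADERS = [
    "ASP.NET_SessionId=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "__AntiXsrfToken=t0ken; Path=/; Secure; HttpOnly",
    "INGRESSCOOKIE=node-a; Path=/; Expires=Wed, 01 Jan 2025 00:00:00 GMT",
    ".AspNetCore.Antiforgery=xyz; Path=/; HttpOnly",
    "_ga=GA1.2.1; Path=/",
]

if __name__ == "__main__":
    for cookie, issues in audit(SAMPLE_HEADERS).items():
        print(cookie, "OK" if not issues else "; ".join(issues))
```

Feed it the Set-Cookie values from a real response (one header per list entry) to confirm a branded build has not introduced undocumented cookies or weakened the flags on the session and anti-forgery cookies.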