Sentinel Platform Security

Data protection by design

Data security is of paramount importance, which is why all Sentinel's solutions feature in-built data protection and settings to help organisations comply with the General Data Protection Regulation (GDPR), the Caldicott Principles and other controls relating to the use and sharing of personal or sensitive personal information.

Built using a ‘Data Protection by Design’ approach, all our systems, services, solutions and products safeguard individuals’ privacy and security and ensure compliance by ensuring access is strictly controlled and audited.

The Sentinel Data Platform is designed and built, in accordance with the ICO Principles of Data Protection by Design. These principles have always remained the underlying foundation of our evolving technology through-out the passing of GDPR and the DPA 2018.

Key elements of our Data Protection by Design approach

• All data in transit and data at rest are encrypted as required
• Sentinel's Data Integrated Platform is made up of two levels: the underlying Data Hub and the Portal Application layer. There are partitions built into the connection between these two levels as part of the in-built Cyber Security controls
• The Data Platform Hub - which holds the data - can only be accessed through secure and encrypted channels
• User access to the Data Platform Hub is controlled by the Portal layer and is managed via a User ID, Strong Password and Multi-Factor Authentication
• User access within the Portal is restricted via a roll-based security model
• User access within the Portal is subject to a full audit trail, which includes display access as well as creation, maintenance, and deletion
• User Portals are configured on the strict principle that user can only see what they need to see
• All automated data processing is subject to configurable and transparent rules
• There is a full audit trail and exception reporting for each active data rule
• Data processing through our Data Hub is subject to a strict sequence whereby data must be validated and approved for quality before any attempt is made to match it with other records
• Role-based access control at database level via username and password plus IP address whitelisting

Key features and benefits

Built-in data protection

All data collected by our platform is protected by default and can be fully encrypted.

Data Residency

Control where the data is stored and processed.

Controlled access

Standard users never see or gain access to, the central hub. Instead, they view the information they need via individually configured portal screens.

Data in one place

No data is downloaded or stored on remote devices. Instead, it is held centrally within the Sentinel Data Platform.

Automated alerts

Portal screens can be set up to issue alerts and warnings, without revealing potentially confidential source data.

Secure hosting

Like all our solutions, the Sentinel Data Platform can easily be integrated, either with existing IT networks or a secure cloud that is hosted remotely.

Full access history

All data access history is logged enabling clients to track which records have been viewed, any amendments that have been made and when new records have been created.

Fully Accredited

We offer PGA-accredited hosted environments to provide Official (IL2 - IL3) services for personal and sensitive personal solutions, using our G-Cloud framework hosting partners. The data centres we use are accredited to IL3 and appropriate to IL4 for physical security.

Safe, Secure, Trusted

• Over 10 Years of experience in security and compliance requirements for handling personal and sensitive data
• Specialists in providing data solutions to support vulnerable people or children
• All products and solutions built in accordance with ICO Data Protection By Design
• ISO 27001, ISO 9001 and Cyber Essentials Plus accredited

Multi-Factor Authentication

Implements multi-factor authenicatioin to prevent unauthorised access. SMS, Email and Active Directory access available.

IP Blocking

IP Blocking by range or location at Platform level and web infrastructure level (Cloudflare)

Role Based Access Control

Role-Based Access Control (RBAC) to control user permissons across the platform

Just-in-time Access

Personalised Access, No Generic User, Just-In-Time role-based user access

Encrypted at rest and in transit (VPN, BGP)

• We apply all standard Azure security features including Multi-layer Firewall, Encryption at Rest and dedicated VPN connection
• Data transfer is only conducted through dedicated VPN (IPSEC) and SFTP connections
• As a standard for all user portal connections and any on-line service calls and require the use of SSL certificates (online encryption)

Microsoft Azure Security

User access controls

All data in Azure irrespective of the type or storage location is associated with a subscription. A subscription is a resource isolated within a tenant.

A cloud tenant can be viewed as a dedicated instance of Azure Active Directory (Azure AD) that your organization receives and owns when you sign up for a Microsoft cloud service. The identity and access stack helps enforce isolation among subscriptions, including limiting access to resources within a subscription only to authorized users.

Compute isolation

Azure provides both logical and physical compute isolation for processing. Logical isolation is implemented via:

• Hypervisor isolation for services that provide cryptographically certain isolation by using separate virtual machines and using Azure Hypervisor isolation
• Drawbridge isolation inside a virtual machine (VM) for services that provide cryptographically certain isolation for workloads running on the same virtual machine by using isolation provided by Drawbridge. These services provide small units of processing using customer code
• User context-based isolation for services that are composed solely of Microsoft-controlled code and customer code is not allowed to run. In addition to robust logical compute isolation available by design for all Azure-based tenants, if a solution needs physical compute isolation, Azure offers Dedicated Host or Isolated Virtual Machines which can be deployed on server hardware dedicated to a single customer

Networking isolation

Azure Virtual Network (VNet) helps ensure private network traffic is logically isolated from traffic belonging to other customers. Services can communicate using public IPs or private (VNet) IPs. Communication between VMs remains private within a VNet. VNets can connect via VNet peering or VPN gateways, depending on project connectivity options, including bandwidth, latency, and encryption requirements. We can also use Azure network security groups (NSGs) to achieve network isolation and protect resources from the Internet while accessing Azure services that have public endpoints. Azure offers Virtual Network service tags to define network access controls on network security groups or Azure Firewall. A service tag represents a group of IP address prefixes from a given Azure service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change, thereby reducing the complexity of frequent updates to network security rules. Azure also offers Private Link to access Azure PaaS services over a private endpoint within a VNet, ensuring that traffic between VNet and the service travels across the Microsoft global backbone network – this eliminates the need to expose the service to the public Internet. Finally, Azure also provides options to encrypt data in transit, including Transport Layer Security (TLS) end-to-end encryption of network traffic with TLS termination using Key Vault certificates, VPN encryption using IPsec, and Azure ExpressRoute encryption using MACsec with customer-managed keys (CMK) support.

Storage isolation

To ensure cryptographic certainty of logical data isolation, Azure Storage uses data encryption at rest using advanced algorithms with multiple ciphers. This process relies on multiple encryption keys and services such as Azure Key Vault and Azure AD to ensure secure key access and centralized key management. Azure Storage service encryption ensures data is automatically encrypted before persisting it to Azure Storage and decrypted before retrieval. All data written to Azure Storage is encrypted through FIPS 140 validated 256-bit AES encryption and can use Key Vault for customer-managed keys (CMK). Azure Storage service encryption encrypts the page blobs that store Azure Virtual Machine disks. Additionally, Azure Disk encryption may optionally be used to encrypt Azure Windows and Linux IaaS Virtual Machine disks to increase storage isolation and assure cryptographic certainty of any data stored in Azure. This encryption includes managed disks.

Security assurance processes and practices

Azure isolation assurance is further enforced by Microsoft’s internal use of the Security Development Lifecycle (SDL) and other strong security assurance processes to protect attack surfaces and mitigate threats. 

All of our Azure hosted client tenancies include

• Stand-alone Azure tenancy to host services privetly and securely

• Production and Non-production  environments completely separated

• Secure network design with built-in security