
Navarik's systems are web-based and built on a common base of software code, which is used across its application systems. Navarik develops all of its systems based on open standards, employing Open Source Software where possible. A typical module comprises Linux, Apache, PHP, XML and JavaScript.
The Navarik Platform is provided as a Navarik hosted service. The infrastructure provides complete system redundancy, including full disaster recovery through an identical back-up datacenter. Navarik provides very high levels of physical and logical security, along with optimized networking performance and global content delivery. Navarik’s hosting services ensure that the Navarik application is always available, secure and tuned for optimal performance.
Navarik employs state-of-the-art security features to ensure that our customers' data is protected from unauthorized access. Navarik uses Tier N+1 (banking and military grade) hosting facilities that are manned and monitored 24x7 for physical security. The secure infrastructure provides complete system redundancy, along with very high levels of logical security across systems, networks and applications.
Take a tour of Fusepoint's Datacenter
Physical Security
Navarik uses fully managed, redundant facilities located in Toronto and Vancouver. The datacenter environments have redundant main power feeds from separate power stations, UPS diesel groups, and fire suppression mechanisms. The facilities and standard operating procedures are CICA 5970 (Canadian SOX equivalent), SAS 70 Type II, and PCI compliant. Physical access is controlled at three levels via biometric palm reading, PIN, and security cards, in addition to 24-hour guards, man-traps, reinforced concrete walls, and video recording.
Network Perimeter Defense
Navarik uses a series of best practice security measures to ensure that customers’ communications and data are protected. All traffic broadcast over the Internet is encrypted via SSL. As the traffic enters the datacenter it passes through redundant firewall and intrusion detection system (IDS) network appliances before being segmented out into appropriate VLANs.
Data Encryption
Navarik Inspection uses the strongest encryption products available to protect customers' data and communications. Navarik uses a 128/256-bit SSL certificate for encrypting end users' communication over the Internet, the same technology used in highly confidential applications such as online banking. A VPN tunnel is used to keep our datacenters synchronized. Navarik also makes use of encryption to store user passwords and offsite backups.
User Authentication
Access to Navarik Inspection is controlled by individual usernames and passwords. These are encrypted during login to further protect confidentiality. An encrypted session ID cookie is used to uniquely identify each user and only one unique user instance is permitted. Each user’s permission level is controlled by their role, allowing each user’s access to be customized to restrict access to certain types of information and/or to control the ability to alter or add information. View-only access is easily provided to improve transparency of information while maintaining data integrity.
Application Security
Although the hardware is shared, the system provides an end-to-end logical security structure that flows from the URL to the Linux file system and Oracle database. Navarik applications make use of state-of-the-art countermeasures to protect against web application specific attacks such as SQL injection and cross-site scripting. Navarik also manages all system patches to ensure that the latest security patches are applied.
Core Systems Security
Procedures are in place to ensure that the Core Systems within the infrastructure are running the most recent stable versions of operating systems, firmware, libraries, utilities and applications, with security patches applied and vulnerabilities closed as soon as they are identified by reputable security services. A similar process is in place to deal with any security vulnerabilities as they relate to all network services.
Database Security
The database schemas are secured using Oracle’s built-in security mechanisms such as DataGuard. In addition, Oracle databases are set up following best practices for security.
Data Protection
All data entered into Navarik Inspection is owned by that particular customer. To maintain the accountability of inspectors/expeditors for the contents of their worksheet results, customers are unable to modify information submitted directly. If a worksheet result requires updating, the operator can request a retest allowing the originating inspector to make updates. Important user actions, such as editing of data records, are logged with the full name of users making changes. This facilitates traceability and encourages user accountability.
Optimized Network Performance
Navarik uses Akamai’s Web Application Accelerator product to optimize network performance in delivering application content. With 20,000 plus servers located around the world, this private network uses multiple performance optimization techniques such as optimized routing and caching on servers closest to a customer's location. This means that the Navarik application is delivered at speeds up to 5 times faster than the average Internet speeds for a given location, and is impervious to performance-impacting anomalies caused by regional events impacting the Internet flows, such as attack traffic, peering disruptions, or damage from earthquakes to internet cables.
Reliability and Backup
Off-site tape backup is done via a management VLAN within the primary datacenter. Full backups occur one time per week with incremental backups done daily. The backup is written to tape in an encrypted format and stored off site. All systems are completely N+1 redundant, both within a single facility as well as across physical facilities. This includes physical servers, application and database servers, data storage filers, power supplies, network appliances, and Internet feeds along with a mechanism to keep the data within datacenters synchronized.
Disaster Recovery
In the event of a disaster at the primary datacenter, the secondary datacenter comes online to take responsibility for delivering the service. Should a catastrophic disaster such as fire or earthquake occur, disaster recovery is provided by fail-over systems from the primary to the secondary facility; the two are located in different cities on opposite ends of the continent. All traffic will route dynamically to the second datacenter via Akamai’s global load balancing capabilities. The second datacenter operates until an assessment can be made on the condition of the failed datacenter and the equipment.
