
News Release

Security Architecture of iMarket

Posted Date: 9/27/2006
Udirect PR: Kristine Chng
kristine.chng@Udirectasia.com
September 22, 2006

System Overview

The web-based application will be deployed from central servers in Kuala Lumpur and the application will be provided via secure connection to satellite offices in Singapore and across regionally on demand.
Security Design

The design of the system is intended to achieve the following security goals:

▪ Data Integrity
▪ Security of Database
▪ User Access Control
▪ Auditing & Monitoring

The servers are protected in a DMZ by a firewall, and each server will be hardened as per FIRST.org (Forum of Incident Response Teams) guidance.

Overall Security Design Summary

The user will access the site via HTTPS (Secure HTTP), the standard method of connecting to secure sites; it is the same method used by e-commerce systems, for example when paying for goods at amazon.com. HTTPS will be used even where offices are connected by a leased line. Encryption will use 128-bit keys.

User Login

All users will be required to log in with a user ID and password. Each user ID will have an entry in the access control list (“ACL”), managed via the LDAP protocol, which allows fine-grained control of which users can edit, add, delete, export or print data.

Data Security

The database will be held in a physically secure data centre. The data centre will run on a “lights out” policy, under which systems engineers access the machines physically only for maintenance. Database access will also be controlled by the ACL, so that all Database Administrator operations are both controlled and monitored. The application itself is a Rich Client Application that uses the Macromedia Flash engine to present the data, so data traffic is not exposed as HTML pages, only as Flash objects.

Transmission Security

As noted above, all data will be transmitted over TCP/IP encrypted with SSL. New session tokens are calculated for each login, so the effort required for a “brute force” attack on a session would be unrealistically high.

Process Monitoring

All system security patches will be applied rigorously, so that any operating system, database or other vulnerability is closed promptly. The Aroma team will transition this role to Udirect staff, who will be trained appropriately.

Auditing and Logging

Full logging of all system, database and ACL events will be recorded for forensics and service quality analysis.

Copyright © 2006 Udirect