The following sections address common questions that arise regarding the Information Technology structure of Digital AirWare.
Is Digital AirWare Cloud Based?
Yes, all of our hardware is inside the Amazon Government Cloud.
What are the hosting options available and can we host the software?
We host the software on a variety of servers in the Amazon Government Cloud. This allows innovations to occur more quickly and avoids burdening your IT staff with giving us access for updates, firewall configurations, email servers, importing information from the FAA, flight tracking connections and the other moving parts that are necessary for Digital AirWare. We do not allow for hosting outside of Digital AirWare, but we are glad to discuss our infrastructure to ensure we exceed the compliance and regulations needed for your organization.
Is your hosted environment FedRAMP compliant?
Digital AirWare is hosted on the AWS Government Cloud, which is FedRAMP compliant. The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP is mandatory for Federal Agency cloud deployments and service models at the low and moderate risk impact levels. Additional information on FedRAMP, including the FedRAMP Concept of Operations (CONOPS) and Guide to Understanding FedRAMP, can be found at: http://www.fedramp.gov
What are our backup policies?
Amazon Relational Database Service (Amazon RDS):
Primary database backups occur daily from the RDS to cloud storage at 04:00 UTC. Backups persist for 7 days inside the RDS cloud.
Secondary database backups occur daily from the RDS to an offsite location at 04:30 UTC. Backups persist for up to 30 days.
Amazon Simple Storage Service (Amazon S3) [Documents and Images]:
Synchronized daily from the S3 to an offsite location at 04:30 UTC.
Do you allow us to keep a copy of our data?
We encourage services to use our automated data export feature. On the first of each month at 05:00 UTC, we can provide a copy of all records from the database that belong to your service. We also provide all documents and images that are stored on our site. We do not include database functions, stored procedures, views or website code. This backup is compressed into a password-protected archive and placed on SFTP on our servers.
Are SSL connections required?
Beginning at the login screen, all connections are required to be SSL. We use a 2048-bit RSA key pair.
Is there an Auto-Logout Feature?
Yes, the Auto-Logout feature is configurable from the Administrative page so that we can meet the needs of your organization. The default value is 30 minutes.
What type of database structure is used?
We use Amazon Relational Database Service (Amazon RDS) to store the data. The database engine is Microsoft SQL Server 2012.
What type of storage is used for documents and images?
We use Amazon Simple Storage Service (Amazon S3) to store documents and images uploaded by users.
What information is collected on users?
We have the capability to collect basic demographic information including name, address, phone, email, date of birth, and weight. Next of kin information can also be stored, including name, address, phone, and email for these individuals.
Users can store additional information such as driver’s licenses if they desire.
We do not collect or store Social Security numbers, credit card numbers, or patient names for any clients under any circumstances.
The FAA is a public resource that we use to automatically pull information on pilots and mechanics. This includes names, addresses, FAA medical status, and FAA licenses.
What is the policy on Payment Card Industry – Data Security Standards Compliance (PCI DSS)?
Digital AirWare does not store or utilize ATM, debit, or credit cards. Additionally, users are not allowed to store credit card information within Digital AirWare.
What is the policy on Health Insurance Portability and Accountability Act Compliance (HIPAA)?
Digital AirWare does not store any patient names or medical information. Additionally, users are not allowed to store any patient information within Digital AirWare.
What is your User Access Control for the site?
Each user is assigned to one User Role within Digital AirWare. Each User Role is assigned specific permissions (Admin rights, Mechanic, Pilot, Operational Control, etc.). The same permissions are also available in each user's profile, which allows additional permissions to be granted to an individual user.
Will you notify me in the case of a data breach?
In the event of a data breach, affected service administrators will be notified within 24 hours of the event.
What are the sources we pull information from?
We use the FAA website to gather information on pilots and mechanics as well as FAA Airworthiness Directives (ADs). We pull flight tracking coordinates from a variety of providers, including SpiderTracks (TM), Guardian Mobility (TM) and SkyTrac (TM). Electronic flight bag information is pulled from and pushed to Life Flight Network (TM) and HeliEFB (TM).
What is our user name / password policy?
User names must meet the following rules:
Must Be Unique Within The Service
Must Be Between 6 To 15 Characters Long
Passwords must meet the following rules:
Password Must Be Changed Every 180 Days (Configurable to 90 Days)
Must Be Between 8 to 15 Characters Long
Must Contain At Least 1 Upper Case, 1 Lower Case And 1 Number
Cannot Be Your Name Or User Name
Cannot Be The Same As Your Last 10 Passwords
Cannot Contain Simple Dictionary Words
What are your encryption policies?
Passwords are hashed with HASHBYTES (SHA2-512) and then encrypted using a symmetric key/certificate combination.
What are your maintenance periods?
Maintenance is scheduled to occur from 04:00 UTC to 04:30 UTC. During this period, website access is not restricted, but pages may load more slowly. Processes include creating database and document backups, Windows updates, site exports, and FAA information sync.
How is the network structured?
Digital AirWare is hosted within the Amazon Government Cloud. The hardware exists in its own cloud, isolated from other users. All user connections (ports 80 and 443) enter the cloud via the load balancer into the public-facing subnet. The machines in that subnet are able to access resources on the private subnet, including the database servers. Each item on the network is governed by both Access Control Lists (ACLs) and security groups to allow or disallow traffic.
What are the Logging And Auditing Controls in place?
All user interactions (excluding page views) are logged into a System Log, accessible by users with the user role/member profile flag ‘Administration’. Any add/edit/delete database transactions are recorded in the System Log. Logs are kept for a minimum of 30 days.
Do we have Application Partitioning?
Digital AirWare is isolated from any other applications and is a single-tenant environment.
What Anti-virus Controls are in place?
Digital AirWare uses anti-virus (Bitdefender) real-time scanning and a scheduled deep sweep scan at 05:00 UTC.
All users accessing Digital AirWare are also required to use computers that are equipped with anti-virus and anti-malware software.
How do we perform Server and Infrastructure Hardening?
All web servers are based on a Windows Server 2012 image specific to Digital AirWare. Each image has Windows Updates installed at 02:00 UTC (primary) and 03:00 UTC (secondary). Windows Firewall is used on each of these machines. Network ACLs and security groups are reviewed monthly, and port scans are performed after a network ACL or security group change.
What are our Contingency Plans/Disaster Recovery Plans?
Please see Disaster Recovery Plan