System Architecture

DMS is provided as a cloud-based service and therefore requires no installation at the customer, partner or supplier site. Central to the architecture is a SQL database and a web service, to which both the web and the Win32 clients connect over secure SSL connections.

Server

For each project managed by DMS an ‘instance’ is created. Each instance runs on its own individual server. The server installation uses an industry standard toolset referred to as LAMP (Linux, Apache, MySQL, PHP), using Ubuntu Server (LTS version) as the Linux component. The other server components either run as a subset of another component or run under secure non-interactive accounts. The other components are:

Linux and all component sources are monitored for patch releases, and new patches are tested in the lab before being released (if appropriate) to live servers.

Clients

Access to DMS is provided via a URL which is given to the services partner when the instance provisioning is complete. This URL is the point of access into the instance for all users of DMS, whether end users (should the User Portal be used), project team members or partners.

The URL provides access to the DMS Web Console, which is served over an SSL network connection so that all network traffic is encrypted. All the web (portal) based interfaces run from the DMS Web Console and use a combination of HTML, CSS and JavaScript. The DMS Console is also launched from the Web Console; although it is a Win32 application it does not need to be installed. The DMS Console likewise uses an SSL network connection so that all traffic is encrypted, and it is digitally signed with a code signing certificate so that its authenticity can be verified.

Service

DMS servers reside within the data centre facilities of Memset, which meet the criteria of a Tier III data centre as specified by the Uptime Institute. Additionally they hold the ISO certifications ISO 9001:2008 Quality Management System, ISO 14001:2004 Environmental Management System, and ISO 27001:2005 Information Security Management System. They are also UK Government G-Cloud framework level IL2 certified.

There are two identical, state-of-the-art, bomb-proof facilities, both in the south of England. As well as short-term UPS systems there are multiple diesel generators at both sites, with a minimum of 96 hours of fuel on-site. There is a 24/7 on-site security presence with 24/7 internal CCTV monitoring. In addition there are comprehensive security procedures including proximity access control.

Both data centres have independent dedicated gigabit fibre uplinks which take different routes to central London, one into Telehouse North and one into Telehouse East. From there the connections are peered with all the major UK backbones. The two sites also have a gigabit fibre link between them, so if any one link fails, data is automatically routed around the other two sides of the triangle. All critical systems, such as UPS, generators and backup network links, are tested on a regular basis to ensure that they are ready in the event of a real failure.

Within the data centres there is also no single point of failure up to the point where the connection reaches the server. To achieve this, equipment such as routers, switches and firewalls is configured in a mirrored setup with a heartbeat monitor between the two sets.

Communications and ports

All communications between the DMS Server and both the web and Win32 clients use the SSL-secured HTTP (HTTPS) port 443, and the services are configured to redirect any attempt to use HTTP port 80 back to port 443. The SSL certificate has a 2048-bit key length, and the sessions it protects use 256-bit encryption.

MySQL is configured to allow local access only, so its port, 3306, is not reachable from the network.

DMS is capable of sending project communications to the end user and uses the mail service Postfix to achieve this. Whilst the server uses SMTP port 25 to send email, it is configured to reject all incoming mail as a security measure. The fully qualified domain name of the mail server for the instance will be given to the service provider on completion of commissioning so that they can ensure the customer’s mail environment can receive emails from the DMS server.
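The port statements above (HTTPS on 443, the HTTP redirect on 80, MySQL reachable only locally) are the kind of thing a reviewer verifies on the host rather than takes from the document. The following is an added illustration, not part of the DMS documentation or Modus's tooling: it parses a listening-socket table in the layout `ss -tlnp` prints and flags any listener that the policy says must be loopback-only but is bound to a non-loopback address. The sample output and the policy table are constructed for the example.

```python
"""Check listening sockets against the port policy described above (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Addresses that only the local host can reach.
LOCAL_ONLY = {"127.0.0.1", "::1", "localhost"}

# Constructed sample in the column layout of `ss -tlnp`; not captured from a real server.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       511     0.0.0.0:80           0.0.0.0:*          users:(("apache2",pid=812,fd=4))
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("apache2",pid=812,fd=6))
LISTEN  0       80      127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=640,fd=21))
LISTEN  0       100     127.0.0.1:25         0.0.0.0:*          users:(("master",pid=701,fd=13))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=455,fd=3))
"""

# Hypothetical policy derived from the text: port -> may it be bound to a non-loopback address?
PORT_POLICY = {80: True, 443: True, 3306: False}


@dataclass(frozen=True)
class Listener:
    address: str
    port: int
    process: str

    @property
    def local_only(self) -> bool:
        return self.address in LOCAL_ONLY


# Matches "addr:port" for IPv4, "[addr]:port" for IPv6 and the "*" wildcard forms.
_ADDR_RE = re.compile(r"^(?:\[(?P<v6>[^\]]*)\]|(?P<v4>[^:\s]+)):(?P<port>\d+)$")


def parse_ss(output: str) -> list[Listener]:
    """Turn `ss -tlnp` style text into Listener records (header row skipped)."""
    listeners: list[Listener] = []
    for line in output.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        m = _ADDR_RE.match(cols[3])
        if not m:
            continue
        addr = m.group("v6") if m.group("v6") is not None else m.group("v4")
        proc = re.search(r'\("([^"]+)"', line)
        listeners.append(Listener(addr, int(m.group("port")), proc.group(1) if proc else "?"))
    return listeners


def policy_violations(listeners: list[Listener], policy=PORT_POLICY) -> list[str]:
    """Report listeners bound beyond loopback on ports the policy keeps local."""
    findings = []
    for lst in listeners:
        allowed_external = policy.get(lst.port)
        if allowed_external is None:
            continue  # port not covered by the policy; out of scope here
        if not allowed_external and not lst.local_only:
            findings.append(f"{lst.process} listens on {lst.address}:{lst.port} but must be local-only")
    return findings


if __name__ == "__main__":
    for finding in policy_violations(parse_ss(SAMPLE_SS_OUTPUT)) or ["no policy violations"]:
        print(finding)
```

On a real host the same check would be fed the live output of `ss -tlnp`; the parser deliberately ignores ports the policy does not mention, so the policy table is where the expectations for a given instance are recorded.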

Data

All the data used by DMS, apart from the emails and the editable content of the web pages defined in the Comms Portal, is stored in a MySQL database. The non-SQL data is stored in XML files.

To enable bulk loading of project data into DMS, the data must be entered into an XML template presented in Microsoft Excel. At this stage the data is not protected; however, the load process uses the Win32 interface, which communicates with the server over SSL.

Backup

The SQL database is backed up as a snapshot locally on a daily basis, and binary logging (transaction logs) is enabled so that database changes can be restored from backup to a specific point in time. The snapshot backups are automatically rotated on a daily, weekly and monthly cycle; by default 7 daily, 5 weekly and 5 monthly snapshots are retained, but this can be customised. The non-SQL data is backed up using the same process.

The SQL snapshot and non-SQL file data is then backed up to a different server situated within the same VLAN and on a private IP address. The backup is transferred and stored using 256-bit AES encryption.
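The daily/weekly/monthly rotation above is a grandfather-father-son retention scheme: each day's snapshot is kept for the daily window, the newest snapshot of each week for the weekly window and the newest of each month for the monthly window. The following is an added example, not Modus's rotation script, that selects which snapshots to retain from a list of snapshot dates using the page's defaults of 7, 5 and 5; the `daily_series` helper and the sample dates are constructed for the illustration.

```python
"""Grandfather-father-son snapshot retention (added example, not the DMS rotation code)."""
from __future__ import annotations

from datetime import date, timedelta


def select_retained(snapshots, daily: int = 7, weekly: int = 5, monthly: int = 5) -> set[date]:
    """Return the snapshot dates the 7/5/5 rotation keeps (defaults taken from the page)."""
    ordered = sorted(set(snapshots), reverse=True)  # newest first
    keep = set(ordered[:daily])  # the most recent `daily` snapshots

    def newest_per_bucket(key, limit):
        # Because `ordered` is newest-first, the first snapshot seen in a bucket is its newest.
        newest = {}
        for d in ordered:
            newest.setdefault(key(d), d)
        return [newest[k] for k in sorted(newest, reverse=True)[:limit]]

    keep.update(newest_per_bucket(lambda d: tuple(d.isocalendar()[:2]), weekly))  # (iso year, iso week)
    keep.update(newest_per_bucket(lambda d: (d.year, d.month), monthly))
    return keep


def expired(snapshots, **windows) -> list[date]:
    """Snapshots the rotation would delete; secure deletion of these is a separate step."""
    return sorted(set(snapshots) - select_retained(snapshots, **windows))


def daily_series(end: date, days: int) -> list[date]:
    """Constructed input: one snapshot per day for `days` days ending on `end`."""
    return [end - timedelta(days=i) for i in range(days)]


if __name__ == "__main__":
    snaps = daily_series(date(2024, 3, 31), 90)
    for d in sorted(select_retained(snaps)):
        print(d)
```

Point-in-time recovery still depends on the binary logs between the chosen snapshot and the target time, so a log-retention window shorter than the oldest retained snapshot limits how far back a precise restore can reach.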

Audit Logs

DMS automatically records all database operations, noting the requesting user, the action requested and its success status. This creates an audit trail so that actions can be attributed to a specific authenticated user if required.
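An audit trail of the kind described above needs three things recorded for every operation: who requested it, what was requested and whether it succeeded, with failures recorded as faithfully as successes. The following is an added example, not DMS code: it wraps each database operation so that the outcome is written to an audit table before the result is returned, and shows the attribution query. SQLite is used in place of MySQL only so that the example runs offline; the table names, the `audited` helper and the sample rows are constructed for the illustration.

```python
"""Attributing database operations to an authenticated user (added example, not DMS code)."""
from __future__ import annotations

import sqlite3
from datetime import datetime, timezone


def open_db() -> sqlite3.Connection:
    """In-memory stand-in for the instance database, with a constructed asset table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE assets (id INTEGER PRIMARY KEY, name TEXT NOT NULL UNIQUE, location TEXT)")
    conn.execute(
        """CREATE TABLE audit_log (
               id INTEGER PRIMARY KEY,
               at TEXT NOT NULL,          -- UTC timestamp
               user TEXT NOT NULL,        -- authenticated requesting user
               action TEXT NOT NULL,      -- action requested
               success INTEGER NOT NULL,  -- 1 = succeeded, 0 = failed
               detail TEXT)"""            # error text on failure
    )
    return conn


def audited(conn: sqlite3.Connection, user: str, action: str, sql: str, params=()) -> bool:
    """Run one statement on behalf of `user` and record the outcome either way."""
    ok, detail = True, None
    try:
        conn.execute(sql, params)
    except sqlite3.Error as exc:
        conn.rollback()  # discard any partial change before recording the failure
        ok, detail = False, str(exc)
    conn.execute(
        "INSERT INTO audit_log (at, user, action, success, detail) VALUES (?, ?, ?, ?, ?)",
        (datetime.now(timezone.utc).isoformat(), user, action, int(ok), detail),
    )
    conn.commit()
    return ok


def actions_by(conn: sqlite3.Connection, user: str) -> list[tuple[str, int]]:
    """The attribution query: everything a given user requested, in order, with success flags."""
    rows = conn.execute(
        "SELECT action, success FROM audit_log WHERE user = ? ORDER BY id", (user,)
    ).fetchall()
    return [(action, success) for action, success in rows]


if __name__ == "__main__":
    db = open_db()
    audited(db, "alice", "asset.create", "INSERT INTO assets (name, location) VALUES (?, ?)", ("LAPTOP-01", "Store A"))
    audited(db, "alice", "asset.create", "INSERT INTO assets (name, location) VALUES (?, ?)", ("LAPTOP-01", "Store B"))
    print(actions_by(db, "alice"))
```

The audit row is written whether or not the operation succeeded, which is what makes a failed or rejected request attributable later; an audit that only records successes cannot answer who attempted something.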

Retention and destruction

Unless requested otherwise, customer data is only retained until the end of the project.

Once the project is complete the destruction process is as follows:

  1. The database and web services are stopped.
  2. The database is deleted.
  3. The server will then be treated with a ‘secure-delete’ process for all DMS related configuration and data files. This deletion process allows free space, swap files, and memory to be securely wiped with a configurable number of passes.
  4. Backups are removed with ‘secure-delete’.
  5. Once these processes are complete the server is rebuilt.

Liability

Whilst generally the data stored in DMS would not be classified as commercially sensitive, this determination is the responsibility of the service provider and customer to agree. Whilst the storage of the data used within DMS is the responsibility of Modus, the operational use of the data (input, editing, output and delete) is the responsibility of the service provider.

The governance of the data surrounding personal information and any corresponding legal requirements (such as the Data Protection Act) is the remit of the service provider. From time to time Modus may need to handle the data in a support capacity, and therefore Modus, under the guidance of the Information Commissioner’s Office (UK), is registered under the UK Data Protection Act.

User Access

System

The Linux operating system includes a root account. This account is given a secure password and not used in operation. An additional administration account is created which is then used to configure the server, services and applications. No further system user accounts are created within Linux on the server. All other user access is via DMS itself.

DMS Superuser

Superuser in DMS refers to a system administration account within DMS used for managing the DMS service. This type of account is only available to Modus and is used to support the DMS system.

DMS Administrators

Administrator in DMS refers to a type of user account within DMS for users of the management interfaces, whether web based portals or the DMS Console. Access to these interfaces is via a user logon and password, and the management of these users is the responsibility of the service provider. Administrators can be given access to specific interfaces, ensuring they can only manage the types of data within their remit (e.g. the DTL Portal for engineering users), and can also be given read-only or read/write permissions to specific parts of the project structure.

Asset Tracking is further secured with the ability to restrict send/receive permissions to and from asset locations.

Administrator user passwords are not stored in the system: only a salted hash, computed with the SHA-512 algorithm, is stored.

DMS Users

User in DMS refers to the customer end users, whose access to DMS is via the optional User Portal. When a user has access to this portal they can only see information relating to themselves and no other user. Providing access to the User Portal and the setting/resetting of passwords can be carried out for an individual user or for multiple users simultaneously.

Using the User Wizard an administrator can auto-generate a random password (the default) or choose to create a password manually. If the reset process is for multiple users, the auto-generate option creates a unique password for each user in the process.

The password itself is not stored; only a salted hash, computed with the SHA-512 algorithm, is stored. The User Wizard provides an option to additionally store the generated password temporarily as plain text for sending in a password set/reset email.
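The two password statements above (salted SHA-512 storage for administrators and users, and the User Wizard's unique random password per user in a bulk reset) fit one worked example. The following is an added illustration, not Modus's implementation: it generates a unique random password per user, stores a per-user random salt with the SHA-512 digest, verifies with a constant-time comparison, and returns the plaintext only to the caller that sends the notification email. The `reset_users` helper, the stored-record format and the user names are assumptions made for the example.

```python
"""Salted SHA-512 password storage and bulk random reset (added example, not DMS code)."""
from __future__ import annotations

import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_letters + string.digits
SALT_BYTES = 16


def generate_password(length: int = 14) -> str:
    """Random password from a CSPRNG; `secrets` is the right source, `random` is not."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def hash_password(password: str, salt: bytes | None = None) -> str:
    """Store salt and SHA-512 digest together; a fresh salt per password defeats shared tables."""
    salt = secrets.token_bytes(SALT_BYTES) if salt is None else salt
    digest = hashlib.sha512(salt + password.encode("utf-8")).hexdigest()
    return f"{salt.hex()}${digest}"  # record format assumed for this example


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest = stored.split("$", 1)
    candidate = hashlib.sha512(bytes.fromhex(salt_hex) + password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, digest)


def reset_users(usernames) -> tuple[dict[str, str], dict[str, str]]:
    """Bulk reset: a unique password per user; hashes are what gets stored, plaintext goes to the mailer only."""
    records: dict[str, str] = {}
    to_send: dict[str, str] = {}
    issued: set[str] = set()
    for user in usernames:
        password = generate_password()
        while password in issued:  # uniqueness across the batch, as the page requires
            password = generate_password()
        issued.add(password)
        records[user] = hash_password(password)
        to_send[user] = password
    return records, to_send


if __name__ == "__main__":
    stored, plaintext = reset_users(["user1", "user2", "user3"])  # constructed user names
    for user, record in stored.items():
        print(user, record, verify_password(plaintext[user], record))
```

A single SHA-512 pass is fast by design, so where the scheme is being chosen afresh the usual hardening is a purpose-built password function such as `hashlib.pbkdf2_hmac` with a high iteration count; the salt-per-user and constant-time comparison shown here carry over unchanged.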