Data security

How we keep your data secure

Q&A with Marina Assist CTO

We are working in an increasingly digital world. The days of writing letters, posting invoices and handling cash are almost over. Most marina operators use some form of customer database, either hosted on the Cloud or on a local server. So how is all of this data kept secure from accidental or malign misuse?

We had a chat with Graham Laidler, the Chief Technology Officer for Marina Assist.

Q: How does Marina Assist security compare?

A: Our cloud-based model gives us a huge security advantage – agility.  As new threats evolve, we can adapt our security model accordingly, and deploy updates across all our customers in a truly automated fashion.

Non-cloud providers simply can’t react as quickly.

 

Q: How can a small organisation provide the levels of data security we all expect?

A: Right from the start we knew that Marina Assist had to be agile in structure and able to take advantage of global leaders.

Because we’re a small, lean team, we have set up processes to automate data management tasks. Human error is far less likely when things are automated. Plus we can deliver predictable processes repeatedly.

We choose to use Microsoft hosting, rather than having our own servers. Microsoft hosting means we can absolutely control all security aspects of our platform. Plus we leverage the decades of experience that Microsoft bring to the table.

Microsoft data centers are like Fort Knox. No-one can enter, and no-one can plug a USB drive into any server.  They have very tight physical and logical security.  Far more security than you would ever find in a ‘normal office’, which is where many of our legacy competitors install their software.

 

Q: How is your data security tested and audited?

A: We take customer data security very seriously. We comply with the Payment Card Industry Data Security Standard as a PCI Level 2 service provider, and we are accredited to the UK government’s G-Cloud as an official supplier. Importantly, we work with Microsoft data centers which are certified ISO27001, ISO2000, ISO9001 and CSA STAR assured – providing infinitely greater data security than an on-site or local server.

We follow and are tested against industry leading OWASP guidelines. We use an external cyber-security firm to perform regular penetration tests against Marina Assist. Effectively they act as ‘hackers’ paid by us, actively trying to break the security.  Likewise, our hosting partner Microsoft continuously penetration tests their own products.

 

Q: Where exactly is my data stored?

A: Marina Assist uses Microsoft’s Azure Cloud, located in their Dublin data center.

 

Q: How is my marina’s data kept separate from my competitors?

A: Each Marina Assist customer (or Tenant) has their own database – our government-sector and large corporate customers require total isolation.

Unlike some cloud providers we don’t mix customer data together – we provision a self-contained SQL server database for each Tenant.  This is technically more complex, but it gives us a few advantages:

  • Tenants can be added without impact on other Tenants – we can comfortably host every marina on the planet using our architecture.
  • Problems with one Tenant causing performance problems on another Tenant (noisy neighbors) are eliminated as each database has its own CPU and memory space.
  • Tenants can be versioned independently.  This isn’t something we usually do, but if a customer is dying to try the latest and greatest feature, we can allow them Beta Access without other Tenants being affected.

 

Q: How do marinas assure their customers that the Portal is safe?

A: For the customer (and the marina operative), the key thing to look for is the padlock symbol at the top of the browser. The padlock indicates that you are viewing the ‘real’ website, and that all data between your phone/device and Marina Assist is encrypted.

Clicking on the padlock gives the user more information about the encryption used. We use the latest cryptographic keys to ensure the data is secure.

 

Q: What access do marina staff have to customer bank and financial information?

A: The marina can’t access a customer’s bank account nor view any account or card information.  At no point is the card number exposed to a marina staff member unless they are typing it in. As soon as they have typed it, details are hidden from view and non-retrievable.

We use a leading global payment provider to process credit and debit card transactions.  One of the features it offers is a card vault, where the provider securely stores a highly encrypted version of the card.  This allows the card to be re-used for subsequent transactions without having to retype the card details – similar to how Amazon does it.

We’ve added a further level of security by requiring the 3 digit CVV number to be entered every time a vaulted card is used.

 

Q: How is data breach by marina staff mitigated?

A: A major benefit for marinas of unlimited system users is that all marina staff can have a unique username and password, creating an audit trail.  Every time a user signs on, all actions are logged with a full audit trail of which customer records each user has viewed.

Each user has a specific set of permissions (set by the local admin) as well as controls over which site (for multi-site operators) they are allowed to see.  All updates and creation of records are marked with a flag indicating who made the edit and when.

 

If you’re looking to improve data security, Marina Assist can help.

Interested? Call us on (410) 834-0559 or email [email protected] and let’s talk about how we can help your marina team to work smarter and connect with customers.
