In today's digital landscape, the security of customer data and business information is paramount. At Ticketsolve, we are committed to delivering a platform that is secure, reliable, and compliant with industry standards. One of the key guidelines we follow to achieve this is the UK Cloud Security Principles, which provides a comprehensive framework for safeguarding cloud-based services. In this article, we will explore the UK Cloud Security Principles and demonstrate how Ticketsolve adheres to these best practices to ensure a secure environment for our customers.

What are the UK Cloud Security Principles?

The UK Cloud Security Principles are a set of 14 guidelines published by the UK government's National Cyber Security Centre (NCSC) to help organisations implement secure cloud-based services. The principles cover various aspects of cloud security, from data protection and incident response to supply chain security and identity management. By adhering to these principles, organisations can mitigate risks, protect sensitive information, and maintain the confidentiality, integrity, and availability of their services.

Here is an overview of the 14 principles:

1. Data in transit protection: Secure transmission of data between users and the cloud service.
2. Asset protection and resilience: Ensuring the security and resilience of cloud infrastructure and services.
3. Separation between users: Preventing unauthorised access to data by segregating users and processes.
4. Governance framework: Establishing a robust framework to manage security risks and compliance.
5. Operational security: Implementing procedures for detecting, preventing, and responding to security incidents.
6. Personnel security: Ensuring that staff with access to customer data are appropriately vetted and trained.
7. Secure development: Adopting secure development practices to protect applications from vulnerabilities.
8. Supply chain security: Managing risks associated with third-party suppliers and cloud service providers.
9. Secure user management: Implementing robust identity and access management controls.
10. Identity and authentication: Verifying the identity of users and devices accessing the cloud service.
11. External interface protection: Securing connections between the cloud service and external networks.
12. Secure service administration: Safeguarding administrative access to the cloud service and infrastructure.
13. Audit information for users: Providing customers with access to audit logs and security monitoring data.
14. Secure use of the service: Helping customers understand their responsibilities and securely use the cloud service.

At Ticketsolve, we recognize the importance of adhering to the UK Cloud Security Principles to maintain a secure and resilient platform. Below, we will demonstrate how Ticketsolve diligently adheres to each of these principles:

Principle 1 - Data in Transit Protection

Ticketsolve is committed to ensuring the security of data during transmission between users and our platform. We utilise industry-standard encryption protocols, such as TLS 1.2, to guarantee the confidentiality and integrity of customer data during transit. All sensitive customer and payment information is passed over secure TLS channels, ensuring high levels of security and protection.

In addition to employing TLS 1.2, we also use valid and up-to-date SSL/TLS certificates from trusted Certificate Authorities. These certificates provide authentication and maintain trust between our customers and our services. We regularly review and renew our certificates to ensure continuous secure communication.

For further details on how Ticketsolve implements the Data in transit protection principle, please refer to the 'Using AWS in the context of NCSC UK's Cloud Security Principles' document which can be downloaded at the bottom of this article. This document provides a comprehensive analysis of how Ticketsolve leverages Amazon Web Services (AWS) to adhere to the NCSC's guidelines, further strengthening our commitment to data security.

Principle 2 - Asset Protection and Resilience

Ticketsolve is dedicated to ensuring the security and resilience of our cloud infrastructure and services. To achieve this, we have partnered with Amazon Web Services (AWS), a leading and trusted cloud services provider known for its robust security features and high availability.

Our data warehouse is located in Dublin, within the European Economic Area (EEA), ensuring compliance with relevant data protection regulations and maintaining the confidentiality, integrity, and availability of customer data. By using AWS, we benefit from their state-of-the-art data centres that offer strong physical security measures, environmental controls, and redundancy to protect against potential threats, such as hardware failures, power outages, and natural disasters.

In addition to the security features provided by AWS, Ticketsolve has implemented various measures to enhance the asset protection and resilience of our platform. These include:

• Regularly backing up customer data to ensure timely recovery in case of data loss or corruption.
• Using multiple Availability Zones within the AWS infrastructure to achieve high levels of redundancy and minimise service disruption.
• Continuously monitoring and updating our infrastructure to address potential vulnerabilities and improve performance.
• Implementing strict access controls to limit access to our cloud infrastructure, minimising the risk of unauthorised access or data breaches.

Principle 3 - Separation Between Users

Ticketsolve is committed to maintaining strict separation between user accounts, ensuring that customer data remains secure and isolated from other users. By partnering with Amazon Web Services (AWS), we leverage their advanced virtualization and containerization technologies to create a secure and segregated environment for each venue.

Each venue has its own unique account, which is entirely separated from others within the AWS infrastructure. This separation prevents unauthorised access to data and ensures that each user can only interact with their own account and associated resources.

To further enhance the separation between users and ensure secure access to our platform, Ticketsolve has implemented strong management access authentication protocols. These protocols include:

• Public key authentication (including by TLS client certificate): Public key authentication provides an additional layer of security by requiring users to present a valid cryptographic key pair for authentication.
• Dedicated link (for example, VPN): A virtual private network (VPN) creates a secure, encrypted communication channel between the user's device and our platform, ensuring that data remains protected during transmission.
• Username and password: Ticketsolve requires unique and strong usernames and passwords for each user, making it more difficult for unauthorised parties to gain access.
• 2FA login: Two-factor authentication (2FA) adds an extra layer of security by requiring users to provide two forms of identification. Users would use their regular password and an authenticator app such as Google Authenticator which provides a 6 digit code that changes every 30 seconds. 

Principle 4 - Governance Framework

Ticketsolve is dedicated to establishing and maintaining a robust governance framework to manage security risks and ensure compliance with industry standards. Our security policy is largely derived from our adherence to the latest Payment Card Industry Data Security Standard (PCI DSS) requirements, a set of comprehensive guidelines for securing payment card information.

Our policies and procedures are audited annually by an external auditor, and an Attestation of Compliance is available upon request. The policies cover various aspects of security, including:

• User management procedures: Ensuring proper access control and user authentication for secure access to our platform.
• Service provider compliance validation: Regularly assessing third-party suppliers to ensure they comply with our security standards.
• Security configuration standards for servers: Implementing best practices for secure server configuration and management.
• Data retention and storage procedures: Establishing guidelines for retaining and securely storing customer data.
• Detailed Incident response plan: Developing a comprehensive plan for detecting, managing, and recovering from security incidents.

In addition to these policies, Ticketsolve has implemented several other frameworks and certifications to further strengthen our security posture:

• PCI DSS Compliant: We hold a valid PCI DSS compliance certificate, demonstrating our commitment to payment card security.
• Cyber Essentials: We have obtained the Cyber Essentials certification, showcasing our adherence to essential cybersecurity measures.
• Annual 3rd Party Penetration Testing: We conduct external penetration tests to identify and address potential vulnerabilities in our systems.
• Chief Information Officer (CIO) Responsibility: We have assigned the role of CIO to oversee and ensure the implementation of security measures across our organisation.

With clear roles and responsibilities outlined in our Security Policy, the ultimate responsibility for ensuring adherence lies with the CEO. 

Principle 5 - Operational Security

Ticketsolve places a strong emphasis on maintaining operational security through comprehensive monitoring, change management, and incident response procedures. Here is how we address Principle 5 of the UK Cloud Security Principles:

• Configuration and change management: Our usage of AWS is managed through a combination of Terraform and Chef, which focus on infrastructure and software configuration, respectively. Emphasising configuration as code, our complete configuration and change management process is managed through Git/Github and associated procedures. All code changes for the Ticketsolve platform undergo a strict review process, including security evaluations, before merging.
• Vulnerability discovery and risk ranking: We have a "Vulnerability Discovery and Risk Ranking Process" as part of our security policy. We actively monitor various sources, such as Ubuntu Security Mailing List, AWS Security Bulletins, and GitHub Security Alerts, to identify and address security issues based on risk assessment using CVSS 3 scores. We regularly update our Amazon Machine Images (AMIs) to apply patches and rebuild our infrastructure.
• Antivirus and security scans: We run ClamAV on all servers on a nightly automated schedule. We also conduct annual penetration tests with an external supplier and perform quarterly ASV scans through Qualys for PCI compliance.
• Continuous monitoring: We utilise Amazon GuardDuty, a threat detection service that continuously monitors for malicious activity and unauthorised behaviour. Incidents detected by GuardDuty are posted to our emergency communication channel, triggering automated calls and notifications.
• Log retention: Infrastructure, antivirus, hosts authentication, VPN server, and application logs are retained for 5 years.
• Incident Response Plan: Our security procedures and policies include a defined "Incident Response Plan" that outlines a structured approach to handling security incidents. The plan covers Preparation, Identification, Containment, Eradication, Recovery, and Follow-up/Lessons Learned phases. Security issues are addressed within the first 24 hours, and in case of a security incident, details are communicated directly to the designated representatives through our Zendesk support system within 24 hours of identification and understanding.

Principle 6 - Personnel Security

Ticketsolve recognises the importance of personnel security in maintaining a secure environment for our customers. To meet Principle 6 of the UK Cloud Security Principles, we implement the following measures:

• Background screening checks: All staff members at Ticketsolve undergo background screening checks as part of the hiring process. This helps us ensure that we onboard trustworthy individuals who are committed to maintaining the highest levels of security and integrity within our organisation.
• Continuous security education: We provide ongoing security education and training for all team members to ensure they have a comprehensive understanding of our security protocols and best practices. This includes regular updates on emerging threats, vulnerabilities, and the latest security technologies, ensuring that our team is well-equipped to respond proactively to potential risks and maintain the security of our platform.

Principle 7 - Secure Development 

Ticketsolve is committed to adopting secure development practices to minimise vulnerabilities and maintain the integrity of our platform. To meet Principle 7 of the UK Cloud Security Principles, we have implemented the following measures:

• In-house development team: All software development at Ticketsolve is carried out by our in-house development team, ensuring a high level of control and oversight on the development process.
• Strict code review process: We enforce a stringent code review process for both infrastructure and application-level code. This process includes a thorough evaluation of any security issues, ensuring that our platform remains secure and resilient against potential threats.
• OWASP Top 20 guidelines: For code reviews, our development team utilises the OWASP Top 20 guidelines as a reference to identify and address the most critical security risks in web applications.
• Annual penetration test: As part of our annual penetration testing process, we grant access to our source code, allowing it to be evaluated from a security perspective by external experts.
• PCI DSS compliance: Ticketsolve is fully PCI DSS compliant, which involves undergoing a yearly audit by an independent PCI consultant. This compliance ensures that our platform adheres to the highest security standards for payment card information processing.

Principle 8 - Supply Chain Security 

Ticketsolve is dedicated to ensuring the security and integrity of our supply chain by carefully selecting suppliers and maintaining strict control over the flow of information. To meet Principle 8 of the UK Cloud Security Principles, we have implemented the following measures:

• No information sharing with third parties: Ticketsolve does not share customer information with any third-party suppliers. All information is encrypted at rest, during communication, and when stored in our database.
• Minimal and trusted suppliers: We purposefully maintain a minimal set of suppliers and choose industry leaders with a strong security focus. Each supplier is thoroughly evaluated from a security perspective before making a decision.
• Primary service providers: Our primary service providers, such as AWS and GitHub, have established security overviews and compliance levels, ensuring that they meet high-security standards. As we have committed to AWS as a platform, the majority of our systems, from servers to monitoring and alerting, are based on AWS standards.
  • AWS: https://aws.amazon.com/security/, https://aws.amazon.com/compliance/programs/
  • GitHub: https://github.com/security, https://github.com/security/trust
  • Travis: https://docs.travis-ci.com/legal/security/ 
• Hardware verification and software upgrades: Hardware verification is handled through our usage of AWS, as we do not manage any hardware or network infrastructure directly. Software upgrades are handled according to the context: smaller upgrades (e.g., libraries) are managed through our code review, continuous build, and deploy process. For larger upgrades (e.g., major database or framework upgrades), we establish a specific plan and staging environment, deploying into production only after thorough verification. All large upgrades include a rollback plan.

Principle 9 - Secure User Management 

Ticketsolve is committed to providing a secure and controlled environment for user management and access control. To meet Principle 9 of the UK Cloud Security Principles, we have implemented the following measures:

• Secure authentication: Users can only access the system through a secure login process, ensuring that only authorised individuals can access the platform.
• Role-based authorisation: Authorisation to different aspects of the system is controlled by the roles assigned to a user. Users can access specific functionalities based on their assigned roles, providing a granular level of control over system access.
• Support query management: When clients raise support queries, they submit tickets within the application using their pre-authorised email addresses. Upon resolving the query, a ticket is sent to the pre-authorised email address, detailing the progress and marking the issue as complete. Full reporting is available for all tickets raised.
• Multi-tenancy architecture: The Ticketsolve platform is built on a multi-tenant architecture, ensuring strict partitioning of each account. Each account is accessible only through its designated website (e.g., venuename.ticketsolve.com) and corresponding user logins.
• Account-managed access: Access to the Ticketsolve platform is managed by each account, allowing them to control which users can log in and the level of privilege assigned to them based on their roles. For example, a user with a minimal role can only sell tickets from the box office, while a box office manager or higher role is required to create new events.
• Management interfaces and auditing: Management interfaces, such as setting up events and users, are accessible only to users with relevant assigned roles. All sensitive changes are audited and logged, ensuring traceability and accountability.

Principle 10 - Identity and Authentication

Ticketsolve prioritises user identity and authentication security to ensure that only authorised individuals can access the platform. To meet Principle 10 of the UK Cloud Security Principles, we have implemented the following measures:

• Secure login and role-based access: All access to the Ticketsolve platform is granted through a secure login process, and user access is determined by their assigned roles. This provides a controlled environment for managing user access to various functionalities.
• Secure connections: Access to the platform is browser-based and only allowed over a secure connection using TLS 1.2+ to protect data integrity and confidentiality.
• Robust password policies: Passwords must be at least 9 characters long, including a minimum of 1 number and 1 symbol, and cannot be a dictionary word. This ensures that user passwords are strong and resistant to brute-force attacks.
• Inactive user deactivation: Inactive users are automatically deactivated after a configurable number of days, reducing the risk of unauthorised access through dormant accounts.
• Account lockout: The system enforces a lockout policy, disabling a user's login for 60 seconds after three failed login attempts within a 60-second window. This helps prevent brute-force attacks and unauthorised access attempts.
• User management: Ticketsolve users for a given account are managed by the account itself. Only users with the appropriate roles are allowed to add new users, ensuring a higher level of control over user access.
• Two-factor authentication (2FA): Ticketsolve supports two-factor authentication, allowing users to utilise authenticator apps such as Google Authenticator for an additional layer of security. This ensures that even if a password is compromised, unauthorised access to the platform is still prevented by requiring a secondary verification method.

Principle 11 - External Interface Protection

Ticketsolve is committed to ensuring that external interfaces are protected from unauthorised access and security risks. To meet Principle 11 of the UK Cloud Security Principles, we have implemented the following measures:

• User training and best practices: During initial training, users are guided through usage best practices, including adding, changing, and deleting users; creating and resetting passwords; user usage statistics; and access to audit trails. These best practices are reinforced through our online help manual and refresher training courses.
• Restricted data access: Council data is accessible only to users of the respective council's account on the Ticketsolve platform. Access to this data is provided through the reporting module and is limited to users with the appropriate roles, ensuring that sensitive information is kept secure and confidential.
• Annual penetration testing: Ticketsolve undergoes annual penetration testing conducted by an independent third party. This ensures that the platform remains secure and protected from potential vulnerabilities. A summary letter of engagement and results can be provided upon request, demonstrating our commitment to maintaining a secure external interface.

Principle 12 - Secure User Management

To ensure that user access to the Ticketsolve infrastructure is secure and controlled, we adhere to Principle 12 of the UK Cloud Security Principles. We have implemented the following measures:

• Restricted infrastructure access: Ticketsolve's infrastructure is only accessible through a VPN with SSH access, ensuring a secure connection for authorised users.
• Two-factor authentication (2FA): 2FA is required for infrastructure access, adding an additional layer of security to prevent unauthorised access.
• Limited access to authorised personnel: Access to the Ticketsolve infrastructure is limited to a tightly controlled, small number of staff, reducing the risk of unauthorised access and potential security breaches.

Principle 13 - Audit Information for Users

Ticketsolve is committed to providing transparency and accountability to its users, in line with Principle 13 of the UK Cloud Security Principles. To achieve this, we have implemented the following measures:

• Access to audit information: Ticketsolve can and does provide relevant audit information upon request. Much of the necessary information is readily available within the platform through automated audit trails.
• Customised information provision: If specific audit information is not directly available within the platform, it can be made available upon request, ensuring that users have access to the data they need for auditing purposes.
• Long-term log storage: All logs are maintained and archived for a period of 5 years, ensuring that lower-level information is accessible if required for more in-depth investigations or audits.
• Proven track record: Based on historical examples, Ticketsolve has successfully facilitated accounts in investigating misuse and incidents, demonstrating our commitment to providing accurate and relevant audit information for our users.

Principle 14 - Secure System Management 

Ticketsolve is dedicated to providing a secure and user-friendly platform for its customers and partners in line with Principle 14 of the UK Cloud Security Principles. We have implemented the following measures to ensure secure system management:

• Browser-based access: All access to the Ticketsolve platform is through browser-based interaction, requiring a login over a secure connection. This ensures that the system is protected and accessible only to authorised users.
• Comprehensive training and support: All staff are provided with usage training and process guidance as part of the installation process. Additionally, Zendesk articles are available for partner organisations to understand correct usage, ensuring a secure and efficient user experience.
• Partnership organisation access: Partnership organisations can be granted access to the Ticketsolve platform through logins and the assignment of appropriate roles. This allows them to monitor specific activities, such as event sales, while maintaining a secure environment.
• User-friendly design for customers: As an e-commerce ticketing system, Ticketsolve is designed to be easily accessible and usable by first-time customers without prior training. Customers agree to terms and conditions during the checkout process, ensuring their understanding of the platform's guidelines.
• No specialised hardware required: Ticketsolve does not require any specialised hardware for access, making it a convenient and easily accessible platform for users across various devices.

Summary 

In summary, this article outlines how Ticketsolve adheres to the UK Cloud Security Principles, ensuring a secure and reliable platform for its customers. By implementing robust measures such as secure data transmission and storage, strong access controls, continuous monitoring, and regular audits, Ticketsolve demonstrates its commitment to maintaining a high level of security.

Furthermore, Ticketsolve provides comprehensive training and support to staff and partners, and has designed a user-friendly platform for ticket-buyers. The system is built to be easily accessible and usable without specialised hardware, making it a convenient choice for all users.

If you have any further questions or require additional information, please feel free to contact our support team, who will be more than happy to assist you.