Hosting and Security
MiClub Security Information
This document provides information on the measures in place to secure the infrastructure that hosts MiClub’s golf and membership management products and the club/course data stored in association with the use of those products.
SERVER LOCATIONS
MiClub hosts products with Linode/Akamai, a global cloud infrastructure service provider. Sites are deployed in the region closest to the club/course, i.e. Australian sites are located in Australia.
Physical access to any server is strictly limited.
SERVER OPERATION
A number of policies are in place regarding the operation of our servers:
- Only essential services and software are installed on servers.
- All servers are regularly updated with the latest available security and bug fixes.
- Only authorised technical staff have privileged access on the servers, each using a unique account.
- All servers have unique passwords.
- All servers are accessible only from nominated management servers, using military-grade key authentication that is supported only by the latest versions of secure shell (SSH).
- All access is logged and audited.
Other mechanisms to reduce the risk of the systems being compromised include:
- HTTPS with SSL/TLS 1.2 as the minimum protocol version.
- Separation of data storage, with a move to encryption at rest.
- Inter-service communication kept local (off the wire) rather than exposed on the network.
SERVICES ACCESS
Firewall protection is in place across the hosted infrastructure.
The only services exposed directly to the internet are Apache web services. The Tomcat application and database services are all firewalled off from direct connection to the internet.
Some service access is also restricted by GeoIP to limit exposure and provide protection from unwanted attack and access attempts.
Services are segregated (e.g. a compromise of the Apache web service would not compromise the Tomcat and database services).
All application services run as unprivileged users, so that in the event of a compromise only limited access would be obtained.
MONITORING SYSTEMS
The following infrastructure monitoring systems are in place:
- Grafana/Prometheus – Actively monitors the servers, network and applications for security vulnerabilities.
- ModSecurity WAF (Web Application Firewall) – Actively monitors and reviews all web based requests to all web servers.
- Fail2Ban – Actively monitors and reviews all services logs and blocks any IP that attempts unsanctioned requests.
PENETRATION TESTING
Penetration tests are run across a range of systems quarterly, or more often as required.
The testing processes follow industry standards defined by organisations such as OWASP and include tool sets that address current CVEs (Common Vulnerabilities and Exposures).
SYSTEM BACKUPS
Backups are taken daily and held offsite in a physically and logically separated environment. These backups are retained for 90 days.
CLIENT DATA ACCESS
MiClub products include different security/access levels to limit access and functionality for different users.
Authorised club/course representatives can be given access for administration tasks which are provided through the product user interface.
Any system administration accounts which have been inactive for a period of 30 days will automatically be de-activated.
Only an authorised representative from the club/course can request or change administration-level privileges.
MiClub products enforce a password policy that requires members and club staff to use a password of at least 8 characters, containing mixed-case letters, numbers and special characters. This password policy is applied from initial login.
Member contact details are managed on an individual preference basis (from the member view). Depending on the club’s requested setup, members by default have their personal details hidden from other members’ view. Members can opt in to display specific contact details, such as phone and email, to other members.
A limited number of staff within MiClub, including authorised support and technical staff, can access client data and will only do so when it is required for support or product maintenance.
All member-related data transferred to or from third-party systems (e.g. non-MiClub membership systems) is sent over encrypted SSL/TLS connections.
Personal information is collected and stored in accordance with our Privacy Policy.
ONLINE PAYMENTS
MiClub products utilise specialist 3rd party payment gateways to process online payments. These include Securepay, Stripe, Payrix and Ezidebit which are all PCI compliant payment providers.
At no time are any credit card details entered/stored directly into the MiClub system. Credit card details for payments are entered/processed via the 3rd party gateways only.
All financial transactions are conducted over HTTPS (SSL/TLS). MiClub completes an annual PCI-DSS SAQ-D assessment to validate PCI compliance for online payments made through the 3rd party gateways with MiClub products. A copy of this can be provided upon request.
CLIENT OBLIGATIONS
Refer to our Terms and Conditions for information on client obligations when using MiClub products.
CONTACT MICLUB
Should you have any further questions related to security and privacy of the MiClub System, please contact our help team at support@miclub.com.au or call 08 9444 5300.