Ownership and Control
-
DaDesktop is written by NobleProg Tech and is maintained and developed fully in-house; any issues are dealt with by our own specialist team of Security Ops, Devs and DevOps staff. Only NP Tech staff have access to the underlying DaDesktop system.
-
NobleProg has access and rights to use and modify all source code
Redundancy and Failure recovery
-
Trainers and users can choose to replicate an entire desktop in real time via the 'remote replica' option
-
When experimenting, automatic snapshots of a desktop can be enabled. In case of a crash, the system can restore the last working version
-
Servers are maintained in redundant datacentres; if one datacentre fails, another is available within low-latency distance
-
DaDesktop infrastructure uses a number of datacenters located worldwide, with comprehensive physical and IT security policies in place
-
DaDesktop uses QEMU/KVM to create and run virtual machines; both QEMU and KVM are part of the Linux operating system. As both are built-in components of the Linux OS, security updates are easy and quick to deploy, with no third-party reliance to be concerned about. QEMU/KVM has an excellent security and performance record, beating those of commercial solutions
At NobleProg, a zero-trust policy is implemented
-
We allow only NP Tech staff whose IP address is pre-registered to access the NobleProg and DaDesktop systems that we have in place. iptables firewall rules are used to firewall off access to SSH and other ports.
-
Each system is protected by Two Factor Authentication and a password, i.e. an attacker who obtained only the password would not be able to access the system, as their IP would not be whitelisted and they would not have the One Time Password
-
On a DaDesktop course, each desktop's network is isolated from other desktops and from public access
-
NobleProg staff all use an MFA system to log in to NobleProg or DaDesktop systems; access is withdrawn immediately if a member of staff leaves, to protect our systems from unauthorised access
Linux Hardening
-
The system on DaDesktop servers (nodes) is minimized by installing only the needed packages on a custom, stripped-down version of Ubuntu that we make and operate, to reduce added complexity and overhead. This in turn means fewer security holes, as fewer packages are needed and thus fewer services are running at any one time. The installed base is normally only 250MB for each DaDesktop server node.
-
Access to the 'root' account is disabled in SSH
-
The DaDesktop infrastructure uses the newest stable version of Ubuntu Linux as a base and is upgraded and patched automatically, reducing the risk of a zero-day vulnerability
-
Servers are monitored for known vulnerabilities
-
Unused packages and files are removed
-
NobleProg has access to all source code used in the project. Should a vulnerability be discovered for which no patch is available, the NobleProg security team can patch it immediately
-
Systems are automatically updated (unattended-upgrades)
-
All connections between our servers and the dark web are monitored and can be automatically blocked
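
An added example, not NobleProg's own code: a Python check of two controls described above, SSH reachable only from pre-registered IP addresses and root login disabled in SSH. The iptables-save dump, sshd_config text, allowlist address and function names are constructed for illustration; only single-port --dport rules in the INPUT chain are examined.

```python
import ipaddress
import shlex

# Constructed sample inputs (not taken from any DaDesktop system).
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 198.51.100.7/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""
SAMPLE_SSHD = "Port 22\n#PermitRootLogin yes\nPermitRootLogin no\n"
ALLOWLIST = ["198.51.100.7/32"]  # hypothetical pre-registered staff address


def audit_ssh_firewall(rules_text, allowlist, port="22"):
    """Return findings for INPUT rules that accept SSH from non-allowlisted sources."""
    allowed = [ipaddress.ip_network(n) for n in allowlist]
    findings = []
    for line in rules_text.splitlines():
        if line.startswith(":INPUT ") and line.split()[1] != "DROP":
            findings.append("INPUT default policy is not DROP")
        tok = shlex.split(line)
        accepts = "-j" in tok and tok[tok.index("-j") + 1] == "ACCEPT"
        if tok[:2] != ["-A", "INPUT"] or not accepts or "--dport" not in tok:
            continue
        if tok[tok.index("--dport") + 1] != port:
            continue
        src = tok[tok.index("-s") + 1] if "-s" in tok else "0.0.0.0/0"
        net = ipaddress.ip_network(src, strict=False)
        if not any(net.subnet_of(a) for a in allowed):
            findings.append(f"SSH accepted from non-allowlisted source {src}")
    return findings


def root_login_disabled(sshd_text):
    """True only if the effective PermitRootLogin value is 'no'."""
    # sshd uses the first value it reads for a keyword; Match/Include are not handled here.
    for line in sshd_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0].lower() == "permitrootlogin":
            return parts[1].lower() == "no"
    return False  # keyword absent: the OpenSSH default still permits key-based root login
```

On the constructed rule set the audit flags the third INPUT rule, which accepts port 22 with no source restriction and so bypasses the allowlist.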
Monitoring
-
NobleProg monitors all its servers, including DaDesktop servers, and alerts are created for any issues that need to be addressed. Alerts are followed up and fixed. Alerts and issues are reviewed regularly to ensure we fully address each one and avoid it occurring again.
-
We monitor all DaDesktop servers and trainer / participant machines for CPU, memory and network activity, etc. Additionally, all DaDesktop nodes and the underlying DaDesktop system are monitored for any CVEs, which raise a flag on the monitoring system to be checked. Normally any security updates are applied automatically, but any exceptions picked up here are patched manually, and/or other mitigating measures can be taken
-
Recordings are automatically taken of the Fresh Start machines on courses; these can be used to check for any issues when a Trainer prepares a course. Recordings can optionally be made of the Trainer machine and Training Room during a course. This is fully controllable in the UI and can be switched off if it is not required
-
DaDesktop Operating System Templates are usually updated every couple of weeks, with the latest security updates added.