Tuesday October 16, 2018

Data Security & ActivityInfo

  • Host
    Alexander Bertram
About the webinar

This webinar shares important information about the precautions and actions we take to ensure that your data is always safe in ActivityInfo. It also analyses what a threat can be and explains the difference between hosting software in the cloud and hosting it on-premises.

Agenda

  • What is Data Security
  • How your data is secured on ActivityInfo
  • Threat Analysis
  • Cloud vs On-Premises
  • Questions
Transcript

00:00:00 Introduction

Good afternoon. My name is Alex Bertram, I'm the Technical Director at BeDataDriven, the company that runs ActivityInfo. We are very happy to see you here, and it looks like we've got a full house today. Today we're going to cover a number of issues related to data security and ActivityInfo. This is the first time we've given this kind of presentation, so I am very open to questions.

Before we begin, I’d like to do a quick poll. How many people here are using ActivityInfo today? And how many of you are creating your own databases or collecting data with ActivityInfo yourself? Certainly, this presentation is for everybody, but definitely for those people who are entrusting the data that you're collecting with ActivityInfo, I think this is important information to share.

00:03:43 What is data security?

Here at BeDataDriven, we define data security in terms of two commitments to you as users. The first commitment is that the data entered in ActivityInfo should never be lost. This for us is absolutely non-negotiable; it is zero-tolerance. If somebody enters data into ActivityInfo, you need to be able to trust that it is there and go on with your job without worrying about data disappearing.

The second commitment is that your data should never be seen or changed by people who aren't authorized by you. If you create a database on ActivityInfo, you decide who gets to see that data, who is allowed to change that data, and which data they can access. We are 100 percent committed to making sure that nobody else gets to see it, that it is not misused or abused, and that it strictly stays with people who you have authorized. Today, I am going to focus on this second commitment and talk about the steps we take to ensure your data stays confidential.

00:06:19 Security by design

The first step is security by design. We have built ActivityInfo from the ground up to allow you to decide who is allowed to see your data. If you create a database as a database owner, you can go into the design view and choose exactly which users to invite and what permissions they have. For example, are they allowed to view the data or edit the data? Are they allowed to view all of the data or just the data that belongs to their group? This is important for case management or protection issues where you may only want a caseworker to see the data they have entered.

ActivityInfo is unique in allowing you to set record-level security. For each individual case, distribution, or clinic, you can choose on a record-by-record basis who has access to that database based on the user group. We also have a number of things on our roadmap supported by UNRWA, such as making it possible to assign users to multiple groups and setting permissions for specific operations like exporting or deleting.

00:09:31 Infrastructure security

We made a decision early on to run our own data center but to take advantage of a commercial offering from Google: the Google Cloud Platform. This allows us to rent servers from Google, which means our team can focus on developing the application while the task of running the infrastructure is contracted out to a global leader. Concretely, this means we store multiple copies of your data across Europe to ensure it is safe. Google Europe has data centers in Frankfurt, Belgium, the Netherlands, and London. All of your data is stored behind lock and key in Google's data centers, where they implement strict physical security.

This protects us from natural disasters and other wide-scale disasters. Even if an entire city or power grid goes down, we have three backup countries where your data is safely stored and ready to failover instantly. Furthermore, all of your data is encrypted in transit with the highest levels of SSL security from the moment it leaves your laptop.

00:13:15 Legal framework

Beyond physical security, there is the legal framework that surrounds your data. Just as you rely on employment contracts with your employees to ensure they are good stewards of your data, we have a similar relationship with you. When you create a database on ActivityInfo, you sign a Software as a Service contract with us. This is a legally binding contract that spells out exactly what obligations we owe to you regarding the care of your data. Similarly, we have a contract with Google where they guarantee that the data will be safe in their data centers.

In addition to contracts, we abide by laws such as the General Data Protection Regulation (GDPR), which entered into force in May 2018. Under that law, we are a data processor. We are required by law to report any data breaches, and we are not allowed to do anything with the data that you don't explicitly ask us to do. Contracts define and enforce data ownership; the database owner is the legal owner of all data entered into ActivityInfo.

00:21:16 Threat analysis

It is useful to think about threats to confidentiality in two general groups. The first group consists of people who might have a specific interest in your data. The most common threat in this category is actually disgruntled or rogue staff—people in your organization or partners who already have access to the system. The only confirmed security incident we have had in nearly 10 years involved a staff member who was fired and decided to delete data on his way out. Because we don't immediately erase data from our system, we were able to restore it. Other bad actors in this category could include non-state actors or national governments, depending on the sensitivity of your data.

The second group consists of people who are not specifically interested in your data but have an interest in breaking into computer systems. This includes criminals using ransomware or botnet harvesters looking for vulnerable computers to send spam or undertake criminal activities.

00:26:00 Types of attacks

We generally look at three categories of attacks. The first is vulnerability exploitation. This happens when attackers use mistakes or bugs in software (like web servers or operating systems) to gain unauthorized access. There is a race between attackers discovering these bugs and software makers releasing fixes. Because we use Google's infrastructure, our servers are patched within 25 minutes of a vulnerability being known, 24/7. This is a level of responsiveness that is difficult to match if you are hosting data on your own servers.

The second category is social engineering. This is often used when attackers cannot find technical vulnerabilities. They might send a phishing email asking a user to click a link and enter their password. This is likely the single greatest threat to information security among our customers.

The third category is authorization abuse. This occurs when you grant someone access to the data, and they abuse that trust. The best protection against this is ensuring everyone has their own account and password so that you can revoke authorization if necessary. Shared passwords make it very easy for malicious actors to abuse permissions.

00:32:50 Threat targets and mitigation

Attackers can target three different areas. They could try to attack the Google infrastructure, but there are thousands of engineers working to prevent that. They could attack us at BeDataDriven using social engineering on our staff. We take this seriously; only two individuals on our team can access the production database for testing, and all staff are required to use two-factor authentication.

Based on our experience, the single most vulnerable point is your staff and your partner's staff. You must be careful about who you grant access to, ensure everyone has their own credentials, and educate staff about social engineering and recognizing suspicious emails. Additionally, ensure that laptops are updated and use full disk encryption so that if a device is stolen, the data remains inaccessible.

00:37:33 Business continuity

A common question is: how do we ensure ActivityInfo will still run if BeDataDriven ceases to exist? We have been running ActivityInfo since 2010 and have built a strong company with long-term contracts. We have a development team working daily on the software and a transition plan in place. Furthermore, ActivityInfo is open source, which provides extra assurance. If the company were to cease to exist, we would ensure a transition plan for someone else to take over the software.

00:40:30 Cloud vs. On-Premises

We often get asked if organizations can host the data on their own servers. While ActivityInfo is open source, we do not offer support for self-hosting because we cannot guarantee the same level of service, uptime (99.95%), and security that we can with the cloud infrastructure.

The benefits of the cloud include cost-effectiveness—ActivityInfo would be significantly more expensive if we ran our own physical data center—and safety through geographic replication and disaster recovery. If you host on your own servers, your organization must take on the responsibility of having staff available 24/7 to respond to alerts, handle updates, and manage security patches. We believe we can provide an offering on the cloud that is just as secure, if not more so, than a self-hosted solution.

00:43:50 Conclusion and Q&A

We have several upcoming webinars, including sessions on the ActivityInfo API, Form Design, and Case Management. Regarding questions on integrations: Yes, you can connect ActivityInfo to mobile data collection tools. Specifically, we integrate directly with ODK Collect. You design your forms in ActivityInfo, and the data goes directly into the system. For visualization, you can use our API to connect to tools like Power BI.

Thank you very much for joining. We will share the recording of this video and the slides in an email afterwards. If you have any further questions, please contact us through our website.
