Data storage, geography, encryption, security practices etc

A summarisation of security protocols implemented by Mediref for data security. Note - We use AWS infrastructure to provide Mediref's services.

AWS has been provided the highest data security certification available in Australia for cloud service providers, by the Australian Cyber Security Centre (ACSC):

"The Australian Cyber Security Centre (ACSC) has certified Amazon Web Services (AWS) for hosting Australian Government data classified up to the PROTECTED classification level, providing assurance to Australian Government agencies that AWS complies with Australian Government security requirements."

  • ISO Certifications
    These are in place and refer to the security management standards that specify security management best practices
  • Data geography 
    All Mediref code and data is housed in AWS servers in Sydney. Code and data is replicated over a minimum of two, geographically separated, locations to provide redundancy. AWS has a total of three availability zones in Sydney (so as per the OAIC requirements, data does not leave Australian borders)
  • Encryption at rest
    Mediref and AWS both use 256-bit AES encryption for storing data at rest. This is, currently, one of the strongest encryption block ciphers available. This may change in the future if and when required - cryptography and the best practices around it are constantly evolving as computers get more powerful, security exploits continue to be discovered and new cryptographic protocols are created
  • Encryption in transit
    Due to the nature of data in transit, AES encryption (as per above) cannot be used. The current industry standard, and what Mediref uses, is SHA2 (specifically SHA-256). As above, this will likely change and evolve over time
  • Two-factor authentication/rotating API keys
    All access to AWS itself (Mediref's servers/database) are secured via two-factor authentication and/or rotating API keys
  • White-listed IP addresses
    Database access is further protected by an IP address whitelist. While this security practice is slowly being phased out (e.g. with the advent of serverless computing architecture) we still use it where possible to add an additional layer of data security
  • Data physical security
    The following are all in place from a physical security standpoint (for all Mediref data/code):
    • Security guards
    • Fencing
    • Security feeds
    • Fire suppression equipment
    • Backup power

    • More detail and a comprehensive list can be found here

If you have any specific questions about any of the above, or further questions that the above does not cover, please reach out to us.

Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.

Still need help? Contact Us Contact Us