Onvia relies on Serverius IT Infrastructure for WAF and load balancing

Onvia migrates SaaS application to Scala Solutions and relies on Serverius WAF and load balancing

Scala Solutions, an ICT company based in Huizen, has been a Serverius IT Infrastructure customer for many years. During 2019 it was approached by Humannet to build and migrate their absence and medical registration SaaS applications to a new platform. The migration was executed in December 2019. Scala Solutions now hosts the SaaS applications in the data centers of Serverius. Serverius provides the required IT security, including the Web Application Firewall (WAF) with built-in load balancing.

At the end of December, a meeting took place in the Serverius data center in Apeldoorn with Harry Immeker, senior consultant at Scala Solutions; Jelmer Hoekstra, operations director, and Mark van der Werf, Business Information Manager, both from Onvia; and Hidde van der Heide, head of R&D at Serverius. After the successful migration, Humannet decided to continue its activities under the new brand: Onvia.

History

Onvia delivers an absence registration application and a filing system for medical professionals. The applications are used by absence supervisors and by external Health and Safety services and physicians. Between 10,000 and 15,000 professionals use the applications every day to organize their own tasks and agendas. The filing system is also the basis for medical records and matters such as communication with the Employed Person’s Insurance Administration Agency (UWV). By using the SaaS solution, users can meet the requirements of the Absenteeism Reduction Act (Wet Poortwachter). Hoekstra: “This Act prescribes all the steps that organizations must take. A group of entrepreneurs saw that a customized application could meet the requirements for actions and documentation in a more efficient and faster way than manual tracking or by using a generic application.” The absence application saw a quick uptake and adoption by the market and is considered the first SaaS application in the country.

The data processed and stored within the application must be well protected because of its personal nature and because medical data is a special category of personal data. Hoekstra points out that the GDPR (AVG) requires additional security measures. “Data security is crucial and the demands of legislators and users are increasing.”

Use case: Scala Solutions

Immeker: “When Onvia approached us to provide the hosting for the SaaS applications, two things quickly became clear. The hosting issue as such could be perfectly taken care of by us. However, there was also a serious number of requirements for security. For this we have directly contacted Serverius. We knew that they had a lot to offer in the field of IT Security. The question was whether that would fully meet the requirements of Onvia.”

At the same time, it was Onvia’s own wish to do business with a company that is closely aligned with its own working method. Hoekstra: “We are very focused on providing services to customers. We pick up the phone quickly and provide answers to all questions. We are renowned for our service-oriented focus and personal support, both of which we also found in Scala Solutions and Serverius.”

Web Application Firewall and load balancing

As a condition for the migration, Onvia required that the applications be highly secure and highly scalable in the new situation. So Immeker approached Van der Heide with the announcement that Scala Solutions could sign a new customer for a heavy cloud application across multiple servers, if Serverius could provide the appropriate load balancing and web application firewalling.

Serverius started developing a WAF service more than a year ago. The first operational version was based on open source software. Van der Heide and his colleagues quickly concluded that this was insufficient for a WAF on Internet scale. A new solution was started from scratch, fully developed in-house using the modern programming language Golang. Van der Heide: “We were already well on the way with the API-based version 2.0 when Immeker called. It soon became apparent that his requirements were already on our roadmap. By shifting some priorities, it should be possible to meet these requirements on time.”

Speed

Typical of the process that followed is that there were no long lines of communication. Hoekstra: “In the beginning we met with Serverius in Meppel twice with a group of our engineers. The three teams, Serverius, Scala Solutions and Onvia, sat together and made an immediate start, followed by direct consultations between the developers. Since then there have been regular contacts between our people and those of Serverius, which is faster and more efficient.” Scala Solutions was of course kept informed of all progress made. The speedy work meant that a first version could be tested within a few weeks. The teams then gradually added rules to the test environment. Per line, the parties monitored whether the application remained usable.

Traffic

Adding rules to the WAF step by step, specifically for Onvia, was necessary because the application has a very different traffic pattern from the websites to which the standard WAF rules apply. Van der Heide: “A Joomla or WordPress site is primarily one-way traffic where users usually request data. The SaaS applications from Onvia are by definition two-way traffic. Users not only receive data, they also send data to the application. Furthermore, data must always be stored encrypted and the application must be available at all times.”

Van der Werf: “Onvia is an absence registration application, to which many other systems of our customers are connected and rely upon. The data should be available to authorized personnel only. We therefore ensure at application level that no malicious uploads are possible. The WAF ensures that the data on the servers and the databases is really secure.”

Hoekstra mentions another aspect: “We ensure that nobody has access to more than what they are entitled to. Furthermore, we must be legally compliant by recording who saw what and when. That means, for example, that we have to keep track of every file that has been read, even if no changes were made.” What Hoekstra describes has been important since GDPR became effective, because the stored data consists of regular and special categories of personal data.

The Serverius WAF offers the possibility to monitor and log all traffic to and from the application 24/7. That data is made available via an API to Scala Solutions, the IT operator of the SaaS platform. It processes the data in its own monitoring tooling. Scala Solutions is therefore constantly informed of the performance, security threats or incidents. This information is also forwarded to Onvia on a real-time basis.

Deadlines and Certifications

The speed at which Serverius was able to add the requested load balancing functionality to the WAF was repeatedly discussed. Immeker and Hoekstra explain why this was so important to them. “When we got the request from Onvia, they made it clear that the solution had to be up and running before January 1st, 2020,” says Immeker. “I relayed that prerequisite to the Serverius team from the start. If the deadline would be a problem, we needed to opt for an alternative. But luckily it wasn’t necessary, because within a few weeks there was already a first test version and it looked promising.”

“Immeker is correct on this point,” says Hoekstra, and he addresses the reason for the hard deadline. Humannet became an independent organization as of mid-2019. That means little for business operations, but for IT it is a different story. The hosting was still on the platform of the company of which it was previously part. Migration was therefore necessary, and it had to be completed before January 1st, 2020. “To be able to offer our services, we must be ISO 27001 and NEN 7510 certified. We have been that for years. The annual audit starts in January 2020, and by finalizing the migration before the end of the year, the audit could take place based on the new situation,” adds Hoekstra.

100% Dutch stack

The requirements that both legislators and customers place on the Onvia applications go beyond the ISO and NEN certifications. Hoekstra and Van der Werf state that the data may be migrated and stored within the boundaries of the EU, but certainly not outside. The choice for a Dutch IT supplier and a Dutch data center was not a strict requirement, but turned out to be the only practical solution. Hoekstra: “Dutch legislation is simply much easier to understand for customers and ourselves. As soon as you put the application and data across the border or in a global cloud, conditions and SLAs must be translated. That would make it unnecessarily difficult for all of us.”

Van der Werf explains that this decision has worked well for the company in the past. “We have always used the fact we use Dutch IT services as a USP. The Serverius services are also certified and with the addition of the WAF, our applications have become even better.” Van der Heide confirms this and adds that the entire stack of Onvia is now 100% Dutch. “The application is Dutch, the IT organization that does the management and the data center as well. All data remains guaranteed in the Netherlands. That is a very strong USP.”

Because the entire stack is Dutch, the safety of the service can also be increased in another way. Van der Heide: “The WAF of Serverius is the only one in the market that offers the option of explicitly allowing or excluding countries.” Access to Onvia’s services is limited to the Netherlands and a number of countries immediately surrounding it. According to Hoekstra, the latter is particularly desirable during the holiday periods because reports and changes can, if needed, also be processed by authorized users who are then on holiday.

Rebranding to Onvia

At the end of the interview, participants were asked what went best during the process. Everyone praised the collaboration and the speed of the whole process. The deadline was met effortlessly. At the time of the interview, it was two weeks since the migration and there had been no incidents so far.

At that point, Van der Werf’s response also showed why the deadline was even more important. As an independent entity, Onvia could operate under its newly chosen name. “We have been officially rebranded to Onvia since December. This was intensively communicated, and we also informed the market that a technical migration took place under water, because logins had to be made via a different URL.” It is the timing of the announcement of the new name Onvia and the need for certification audits that set the deadline for migration and the activation of the Serverius WAF.

“There were no incidents. It was the dream scenario for which we all worked together”

Dream scenario

Hoekstra: “I scaled up big for the day of the migration. The teams at Scala Solutions and Serverius were also ready to identify and resolve incidents as quickly as possible. But there were no significant incidents whatsoever. This was the dream scenario for which we all worked so hard.”

The Onvia application has become faster, which was not a specified requirement. The platform that Scala Solutions offers is both flexible and robust. It is now a device- and location-redundant platform. Safety has been brought to the highest levels by the Serverius WAF. The three parties all indicate that it is the perfect basis to continue building upon. Van der Werf: “It has become better and safer for existing customers.” Hoekstra expects it will now be easier for Onvia to compete in tenders. “Requirements for infrastructure and security can be checked without reservation. The preparation of the processor agreements has also become a lot easier. This is all extremely positive for our business.”