Accreditations

We have an accreditation system for product assurance. Wherever you see one of our badges, you can be sure the following principles have been applied.

Well Engineered

../_images/well-engineered.png

A well-engineered operating system is one that applies sound software- and systems-engineering principles throughout its design, implementation, testing and maintenance phases. In practice, that means it exhibits most or all of the following qualities:

  1. Modularity and Abstraction
    • Cleanly separated components (kernel, device drivers, file systems, network stack, user-space services)

    • Well-defined interfaces and APIs so that one module can be changed or replaced with minimal impact on others

    • Layered design (e.g. hardware abstraction layer, core kernel, system libraries, user processes)

  2. Efficiency and Performance
    • Low overhead in context-switching, interrupt handling and system calls

    • Scalable scheduling and memory-management algorithms that behave well from embedded devices up to many-core servers

    • Optimized I/O and filesystem implementations to maximize throughput and minimize latency

  3. Reliability and Robustness
    • Thorough error-checking and graceful failure modes (e.g. journaling file systems, memory-leak detection)

    • Fault isolation so that bugs or crashes in one part (for example, a buggy driver) don’t bring down the entire system

    • Watchdogs, health checks and recovery mechanisms (auto-reboot, process supervisors)

  4. Security and Isolation
    • Principle of least privilege and mandatory access controls (e.g. SELinux)

    • Strong boundaries between user and kernel space, and between untrusted and trusted components

    • Audit logging, authentication frameworks and defences against common attacks (buffer overflows, race conditions, side-channels)

  5. Portability and Hardware Independence
    • Abstracted hardware interfaces so the same OS core can run on different CPU architectures and platforms

    • Use of a hardware-abstraction layer or bus architecture (e.g. PCI, ARM device trees)

    • Conditional compilation and hardware-specific modules kept out of the core logic

  6. Maintainability and Code Quality
    • Readable, well-documented source code following consistent style guidelines

    • Automated test suites (unit, integration, regression, stress tests) and continuous integration pipelines

    • Effective use of version control, code reviews, issue tracking and release engineering

  7. Extensibility and Configurability
    • Support for dynamically loadable modules (drivers, filesystems, network protocols)

    • Clear configuration mechanisms (compile-time options, run-time tunables, package management)

    • Stable APIs/ABIs to allow third-party extensions without breaking existing software

  8. Usability and Ecosystem
    • Straightforward installation, upgrade paths and rollback mechanisms

    • Consistent user-space tools and documentation (man-pages, tutorials, online resources)

    • A rich ecosystem of applications, libraries and developer communities

  9. Real-Time and Special-Purpose Capabilities (when needed)
    • Deterministic scheduling and bounded-latency interrupt handling for real-time use cases

    • Resource reservations or priority inheritance to meet stringent timing requirements

  10. Measured Engineering Processes
    • Formal or semi-formal methods for specification and verification where appropriate

    • Periodic design reviews, post-mortems on failures, and continual performance/security auditing

    • Roadmaps and lifecycle planning for long-term support and deprecation

In short, a “well-engineered” operating system is more than just “it works.” It embodies rigorous design, careful implementation, comprehensive testing and ongoing maintenance, all aimed at delivering reliable, secure, efficient and maintainable system software across a broad range of use cases.

Well Architected

../_images/well-architected.png

Well-Architected usually refers to the AWS Well-Architected Framework, which codifies best practices for designing and operating cloud workloads. The six pillars are:

  1. Operational Excellence
    • How you run and monitor systems to deliver business value

    • Key practices: change management, incident response, learning from failures

  2. Security
    • Protect data, systems, and assets

    • Key practices: identity and access management, detective controls, infrastructure protection, data encryption

  3. Reliability
    • Ensure a workload recovers from failures and meets demand

    • Key practices: fault isolation, automated recovery, capacity planning

  4. Performance Efficiency
    • Use IT and computing resources efficiently

    • Key practices: selecting the right resource types and sizes, monitoring performance, trade-off analysis

  5. Cost Optimization
    • Avoid unnecessary costs

    • Key practices: controlling where money is spent, selecting cost-effective resources, scaling to meet actual demand

  6. Sustainability
    • Minimize environmental impact of running cloud workloads

    • Key practices: measuring and reducing energy consumption, optimizing resource utilization, considering carbon footprint in design

Applying these pillars helps you build systems that are resilient, secure, efficient, cost-effective and environmentally responsible.

Well Secured

../_images/well-secured.png

A well-secured virtual machine (VM) is one that has been configured, hardened, monitored and maintained so as to minimize its attack surface, protect its data and ensure its integrity, confidentiality and availability. In practical terms, a well-secured VM typically exhibits the following characteristics:

  1. Hardened Operating System and Applications
    • Started from a vetted, up-to-date golden image or template (e.g. a CIS- or vendor-approved baseline)

    • Unnecessary services, packages and daemons disabled or uninstalled

    • Default accounts removed or renamed; strong passwords or key-based login enforced

    • File system permissions tightened; unnecessary ports closed

  2. Timely Patching and Vulnerability Management
    • Automated patch management in place for OS, hypervisor tools and applications

    • Regular vulnerability scans (e.g. with Qualys, Nessus) and prompt remediation

    • Third-party software and libraries kept up to date

  3. Strong Access Controls and Authentication
    • Role-based access control (RBAC) or least-privilege IAM policies for administrators and users

    • Multi-factor authentication (MFA) enforced for console or SSH/RDP logins

    • SSH key-only access (no password SSH) or certificate-based RDP where possible

    • Just-in-time (JIT) or time-limited access tokens for emergency troubleshooting

  4. Network Segmentation and Traffic Filtering
    • Placement behind virtual firewalls or security groups that restrict inbound/outbound traffic to only what’s needed

    • Micro-segmentation between tiers (web, app, database) so a compromise in one VM can’t reach others

    • Network intrusion detection/prevention (IDS/IPS) monitoring east-west and north-south traffic

  5. Encryption and Data Protection
    • Disk-at-rest encryption (e.g. LUKS, BitLocker, cloud-provider volume encryption)

    • Encryption of data in transit (TLS, IPSec VPNs) between VMs and clients or other services

    • Secure key management (hardware security modules or vault services, not embedding keys in VM images)

  6. Monitoring, Logging and Alerting
    • Centralized logging (e.g. syslog, cloud logging services) of system events, authentication attempts and application logs

    • Real-time alerting on suspicious behaviour (multiple failed logins, unexpected process launches, abnormal network connections)

    • Endpoint detection and response (EDR) or host-based intrusion detection (HIDS) agents installed

  7. Minimal Attack Surface and Immutable Infrastructure
    • Infrastructure-as-Code (IaC) or templates used so every VM is built identically and reproducibly

    • Immutable VMs that are discarded and rebuilt rather than manually patched in production wherever practical

  8. Hypervisor and Host Security
    • Hypervisor patched and configured according to vendor hardening guides

    • Management plane (API endpoints, consoles) network-isolated and MFA-protected

    • Hardware virtualisation and platform security features (e.g. Intel VT-x, AMD-V, TPM) enabled to reduce the risk of VM-escape attacks

  9. Backup, Recovery and Resilience
    • Regular, tested backups of VM images and data; off-site or cross-region copies

    • Disaster recovery (DR) plans in place, with automated failover if possible

    • Immutable snapshots or WORM (write-once, read-many) storage for critical data

  10. Compliance and Continuous Improvement
    • Alignment with relevant security frameworks (CIS Benchmarks, NIST, ISO 27001, PCI DSS, HIPAA, etc.)

    • Periodic third-party or red-team penetration testing to validate security posture

    • Continuous review of logs, metrics and threat intelligence to update defences

By covering all these layers (host, hypervisor, guest OS, network, data and operations), a virtual machine can be considered “well-secured.” The exact controls you deploy will depend on your organization’s risk profile, regulatory requirements and business needs, but the core principles (least privilege, defense in depth, automation and monitoring) remain the same.
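As an added example (not part of this accreditation page or its badge criteria), the Python below audits an OpenSSH sshd_config for the key-only-login controls named in items 1 and 3, resolving directives the way sshd does so that a hardening line appended after an earlier weak setting is correctly reported as ineffective. The acceptable-value policy and both sample configs are constructed assumptions; Include directives are not followed.

```python
import re

# keyword -> (value sshd assumes when the keyword is absent, acceptable values).
# Defaults are OpenSSH 7.0+ behaviour; the acceptable sets are this example's assumed policy.
POLICY = {
    "passwordauthentication": ("yes", {"no"}),
    "permitemptypasswords": ("no", {"no"}),
    "permitrootlogin": ("prohibit-password", {"no", "prohibit-password"}),
    "pubkeyauthentication": ("yes", {"yes"}),
}

def effective_settings(config_text):
    """Resolve keyword -> value as sshd does: the FIRST value wins, keywords are
    case-insensitive, 'Key value' and 'Key=value' both parse, and parsing stops
    at the first Match block because values inside it are conditional."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue  # blank line or bare keyword
        key, value = parts[0].lower(), parts[1].lower()
        if key == "match":
            break
        settings.setdefault(key, value)  # a later duplicate is ignored, as in sshd
    return settings

def audit_sshd_config(config_text):
    """Return sorted (keyword, effective_value) pairs that violate POLICY."""
    settings = effective_settings(config_text)
    findings = []
    for key, (default, allowed) in POLICY.items():
        value = settings.get(key, default)
        if value not in allowed:
            findings.append((key, value))
    return sorted(findings)

# Constructed sample: the late "PasswordAuthentication no" never takes effect.
WEAK_CONFIG = """\
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
"""
# Constructed sample: key-only login with root blocked; the Match block is conditional.
HARDENED_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
Match Group sftponly
    ForceCommand internal-sftp
"""
```

Running `audit_sshd_config(WEAK_CONFIG)` reports both password login and root login as open, while the hardened sample returns an empty list.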