Security Practices, Policies & Infrastructure
This document outlines some of the mechanisms and processes in use, by our providers, to help ensure that your data is protected. The below security practices are grouped in four different areas: Physical Security; Network Security; People Processes and Redundancy and Business Continuity.
The data centers our providers use are hosted in some of the most secure facilities available today in locations that are protected from physical and logical attacks, as well as from natural disasters such as earthquakes, fires, floods, etc.
- 7x24x365 Security. The data centers that host your data are guarded seven days a week, 24 hours a day, each and every day of the year by private security guards.
- Video Monitoring. Each data center is monitored 7x24x365 with night vision cameras.
- Controlled Entrance. Access to the data centers are tightly restricted to a small group of pre-authorized personnel.
- Biometric, two-Factor Authentication. Two forms of authentication, including a biometric one, must be used together at the same time to enter data centers.
- Undisclosed locations. Servers are located inside generic-looking, undisclosed locations that make them less likely to be a target of an attack.
- Bullet-resistant walls. Servers are guarded safely inside bullet-resistant walls.
A network security team and infrastructure helps protect your data against the most sophisticated electronic attacks. The following is a subset of the network security practices. These are intentionally stated in a very general way, since even knowing what tactics are used is something hackers crave.
- 128/256-bit SSL. The communication between the computers and the servers is encrypted using strong 128-bit keys (256-bit keys in many cases). What this means is that even if the information traveling between the computers and the servers were to be intercepted, it would be nearly impossible for anyone to make any sense out of it.
- IDS/IPS. The network is gated and screened by highly powerful and certified Intrusion Detection / Intrusion Prevention Systems.
- Control and Audit. All accesses are controlled and also audited.
- Secured / Sliced Down OS. Applications used run inside a secured, sliced-down operating system engineered for security that minimizes vulnerabilities.
- Virus Scanning. Traffic coming into Servers is automatically scanned for harmful viruses using state of the art virus scanning protocols which are updated regularly.
Designing and running data center infrastructure requires not just technology, but a disciplined approach to processes. This includes policies about escalation, management, knowledge sharing, risk, as well as the day to day operations. The security team protecting your data has years of experience in designing and operating data centers and continually improves the processes over time. This team has developed world class practices for managing security and data protection risk.
- Select Employees. Only employees with the highest clearance have access to the data center data. Employee access is logged and passwords are strictly regulated. There is limited access to customer data to only a select few of these employees who need such access to provide support and troubleshooting on the customers' behalf.
- Audits. Audits are regularly performed and the whole process is reviewed by management
- As-Needed Basis. Accessing data center information as well as customer data is done on an as-needed only basis, and only when approved (i.e. as part of a support incident), or by senior security management to provide support and maintenance.
Redundancy and Business Continuity
One of the fundamental philosophies of cloud computing is the acknowledgment and assumption that computer resources will at some point fail. The systems and infrastructure have been designed with that in mind.
- Distributed Grid Architecture. The services run on a distributed grid architecture. That means a server can fail without a noticeable impact on the system or services. In fact, on any given week, multiple servers fail without customers ever noticing it. The system has been designed knowing that servers will eventually fail - the infrastructure has been implemented to account for that.
- Power Redundancy. Servers are configured for power redundancy – from power supply to power delivery.
- Internet Redundancy. Our provider is connected to the world –and us- through multiple Tier-1 ISPs. So if any one fails or experiences a delay, you can still reliably get to your information.
- Redundant Network Devices. Systems run on redundant network devices (switches, routers, security gateways) to avoid any single point of failure at any level on the internal network.
- Redundant Cooling and Temperature. Intense computing resources generate a lot of heat, and thus need to be cooled to guarantee a smooth operation. Servers are backed by N+2 redundant HVAC systems and temperature control systems.
- Geo Mirroring. Customer data is mirrored in a separate geographic location for Disaster Recovery and Business Continuity purposes.
- Fire Prevention. The data centers are guarded by industry-standard fire prevention and control systems.
- Data Protection & Back-up. User data is backed-up periodically across multiple servers, helping protect the data in the event of hardware failure or disaster.
SOC 2 - SOC 2 is an evaluation of the design and operating effectiveness of controls that meet the AICPA’s Trust Services Principles criteria.
The following are the Trust Service Principles:
- Security: The system is protected against unauthorized access (both physical and logical).
- Availability: The system is available for operation and use as committed or agreed.
- Processing Integrity: System processing is complete, accurate, timely, and authorized.
- Confidentiality: Information designated as confidential is protected as committed or agreed.
- Privacy: Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles issued by the AICPA and CICA.
The work being done by security researchers in improving the security of service offerings and the commitment to working with the community to verify, reproduce, and respond to legitimate reported vulnerabilities is valued by the provider. To report a security issue please contact us.