Hosting security comparison: Managed Data Centre | Amazon Web Services | Google AppEngine

Each question below is answered in that order: first the managed data centre, then Amazon Web Services, then Google AppEngine.
What physical controls are in place to protect the servers my applications and data are hosted on?
|
The infrastructure is hosted at premises that provide the following facilities:
• Data centre facilities are monitored and recorded on a 24 x 7 x 365 basis;
• Resilient power supplied on separate feeds;
• UPS and generator backups;
• Fire detection and suppression facilities;
• Temperature and humidity controlled environments;
• Equipment is installed in dedicated physical racks;
• CCTV cameras and key card access protection;
• Premises are monitored by a 24 x 7 x 365 security guard;
• Smart card keys are provided on access to the premises at security;
• Smart card keys must be returned on departure;
• Access will only be provided by prior agreement and on presentation of approved photo ID.
Visitors
|
AWS data centers are housed in nondescript facilities, and critical facilities have extensive setback and military-grade perimeter controls as well as other natural boundary protection. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state-of-the-art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication no fewer than three times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.
|
Many Google datacenters are wholly owned and managed, ensuring that no outside parties can gain access. The geographic locations of the datacenters were chosen to give protection against catastrophic events. Only select Google employees have access to the datacenter facilities and the servers contained therein, and this access is tightly controlled and audited. Security is monitored and controlled both locally at the site and centrally at Google’s worldwide security operations centers.
|
|
What authentication mechanisms are in place for support staff to access the systems?
|
Remote access is via a VPN connection which requires two-factor authentication. Once access has been granted via the VPN, a further individual username/password combination is required to access the hosts.
|
AWS administrators with a business need are required to use their individual cryptographically strong SSH keys to gain access to a bastion host. These bastion hosts are specifically built systems that are designed and configured to protect the management plane of the cloud. Once connected to the bastion, authorized administrators are able to use a privilege escalation command to gain access to an individual host.
|
All access to production systems is conducted by personnel using encrypted SSH (secure shell).
|
|
What is the password policy?
|
The password policy mandates the use of complex passwords, with a password history that prevents reuse of any of the previous 10 passwords. Passwords must be changed every 42 days. See attached policy.
|
Virtual instances are completely controlled by the customer. They have full root access and all administrative control over additional accounts, services, and applications. AWS administrators do not have access to customer instances and cannot log into the guest OS. Customers should disable password-based access to their hosts and use token- or key-based authentication to gain access to unprivileged accounts.
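An added example (not code from the AWS documentation quoted above) of checking that a host actually meets the key-only recommendation: a small Python auditor for OpenSSH's sshd_config. The two configurations are constructed for the example. The checker mirrors two sshd behaviours that trip up a naive grep: the first value seen for a directive wins, and an absent directive takes the compiled-in default (so a file that never mentions PasswordAuthentication still allows passwords). Directives inside a Match block are ignored because they apply only conditionally. The defaults table assumes a current OpenSSH release.

```python
"""Audit an OpenSSH sshd_config for password-based access (added example)."""

# Hypothetical weak configuration, constructed for this example.  It never
# sets PasswordAuthentication, so sshd's default of "yes" applies.
WEAK_SSHD_CONFIG = """\
Port 22
# root login and keyboard-interactive left open
PermitRootLogin yes
ChallengeResponseAuthentication yes
"""

# Hypothetical hardened configuration: key-based logins only, no root.
HARDENED_SSHD_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
"""

# sshd's compiled-in defaults for the directives audited here (current
# OpenSSH; releases before 7.0 defaulted PermitRootLogin to "yes").
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
}

# Values a key-only access policy requires.
REQUIRED = {
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",
    "permitrootlogin": "no",
    "pubkeyauthentication": "yes",
}


def parse_sshd_config(text):
    """Return {keyword: value} for the global section of an sshd_config.

    sshd uses the *first* value it sees for a keyword, so later duplicates
    are ignored here too.  Parsing stops at the first Match block because
    the directives after it apply only when the Match criteria are met.
    Keywords are case-insensitive; "Keyword value" and "Keyword=value"
    are both accepted.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(keyword, value)   # first occurrence wins
    return settings


def audit_sshd_config(text):
    """Return a list of (keyword, effective_value, required_value) findings.

    The effective value is what sshd would actually use: the configured
    value if present, otherwise the compiled-in default.
    """
    settings = parse_sshd_config(text)
    findings = []
    for keyword, required in REQUIRED.items():
        effective = settings.get(keyword, DEFAULTS[keyword])
        if effective != required:
            findings.append((keyword, effective, required))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd_config(cfg))
```

Run against a real host with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; an empty list means every audited directive resolves to the key-only value. Remember that after editing the file the running daemon must be reloaded for the change to take effect.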
|
Google gives businesses the control to integrate corporate security, access, auditing, and authentication methodologies into Google Apps. Google Apps provides a single sign-on API based on SAML 2.0 which lets companies use existing authentication mechanisms to let users access Google Apps.
|
|
What is the change management policy?
|
A defined change management policy is in effect. This details the procedure for deploying changes to the infrastructure.
|
Virtual instances are completely controlled by the customer.
|
Controls provide reasonable assurance that Google Apps systems are redundant and that incidents are properly reported, responded to, and recorded.
|
|
What is the anti-virus and patching policy?
|
All machines have anti-virus agents installed. Virus definitions are kept up to date automatically via the centralised anti-virus management server. Patches are deployed following the three-stage change management process (Test -> Stage -> Production). The process is automated using an internal update server on which patches are approved for deployment to each environment.
Patches are deployed to the test environment as soon as they are made available. Patches are then assessed against the following criteria and deployed to the production environment according to the category assigned to the patch:
• Stability in test and stage environments; and
• No adverse reports from news groups.

Category    Description
Emergency   Patch required to address an imminent threat to the network
Critical    Patch required to address an identified security vulnerability
|
Virtual instances are completely controlled by the customer.
|
All software is scanned using a variety of commercial and proprietary network and application scanning packages. The Google Security team also works with external parties to test and enhance Google’s infrastructure and application security posture.
|
|
What is the incident response policy?
|
A defined incident response procedure is to be followed in the event of a security incident occurring or being suspected. The procedure ensures that incidents are dealt with in a consistent manner and that those who need to be informed are kept apprised of the situation. A record of the details of the incident and the response is kept using the standard response procedure form. The incident response policy can be supplied on request.
|
AWS has a Service Health Dashboard where it publishes the most up-to-the-minute information on service availability. Users can subscribe to an RSS feed to be notified of interruptions to service, and can also submit a service issue report. Two AWS Premium Support offerings (Silver and Gold) provide fast, predictable response times, an unlimited number of support cases, and personalized support from AWS developer support engineers (with as-needed escalation to Service Specialists). Around-the-clock (24x7x365) coverage and telephone support for mission-critical applications are available under the Gold Support plan.
|
The Google Security team audits all infrastructure for potential vulnerabilities and works directly with engineering to correct any known issue immediately. Google Apps Premier Edition customers are notified of user-impacting security issues as soon as practicable via email.
|
|
What Business continuity facilities are offered? (What backup facilities are offered?)
|
The security and other measures that we have in place are intended to greatly reduce the chances of an event occurring that disrupts the ability to deliver services. Notwithstanding this, the following measures are in place to assist business continuity in the event that such a disruption does occur:

Backups
• Database backups are performed each night, are fully encrypted, and are stored on disk for a minimum of 3 days.
• The encrypted database backups are then backed up to tape and the tapes stored at a secure off-site location. This is referred to as a D2D2T (Disk to Disk to Tape) method.
• For other application and web servers, specific configuration files are backed up to their respective resilient servers and then backed up to tape.
• Daily backup checks are performed, including a pre-check of job status to ensure tapes are available and servers are accessible; any errors are notified to the appropriate support personnel.
• Quarterly data recovery tests are performed and are internally audited.
|
Data stored in Amazon S3, Amazon SimpleDB, or Amazon Elastic Block Store is redundantly stored in multiple physical locations as a normal part of those services and at no additional charge. Data that is maintained within running instances on Amazon EC2, or within Amazon S3 and Amazon SimpleDB, is all customer data and therefore AWS does not perform backups.
|
Data is replicated multiple times across Google’s clustered active servers, so, in the case of a machine failure, data will still be accessible through another system. In addition, user data is replicated across datacenters. As a result, if an entire datacenter were to fail or be involved in a disaster, a second datacenter would be able to immediately take over and provide services to users.
|
|
What information system security controls are implemented to assist in the prevention of unauthorised access to services ?
|
Security is provided at a number of layers:
• The first layer of defence is the firewall.
• The second layer of defence is the inline IPS devices, which are designed to identify suspect traffic before it reaches the web servers; only legitimate data is allowed through to the web servers, and suspect traffic wrapped within HTTP/HTTPS packets is discarded.
• The third layer of defence is on the servers themselves: hardening, anti-virus protection, patching with appropriate security patches, and the use of filtering solutions such as URLScan (or equivalent) on the web servers to discard suspect traffic.
• The fourth layer of defence is the applications themselves, which are subjected to a security assessment using an internal application security assessment tool as part of regular deployment activities, together with quarterly external vulnerability assessments. Applications must comply with the assessment requirements before being put into production.
• The fifth layer of defence is staff vigilance, monitoring, etc.
|
Security within Amazon EC2 is provided on multiple levels: The operating system (OS) of the host system, the virtual instance operating system or guest OS, a stateful firewall and signed API calls. AWS administrators are required to use their individual cryptographically strong SSH keys to gain access to a bastion host. These bastion hosts are specifically built systems that are designed and configured to protect the management plane of the cloud. Once connected to the bastion, authorized administrators are able to use a privilege escalation command to gain access to an individual host. All such accesses are logged and routinely audited. Amazon EC2 provides a complete firewall solution; this mandatory inbound firewall is configured in a default deny mode and the Amazon EC2 customer must explicitly open any ports to allow inbound traffic. The AWS network provides significant protection against traditional network security issues and the customer can implement further protection.
|
The web server layer is specially designed and implemented by Google to expose only the capabilities required for operation of specific applications. It is therefore not as vulnerable to the wide range of attacks that most commercial software would be susceptible to. Google has also made modifications to core libraries for security purposes. Google’s servers are also protected by multiple levels of firewalls to protect against attacks. Traffic is inspected as appropriate for attempted attacks, and any attempts are dealt with to protect users’ data.
|
|
Who will have access to my data , how can we audit this and provide me with visibility?
|
IT staff who work on client information are security cleared by a third-party specialist company to British Standard 7858:2004; this clearance includes 10-year background and Criminal Records Bureau checks. Every user who has access to the systems has an assigned unique ID. Access is audited via a combination of event logs, firewall logs, database auditing and file integrity solutions.
|
Virtual instances are completely controlled by the customer. AWS administrators do not have access to customer instances and cannot log into the guest OS. Customers have full flexibility to determine how, when, and to whom they wish to expose the information they store in AWS; Amazon S3 APIs provide both bucket- and object-level access controls, and the customer maintains full control over who has access to their data.
|
Google employees will access your account data only when an administrator from your domain grants Google employees explicit permission to do so for troubleshooting purposes.
|
|
How is my data segregated from other client data?
|
Client data is tagged with a unique client identifier, and that identifier is used to segregate each client’s data from other clients’ data.
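As an added example of what segregation by client identifier must mean in practice (this is not the provider's code), the following Python/sqlite3 snippet contrasts a lookup that trusts the record id alone with one that scopes every query by the authenticated client's identifier. The weakness it illustrates is the usual one in shared-table designs: the identifier exists on every row, but a query that does not include it in its predicate lets any client read any row whose id it can guess. The table name, columns and sample rows are constructed for the illustration.

```python
"""Tenant segregation by client identifier in a shared table (added example)."""
import sqlite3

# Constructed sample data: two hypothetical clients sharing one table.
SAMPLE_ROWS = [
    (1, "acme", "acme-invoice-001"),
    (2, "acme", "acme-invoice-002"),
    (3, "globex", "globex-payroll-q1"),
]


def build_db():
    """In-memory database in which every row carries its owning client_id."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents ("
        " id INTEGER PRIMARY KEY,"
        " client_id TEXT NOT NULL,"
        " body TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO documents VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def fetch_document_unscoped(conn, doc_id):
    """Insecure: the client identifier is stored but never checked, so a
    client that guesses or enumerates ids can read another client's row."""
    row = conn.execute(
        "SELECT body FROM documents WHERE id = ?", (doc_id,)
    ).fetchone()
    return row[0] if row else None


def fetch_document(conn, client_id, doc_id):
    """Scoped: client_id comes from the authenticated session, never from
    the request body, and is part of every predicate.  A foreign id simply
    does not exist from this client's point of view."""
    row = conn.execute(
        "SELECT body FROM documents WHERE client_id = ? AND id = ?",
        (client_id, doc_id),
    ).fetchone()
    return row[0] if row else None


def list_documents(conn, client_id):
    """Listings are scoped the same way; returns the client's document ids."""
    cur = conn.execute(
        "SELECT id FROM documents WHERE client_id = ? ORDER BY id", (client_id,)
    )
    return [r[0] for r in cur.fetchall()]


if __name__ == "__main__":
    db = build_db()
    # Client "globex" asks for document 1, which belongs to "acme".
    print(fetch_document_unscoped(db, 1))    # acme-invoice-001 (leaked)
    print(fetch_document(db, "globex", 1))   # None
    print(list_documents(db, "acme"))        # [1, 2]
```

The same rule applies to updates and deletes, and to every code path that builds a query: the scoped form returns "not found" rather than "forbidden" for another client's id, so the existence of foreign records is not revealed either. Parameterised queries are used throughout so that the identifier cannot also be a vehicle for SQL injection.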
|
Different instances running on the same physical machine are isolated from each other utilizing the Xen hypervisor. A firewall resides within the hypervisor layer, between the physical interface and the instance’s virtual interface. All packets must pass through this layer, thus an instance’s neighbors have no additional access to that instance and can be treated as if they are on separate physical hosts. The physical RAM is separated using similar mechanisms. Customer instances have no access to raw disk devices, but instead are presented with virtualized disks. The AWS proprietary disk virtualization layer automatically wipes every block of storage used by the customer, and guarantees that one customer’s data is never exposed to another. AWS recommends that customers further protect their data using appropriate means. The customer maintains full control over who has access to their data.
|
User data is only accessible with appropriate credentials, ensuring that there is no possibility of one customer having access to another customer’s data without explicit knowledge of their login information. Data is virtually protected as if it were on its own server. Unauthorized parties cannot access your data. Your competitors cannot access your data, and vice versa. In fact, all user accounts are protected via this virtual lock and key that ensures that one user cannot see another user’s data. This is similar to how customer data is segmented in other shared infrastructures such as online banking applications. Google Apps has received a satisfactory SAS 70 Type II audit.
|
|
What encryption options are there?
|
EV SSL-encrypted endpoints are in place. Sensitive data can be encrypted using an appropriate level of encryption, e.g. RSA with a 2048-bit key or Triple DES (now deprecated for new deployments).
|
API calls to launch and terminate instances, change firewall parameters, and perform other functions are all signed by an X.509 certificate or the customer’s Amazon Secret Access Key. Without access to the customer’s Secret Access Key or X.509 certificate, Amazon EC2 API calls cannot be made on their behalf. In addition, API calls can be encrypted in transit with SSL to maintain confidentiality. Amazon recommends always using SSL-protected API endpoints. SimpleDB is accessible via SSL-encrypted endpoints. Users can encrypt their data before it is uploaded to Amazon S3 so that the data cannot be accessed or tampered with by unauthorized parties.
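An added illustration (not AWS's own code) of how such request signing binds a request to the caller's secret: an HMAC-SHA256 scheme in the style of AWS Signature Version 2, with the verifying side recomputing the signature over everything it received and rejecting any request whose parameters, method or host were altered in transit. The access key and secret are constructed, non-functional values, and the host and path are assumptions; the parameter names follow the EC2 query API but the mechanism is generic.

```python
"""HMAC request signing in the style of AWS Signature Version 2 (added example)."""
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed, non-functional credentials for this example only.
ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE00"
SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"


def _encode(value):
    """RFC 3986 percent-encoding: only unreserved characters stay literal."""
    return quote(str(value), safe="-_.~")


def canonical_query_string(params):
    """Sort parameters by byte order and encode names and values, so both
    sides derive the identical string regardless of how the client ordered
    them on the wire."""
    return "&".join(f"{_encode(k)}={_encode(v)}" for k, v in sorted(params.items()))


def string_to_sign(method, host, path, params):
    """Bind the HTTP method, lower-cased host, path and the complete
    parameter set into the single string that gets MACed."""
    return "\n".join([method.upper(), host.lower(), path, canonical_query_string(params)])


def sign_request(secret, method, host, path, params):
    """Client side: return the parameters plus a base64 HMAC-SHA256 Signature.

    The secret never leaves the caller; only the MAC is transmitted.
    """
    signed = dict(params)
    signed.setdefault("SignatureMethod", "HmacSHA256")
    signed.setdefault("SignatureVersion", "2")
    mac = hmac.new(
        secret.encode(),
        string_to_sign(method, host, path, signed).encode(),
        hashlib.sha256,
    ).digest()
    signed["Signature"] = base64.b64encode(mac).decode()
    return signed


def verify_request(secret, method, host, path, params):
    """Server side: recompute over everything except Signature and compare
    in constant time, so a tampered parameter, a different method or host,
    or a wrong secret all fail."""
    presented = params.get("Signature")
    if presented is None:
        return False
    unsigned = {k: v for k, v in params.items() if k != "Signature"}
    expected = sign_request(secret, method, host, path, unsigned)["Signature"]
    return hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    request = {
        "Action": "DescribeInstances",
        "AWSAccessKeyId": ACCESS_KEY_ID,
        "Timestamp": "2009-01-01T00:00:00Z",   # included so old requests expire
        "Version": "2008-12-01",
    }
    signed = sign_request(SECRET_ACCESS_KEY, "GET", "ec2.amazonaws.com", "/", signed if False else request)
    print(verify_request(SECRET_ACCESS_KEY, "GET", "ec2.amazonaws.com", "/", signed))   # True
    signed["Action"] = "TerminateInstances"
    print(verify_request(SECRET_ACCESS_KEY, "GET", "ec2.amazonaws.com", "/", signed))   # False
```

Two points the signature alone does not cover: the Timestamp (or an Expires parameter) must be checked by the server to bound replay of a captured signed request, and the signature protects integrity and origin, not confidentiality, which is why the text above still recommends SSL-protected endpoints.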
|
Access to the web-based administrative console for Google Apps, as well as to most end-user applications, is offered through a Secure Sockets Layer (SSL) connection. Google offers HTTPS access to most services within Google Apps, and the product can be set up to allow only HTTPS access to key services.
|
|
One of my clients has a requirement that their data is not held anywhere except within the EU. How will you address this?
|
The data centre is located in the UK; a site visit can be arranged to verify the location.
|
Regions consist of one or more Availability Zones, are geographically dispersed, and are located in separate geographic areas or countries. Amazon EC2 is currently available in two regions: one in the US and one in Europe.
|
Google adheres to the U.S. Safe Harbor Privacy Principles of Notice, Choice, Onward Transfer, Security, Data Integrity, Access and Enforcement, and is registered with the U.S. Department of Commerce’s Safe Harbor Program.
Generally, an organization must decide whether its use of Google Apps is compliant with any regulations it may be subject to.
|
|
What type of certification is held to demonstrate that sound corporate practices are adhered to?
|
Staff are ITIL certified. The data centre is certified against ISO 27001. PCI compliance has been achieved.
|
AWS is working with a public accounting firm to ensure continued Sarbanes Oxley (SOX) compliance and attain certifications such as recurring Statement on Auditing Standards No. 70: Service Organizations, Type II (SAS70 Type II) certification.
|
We work to ensure that our processes meet (and in many cases exceed) industry standards. These include audits for Sarbanes-Oxley, SAS 70, PCI (payment card industry) compliance, and more. By working with independent auditors, who evaluate compliance with standards that hold hundreds of different companies to very rigorous requirements, we add another layer of checks and balances to our security processes.
|
|
References
|
|
Amazon Web Services: Overview of Security Processes. http://developer.amazonwebservices.com/connect/entry!default.jspa?categoryID=152&externalID=1697&fromSearchPage=true and http://developer.amazonwebservices.com/connect/entry.jspa?externalID=1927
|
Google: the same security, privacy and data protection policies that apply to Google’s own applications apply to all App Engine applications. http://googleblog.blogspot.com/2008/03/how-google-keeps-your-information.html
Comprehensive review of security and vulnerability protections for Google Apps: ds_gsa_apps_whitepaper_0207.
http://www.google.com/support/a/bin/answer.py?answer=60762
http://www.export.gov/safeharbor/
|