Hosted Microsoft Exchange System Architecture

SilverSky
440 Wheelers Farms Road, Suite 202, Milford CT
silversky.com
2013 SilverSky
Contents

Exchange Architecture Summary
Exchange Architecture
Storage Architecture
Fully Redundant Data Centers
Client Access
Mobile Technology Support
Gateway and Secure Messaging Services
Complete Security
Monitoring
Processes and Controls
Change Control Process Overview
Premier People and Support
Conclusion
SilverSky Certifications
Financial Strength
Analyst Approved
About SilverSky
Exchange Architecture Summary

SilverSky Delivers Security from the Cloud

+ SilverSky operates a state-of-the-art Microsoft Exchange environment that spans multiple geographic locations and serves more than 6,700 customers in highly regulated industries, including financial services, manufacturing, transportation, entertainment, healthcare, retail and government.
+ The SilverSky cloud platform is comprised of carrier-grade infrastructure and built to meet the mission-critical needs of the most demanding global enterprises. Our cloud platform is the only solution to bring together SaaS suites for both email and network protection and fully complement them with industry-leading managed services. Additionally, SilverSky maintains financially-backed SLAs that offer 100% guaranteed availability.
+ SilverSky's distributed and fully-redundant data centers feature restricted access, surveillance, redundant HVAC air filtration systems, waterless fire suppression systems, raised flooring, and uninterrupted power supply systems with diesel backup generators. Our network operations staff monitors the entire SilverSky cloud infrastructure 24x7 year round.
+ SilverSky's facilities and processes undergo continuous quality assessments, with rigorous third party attestations including annual AICPA SOC 2 and Verizon Cybertrust security audits. Moreover, SilverSky is the only major cloud messaging provider under FFIEC (Federal Financial Institutions Examination Council) oversight, which requires SilverSky to operate within the same stringent security guidelines as banks. As a result, all customers gain superior cloud services through all these certifications.
+ SilverSky has unmatched security expertise. Our security analysts have earned multiple advanced security certifications including CISSP, GSEC, CEH, CCSP, CCNA, CISM, Security+, Linux+, Project+, and Intellitactics.
Manned by more than 50 certified security experts providing 24x7 monitoring, alerting and reporting, the SilverSky security operations center serves as the foundation for delivering and securing our cloud and network security products and services.
+ SilverSky has earned a reputation for outstanding high-touch customer service and support. Unlike other companies in the market, SilverSky is solely focused on secure communications and network security; we don't have other business lines competing for resources. Our customers benefit from our focus and dedication to serving our customers.

Our Mission

SilverSky tirelessly safeguards your most important information to enable you to pursue your business ambitions without security worry.

+ We simplify how our customers secure their information.
+ We manage our customers' email and collaboration applications, secure their sensitive data, and monitor their networks 24x7 for intrusions, all from our cloud.
+ We enable growth-minded leaders to pursue their business ambitions without security worry.
Exchange Architecture

SilverSky's Exchange architecture is built modularly to ensure easy and quick scalability as our customer base expands. SilverSky's messaging infrastructure employs best-of-breed hardware and software applications including: network devices from Cisco Systems, F5 Networks, and Check Point; storage devices from NetApp; software from Microsoft; virus scanning by Trend Micro; spam filtering by Brightmail and Cloudmark; and HP servers. SilverSky leverages experience, expertise, strategic partnerships, best practices, and advanced technologies to enhance the design, performance, and security of its hosted messaging services.

No single point of failure exists within the architecture and every piece of equipment used is completely redundant. SilverSky's redundant platform infrastructure is designed to withstand failure at multiple points throughout the architecture without service degradation. In the event the Exchange service is down, SilverSky customers still have access to mission-critical message anti-virus/anti-spam ( Security) and with continuity to keep their business running.

The internet border routers are a redundant pair of service provider-class network devices terminating one 2 Gb/s circuit from one carrier, and a separate 1 Gb/s circuit from a different carrier on separate fiber rings and physical entry points into the data center. If one carrier experiences a fiber cut or other issues with their service, SilverSky customers are quickly redirected to alternate routes. SilverSky also closely monitors network utilization and ensures that there is abundant capacity above peak utilization.
[Figure: Exchange 2007 and Exchange 2010 architecture. Client protocols: HTTPS (OWA and RPC/HTTPS), SMTP, POP/S-POP, IMAP/S-IMAP; redirect for Exchange 2007 OWA, EWS and Autodiscover; RPC proxy for Exchange 2007 RPC/HTTP, IMAP, POP and ActiveSync (EAS). Components: Provisioning (Provisor v7.5), CAS, HUB, virtual machines, MBX servers in a Database Availability Group, GC, MSA2000 storage, Exchange SnapMirror between Denver and JCY. Sidebar: SilverSky's Technology Partners.]
Storage Architecture

[Sidebar labels: Network Core; Public Network; Restricted Network]

SilverSky's core network architecture, using proven best-of-breed Cisco technology, connects all of the Exchange distribution and access layer switches and facilitates communication throughout the environment. Each switch has redundant links and failover protocols. Every server is distributed throughout the core devices so that no two servers performing the same function are connected to the same module or switch. This prevents disruption of service if a single module or an entire switch were to fail.

The front-end network consists of publicly accessible servers load balanced by devices from F5. RPC over HTTPS (Outlook Anywhere), Outlook Web App (OWA), IMAP, POP, and SMTP are all protocols that are load balanced and completely redundant. If a message server fails, the redundant hardware load-balancing device removes that server and associated services from the available server pool. Multiple servers may fail before service would be disrupted or degraded. Secure Sockets Layer (SSL) is used to secure the communication for RPC/HTTPS, OWA, IMAP, POP, and SMTP client access.

The back-end network at SilverSky is a private network that is isolated and secured from the internet as well as other networks within the environment. It is protected by multiple pairs of redundant, stateful and application-aware firewalls. The network follows RFC 1918 guidelines and contains the critical systems such as Exchange, Active Directory, and SQL servers.

The Exchange mailbox servers are configured leveraging Database Availability Group (DAG) technology configured into the Exchange system. If a server, database, or service fails, the DAG environment allows clients to be seamlessly redirected. This allows Exchange to recover quickly without administrative intervention and minimizes service disruption.
The Exchange DAGs are connected to a Storage Area Network (SAN), which is connected to multiple, redundant storage arrays. Sharing storage simplifies storage administration and adds flexibility since cables and storage devices do not have to be physically moved to offset storage from one server to another. SilverSky's storage arrays are configured with multiple power feeds and network connections, and are protected in a RAID configuration. This is very critical for successfully managing the SilverSky Exchange architecture and ensures the highest availability.

SilverSky's SAN architecture provides a fast connection medium for:
+ backing up,
+ restoring,
+ archiving,
+ and retrieving customer data.

[Figure: Mailbox Servers in a DAG, showing Active Copy of DB and Passive Copy of DB]

Each storage array leverages snapshot technology, backing up the system every four hours and replicating the storage array to an alternate storage array in a geographically redundant data center every night. This geographic replication is then retained for 14 days. This is another critical aspect of the integrity of the SilverSky Exchange infrastructure to ensure business continuance in a disaster.
Scalability

True scalability for messaging solutions means more than simply adding mailboxes; it consists of real-world growth patterns (see figure below). This distributed architecture incorporates individually scalable components to accommodate expansion along each of these axes, allowing hardware additions and resource expenditures to be strategically tailored to specific growth patterns.

[Figure labels: Message Traffic; Number of Users on Message Store Server]

SilverSky's SMTP servers handle inbound and outbound mail delivery and routing. Each SMTP server can handle millions of messages per day with the ability to grow as needed. These servers can also facilitate custom SMTP routing to accommodate specific customer needs. The current infrastructure processes billions of messages each year.

[Figure labels: Message Traffic Agent (MTA); Frequency and Type of Access; Client Access Server]

SilverSky's clustered message servers ensure reliable, persistent storage of messages. The operating system for each of the cluster nodes is stored on mirrored local disk drives. The critical components of the SilverSky Message Store, including Transaction Logs, SMTP Queues and Mail Database, are stored on highly available disk arrays using RAID technology. The disk arrays have hot online spares, so that in the event of a hard drive failure, the online spare immediately takes over. All message stores are backed up fully each night to provide a faster recovery than if a typical incremental backup is performed.

[Sidebar: Message Store. All message stores are backed up nightly to for rapid data recovery.]

[Figure label: Active Directory and Provisioning]

The SilverSky Message Store is optimized to provide rapid access and retrieval of messages. All message store operations are logged to provide high reliability in the event of catastrophic system failure.
Message store servers and their associated mail databases are optimally sized to handle an appropriate number of users, primarily based on mailbox size, access method, and mailbox I/O usage. Mail databases and Exchange mailbox servers can be added to a DAG as the number of users increases. Each cluster can handle several thousand concurrent OWA, Outlook, IMAP, and POP users. Clusters can support an even larger number of concurrent POP/IMAP users.

All user objects are contained in Active Directory, which can scale to millions of objects in the directory. Active Directory servers within SilverSky's Exchange architecture function in a master-master mode to provide complete redundancy and load distribution.

The SilverSky provisioning tool provides customer administrators with the ability to extensively manage their end users. Customers can add, remove, or change numerous attributes on the end user record through an intuitive web interface. The provisioning system also ensures that customer information is isolated and protected, preventing unauthorized access. The provisioning system uses Active Directory to programmatically secure customer information, allowing only users within that specified company the ability to see information.
Fully Redundant Data Centers

SilverSky's geographically-distributed and fully redundant data centers are designed as secure locations for messaging systems, physically protecting both the integrity and availability of customer data.

Data Center Statistics:
+ Complete data redundancy between multiple geographically-located sites.
+ Supplied by two separate carrier feeds.
+ SOC 2 Type II compliant.
+ Tier III rated.

[Figure: Denver Data Center and Jersey City Data Center, each with a Client Access Server, Mailbox Servers 1 to 6 holding database copies (DB1 to DB5), and a NetApp SAN; NetApp SAN replication leveraging SnapMirror technology (Exchange SnapMirror) between the sites]
Skilled Personnel

SilverSky has an internal team of security experts performing 24x7 monitoring on the security of its messaging systems. Furthermore, background checks are performed on all operational personnel, and employees are held to binding non-disclosure agreements on SilverSky's data security policies.

Controlled Access

Our data centers have 10-foot tall exterior perimeter fences, 24x7 on-site security guards, video monitoring and taped surveillance, key card access on all doors, and intrusion detection systems.

Backup Power and Controlled Environment

SilverSky goes above and beyond traditionally expected standards to assure the integrity and availability of our customers' data. Since controlled access and the availability of secure messaging systems are both dependent on power, SilverSky's data centers also maintain these related measures:
+ Sixty thousand square feet of raised floor space.
+ Diverse and redundant power from two separate power grids.
+ Eight Uninterrupted Power Supply (UPS) systems with 15 minute run time.
+ Seven on-site diesel generators with 90,000 gallons of fuel on site.
+ Environmental performance monitoring to detect temperature and humidity changes as well as redundant HVAC systems.
+ Fire suppression and pre-action sprinklers.

Primary Power and Backup

Data center power is supplied from two separate sub-stations creating a critical, redundant power supply. If the primary power sub-station fails, the secondary sub-station will automatically assume the electrical load. Power is routed through uninterruptible power supplies (UPS) to floor units within the data center. Power is then pulled from a floor mounted Power Distribution Unit (PDU) to a separate PDU in each individual rack. Similarly, each rack has a secondary power source pulled from a separate PDU floor unit.
This unit is powered from the same power sub-station source, but through an alternate path, and is fed into a second rack-mounted PDU, creating redundant power distribution units. Each server is then plugged into both rack-mounted PDUs.

Emergency Power

In the event that both sub-stations fail, an uninterruptible power supply (UPS) will take over. The UPS will provide power for a minimum of 15 minutes. This 15 minute power minimum ensures adequate power is supplied until emergency generators restore power.

SilverSky's hosted Exchange solution has seven backup generators located at the data centers. Six of these generators supply backup power for the building, routing through the UPS and providing a recharge to the batteries. The data centers can be powered with three of these generators. The seventh generator is a reserve unit in case of a failure or maintenance needs on any of the other six generators.

SilverSky's data centers also store an emergency supply of diesel and water on site:
+ Three underground diesel fuel tanks of 30,000 gallons each.
+ Thirty thousand gallon underground water tank.
+ One hundred seventy thousand gallons of water stored in the basement of the data center building. This water is used both for replenishing water for the air conditioning and for emergency fire suppression should the municipal water source be interrupted.
+ With the current loads the data center can run without grid power for two weeks. The data center also has contracts with fuel suppliers to get water and diesel deliveries in case of emergencies.

Fire Suppression

There are three lines of fire defense in our data centers:

IFD
+ The incipient fire protection system (IFD) constantly samples the air for smoke in the data center. If smoke is detected, alarms will sound in the building and the maintenance quarters, alerting emergency staff.

Halon
+ Our data centers immediately dispense Halon if smoke is detected.
Pre-action Water Sprinklers
+ If fire is present, automated sprinklers will release localized water to the affected area(s).
Client Access

Customers can access SilverSky and achieve the same user experience whether sitting in the corporate office, working in a hotel, or checking mail at an airport kiosk. Client communication is achieved through various protocols and mediums, providing SilverSky's customers the ability to access email wherever an internet connection exists.

Secure MAPI (Outlook)

Users can also access SilverSky's Exchange service from an Outlook client anywhere there is an internet connection using secure Messaging Application Programming Interface (MAPI). The Check Point firewalls filter communications from the client by using application intelligence to provide a secure method for Outlook users. This is accomplished without any additional software on the client machine.

Outlook Anywhere (RPC over HTTPS)

Using Outlook 2007 (or newer) combined with Windows 7 (or newer), users can access SilverSky's Exchange service anywhere an internet connection is available. RPC over HTTPS tunnels RPC packets inside Hypertext Transfer Protocol, or Secure Sockets Layer (SSL)-protected HTTP, packets. This allows a mobile user to launch Outlook, connect to SilverSky on secure port 443, and have the RPC traffic tunneled from the SilverSky entry point to the Exchange server.

Outlook Web App (OWA) and Outlook Anywhere (RPC/HTTP)

Outlook Web App and Outlook Anywhere access enables communication via an internet browser and provides the end user with a rich and secure experience. OWA and Outlook Anywhere communication is accomplished by connecting the user to the front-end Exchange Client Access servers, which then proxy all communication to the back-end Exchange Mailbox servers. This architecture secures the mail data from any connections from the public network.

IMAP/POP

These traditional access methods allow users to connect using Outlook Express or alternate lightweight clients to securely communicate with the Exchange servers.
These protocols connect to the front-end servers, which then proxy communication to the back-end Exchange servers, securing the client connection.

Dedicated Point-to-Point Connections

Clients can utilize a point-to-point circuit to access email. SilverSky's dedicated routers can terminate various types of circuits (DS3, T1, ISDN).

Hardware VPN

Dedicated VPN tunnels leverage the internet and provide a secure communication link between the customer and SilverSky. Our VPN concentrators can handle thousands of simultaneous VPN tunnels.

Software VPN

Software VPN is a VPN tunnel on a per-user basis and requires a software VPN client on every client workstation. The Software VPN solution can handle 40,000 simultaneous connections.
Mobile Technology Support

SilverSky supports the industry's most popular mobile access and control methods, significantly enhancing the productivity of the wireless workforce while protecting company data assets and intellectual property.

Microsoft ActiveSync

ActiveSync is a new feature built directly into Exchange Server. ActiveSync-enabled devices communicate with front-end servers running the ActiveSync service, which proxy the connections to the Exchange mail servers. This allows any ActiveSync-enabled device to synchronize email, calendar, and contact information.

IMAP/POP

Most popular wireless devices have the ability to set up a POP/IMAP client, allowing users to take advantage of SilverSky's traditional POP/IMAP service.

BlackBerry Enterprise Server

The BlackBerry server is located on the back-end network and directly communicates with the Exchange server through the MAPI protocol. This integration captures any changes to the user's mailbox, which are then processed by the BlackBerry server and sent to the handheld device. BlackBerry also has advanced security capabilities to ensure data on the wireless device is secure.

BlackBerry BESX Express

The BlackBerry Express service connects to SilverSky's secure messaging and collaboration software to redirect emails and synchronize contacts and calendaring information between servers, desktop and laptop systems, and mobile devices.

SilverSky MDM

Powered by AirWatch, SilverSky's mobile device management (MDM) service protects classified company data and communications on both employee-owned and corporate-issued smartphones and tablets for best-in-class policy compliance and network security.

Consolidate disparate mobile policies into a centralized, worry-free management console. SilverSky's MDM console empowers IT administrators to consistently deliver policies and standardized control across the full spectrum of mobile devices.
Power and security through a single, simple-to-use console. IT departments can remotely control password policy, perform partial or full device wipes, push lock or reset commands, and enforce encryption and whitelist management.
Secure Gateway and Messaging Services

Security

SilverSky Security reduces risk exposure and corporate liability by safeguarding email with multi-engine anti-virus and anti-spam technologies that block malicious software and spam at the gateway. It is not only compatible with SilverSky Mail; the service also works seamlessly in any deployment type, whether on-premise, hosted by SilverSky, or elsewhere in the cloud.

Anti-Spam

SilverSky utilizes Brightmail and Cloudmark anti-spam solutions for industry-leading spam protection. At < %, both solutions have the lowest false positive rating in the industry. Furthermore, SilverSky has developed proprietary spam control processes that allow for dynamic blocking when targeted attacks are detected. Additionally, SilverSky subscribes to several services including MAPS RBL+, CBL (Composite Block List) and BSR (Symantec/Brightmail Zombie list), all of which maintain global block lists for unsafe domains, addresses and SMTP relays. The MAPS subscription includes the real-time Blackhole List, Dial-up Users List and Open Relay List. The combination of these lists, applications, and dynamic monitoring tools ensures maximum protection from unsolicited email. Email that is captured by these rules or lists is automatically deleted before it is delivered to the user's inbox.

Anti-Virus

Trend Micro's ScanMail for Exchange runs on both the Exchange Mailbox servers and the Exchange HUB (SMTP) servers, scanning all mail twice. ScanMail scans the information store database on the back-end Exchange server and the SMTP queues of the Gateway servers. Pattern files are auto-updated every 15 minutes. In the event of a virus outbreak with no available pattern file, Exchange administrators can quickly add scan rules based on message attributes to stop a virus from spreading.
Content Filtering

Content filtering is fully configurable by customer administrators using the intuitive Web-based SilverSky Management Console. Mail messages can be filtered by phrases, attachment types, spam, and inappropriate language, allowing customers to comply with legal or regulatory requirements. All messages that match specified criteria can be viewed in a quarantine container, allowing customer administrators to take appropriate action.

[Figure: Content Filter with outcomes Approved and Quarantined]
DLP

SilverSky Data Loss Prevention has advanced analysis features like proximity checking, full redaction capabilities, and the ability to test policies before deploying them. Customers can easily build and enforce granular policies to block, quarantine, or automatically encrypt sensitive, inappropriate and risky messages using the highly tunable policy-driven rules engine in the SilverSky Management Console.

[Figure: SilverSky DLP between Employees and Customers & Partners / Unknown Users, with actions Allow, Quarantine, Encrypt, Redact, Block]

The SilverSky DLP solution provides:
+ Ready-made and programmable granular policies to block, quarantine, redact, or automatically encrypt inappropriate and risky messages using the highly tunable policy-driven rules engine.
+ Infinitely flexible search algorithms, regular expressions, and other advanced action types for best-in-class policy management and hardened protection against confidential and proprietary information loss.
+ Unmatched flexibility in policy and control definition for HIPAA and state PII statute compliance.
+ Multiple, customizable tuning levels for effective false-positive reduction.

SilverSky's robust Gateway architecture scans, filters, and routes all SMTP traffic according to customer requirements. Gateway Services are configured so customers can choose to implement all, some, or to opt out of any Gateway Service applications.
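How proximity checking, a secondary validation step for false-positive reduction, redaction and a policy test mode fit together in a rules engine, shown as an added example in Python; this is not SilverSky's rules engine. The rule names, patterns, keyword windows, action precedence and sample messages are all constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Least to most restrictive. The action names come from the page;
# this ordering is an assumption of the example.
PRECEDENCE = ["allow", "redact", "encrypt", "quarantine", "block"]


@dataclass
class Rule:
    name: str
    pattern: re.Pattern          # what sensitive data looks like
    keywords: tuple              # context words that must appear nearby
    window: int                  # proximity, in characters, on each side
    action: str
    validator: Optional[Callable[[str], bool]] = None  # extra false-positive check


def luhn_ok(candidate: str) -> bool:
    """Checksum used by payment card numbers; rejects random digit runs."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def proximity_hits(rule: Rule, text: str) -> list:
    """Spans where the pattern matches AND a keyword sits within the window."""
    lowered = text.lower()
    spans = []
    for m in rule.pattern.finditer(text):
        if rule.validator and not rule.validator(m.group()):
            continue
        lo = max(0, m.start() - rule.window)
        hi = min(len(text), m.end() + rule.window)
        nearby = lowered[lo:m.start()] + " " + lowered[m.end():hi]
        if any(k in nearby for k in rule.keywords):
            spans.append(m.span())
    return spans


def evaluate(rules, text: str, dry_run: bool = False):
    """Return (action, outgoing_text, report). In dry-run mode the message
    is delivered untouched and the report shows what would have fired."""
    action, report, redact_spans = "allow", [], []
    for rule in rules:
        spans = proximity_hits(rule, text)
        if not spans:
            continue
        report.append((rule.name, rule.action, len(spans)))
        if PRECEDENCE.index(rule.action) > PRECEDENCE.index(action):
            action = rule.action
        if rule.action == "redact":
            redact_spans.extend(spans)
    if dry_run:
        return "allow", text, report
    # Replace from the end so earlier offsets stay valid.
    for start, end in sorted(redact_spans, reverse=True):
        text = text[:start] + "[REDACTED]" + text[end:]
    return action, text, report


# Constructed policy and constructed sample messages.
RULES = [
    Rule("payment-card", re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
         ("card", "visa", "credit"), 40, "redact", luhn_ok),
    Rule("us-ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
         ("ssn", "social security"), 30, "encrypt"),
]
CARD_MSG = "Please charge my card 4111 1111 1111 1111 for the renewal."
TRACKING_MSG = "Tracking number 4111 1111 1111 1111 left the warehouse."
BAD_CHECKSUM_MSG = "Please charge my card 4111 1111 1111 1112 for the renewal."
SSN_MSG = "New hire SSN: 078-05-1120, start date Monday."

if __name__ == "__main__":
    for msg in (CARD_MSG, TRACKING_MSG, BAD_CHECKSUM_MSG, SSN_MSG):
        print(evaluate(RULES, msg))
    print("dry run:", evaluate(RULES, CARD_MSG, dry_run=True))
```

The tracking-number message carries the same digits as the card message but no nearby keyword, so it passes; that is the false-positive reduction proximity checking buys over a bare regular expression.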
Encryption

Encryption (formerly MailSafe) allows users to securely send sensitive data via email. Businesses can enforce encryption policies to ensure confidential information will be sent securely over email. Encryption is in compliance with GLBA, HIPAA, California Disclosure Law, and FFIEC guidelines.
+ Infrastructure is owned and operated by SilverSky and requires no software at customer location.
+ Encrypted handling of all sensitive content determined by rules.
+ Secure facility for recipients to reply to the secure message.

Archive

Archive provides comprehensive eDiscovery, instant compliance archiving, and mobile archive access using the SilverSky Archive Anywhere SM service. It archives all incoming and outgoing messages to help organizations meet government rules and regulations as well as eDiscovery requests. SilverSky Archive provides the tools necessary for customers to achieve compliance with SEC, FINRA, HIPAA, SOX, and the Federal Rules for Civil Procedures (FRCP).
+ Streamlined review and audit processes reduce the amount of time needed to stay compliant.
+ Pre-packaged content that supports policies and regulations.
+ Archive dashboard allows customers to see and control sensitive information flows.
+ Automated review increases accuracy so suspicious activities don't slip between the cracks.
+ Granular access controls limit what end-users, administrators and outside counsel can see or do.
Continuity

Continuity provides always-available access and usage even when an email server is down. It securely stores all inbound and outbound messages off site in SilverSky's data centers in case of any downtime. Should downtime occur, users can access their emails using a webmail interface. Archive retention periods can range from 30 days to multiple years.
+ Single web-based interface.
+ Simple reporting and management features.
+ Maintain business continuity.
+ Customizable data retention.
+ Easy recovery.

Archive Anywhere SM

Comprehensive eDiscovery, compliance archiving, and mobile archive access using the SilverSky Archive Anywhere service. It archives all incoming and outgoing messages to help organizations meet government rules and regulations as well as eDiscovery requests.
+ Provides easy, safe and secure messaging while ensuring business continuity and legal compliance.
+ Facilitates message archiving in the office, at home, or on-the-go.
+ Browse and search message archive from anywhere on any device.

[Figure: Inbox View and Archive Anywhere View; "Select a Specific Month to Access Archived Messages"]
Complete Security

SilverSky's hosted Exchange network automates complicated, time-consuming processes necessary to protect customers from malicious attacks. In doing so, it empowers company IT departments to drive down security risk and do more with limited resources.

Complete Security from the Cloud

Security best practices are the critical design consideration for the architecture of SilverSky's Microsoft Exchange system. Administrators with more than 30 years of combined industry experience, participation in Microsoft's Technology Adoption Program (TAP) for Exchange, and architectural testing at the HP/Intel Solution center provide our resource foundation.

As a Microsoft Gold Certified Partner and ongoing member of Microsoft's TAP for Exchange, SilverSky continuously receives restricted security-related recommendations and pre-release updates from Microsoft. These updates are analyzed and exhaustively tested prior to incorporation into our architecture and service solutions.

Network Security

The first layer of defense includes access lists located on the SilverSky border routers, serving as an initial protection to the devices and internet connectivity. Firewalls using packet filtering technology with application awareness are the first firewall layer of defense. All incoming internet and dedicated customer connectivity traffic is inspected by this layer of firewalls that reside in the internet gateway connecting SilverSky systems to the public internet.

The next layer of firewall security includes a redundant pair of stateful-inspection and application-aware firewalls that inspect incoming and outgoing traffic. These firewalls are configured to permit only the traffic that is needed, thereby denying and logging all other connectivity attempts. These firewalls are configured to inspect the data portion of the packet to ensure validity and verify that it complies with RFC standards.
Since SilverSky's core focus is secure messaging, systems can be locked down more tightly than most typical enterprise networks can. SilverSky also employs a DMZ (perimeter network) in which all public interfacing traffic is separated from critical back-end servers, such as Exchange or database servers, for an additional layer of security. All back-end servers are privately addressed and are not directly accessible from the internet.

Exchange servers on the front-end network are not only load balanced and completely fault tolerant, but the hardware-based load balancers are also configured with security measures to protect against network/system attacks such as SYN Flood attacks.

Data Security

Active Directory is an extremely robust and secure enterprise system. Active Directory allows a company to assign folder permissions, set up objects and resources, and completely segregate data. Active Directory gives the ability to completely lock down a segment of the database while allowing broader access to other resources. This is controlled by a robust provisioning system that programmatically sets permissions on all objects and containers, ensuring that customer data is isolated and secure.

Additional security measures, both proactive and reactive, include network-based Intrusion Detection Systems (IDS). SilverSky has a distributed IDS model that monitors for malicious and anomalous data communications throughout the environment. Network-based IDS helps identify attackers by alerting and logging anomalous traffic and signature-based attacks.
Monitoring

SilverSky utilizes a number of monitoring solutions, including a completely integrated Security Operations Center, to monitor, manage, measure, operate, control, and support the SilverSky hosted Exchange infrastructure.

SilverSky's Network Operations Center (NOC) staff monitors the data center and the entire SilverSky messaging infrastructure 24x7x365. This means that SilverSky support is staffed at Tier I, II and III levels with on-site resources, not relying on a paging system to cover off hours.

A variety of best-of-breed toolsets are used for monitoring the hosted Exchange environment, including System Center Operations Manager, HP VantagePoint Operations (ITO), Nagios, SolarWinds, GroundWork, and other proprietary message monitoring solutions.

Let Us Be an Extension of Your IT Team

SilverSky's team of security experts monitors the critical devices on your network 24x7 and responds immediately to any security issues. Our solution eliminates the need to staff an internal security team around the clock and empowers your IT team to focus on core business activities without security worry.

Leverage Our Security Expertise

SilverSky's solution also enables your organization to reduce risk by leveraging our vast security expertise. Our Security Information and Event Management (SIEM) intelligence correlates security events across your entire network and alerts our analysts of any suspicious activity. Our analysts then utilize advanced techniques to investigate suspicious activity and take immediate action to prevent attacks from occurring. Also, because SilverSky correlates all security events across our massive customer base, we can identify and respond to emerging threats more quickly than internal teams. SilverSky's advanced technology, expert intelligence, and superior scale enable our team to prevent sophisticated attacks that are difficult for internal teams to detect.
Processes and Controls

Microsoft Gold Certified Processes
A redundant architecture is critical; it is equally important to have the proper processes and controls in place to ensure the integrity of the system. By achieving the Microsoft Gold Certification, SilverSky has proven to have not only a reliable architecture but also consistent procedures. Below is a breakdown of each control objective:

Testing
SilverSky utilizes its Systems Engineering Lab and Operational Readiness Lab to perform regression testing on all new service packs, virus definition updates and program updates before applying them to the production environment. This testing policy allows SilverSky to assess any change ramifications.

Problem Management
This process evaluates all incidents and tickets to the system and provides a means to correlate recurring problems. This process helps bring together the different aspects of the architecture to provide a big-picture view to ensure there is no systemic issue occurring within the environment.

Incident Management
Incident Management is the process of resolving day-to-day incidents. This process funnels customer trouble tickets through the various levels of support to ensure issues are resolved quickly and effectively.

Vulnerability Management
Vulnerability Management ensures that new vulnerabilities to the environment are identified and prioritized, and that solutions to mitigate the vulnerabilities are implemented within an acceptable time frame based on their criticality and priority. Vulnerabilities are tracked from notification to closure, and are brought to the attention of a change control committee to ensure management support.

CIRT
The SilverSky Computing Incident Response Team (CIRT) is responsible for the quick and timely mitigation of new vulnerabilities and/or computing incidents.
Capacity Management
Managing growth and changes in technology is the key to providing a positive customer experience. Capacity management allows SilverSky to grow its systems while maintaining speed and reliability.

Business Continuity
Continuity is critical in establishing the proper level of redundancy in the architecture, as well as implementing procedures to recover from faults and failures. This process also ensures that data recovery, hardware replacement, and service restoration are performed without disrupting service.

Data Center Management
Data center management ensures that all data center environmental controls are in proper order and that personnel accessing the facility are legitimate, and it facilitates physical changes to the data center.

Knowledge Retention and Training
We ensure all knowledge of our systems is well-documented and securely stored so that there is no single point of failure. In technology, training is critical. Because messaging and network security are SilverSky's core business, SilverSky employees are equipped to be experts in the messaging field.
Change Control Process Overview

SilverSky's Approach to Managing Change
SilverSky focuses on continuous improvement of its products and processes. Improvement, however, implies change, and therefore the possibility of some inherent risk. To mitigate this risk, change must be carefully managed to ensure it remains controlled and delivers on the promise of higher quality and value. To achieve this, SilverSky employs a Change Management System.

Collection of System Information
The Technical Lead, System Administrator, or Engineer collects information concerning the maintenance task. All hardware or software that may be affected during the maintenance is identified. In addition, the specific steps and materials for the task are defined.

Creation of a Change Request Document
Proposed changes to products or processes are detailed in a controlled document called a Change Management Record (CMR). The CMR documents the specific procedures, impacts, materials and resources needed to complete the maintenance task, as well as production verification procedures and detailed back-out plans.

Approval of the Change Request
A regular review is conducted for proper evaluation of proposed changes. The Change Review is the approving mechanism for all maintenance tasks. Public Folders serve as the repository for all maintenance history. The Change Request is completed with installation instructions, system impact, time allotted, materials needed, resources needed, customer impacts, risks, and mitigations. Once the change is approved, customers are notified of the change, as appropriate.

Coordination of the Maintenance Schedule
To ensure there are no unintended negative consequences related to the change, a maintenance timeline is created. Using information from the test lab, SLAs, backup schedule and networking group, the Change Coordinator prepares a schedule of the maintenance tasks to be performed.
The appropriate parties are notified and the schedule is amended and approved as needed. The Change Management Group references SLAs and current system downtime data for any affected customers. During implementation, the following steps are performed:
+ Review of vendor information/procedures.
+ Preparation of tools.
+ Acquisition of materials (if appropriate).
+ Notification/updates to parties at completion/progress (Postmaster, appropriate administrators, Operations, Customer Care).
Premier People and Support
In addition to SilverSky's highly robust, secure, scalable and reliable hosted Microsoft Exchange architecture, SilverSky employs more than 300 security operations, customer service, and technical support professionals. These experienced and certified professionals epitomize SilverSky's commitment to provide the best possible and network security customer experience for our customers.

Security Analysts
SilverSky's security analysts have earned multiple advanced security certifications including CISSP, GSEC, CEH, CCSP, CCNA, CISM, Security+, Linux+, Project+, and Intellitactics. Our Level 1 Analysts have an average of three years of experience and our Level 2 and 3 Analysts average over seven years of experience. Many of our analysts have received advanced training from Blackhat, Defcon, SANS, and other cutting-edge security organizations.

Customer Service and Support
Over the past seventeen years, SilverSky has earned a reputation for outstanding customer service and support. Unlike other companies in the market, SilverSky is solely focused on secure communications and network security; we don't have other business lines competing for resources. Our customers benefit from our focus and dedication to serving our customers. SilverSky provides multi-layered support to ensure that customer needs are met 24x7, 365 days per year. A dedicated Technical Account Manager will serve as your primary contact and will respond to questions and concerns and resolve day-to-day issues. SilverSky also provides customers with unlimited, unmetered Tier I, II and III technical support. Our experienced teams are on duty around-the-clock to ensure that our customers always have access to premier service and technical support.
SilverSky's customer service and technical support teams will listen, provide thorough analysis and insight, and resolve issues effectively and efficiently so that you can get back to running your business. In addition, we have dedicated support relationships with all of our technology vendors to ensure that escalated issues receive a quick and thorough response.

Conclusion
SilverSky provides a comprehensive Security-as-a-Service platform to empower and accelerate companies through a single-source trusted partner. SilverSky's suite of enterprise-grade cloud services is engineered with best-in-class security built in, and our cloud platform enables customers to secure, monitor and manage critical communications and network infrastructure. SilverSky operates a major hosted infrastructure exclusively dedicated to providing world-class enterprise messaging solutions. SilverSky offers a complete suite of reliable, secure and scalable hosted solutions backed by a commitment to operational excellence and guaranteed service levels. Moreover, all SilverSky systems are configured for maximum performance and reliability and are architected to eliminate single points of failure. Each component in our solution is redundant and load-balanced to guarantee our customers a reliable experience every time they connect. SilverSky leverages experience, expertise, strategic partnerships, best practices, and leading technologies to enhance the design and performance of our Hosted Exchange services. You run your business. We will run your secure messaging and network security.
SilverSky Certifications
SilverSky offers a proven hosted Exchange solution that is diverse, scalable, and reliable.

Microsoft Gold Certified Partner

FFIEC Oversight
SilverSky is the only major cloud provider under direct oversight by the FFIEC. We are regulated like a bank, and are held to the same standards as the most tightly regulated organizations in the world.

Verizon Cybertrust Certified

In delivering hosted Microsoft Exchange, SilverSky utilizes best practices in systems management, testing, application deployment, infrastructure implementation, and security practices. These best practices allow SilverSky to consistently provide its users with a 99.9% service level agreement (SLA) for system availability of the hosted Microsoft Exchange service, translating into increased productivity and reduced costs for customers. SilverSky's infrastructure and processes are constantly reviewed and tested by stringent third-party evaluators and auditors to ensure we meet compliance requirements. In most cases, our systems and processes exceed industry standards. These certifications and validations not only ensure the reliability of our architecture and processes, but customers also inherit the compliance benefits simply through using our secure cloud services.

As a Microsoft Gold Certified Partner, SilverSky has satisfied Microsoft's highest level of eligibility requirements by demonstrating consistent, high-quality hosted service and a proven track record in providing Microsoft Exchange managed messaging and collaboration services. SilverSky has been a Microsoft Gold Certified Partner since 2002 and has achieved Microsoft Competencies in Advanced Infrastructure Solutions, Security, Hosting and Mobility Solutions.
Federal Financial Institution Examination Council's (FFIEC) Oversight
The Council is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision (OTS), and to make recommendations to promote uniformity in the supervision of financial institutions.

SilverSky carries the Verizon CyberTrust certification for its Internet interface and core network operations. This certification confirms that security infrastructure policies, people and physical premises meet the stringent guidelines of CyberTrust for maintainable security of IT infrastructure. More than a seal of approval, a Verizon Cybertrust Security Certified status demonstrates to customers that SilverSky has made safeguarding user information a critical priority. The Verizon Cybertrust Security Certified seal also demonstrates that SilverSky employs proven security processes and technologies to maintain a proactive and comprehensive information security program.