Security April Solving the data security challenge with our enhanced private and hybrid cloud services

Transcription

1 Security April 2015 Secure cloud solutions with guaranteed UK data sovereignty. Solving the data security challenge with our enhanced private and hybrid cloud services This paper enables discussion around the new security challenges cloud introduces and details how these are addressed by our cloud offerings. Our solutions are hosted at Tier 4 ISO certified data centres in the UK. Our solutions offer control through flexible pay as you use pricing and the ability to scale up, or down, enabling private and public sector organisations to move to the cloud with ease Learning Possibilities Ltd, 506 Centennial Park, Centennial Avenue, Elstree, Herts, WD6 3FG, UK. info@cloudpossibilities.com Telephone: +44 (0)

2 Solving the data security challenge with our enhanced private and hybrid cloud services Cloud computing is changing the way we use computing and has the potential for significant economic and efficiency benefits. But the speed of adoption depends on how quickly trust in new cloud models can be established. Some of the growing cloud security concerns include: security of highly virtualized environments from targeted threats and attacks, enabling secure collaboration and the protection of the data. In this paper we present some of the measures that we take in relation to these foundational concerns. Data governance Governance, risk and compliance are common issues raised by stakeholders. We recognise that taking advantage of cloud requires new considerations for governance and that there are important questions about how data will be managed in the cloud. In order to assist transparency, We align our approach to recognized industry standards. We implement security policies, standards and processes consistent with the ISO framework and control areas. In our delivery organizaon we also regularly submit these policies, standards and processes to both internal audits and external cerficaons. We also maintain many industry related cerficaons such as ISO 9001, for quality and process control across all of our departments. We are accredited for UK Government OFFICIAL data to level The accreditaon describes the auditable controls needed for operang a secure organisaon. Our data centre is PCI DSS compliant. This is an informaon security standard designed for organisaons who process, store, transmit or otherwise handle cardholder data. If your business falls in to this category, such as if it deals with online payments, then PCI compliance is a mandatory requirement for your company. It s there to protect your customers and, ulmately, to protect you. Information security incident management In the event of a problem or incident occurring in the cloud, formal response processes, aligned to our Incident Management Processes, are executed and Figure 1: How well did IT managers understand IT security threats (Entrepreneur Is your company's data secure in the cloud?) November 2014) records retained. We have extensive experience of environments with shared users and incident management is handled to best efforts to ensure that customers and their data are protected. We have documented policies and procedures relating to the management and monitoring of security events within its offerings and infrastructure, including policies on escalation and resolution of incidents. In order to maintain the integrity of these security policies and procedures, and protect our customers, these policies are not divulged outside our organisation. Procedures are, however, subjected to internal and external audits on a regular basis. In the case of a security event, we will evaluate the situation, and where an issue has a material impact on a customer, will notify them of such incidents. We also protect its infrastructure by shutting down 2

3 instances that violate acceptable use policy. In addition, we have put in place log management of its infrastructure, including network traffic and administrative functions, to ensure issues can be investigated. Our customers can be assured that the cloud infrastructure monitoring does not capture or retain logs of customer data, other than metadata. Identity and access management To ensure that only those who need to access cloud environments do so, we have developed processes to ensure that access is tightly controlled. We maintain robust access control and privileged user monitoring to ensure enforcement and compliance regarding access to customer content and information. Access to any system managed by us begins with a formal access request and management approval process. Once approved, access is revalidated on a periodic basis, at least annually, to ensure users sll require the level of access they have been granted. Systems are also in place to ensure that those who leave the company have their access rights removed. Administrators of the cloud have to authencate to the management environment and to the management tools in order to gain access to funconality. These acvies are monitored and logged to prevent unauthorised access to customer virtual environments. All customer content managed by us is strictly controlled and acvely monitored. Only those personnel with appropriate authorisaon have access to host management systems. Secure infrastructure against threats and vulnerabilities Securing any infrastructure requires a defence in depth approach and we use a number of different processes and procedures to protect cloud infrastructures. These are underpinned with people and technology to secure the infrastructure against threats and vulnerabilities. The solutions have been architected with isolation built in at the network, hypervisor and storage layers. Management and infrastructure components are compartmentalised into security zones based on function, data types and access requirements, and storage networks and guest networks are physically separated. Infrastructure is regularly scanned for vulnerabilies using industry standard tools and master images are regularly updated to the latest security fix/patch level. Intrusion detection and prevention systems (IDPS) are utilised at boundaries to the Internet, we employ an approach that does not rely on signature based vulnerability detection alone. This capability allows protection against previously unseen threats based on behavior and not just signatures. All management systems and underlying infrastructure periodically undergo security configuration checking to ensure system security settings continue to be configured in line with security standards and policy. Figure 2: Organisations unaware of data regulation legislations (egress survey results) 3

4 Physical and personnel security One concern often raised is where the data is located and how it will be controlled in the data centre. Our hosting centres are located within established UK data centres and the company has extensive experience in managing data centres. Our data centres are equipped with strong physical controls including, but not limited to, CCTV, biometric authencaon mechanisms, resiliency tools and door alarms. All our personnel undergo background CRB checks prior to being hired. We permit accompanied visitaon of its site facilies by its customers, however no persons, other than our personnel and agents working on behalf of the company, are allowed access to the data centre facilies beyond those areas specified for visitors. Access to our data centre floor is strictly restricted to authorized personnel only and those permied to carry out work on behalf of the company. We require employees to go through training in the handling of customer data and to demonstrate understanding of those policies. Our business conduct guidelines oversee expectaons and requirements of employees including the handling of customer data. Our enhanced security features include: Physical Security Manned Security reception (Entrance Access lists with pre approved personnel with entry cards. Valid photo ID required to gain entrance Physical security of the hosting site with a stringently enforced access control policy, including the use of biometrics. Multi layered system monitoring on a 24/7/365 basis. Swipe card entry to lift and server room which provides access to associated floor and room only Swipe card exits to monitor exit from the room, floor and building Sever racks installed with combination locks and forced temper alerting Grade 3 intruder alarm system from approved gold contractor with Redcare GSM with Grade 1 police response Virtual Security Multi layered firewalls providing anti virus, Trojan code and intrusion protection. Separate testing and developments systems/sites Network Inspection System (NIS), HTTPS inspection, Web anti malware, URL filtering, E mail protection subscription service SSL encryption with TLS security provided for enhanced security. Secure backup data storage with six monthly Disaster Recovery testing. Data Governance All process, procedures and technical design ensure compliance with ISO/IEC 17799:2005, and ISO/IEC 27001:2005 Role based system design providing defined user access. All staff CRB checked PGA and PCI compliance 4

5 About Cloud Possibilities Cloud Possibilities is a division of Learning Possibilities, providing private and hybrid cloud solutions to the public sector for over 10 years. Our cloud platforms are currently used by over 1 million users across the UK. The organisation has recently joined the G Cloud framework to provide Infrastructure as a Service (IaaS) and Software as a Service (SaaS) solutions to support the UK Government s drive to transform public sector IT and delivery of efficient and effective services to the public sector. The company has been a long standing Microsoft Gold Partner with key competencies in Hosting. In 2014, Learning Possibilities won the Education Investor Award for Technological Infrastructure. In 2012, Learning Possibilities won the national contract to provide the LP+4 learning platform to over 1500 schools in Wales. The cloud project, funded by the Welsh Government, offers a bi lingual, customised Microsoft SharePoint based learning platform solution that is available anytime, anywhere through a simple Internet connection. By signing into the solution, schools also have single sign on access to Microsoft's cloud service, Office 365 for teachers and learners. Cloud Possibilities 506 Centennial Park Centennial Avenue Elstree, Hertfordshire WD6 3FG UK info@cloudpossibilities.com Phone: Website: 5