TONAQUINT DATA CENTER, INC. CLOUD SECURITY POLICY & PROCEDURES. Tonaquint Data Center, Inc Cloud Security Policy & Procedures 1

Transcription

1 TONAQUINT DATA CENTER, INC. CLOUD SECURITY POLICY & PROCEDURES Tonaquint Data Center, Inc Cloud Security Policy & Procedures 1

2 Table of Contents 1. Operational Security 2. Physical Security 3. Network Security 4. Recommended Customer Controls Tonaquint Data Center, Inc Cloud Security Policy & Procedures 2

3 1: Operational Security Tonaquint Data Center Hosting policies and procedures set a high standard that each employee, consultant, and third-party service provider is required to follow. These corporate standards cover key functions like: Password-based access Password expiration Firewall Documented change management and escalation procedures Security Training VPN-base access Vulnerability Scans Tonaquint Data Center maintains documented operational procedures for both infrastructure operations and customer-facing support functions. Newly provisioned infrastructure undergoes appropriate testing procedures to limit exposure to any hardware failure. Documented procedures and configuration version controls provide protection from errors during configuration. Changes to an existing infrastructure are controlled by a technical change management policy, which enforces best practice change management controls including impact/risk assessment, customer sign off, and back-out planning. Tonaquint Data Center participates in and maintains the following audit: SSAE 16 Type II SOC1 SSAE 16 Type II SOC2 DATA SECURITY/BACKUP! Tonaquint Data Center provides security measures to ensure that the cloud hosting service is secure. This includes network switches and routers, host servers, firewalls, IDS/IPS, and SAN. Tonaquint Data Center Private Cloud allows third-party encryption tools to be used throughout the infrastructure, including SSL/TLS certifications and file/database encryption, giving customers flexibility to reuse their current encryption tools. While no solution is prescribed, Tonaquint Data Center Implementation teams will work with customers to provide guidance on how to integrate these. Tonaquint Data Center Private Cloud is integrated with Tonaquint Data Center Managed Backup service utilizing SAN to SAN replication and/or Zerto DR software. Tonaquint Data Center provides DR locations 300+ miles away from the primary data center. Operationally, the Tonaquint Data Center Private Cloud support team can actively monitor the cloud environment and proactively reach out to customers when actions are required. Tonaquint Data Center, Inc Cloud Security Policy & Procedures 3

4 2: Physical Security For Private Clouds hosted in a Tonaquint Data Center data center, physical security concerns are addressed across the data center and network. DATA CENTER Tonaquint Data Center s physical security capabilities include: Two-factor authentication required to access all data center facilities. Electromechanical locks controlled by biometric authentication (hand geometry or fingerprint scanner) and key-card/badge. Termination and role-change control procedures are in place so that any physical or logical access rights are removed in a timely manner when access is no longer necessary or appropriate Closed circuit video surveillance is installed at all entrance points on the interior and exterior of the buildings that house data centers. Cameras are monitored 24x7x365 by on-site security personnel and support data retention for 30 days. Centralized Security Management Systems are deployed at all data centers to control the Electronic Access Control Systems and closed circuit television networks. Tonaquint Data Center maintains its facility 24x7x365 and is manned around-the-clock by network operations professionals. Appropriate additional perimeter defense measures, such as walls, fencing, gates and anti-vehicle controls are in place at Tonaquint Data Center. The delivery and loading bays at the Tonaquint Data Center are separate areas secured by defined procedures and security controls. Unauthorized visitors are not permitted access to the data center. Authorized data center visitors are required to abide by the following rules: Authorized approvers must specifically grant visitor access to the data centers at least 24 hours before the scheduled visit Visitors must have a valid reasons for entering the data center Visitors must sign the visitor s log, present a valid photo ID, and specify the reason for visiting and a Tonaquint Data Center point of contact Visitor badges differ in appearance from Tonaquint Data Center employee badges and do not provide any control over doors, locks, etc. All visitor access is logged. This policy applies equally to Tonaquint Data Center employees not assigned to the data center. Visitors, including Tonaquint Data Center customers, are strictly forbidden from accessing the data halls themselves and other secure sub areas. Visitors must be escorted at all times while at any Tonaquint Data Center facility. Tonaquint Data Center, Inc Cloud Security Policy & Procedures 4

5 Data center management performs a quarterly audit of security and visitor access logs 3: Network Security NETWORK SECURITY WITHIN TONAQUINT DATA CENTER All Tonaquint Data Center network infrastructure devices are located in a physically secure data center with controlled access. All visitors or authorized contractors are logged and escorted. Local console access to network devices is restricted to authorized individuals and requires access to the physical location as well as the correct username and password for console login. Logical access to cloud infrastructure network devices is only provided to those Tonaquint Data Center employees with a business requirement for such access, and is subject to permissions change control including independent managerial authorization and timely revocation of access rights. SSL is used to encrypt administrative sessions. Implementing new cloud environments is performed according to standardized procedures in order to minimize the risk of accidental insecure network provisioning. Tonaquint Data Center maintains strict policies on the use of network services. These include antispoofing controls and IP prefix-lists, as well as Unicast Reverse Path Forwarding (URPF) protocols in place at edge routers in data centers hosting cloud environments. Tonaquint Data Center provides a network firewall at the cloud edge. This firewall should not be used to replace security best practices on a server such as secure passwords, automatic security updates, and properly provisioned services. Each customer can specify what controls they want in place. Professionals at Tonaquint Data Center will help make recommendations if needed. This managed firewall service is available to all Tonaquint Data Center private cloud customers. Requests to change firewall controls will be handled by the Tonaquint Data Center Network Operations Center (NOC). A trouble ticket will be created and the request will be handled in timely manner. 4: Recommended Customer Controls When hosted at Tonaquint Data Center, the infrastructure controls are designed to protect cloud resources from attack within the environment, appropriately control and provide assurance over Tonaquint Data Center access to customer cloud resources. The customer should seek to protect their cloud resources and hosted data with measures overlaying Tonaquint Data Center infrastructure controls as appropriate to their data s sensitivity and criticality as informed by a formal risk assessment. Customers are the primary owner of their data and maintain sole visibility over its specific security requirements. Accordingly, customers are responsible for classifying their data and applying appropriate risk mitigation controls. Customer s sensitive data should be encrypted for storage in Tonaquint Data Center, Inc Cloud Security Policy & Procedures 5

6 order to preserve confidentiality. Tonaquint Data Center recommends that data being transmitted to and from the cloud should be subject to encryption appropriate to its requirements, for example the use of TLS or a secure VPN. As primary system administrator of the cloud resources, the customer is responsible for managing user accounts creation, provisioning and destruction, password policies, server level account authentication mechanisms, etc. Tonaquint Data Center recommends that customers integrate their Private Cloud with their organizational single-sign on (SSO) domain if available in order to simplify this task. Tonaquint Data Center, Inc Cloud Security Policy & Procedures 6