SaaS architecture security

Transcription

1 Introduction i2o solutions utilise the software as a service (or SaaS) model because it enables us to provide our customers with a robust, easy to use software platform that facilitates the rapid deployment of innovative new functionality. Security is an important part of providing any SaaS solution that monitors and controls water distribution networks. i2o has placed particular focus on building high levels of security into its SaaS solutions. This whitepaper provides an overview of i2o s approach to security within its software service delivery capabilities. We offer robust, scalable, resilient solutions and policies that meet the security needs of our customers. Security lies at the heart of i2o s multi-tenanted systems architecture. Each customer is provided with its own isolated data stores. The only users able to access the data are those authorised by the customer. Each customer benefits from comprehensive physical, operational and systems security measures, each of which are described in more detail in the following sections. This approach allows i2o to minimise any security risk and enables our customers to focus on maximising the benefits from i2o s Advanced Pressure Management technologies. Issue 1.1 Jan 2014

2 The value of i2o s Software as a Service Over the last ten years the SaaS model has become the dominant approach to delivering software-based solutions. The SaaS approach delivers significant value to the user community for several reasons: + It simplifies, de-risks and reduces the total cost of ownership, providing customers with the flexibility to increase or decrease the service provision in accordance with their specific business needs. + Peace of mind knowing that enterprise class data management policies and practices are in place to ensure business continuity. + A single version of i2o software is delivered to all customers, ensuring that everyone is up to date and using the latest version of the solution. There is no need to worry about the cost and time of managing updates. + The user community is engaged in the on-going development of new and improved software applications provided by i2o. + Feature rich updates fuelled by the user community are delivered seamlessly to enhance the user experience and to provide functional upgrade options. + Rapid time to deploy and realise value enables organisations to avoid involved and costly procurements and respond rapidly to changing market needs. + The SasS model has great green credentials, as there is a significant reduction in energy consumption using SaaS infrastructure when compared to in-house solutions. + Guaranteed service continuity ensures that our customer s operations teams stay in control of water network services 24/7 and 365 days a year. Traditional in-house software solutions The traditional alternative to the SaaS model involves software being implemented within the customers own datacentre environment. Whilst there is a sense of control and ownership with this model, there are a number of issues with this traditional model, which have both cost and security implications. For example: + License fees require the whole cost of the software to be paid upfront + Further fees are usually charged for greater software application usage plus maintenance costs at approximately 25% pa. + Hardware (servers and storage) is procured, installed and maintained in-house + As software usage increases, additional hardware will be required + Operating systems are maintained internally 2

3 + Customisations and bespoke integrations must be maintained internally + Software vendors usually charge for upgrades and training + In-house responsibility for service delivery e.g. redundancy and failover + Data is known to be stored on site + Rogue personnel can by-pass security and attack systems 3

4 SaaS Security The security of the SaaS solution can be split into 4 areas: + Physical security: prevention of unauthorised physical access, damage, and interference to the hosted data premises and stored information + Operational security: continuous management of operational processes to ensure security is maintained + System security: using dedicated firewalls and hardened servers to control access to the software and associated data + Transport layer security: utilising encryption, IDS, IPS and Malware protected physical networks and VPN tunnels. Physical security The physical security associated with the i2o software includes locking down and logging all physical access to the data centres where the i2o system is hosted. This includes the following: + Data centre access is limited to only authorised personnel. For staff leaving the data centre (via resignation or dismissal), the hosting vendor ensures it immediately revokes all logins and access to the i2o software solutions. System and building access rights are also revoked. The data centre building access rights are continuously audited by the hosting vendor s Internal Audit Department. The data centre staff escort ALL visitors. Each visitor signs a log that requires them to present a valid photo ID, purpose of visit and who will escort them. The data centre corporate Security department performs a monthly audit of Security and Visitor access logs. + Badges and biometric scanning for controlled data centre access. All data centre employees utilise picture proximity badges and access cards to enter buildings. All employees entering any of the data centre facilities need to display their badge to the security front desk and strict policy enforcement, requires they visibly wear their badges at all times while in the building. The data centre s policy strictly prohibits employees from tailgating each other at entrances to the data centres. Data centre employees must scan their proximity badges and access cards to enter the lobby. A security guard team operates the front desk where they will check and verify 4

5 credentials before a data centre employee can scan their badge to enter the facility. Entry to the data centres also includes a guarded mantrap to enforce that tailgating does not happen. + Access and video surveillance log retention. All data centre locations are monitored by CCTV/DVRs. Standard data centre access and visitor access is strictly controlled and logged. Motion detection surveillance cameras are deployed internally and externally in all data centre facilities monitoring 24/7. All CCTV/DVRs and supporting data is retained for 90 days. + 24x7 onsite staff provides additional protection against unauthorised entry. In addition to the onsite staff and the surveillance cameras, an unarmed Guard Force is used on site and is present 24/7/365. All Staff are subject to screening. + Unmarked facilities to help maintain low profile. The data centres are unmarked and difficult to identify. No external signage is shown to identify the data centre, therefore reducing external interest in the buildings. + Physical security audited by independent firms annually. An annual report is produced to ensure the physical security of the data centre hosting the i2o software is as secure as possible. Operations Security This involves creating business processes and policies that follow security best practices, to limit access to confidential information held in the data centres and maintain tight security over time. + ISO 27001/2 based policies, reviewed at least annually The i2o data centre provider adheres to policies that meet the best Industry Standards, such as following the ISO27001/22 Framework. The ISO certification covers a broad range of security controls within the data centre, from the physical environment in which the i2o software is deployed, accessed and monitored, to the logical system-based controls employed to manage access. With this certification, the i2o data centre vendor has a systematic approach to managing critical, confidential, and sensitive corporate information to meet current standards for information security. + Documented infrastructure change management procedures Documentation of network and hardware change management procedures is fully documented. This provides procedures to correctly upgrade the data centre network infrastructure (cables, 5

6 power supplies, servers, storage), and re-allocation of data centre assets to other parts of the building. + Secure document and data centre media destruction All documentation detailing the data centre assets is securely stored and only accessible by usernames and password. The access is logged to provide an audit trail. All media that has reached its end of life is physically destroyed. Media is not just wiped clean due to security concerns. An external contract exists with a media destruction company to handle all media destruction. A certificate of destruction by barcode for all media destroyed is sent to the i2o data centre vendor after the destruction has occurred. + Incident management function Policies and processes are in place aimed at making sure information security events and weaknesses are communicated in a timely manner to allow corrective action. All serviceimpacting incidents are logged and shared with customers pro-actively. + Business continuity plan focused on availability of infrastructure Includes disaster recovery strategies and redundancy procedures should the i2o platform hosting the software develop any issues. I2O utilises RAID configurations and a managed backup agent running continuously to ensure frequent data backups are performed. (See section on Data protection and managed backups) + Continuous monitoring and improvement of security programme Continuous monitoring provides on-going visibility of any threats that are being encountered, and any potential new threats to the data centre. Continuous improvement in identifying and defending against those threats is part of the security programme. System Security System security maintains the security of the overall hardware servers the i2o software data is hosted on. This involves the following: + System installation using hardened, patched Operating System (OS) Each server has a hardened OS, which means the OS has the basic services required for the i2o software to run. The OS is hardened using guidelines from Microsoft, NIST and industry vendors. A vulnerability scan is used to validate the integrity of the servers before they are made live to i2o customers. 6

7 At the router infrastructure level, the router configuration supports filtering of non-routable private IP addresses, therefore only allowing authorised data to get through to the i2o system. + System patching to provide on-going protection from exploits All system patches are thoroughly tested in a test environment prior to installation on the live servers. Critical patches are applied immediately when available. + Dedicated firewalls to help block unauthorised system access The i2o servers are located behind a number of firewalls to stop unauthorised system access. Industry leading firewalls including Cisco ASA & PIX dedicated firewalls are used to protect the servers. The firewalls are fully certified including ICSA Firewall and IPSec certification and Common Criteria EAL4 evaluation status. All firewalls are deployed in a maximum secure state, with all ports/services closed/off to begin with. + Data protection with managed backup solutions Servers are backed up to the centralised Managed Backup Storage System. The default configuration is to perform Weekly Full and Daily Differential back-ups with retention rates of two or four weeks, which is a configurable period and can be extended as required. Managed Backup utilises an independent private network for all backups running on an all Cisco equipment switched network. This minimises Network Security concerns with the following results: Each server is in a port level VLAN. Each server can only see the backup servers and no other servers on the network, including their own. No one server can see any other server on another port level VLAN. Once the backups are made, they are stored in a library; the tape libraries are logically separated from all other equipment in the data centre. The onsite data is stored within the locked Tape library, which can only be accessed, by authorised data centre or backup technicians. i2o Application Security The i2o application has been built following best practice offered by OWASP. The application sits between multiple firewalls and multi-faceted security filters. All Logins are audited and users are filtered to ensure authentic behaviours. Administration and operational functionality exist in separate applications with independent security credential requirements. 7

8 + Intrusion Detection System to provide an additional layer of protection against unauthorised system access The data centre hosting the i2o software utilises an Intrusion Detection System (IDS), called AlertLogic to provide IDS capability. The IDS system will detect suspected malicious network traffic and respond appropriately. It detects non-whitelisted and blacklisted data patterns, allowing whitelisted, blocking blacklisted and providing alerts for unknown data patterns. The diagram below shows how IDS works to protect the i2o software from being threatened by unauthorised attacks. + Distributed Denial of Service (DDoS) mitigation services Access Control Listings (ACLs) are set up to stop specific IP addresses from reaching the i2o software and lowering the number of DDoS attacks. In the case of of traffic flowing to the i2o software servers, if abnormal traffic behaviour is detected (i.e. sudden increase in traffic from 1 IP address or multiple login attempts to i2o software), then this is treated as malicious activity. The DDOS mitigation service acts quickly, routing suspicious traffic through a "sanitation engine", which uses multiple DDoS detection methods to filter out and divert malicious traffic. All legitimate traffic is then forwarded to the intended destination servers, which are able to serve clients entirely unaffected by the on-going DDoS attack. 8

9 Transport Layer Security Device(s) GPRS Network i2o Encryption System Operator Internet VPN tunnel option i2o Water Data Centre Encrypted Data Private, Physical Network with IDS, IPS, Malware Protection Firewalls Encrypted SSL and Private Vulnerability Scanning Patch Management Malware Protection IDS/IPS Firewalls The two-way communication follows a transport layer that ensures high levels of security to and from the i2o devices in the field and the data centre. The data in transit is also encrypted and would require detailed system and code level understanding in the unlikely event of interception and decryption, to facilitate any change or intervention. Corrupted or modified data will not be understood or accepted by the i2o system. 9

10 Fire event at the data Centre? An important consideration is what happens in the event of a fire at the data centre hosting the i2o software. The i2o data is backed-up on a daily basis onto a different storage area at a different location for redundancy purposes. In the unlikely event there is a fire, the backup data will be made available for use through the i2o user interface. Backup Technicians will monitor backup jobs, perform data restores and change configurations to ensure the backup procedure works well. The i2o data is hosted using an advanced fire suppression system; this is designed to stop fires from spreading in the unlikely event one should occur. The data centre has the following system in place for fire detection and suppression: + Siemens Cerberus Pyrotronics System with VESDA smoke detection (VESDA- (Very Early Smoke Detection Apparatus) System provides very early warning of smoke or conditions leading to a fire, by continuously sampling air in facilities for carbon products) + Pre-action dry pipe fire suppression system + Portable dry-chemical fire extinguishers + Heat sensitive sprinklers located in all areas of the data centre facilities + Fire extinguishers present throughout the data centre facilities with proper identifying signage and last inspection dates The fire alarm system is connected to an off-site monitoring location that notifies the data centre engineering team to take appropriate actions. The data centre utilises the Foreseer Monitoring system for all Heating Ventilation and Air Conditioning (HVAC) and electrical distribution. In terms of water/liquid damage, the i2o hosted data centre has water leak detector installed under the raised floor throughout the data centres. Detectors are tied into Liebert units for remote alarming and paging through Foreseer. The Liebert unit is a mission-critical cooling solution for computer installations. 10

11 SaaS Accreditation The Hosting vendor used by i2o is accredited with the following certifications: + ISO27001 certified: The ISO certification covers a broad range of security controls within the data centres, from the physical environment in which the i2o system is hosted, accessed and monitored, to the logical system-based controls employed to manage access. This security certification provides assurance for customers as to the scope and scale of the secure environment that the i2o system is hosted in. + ISAE 3402 Type II Service Organisation Control (SOC 2 Reporting): this is a globally recognised standard for reporting on service organisation controls. This demonstrates that all processes, procedures and controls have been formally evaluated and tested by an independent accounting and auditing company for their data centres. The examination includes controls relating to security monitoring, change management, service delivery, support services, back-up, environmental controls, logical and physical access. + ISO 9001:2008 (Quality Management): The data centre enterprise and support functions are certified to this internationally recognised standard, this ensures the quality principles of ISO 9001 are actively embraced in the day-to-day Support to customers Conclusion The SaaS model provides substantial user benefits and the agility to rapidly meet new business requirements as they emerge. For many organisations the shift to external service-based delivery creates a real advantage, driving innovation and lowering costs. For others it is strategic option to explore and support new initiatives, unlocking the dependency on scarce in-house IT resources. The i2o SaaS model provides utilities with a robust and secure platform from which to manage their networks and deliver outstanding service to their customers. World-class security will always lie at the very heart of i2o s business and the service we provide to our customers. 11