319 MANAGED HOSTING TECHNICAL DETAILS

Transcription

1 319 MANAGED HOSTING TECHNICAL DETAILS 319 NetWorks

2 Table of Contents Architecture Platform Applications Network Stack Cloud Hosting Technical Details... 5 Server Access... 7 Monitoring Systems... 7 Instance Isolation... 7 Elastic Block Storage (Amazon EBS) Security... 8 Multiple levels of Security... 8 Network Security Summary Amazon Simple Storage Service (Amazon S3) Security Data Management Amazon Certifications Commitment NetWorks Page 3

3 Architecture The 319 Enterprise Network comprises 319 Platform, 319 Applications, 319 Network Stack, Amazon Cloud Technology and Cloud Technical Applications, 319 Redundant Montioring System and 319 Backup & Restore Systems. 319 NetWorks Page 4

4 319 Platform The 319 Platform is a dynamic object oriented engine. The platform runs sets of 319 Applications. The base functions of the platform are but are not limited to: Web Page Security Engine o User Data Store and Authentication File management Web page generation o Page Template Engine o Dynamic Blocks o CSS Layer connected to Dynamic Blocks o HTML Content store and display o XML to XSLT Transformation Tracking Engine 319 Applications 319 Applications are comprised of 319 Platform Objects/ Actions that are dynamic systems which store, and query data form the 319 Platform Database. A filled 319 Platform can comprise of greater than 1000 Applications for everything from full elearning to web page secured login. 319 Network Stack The 319 network Stack is built from open source technology including but not limited to Linux, PHP 5+, MySQL 5 + and many other applications. 319 Cloud Hosting Technical Details The 319 Cloud Enterprise Solution employs a full cloud environment which is optimized for scalability, reliability and security. Virtual Servers are deployed at edge location the closest to the customers needs reducing latency and improving performance. The web server is a virtual machine that uses elastic IPs. Elastic IPs allow for rapidly moving of server resources as demands need for security, reliability and performance. If a virtual server is seeing high loads of traffic and file transfer, 319 has the rapid ability to partition a new and larger server and deploy a server image to it, change the elastic IP and connect the virtual drive to it. This assures the high reliability and uptime. The 319 Cloud Enterprises Solution is built inside the Amazon Cloud. 319 NetWorks Page 5

5 Server Image: A server image is a remote stored image of the 319 Server Stack. This includes all critical server applications, 319 Platform, all 319 Applications and key settings. In less than 10 minutes a new boot drive can be configured and connected to the new server instance. Boot Drive: This is the drive that is used to virtually connect to the server instance which boots up the server and includes the entire 319 Server Stack. Elastic IP: Elastic IP addresses are static IP addresses designed for dynamic cloud computing. An Elastic IP address is associated the 319 Cloud not a particular instance. Unlike traditional static IP addresses, however, Elastic IP addresses allows for masking of instance. This allows for rapid changes as the networks demands change or in case of an event. Virtual Data Store: Data is stored on virtual drives allowing for rapid drive resizing and scalability as needs demand. Replication and duplication built into cloud storage assures the reliability of data store and eliminate the reliability issues created by physical drives. Backup: Backup is run 7 days a week in the middle of the night EST depending on the demands of the server. Backup runs in parallel thus not stopping access to server resources or having any effect of uptime of the site. It will have a small impact on speed of the website during this time. Since backup runs from virtual drive to virtual drive it has little to no effect on the webserver but only on the disk access during the backup cycles. The backup stores 7 consecutive days of full backups for each site, including Platform319, 319Applications and data. This assures that under any event the site can 100% be restored to a prior state if needed. Since we also backup the applications and the platform a site can be replicated to another drive rapidly and will assure it will remain in the state of that backup. Backups are stored on a separate virtual drive providing the highest reliability in case of a drive event. On the 8 th day the backup from that day writes over the backup from the 1 st day, thus it is 7 days rolling. 319 Streaming Cloud: The 319 Streaming cloud deploys a combination of virtual drives and cloud front technology. The virtual drives allow for virtually unlimited scaling. Cloud front deploys copies of these files and they are served up from the closes point from where the visitor is requesting the file. Files in the Easter part of the US will be servers from Vagina while requests from Asia will be served up from Asia. At any time the file is changed it will dynamically be replicated across the entire CloudFront. CloudFront are determined for each customer based on their user footprint. Requests for files from the streaming network do not transfer through the webserver but rather are delivered directly from the CloudFront. Streaming is performed via RTMPS. Direct file delivery is achieved via HTTPS. 319 NetWorks Page 6

6 Server Access The server access is limited to standard internet protocol of https for secure sites, http for some sites for non-secure sites. Software maintenance is performed via SSH, Secure Shell (SSH) is a cryptographic network protocol for secure data communication, remote shell services or command execution and other secure network services between two networked computers that it connects via a secure channel over an insecure network: a server and a client (running SSH server and SSH client programs, respectively). Monitoring Systems 319 employees 2 separate monitoring systems. Monitoring System 1: Amazon Cloud Watch Amazon CloudWatch provides monitoring for AWS cloud resources and the applications run on AWS. In CloudWatch we monitor resource utilization, application performance, and operational health. Monitoring System 2: 319 Monitoring This is a custom monitoring system that resides on an external server that monitors the health of all sites and their resources running within the 319 Cloud. Both systems employ notification via and SMS. Instance Isolation Different instances running on the same physical machine are isolated from each other via the Xen hypervisor. Amazon is active in the Xen community, which provides awareness of the latest developments. In addition, the AWS firewall resides within the hypervisor layer, between the physical network interface and the instance's virtual interface. All packets must pass through this layer, thus an instance s neighbors have no more access to that instance than any other host on the Internet and can be treated as if they are on separate physical hosts. The physical RAM is separated using similar mechanisms. 319 NetWorks Page 7

7 Customer instances have no access to raw disk devices, but instead are presented with virtualized disks. The AWS proprietary disk virtualization layer automatically resets every block of storage used by the customer, so that one customer s data are never unintentionally exposed to another. AWS recommends customers further protect their data using appropriate means. One common solution is to run an encrypted file system on top of the virtualized disk device. Elastic Block Storage (Amazon EBS) Security Amazon EBS volume access is restricted to the AWS Account that created the volume, and to the users under the AWS Account created with AWS IAM if the user has been granted access to the EBS operations, thus denying all other AWS Accounts and users the permission to view or access the volume. However, a customer can create Amazon S3 snapshots of their Amazon EBS volume and enable other AWS Accounts the ability to use the shared snapshot as the basis for creating their own volumes. Customers also have the ability to make Amazon EBS volume snapshots publicly available to all AWS Accounts. Sharing Amazon EBS volume snapshots does not provide other AWS Accounts with the permission to alter or delete the original snapshot as that right is explicitly reserved for the AWS Account that created the volume. An EBS snapshot is a block level view of an entire EBS volume. Data which is not visible through the file system on the volume, such as files which have been deleted, may be present in the EBS snapshot. Customers that want to create shared snapshots should do so carefully. If a volume has held sensitive data or has had files deleted from it, a new EBS volume should be created. The data to be contained in the shared snapshot should be copied to the new volume, and the snapshot created from the new volume. Amazon EBS volumes are presented to the customer as raw unformatted block devices, which have been wiped prior to being made available for use. Customers that have procedures requiring that all data be wiped via a specific method, such as those detailed in DoD M ( National Industrial Security Program Operating Manual ) or NIST ( Guidelines for Media Sanitization ), have the ability to do so on Amazon EBS. Customers should conduct a specialized wipe procedure prior to deleting the volume for compliance with their established requirements. Encryption of sensitive data is generally a good security practice, and AWS encourages users to encrypt their sensitive data via an algorithm consistent with their stated security policy. Multiple levels of Security Virtual Private Cloud: Each VPC is a distinct, isolated network within the cloud. At creation time, an IP address range for each VPC is selected by the customer. Network traffic within each VPC is isolated from all other VPCs; therefore, multiple VPCs may use overlapping (even identical) IP address ranges without loss of this isolation. By default, VPCs have no external connectivity. Customers may create and attach an Internet Gateway, VPN Gateway, or both to establish external connectivity, subject to the controls below. 319 NetWorks Page 8

8 API: Calls to create and delete VPCs, change routing, security group, and network ACL parameters, and perform other functions are all signed by the customer s Amazon Secret Access Key, which could be either the AWS Accounts Secret Access Key or the Secret Access key of a user created with AWS IAM. Without access to the customer s Secret Access Key, Amazon VPC API calls cannot be made on the customer s behalf. In addition, API calls can be encrypted with SSL to maintain confidentiality. Amazon recommends always using SSL-protected API endpoints. AWS IAM also enables a customer to further control what APIs a newly created user has permissions to call. Subnets: Customers create one or more subnets within each VPC; each instance launched in the VPC is connected to one subnet. Traditional Layer 2 security attacks, including MAC spoofing and ARP spoofing, are blocked. Route Tables and Routes: Each Subnet in a VPC is associated with a routing table, and all network traffic leaving a subnet is processed by the routing table to determine the destination. VPN Gateway: A VPN Gateway enables private connectivity between the VPC and another network. Network traffic within each VPN Gateway is isolated from network traffic within all other VPN Gateways. Customers may establish VPN Connections to the VPN Gateway from gateway devices at the customer premise. Each connection is secured by a preshared key in conjunction with the IP address of the customer gateway device. Internet Gateway: An Internet Gateway may be attached to a VPC to enable direct connectivity to Amazon S3, other AWS services, and the Internet. Each instance desiring this access must either have an Elastic IP associated with it or route traffic through a NAT instance. Additionally, network routes are configured (see above) to direct traffic to the Internet Gateway. AWS provides reference NAT AMIs that can be extended by customers to perform network logging, deep packet inspection, application-layer filtering, or other security controls. This access can only be modified through the invocation of Amazon VPC APIs. AWS supports the ability to grant granular access to different administrative functions on the instances and the Internet Gateway, therefore enabling the customer to implement additional security through separation of duties. Amazon EC2 Instances: Amazon EC2 instances running with an Amazon VPC contain all of the benefits described above related to the Host Operating System, Guest Operating System, Hypervisor, Instance Isolation, and protection against packet sniffing. Tenancy: VPC allows customers to launch Amazon EC2 instances that are physically isolated at the host hardware level; they will run on single tenant hardware. A VPC can be created with dedicated tenancy, in which case all instances launched into the VPC will utilize this feature. Alternatively, a VPC may be created with default tenancy, but customers may specify dedicated tenancy for particular instances launched into the VPC. Firewall (Security Groups): Like Amazon EC2, Amazon VPC supports a complete firewall solution enabling filtering on both ingress and egress traffic from an instance. The default group enables inbound communication from other members of the same group and outbound communication to any 319 NetWorks Page 9

9 destination. Traffic can be restricted by any IP protocol, by service port, as well as source/destination IP address (individual IP or Classless Inter-Domain Routing (CIDR) block). The firewall isn t controlled through the Guest OS; rather it can be modified only through the invocation of Amazon VPC APIs. AWS supports the ability to grant granular access to different administrative functions on the instances and the firewall, therefore enabling the customer to implement additional security through separation of duties. The level of security afforded by the firewall is a function of which ports are opened by the customer, and for what duration and purpose. Well-informed traffic management and security design are still required on a per-instance basis. AWS further encourages customers to apply additional per-instance filters with host-based firewalls such as IP tables or the Windows Firewall. Network Access Control Lists: To add a further layer of security within Amazon VPC, customers can configure Network ACLs. These are stateless traffic filters that apply to all traffic inbound or outbound from a subnet within VPC. These ACLs can contain ordered rules to allow or deny traffic based upon IP protocol, by service port, as well as source/destination IP address. Like security groups, network ACLs are managed through Amazon VPC APIs, adding an additional layer of protection and enabling additional security through separation of duties. Network Security Summary The diagram below depicts how the security controls above inter-relate to enable flexible network topologies while providing complete control over network traffic flows. 319 NetWorks Page 10

10 Amazon Simple Storage Service (Amazon S3) Security With any shared storage system, the most common security question is whether unauthorized users can access information either intentionally or by mistake. So that customers have flexibility to determine how, when, and to whom they wish to expose the information they store in AWS, Amazon S3 APIs provide both bucket- and object-level access controls, with defaults that only permit authenticated access by the bucket and/or object creator. Unless a customer grants anonymous access to their data, the first step before a user, either an AWS Account, or a user created with AWS IAM, can access data is to be authenticated using an HMAC-SHA1 signature of the request using the user s private key. An authenticated user can read an object only if the user has been granted Read permissions in an Access Control List (ACL) at the object level. An authenticated user can list the keys and create or overwrite objects in a bucket only if the user has been granted Read and Write permissions in an ACL at the bucket level or via permissions granted to them with AWS IAM. Bucket and object level ACLs are independent; an object does not inherit ACLs from its bucket. Permissions to read or modify the bucket or object ACLs are themselves controlled by ACLs that default to creator-only access. Therefore, the customer maintains full control over who has access to their data. Customers can grant access to their Amazon S3 data to other AWS Accounts by AWS Account ID or , or DevPay Product ID. Customers can also grant access to their Amazon S3 data to all AWS Accounts or to everyone (enabling anonymous access). Data Management For maximum security, Amazon S3 is accessible via SSL endpoints. The encrypted endpoints are accessible from both the Internet and from within Amazon EC2, so that data are transferred securely both within AWS and to and from sources outside of AWS. Securing data at rest involves physical security and data encryption. As mentioned in detail in Physical Security, Amazon employs multiple layers of physical security measures to protect customer data at rest. For example, physical access to Amazon datacenters is limited to an audited list of Amazon personnel. Encryption of sensitive data is generally a good security practice, and AWS encourages users to encrypt their sensitive data before it is uploaded to Amazon S3. When an object is deleted from Amazon S3, removal of the mapping from the public name to the object starts immediately, and is generally processed across the distributed system within several seconds. Once the mapping is removed, there is no remote access to the deleted object. The underlying storage area is then reclaimed for use by the system. Amazon S3 is designed to provide % durability and 99.99% availability of objects over a given year. Objects are redundantly stored on multiple devices across multiple facilities in an Amazon S3 Region. To help provide durability, Amazon S3 PUT and COPY operations synchronously store your data across multiple facilities before returning SUCCESS. Once stored, Amazon S3 helps maintain the 319 NetWorks Page 11

11 durability of your objects by quickly detecting and repairing any lost redundancy. Amazon S3 also regularly verifies the integrity of data stored using checksums. If corruption is detected, it is repaired using redundant data. In addition, Amazon S3 calculates checksums on all network traffic to detect corruption of data packets when storing or retrieving data. Amazon S3 provides further protection via Versioning. You can use Versioning to preserve, retrieve, and restore every version of every object stored in your Amazon S3 bucket. With Versioning, you can easily recover from both unintended user actions and application failures. By default, requests will retrieve the most recently written version. Older versions of an object can be retrieved by specifying a version in the request. You can further protect your versions using Amazon S3 Versioning's MFA Delete feature, once enabled for an S3 bucket, each version deletion request must include the six digit code and serial number from your multi factor authentication device. Amazon Certifications SOC 1/SSAE 16/ISAE 3402 Amazon Web Services now publishes a Service Organization Controls 1 (SOC 1), Type 2 report. The audit for this report is conducted in accordance with the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) and the International Standards for Assurance Engagements No (ISAE 3402) professional standards. This dual-standard report can meet a broad range of auditing requirements for U.S. and international auditing bodies. The SOC 1 report audit attests that AWS control objectives are appropriately designed and that the individual controls defined to safeguard customer data are operating effectively. Our commitment to the SOC 1 report is on-going and we plan to continue our process of periodic audits. This audit is the replacement of the Statement on Auditing Standards No. 70 (SAS 70) Type II report. FISMA Moderate AWS enables U.S. government agency customers to achieve and sustain compliance with the Federal Information Security Management Act (FISMA). FISMA requires federal agencies to develop, document, and implement an information security system for its data and infrastructure based on the National Institute of Standards and Technology Special Publication , Revision 3 standard. FISMA Moderate Authorization and Accreditation requires AWS to implement and operate an extensive set of security configurations and controls. This includes documenting the management, operational, and technical processes used to secure the physical and virtual infrastructure, as well as the third-party audit of the established processes and controls. AWS has received a three-year FISMA Moderate authorization for Infrastructure as a Service from the General Services Administration. AWS has also successfully achieved other ATOs at the FISMA Moderate level by working with government agencies to certify their applications and workloads. 319 NetWorks Page 12

12 PCI DSS Level 1 AWS has achieved Level 1 PCI compliance. We have been successfully validated as a Level 1 service provider under the Payment Card Industry (PCI) Data Security Standard (DSS). Merchants and other service providers can now run their applications on our PCI-compliant technology infrastructure for storing, processing, and transmitting credit card information in the cloud. Other enterprises can also benefit by running their applications on other PCI-compliant technology infrastructure. PCI validated services include Amazon Elastic Compute Cloud (EC2), Amazon Simple Storage Service (S3), Amazon Elastic Block Storage (EBS) and Amazon Virtual Private Cloud (VPC), Amazon Relational Database Service (RDS), Amazon Elastic Load Balancing (ELB), Amazon Identity and Access Management (IAM), and the underlying physical infrastructure and the AWS Management Environment. For more information please visit our PCI DSS Level 1 FAQs. ISO AWS has achieved ISO certification of our Information Security Management System (ISMS) covering our infrastructure, data centers, and services including Amazon Elastic Compute Cloud (Amazon EC2), Amazon Simple Storage Service (Amazon S3) and Amazon Virtual Private Cloud (Amazon VPC). ISO 27001/27002 is a widely-adopted global security standard that sets out requirements and best practices for a systematic approach to managing company and customer information that s based on periodic risk assessments. In order to achieve the certification, a company must show it has a systematic and ongoing approach to managing information security risks that affect the confidentiality, integrity, and availability of company and customer information. This certification reinforces Amazon s commitment to providing transparency into our security controls and practices. AWS s ISO certification includes all AWS data centers in all regions worldwide and AWS has established a formal program to maintain the certification. A copy of our ISO certificate, available to AWS customers, describes the ISMS services and geographic scope. For more information please visit our ISO FAQs. International Traffic In Arms Compliance The AWS GovCloud (US) region supports US International Traffic in Arms Regulations (ITAR) compliance. As a part of managing a comprehensive ITAR compliance program, companies subject to ITAR export regulations must control unintended exports by restricting access to protected data to US Persons and restricting physical location of that data to US land. AWS GovCloud (US) provides an environment physically located in the US and where access by AWS Personnel is limited to US Persons, thereby allowing qualified companies to transmit, process, and store protected articles and data under ITAR. The AWS GovCloud (US) environment has been audited by an independent third party to validate the proper controls are in place to support customer export compliance programs for this requirement. 319 NetWorks Page 13

13 FIPS The Federal Information Processing Standard (FIPS) Publication is a US government security standard that specifies the security requirements for cryptographic modules protecting sensitive information. To support customers with FIPS requirements, the Amazon Virtual Private Cloud VPN endpoints and SSL-terminating load balancers in AWS GovCloud (US) operate using FIPS validated hardware. AWS works with AWS GovCloud (US) customers to provide the information they need to help manage compliance when using the AWS GovCloud (US) environment. 319 Visual Monitoring: One time a quarter 319 Technical Staff review data form all cloud resources for current and future planning. This data provides us with insight to potential future needs that may arise before they arise. Commitment 319 NetWorks is committed to reliability and security for all resources on its networks and continually improves our technology, processes and procedures. 319 NetWorks Page 14