by New Media Solutions 37 Walnut Street Wellesley, MA p f Avitage IT Infrastructure Security Document

Transcription

1 Avitage IT Infrastructure Security Document The purpose of this document is to detail the IT infrastructure security policies that are in place for the software and services that are hosted by Avitage. Overview Avitage operates it s software and delivers services using a network of servers that are available online through the domains Avitage.com and Presentationselect.com All servers in the server environment are Microsoft Windows based servers The server environment is situated behind a robust firewall The server environment is physically located in a collocation space provided by Internap, a leading collocation provider Avitage contracts IT consulting and special project support from Thrive Networks, a Microsoft Certified IT Solutions Partner Physical Security Physical security provided by collocation provider Internap, a leading collocation provider. For additional specifications on Internap physical specifications, please see related document (Internap_DataCenterSpecs.doc). Connectivity Redundant network drops and routers SLA guarantee of 100 percent network availability, 45 millisecond latency, 0.3% packet loss, and 0.5 millisecond jitter Connections to multiple backbones including o AT & T o Global NAPS o Level 3 o NEON o Verizon o MCI o XO Security Multiple layers of hardened physical security 24x7x365 security presence Closed-circuit television surveillance with digital storage Multiple layers of electronically controlled card access Multiple biometric scanners control access Individual locked cabinet Power Distribution 2,750KVA of robust, conditioned, highest quality AC power For Liebert 600 series UPS systems (3-750KVA & 1-500KVA)

2 5750 KW of redundant generator backup with 30-hour fuel supply and extended refuel contracts Overhead delivery Environmental Control Temperature maintained between 64 and 78 degrees 680 tons of robust and redundant HVAC 24 Liebert HVAC units (20-30 ton & 4-20 ton units) for N+1 redundancy Liebert rooftop glycol drycooler units for N+1 redundancy Floor water dams with liquid sensors Steam humidification Overhead delivery Fire Detection/Prevention VESDA (Very Early Warning Smoke Detection) throughout the data center Zoned dry-piped pre-action sprinkler system Access Policy Physical Access to Servers Physical access to server environment secured by collocation vendor Internap Physical access protected by electronic pass card and biometric controls Granting employee physical access: IT administrator approves employee physical access to server environment by communicating employee information to Internap. Employee name, , and driver s license number is communicated to Internap via from IT administrator and verified by phone. On initial visit, the employee must show driver s license at collocated data center. Driver s license number is validated against approved employee list held by Internap, and electronic pass card and biometric control implemented for the employee. Internap security employee must open locked cabinet for physical access to server Employee Access to Servers Each employee is assigned their own username and password for logging purposes. The IT administrator controls individual access and levels of permissions. Not all employees are granted access to server environment. Employees that work in the company offices have VPN access to server environment. IT administrator uses individual username and password (i.e. not administrator) Employee user account de-activated upon termination of employment Contractor/Partner/Vendor Access to Servers Collocation vendor Internap has keyed access to physical servers, however, they do not have any login access to servers No partners have login access to servers For IT consultant vendor (Thrive Networks), each engineer has an individual user name and password. By default, each account is de-activated. When an engineer needs access to server for a particular project or work request, they contact the IT administrator who temporarily activates their account. Their account is de-activated when the work is complete.

3 Intrusion Detection Virus Detection Virus protection on all servers performed by Norton Antivirus and managed by Symantec System Center. Virus definition updates retrieved automatically on a daily basis using Norton LiveUpdate. Full disk scans performed automatically on a daily basis for all servers in environment. Windows patches and updates monitored and implemented by IT administrator with Microsoft Certified Solutions Partner (Thrive Networks) as a reference. Network Monitoring Windows 2000 Performance Monitor (W2PM) running on the domain manager monitors the performance of each server in the server environment Monitored objects include processor usage, physical disk usage, network interface and memory. Alerts from W2PM are ed to CERT (computer emergency response team) and triaged via phone contact Notification Procedures/Incident Response In the event of an incident, the following general procedures are followed: a. CERT (computer emergency response team) contacted. IT Administrator, assistant IT Admin, and Thrive Networks 24 hour support contacted. b. Company president contacted. c. Security logs reviewed by IT Administrator or assistant and Thrive Networks contact. d. Appropriate course of action decided by IT Administrator or assistant with Thrive Networks contact. Actions may include: e. Blocking of intrusion IP f. Quarantine of affected server g. System shut down Company president contacted first. h. None. System Administration Server Standards All servers are kept at the same OS, patch and release level All server standards are maintained and monitored by IT Administrator. Change Management All software and system changes are first installed on local development server that mirrors setup of live servers. Hardware updates are tested on local development server if possible. QC team consisting of IT Administrator, Development, and Product Manager review impact of any change on systems. Changes to live servers are implemented on Saturday morning to allow weekend testing.

4 IT Training/Updates IT administrator responsible for technical competency of employees and vendors with access to servers. IT members attend Microsoft TechNet seminars in the Boston area. Patch Management Notification Security alerts and patches are received directly from Microsoft via . The IT manager and several backups receive the alerts. General updates are received during the middle of the second week of each month. Critical updates are reviewed as soon as they are released. Implementation Microsoft patches identified as critical are installed on a development server, tested, and then installed on production servers within 24 hours. Non critical patches are received during the second week of each month, installed on a development server, tested, then installed on productions servers the following Saturday at 2:00 AM ET. Required re-boots are done sequentially to minimize down time. Additionally, Microsoft Baseline Security Analyzer (MBSA) is run against the servers once every two months to identify potential security issues. Currently each server is updated manually. Future plans include upgrading to Microsoft Windows Update Services (WUS). Auditing /Logging Audited Information Standard IIS W3C Extended Log Files are generated for all web sites. All system level security events (including activity by administrators and privileged users) are logged using the standard Microsoft security audit log. Audit log parameters are defined at the domain level and standard across all servers in the network. Security warnings, errors, information, Logon successes, Logon failures from all system event sources and categories are logged including account management events, oolicy change events, object access events, privilege use events, and process tracking events. For each logon event, username, domain, logon process, and workstation id or IP address is logged. Active log files include 7 days of audit information. Log file archives are stored off server for a length of 180 days. Review Process IT Administrator reviews IIS Audit Log files using product called 123 Log Analyzer.

5 Security logs are reviewed manually by IT Administrator using Microsoft Operations Manager (MOM) approximately once per month. Redundancy/Fail Over Redundancy Redundancy of power and internet connectivity is provided by hosting vendor Internap. Each server in the system has a redundant partner that can be used in the case of server failure. Databases are replicated using SQL clusters across physical servers to minimize impact of any hardware failure Disaster Planning Backed up data can be restored using an online backup management tool In case of physical disaster in server environment, sites and applications can be restored to server environment in company offices. DNS pointers would be re-directed. Data Backup Software applications and customer data are protected by backup systems designed to ensure complete redundancy. Components of the backup strategy include: Nightly automatic backups of application settings, SQL backups and customer data Backup performed directly to a secure off-site location with rotating tape schedule. Rotation scheme includes 3 month data retention, and weekly off site removal of full snapshots. Full backups performed weekly and differentials saved daily. Enterprise level backup management software for backup job organization, restore functions, reporting, and alerts. Automatic notification of backup job status on nightly basis to multiple administrators. Hourly SQL transaction logs stored to alternate local device. Application Security User System Requirements Internet Explorer 5.0+, Netscape 4.78+, and Mozilla all supported for general library use Internet Explorer 5.0+ required for personal library use No cookies are used No ActiveX or Java applets used in the application Logon and Access Security There are three system level options for login o Required manual log-in: Non log-in access is disabled. Every user that wishes to browse an Avitage library must manually type in a password to be authenticated.

6 Authentication assigns a 36 character session key (GUID) that is only applicable for that session. There are no cookies to allow users to remember me. o Internal password encryption: System level security parameters are required for access into the system. Those parameters can be hidden and encrypted and placed on a web site internal to the customer (i.e. inside the firewall). Any user requests to access the system can be directed through that page which ensures only users inside the firewall can access the application. System level security parameters are not displayed in the user s address bar or any other place in the application. Optionally, the system level security parameters can be changed on a regular basis. o User restriction based on IP address: Using standard Windows IIS IP security functions, logons can be restricted to designated IP address ranges. Defined user IP ranges (including proxy server addresses) are required for this option. Compile and Go and Direct To Folder links can be set to hide security parameters in page link. Customers choose this option if they would like to only have security parameters only available on internal web pages. Users with designated accounts (Avitage Personal Libraries) are limited to one session at a time to prevent unwanted logins No cookies are used for session state 128 bit SSL is an option Data Security Source documents are separated into individual files for each slide, filenames are randomly generated 128 bit cryptographically secure strings. Each presentation that is compiled for download or for sending to a customer is created in its own directory on the server. The name for each compiled presentation directory is a randomly generated 128 bit cryptographically secure alpha-numeric string. This ensures that a user who knows the URL to one presentation cannot find the URL to another. System users can choose expiration dates for presentations that are compiled for download or sending to a customer. If users do not choose an expiration date, a default expiration date is applied. Application Security Application runs under local domain accounts with unique username and password Dynamically generated and unique 36 character session key required to access any page within the application Page views are dynamically generated within each user session EXE s, DLL s and other key files are not Internet accessible Scanning of uploaded files for malicious content Buffer overflow patches from Microsoft are considered critical and installed within 24 hours of patch release Client and server side checks against user entered database fields are performed to reduce risk to cross site scripting and SQL injection attacks