Ernst & Young LLP One Commerce Square Suite 700 2005 Market Street Philadelphia, PA 19103 Tel: +1 215 448 5000 Fax: +1 215 448 5500 ey.com Report of Independent Auditor To the Management of Verizon Communications Inc. We have examined management s assertion included in the accompanying Report by Management on the Effectiveness of Its Controls over Verizon Communications Inc. s Administration of Verizon Terremark Managed Services System Based on the AICPA/CICA Trust Services Principles and Criteria (Management Assertion) that Verizon Communications Inc., during the period from November 1, 2012 to October 31, 2013 maintained effective controls over the Administration of Verizon Terremark Managed Services System to provide reasonable assurance that the Administration of Verizon Terremark Managed Services System was: protected against unauthorized access (both physical and logical) and available for operation and use, as committed and agreed based on the AICPA/CICA Trust Services Security and Availability Principles and Criteria. This assertion is the responsibility of Verizon Communications Inc. s management. Our responsibility is to express an opinion based on our examination. Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants and, accordingly, included (1) obtaining an understanding of Verizon Communications Inc. s relevant security and availability controls over the Administration of Verizon Terremark Managed Services System; (2) testing and evaluating the operating effectiveness of the controls over the Administration of Verizon Terremark Managed Services System; and (3) performing such other procedures as we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion. Because of inherent limitations in controls, error or fraud may occur and not be detected. Furthermore, the projection of any conclusions, based on our findings, to future periods is subject to the risk that the validity of such conclusions may be altered because of changes made to the system or controls, the failure to make needed changes to the system or controls, or deterioration in the degree of effectiveness of the controls. In our opinion, Verizon Communications Inc. s management assertion referred to above is fairly stated, in all material respects, based on the AICPA/CICA Trust Services Security and Availability Principles and Criteria. 1403-1222506 1 A member firm of Ernst & Young Global Limited
The SOC 3 SysTrust for Service Organizations Seal on Verizon Communications Inc. s web site constitutes a symbolic representation of the contents of this report and it is not intended, nor should it be construed, to update this report or provide any additional assurance. EY February 21, 2014 1403-1222506 2 A member firm of Ernst & Young Global Limited
Report by Management on the Effectiveness of Its Controls over Verizon Communications Inc. s Administration of Verizon Terremark Managed Services System Based on the AICPA/CICA Trust Services Principles and Criteria Verizon Communications Inc. has established and is responsible for maintaining effective controls over the security and availability of Verizon Communications Inc. s Administration of Verizon Terremark Managed Services System to provide reasonable assurance that the Administration of Verizon Terremark Managed Services System was: protected against unauthorized access (both physical and logical) and available for operation and use, as committed and agreed during the period November 1, 2012 to October 31, 2013, based on the Trust Services Principles and Criteria established by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA). The AICPA/CICA Trust Services Principles and Criteria contain the following definitions of the security and availability of the system: Security: the system was protected against unauthorized access (both physical and logical). Availability: the system was available for operation and use, as committed and agreed. The AICPA/CICA Trust Services Principles and Criteria may be obtained from the AICPA s website at http://www.aicpa.org/download/trust_services/final-trust-services.pdf. Our attached Description of Verizon Communications Inc. s Administration of Verizon Terremark Managed Services System identifies the aspects of the customer production environment covered by our assertions. Verizon Communications Inc. One Verizon Way Basking Ridge, NJ 07920 February 21, 2014 1403-1222506 3
Description of Verizon Communications Inc. s Administration of Verizon Terremark Managed Services Company Overview Verizon Terremark (the Company) is one of three operating units of Verizon Communications Inc. (NYSE: VZ). The Company delivers advanced IP, data, voice and wireless solutions to a majority of the Fortune 500 businesses and government agencies in more than 200 state-of-theart data centers in 23 countries across five continents. Verizon Terremark global IP footprint serves 4,000+ networks in 142 countries and territories, including non-verizon Terremark connections from more than 60 network providers globally. Verizon Terremark provides information technology deployments with advanced infrastructure and managed service offerings that deliver the scale, security, and reliability necessary to meet the requirements of enterprises and governments around the world. Boundaries of the System Verizon Terremark core business function is to provide strategically positioned data centers around the world within which customers/potential customers can subscribe to Verizon Terremark Managed Services in a controlled and managed data center space with the hardware, software, multiple connectivity options, physical security, and environmental safeguards necessary to offer customers a comprehensive hosting solution. Depending on customer requirements, open racks, cabinets, or customized caged floor spaces are available across a global footprint of hardened and secure facilities designed to withstand major environmental incidents. Verizon Terremark facilities offer choices and redundancies in communication infrastructure. Verizon Terremark data centers are connected to multiple domestic fiber backbones, undersea cables and over 160 carriers providing customers access to virtually any location in the world. Customers have the ability to contract services directly with carriers in Verizon Terremark facilities for the connectivity and redundancy they require. Data Centers The hardened facilities sit on top of Tier 1 networks. The data centers provide the physical security for sensitive business applications and n+2 redundant power and cooling backed by service level agreements (SLAs). Verizon Terremark provides ongoing monitoring and on-site technical support. Network Verizon Terremark provides customers network connectivity, with plug-and-play access to leading global carriers, delivering a competitive marketplace of connectivity that allows customers to strategically select the connectivity service best suited to their business. Verizon Terremark s peering fabric brings together providers from around the world to a common location for handing off traffic and making connections. Verizon Terremark provides zero mile connectivity to the world. 1403-1222506 4
Service Delivery Platform (SDP) Service Management Verizon Terremark s next generation SDP Service Management system is driven by a focus on computing, network design, operations and management. This advanced technology represents the optimization of the surrounding technical operations and business processes to create the architectural logic of an entire managed environment. It integrates the capability for Verizon Terremark to manage its services for customers through the following modules: Order Broker, Entity Manager, Alert Management, Implementation, Configuration Management Database (CMDB), Change Management, Ticketing, and Verizon Terremark View Point. Infinistructure Utility Computing Terremark's Infinistructure platform allows customers to pay only for the resources they need while enabling the deployment of new capacity in a secure, highly available enterprise-class environment. The Infinistructure platform meets these challenges with high performance architecture that brings new levels of flexibility and scalability to customer applications, while allowing customers to match infrastructure costs to business needs and optimizing systems utilization. Managed Router Service (MRS) Verizon Terremark offers a Managed Routing Service (MRS) that leverages the global network connectivity provided by the telecommunications companies located within Verizon Terremark s carrier-neutral facilities. Verizon Terremark s Managed Router Service (MRS) provides optimal access to the Internet without the purchase and management of individually owned Internet routers. Using Verizon Terremark s Managed Route Control Platform (MRCP), the MRS solution helps ensure the best possible path to the Internet in real-time. Verizon Terremark intelligently routes Internet traffic across multiple networks, reducing latency and providing redundancy in the event of a problem. Hybrid Capabilities Verizon Terremark has the ability to provide hybrid solutions that combine traditional colocation with cloud computing environments and managed services. Existing physical devices and private networks can also be integrated into cloud environments as needed. Verizon Terremark s hybrid capabilities provide customers with access to various levels of support depending on their requirements. RemoteHands SmartHands Service Verizon Terremark s RemoteHands SmartHands services assist customers that need remote access to equipment for performing simple troubleshooting or maintenance tasks. Verizon Terremark s staff can perform basic tasks that may require the use of tools or equipment. Verizon Terremark RemoteHands SmartHands services are available on demand or by subscription in four-hour blocks per month. 1403-1222506 5
Network and Connectivity Services Verizon Terremark s Managed Network and Connectivity services include the basic layer one services such as physical interconnection to more complex layer three monitoring of networks and alerts. Carrier-neutral design provides zero mile access to robust connectivity and at the same time delivers cost savings, flexibility, and can scale to match customer growth while still delivering the performance customers demand. Managed Security Services Verizon Terremark offers a full line of managed and professional network security solutions, including vulnerability assessments, penetration testing, incident response and customized services to help customers identify, understand, and effectively deal with security issues before and after they occur. Advanced Data Solutions Verizon Terremark s Advanced Data Solutions group helps customers design and implement data storage, data protection and data availability systems. Storage and availability specialists have a focused expertise in data storage subsystems (SAN and NAS), data storage networks, backup and recovery, tape automation, clustering and replication, data center virtualization and disaster Cross-connect Services Cross-connectivity is provided to customers in a streamlined manner through the adoption of a centralized hub named a Meet Point Room, to which all inbound and outbound interconnections are routed to service the customers. Cross-connects can be delivered by means of copper (POTS), coaxial, unshielded twisted pair (UTP) and fiber. Exchange Services Peering Verizon Terremark's state-of-the-art Exchange Platform is at the core of Verizon Terremark s network and offers a total switching capacity of over 1.0 Tbps. In addition to providing flexible and reliable Ethernet-virtual local area network (VLAN) and Optical/Digital connections for the exchange of Internet traffic, Verizon Terremark s Exchange Platform is used for the provisioning of next generation network-based services. Verizon Terremark s Exchange Platform employs an industry-leading and state-of-the-art Ethernet technology. The Exchange Platform is the vehicle used to reach many businesses and consumers served by the companies connected to Verizon Terremark, enabling Internet Protocol (IP)-based products and services to easily reach virtually anywhere in the world. 1403-1222506 6
Verizon Terremark Managed Services Overview Verizon Terremark s Managed Services solution includes Managed Hosting and Enterprise Cloud Services (ecloud). Verizon Terremark offers customers controlled and managed data center space with multiple connectivity options to house computing, storage, telecommunications and application server equipment. Depending on customer requirements, open racks, cabinets, or customized caged floor spaces are available across a global footprint of hardened and secure facilities designed to withstand major environmental incidents. Verizon Terremark provides these services from the data centers located in the following geographies: North America Latin America Europe Culpeper, VA Sao Paulo, Brazil Amsterdam, The Netherlands Dallas, TX Englewood, CO Miami, FL Pleasanton, CA Richardson, TX Santa Clara, CA Verizon Terremark Managed Hosting The company's Managed Hosting provides comprehensive managed IT services for operating systems, databases, web engines and custom applications for business applications with service level agreements (SLAs) structured to meet the needs of the business application. Managed Hosting provides reliable service and support utilizing a multi-tenant virtualized computing platform or dedicated infrastructure as suited to specific customer requirements. Managed Hosting includes: Managed Firewalls: Verizon Terremark provides both utility and dedicated options for firewalls. Both solutions are based on industry-leading solutions from Cisco. Cisco ASA firewalls provide a flexible, and secure option for delivering managed services customers the level of service and security required for mission-critical applications. Managed Operating Systems: The Managed Infrastructure services also include the deployment, availability and patching support for industry-leading operating systems from Microsoft, Red Hat Linux, CentOS and Solaris. Verizon Terremark is able to offer high levels of security through standardization. Verizon Terremark has a skilled team of engineers responsible for updating, optimizing, and securing the Verizon Terremark standard operating system builds. Through automation and standardization, Verizon Terremark achieves consistent and repeatable deployment of servers ensuring that each customer server has the same standard version of the operating system and web server software. 1403-1222506 7
Managed Load Balancers: Verizon Terremark provides both utility and dedicated options for load balancers. Citrix NetScaler provides the foundation for both options. The NetScaler load balancer delivers an array of load balancing technologies, including health monitoring, session persistence, network integration, and content switching. NetScaler load balancing and content switching capabilities improve the efficient use of server resources by intelligently distributing application requests among multiple servers. NetScaler increases server efficiency and enhances application availability by directing each request to the correct server. In addition to improving application availability and performance, NetScaler secures applications and networks from a wide variety of threats and attacks, prevents the leakage of confidential data, and protects sensitive communications with SSL offloading capabilities. Managed Dedicated SAN: As an alternative to Shared SAN services Verizon Terremark offers customized Dedicated SAN Storage to customers interested in high-speed storage services. Customers may elect to utilize Dedicated SAN storage for several reasons. Through Custom Engineering Review (CER) process Dedicated SANS can be architected to meet the precise customer requirements in a Verizon Terremark supportable model. CER will provide a Bill of Materials for the customer purchase and additional services fees will be added to the Dedicated SAN model for Management and Space and power services. Managed Shared SAN: The Shared Storage Area Network (SAN) service provides fiber-attached, high-performance storage for Managed Services customers for use with dedicated physical servers. It provides high performance storage for Managed Services customers at a fraction of the cost of dedicated SAN storage. Better yet, the shared SAN service allows customers to scale as their requirements grow in size. Managed Shared NAS: Verizon Terremark's Shared NAS offering provides costeffective storage solutions that allow customers to expand their data resources with lower-tiered storage without upfront capital costs. Managed Shared Backup: Verizon Terremark s backup team manages the software, hardware, and network infrastructure for customer backup architecture. Verizon Terremark employs a systematic approach to ensure that most current data is backed up and can be quickly restored. Full backups capture the data on the system and data drives. Full backups are performed every seven days while incremental backups are performed daily. This captures changes to the data since the last backup, whether it was a full or incremental backup. Full system and content backups are stored on-site at Verizon Terremark facilities for 15 days, with incremental backup available off-site for an additional 15 days. Verizon Terremark high-performance backup architecture helps to ensure minimal performance drains on customers servers from the backup process. A secure, back-end network is used to transfer data from disk to tape. By performing backup through a back-end network, Verizon Terremark helps to ensure that end-user traffic is not impacted. 1403-1222506 8
Managed Dedicated Servers: Verizon Terremark's Managed Services offers the full suite of management services required for a traditional dedicated physical server in the format of "Managed Dedicated Servers". This comprehensive management suite includes material handling, onboarding, and registering the physical hardware in the CMDB. It also includes racking, stacking, and connecting the physical equipment to the Verizon Terremark network as well as patch and life cycle management required for the physical hardware such as firmware. Last but not least, when a customer acquires a valid support and maintenance plan, return to service of defective hardware is included as a service. Managed Utility Virtual Infrastructure: Verizon Terremark s Managed Virtualized Computing Platform eliminates the problem of underutilized, over engineered, and rapidly aging dedicated servers. Working together with strategic technology partners including VMware, Cisco, EMC, NetApp and HP, Verizon Terremark has designed a managed infrastructure that offers the required flexibility, availability and scalability. Advanced virtualization technologies allow the platform to deliver unseen processing, memory, and storage scalability. Effectively enabling companies to purchase capacity as required for seasonal or event-driven needs, optimizing system utilization and aligning infrastructure investments with business goals. Last but not least it eliminates traditional costly forklift upgrades associated with dedicated solutions. Managed Dedicated Virtual Infrastructure: Verizon Terremark recognizes that customers may be driven towards dedicated virtualized computing kit due to regulatory, compliance or company policy requirements. In order to address these use cases, Verizon Terremark offers its expertise and knowledge to manage dedicated virtual infrastructure islands for customers, while still leveraging best practices and lessons learned from the utility-based platforms. Managed Connectivity Options: Bandwidth services are provided using the Verizon Terremark Managed Routing Service (MRS). MRS is a blended bandwidth solution leveraging services from three Tier 1 carriers; with Verizon Terremark managing the BGP routing providing customers with redundant Internet connections with the ability to scale from 1 Mbps to over 10 Gbps. Bandwidth requirements above a committed rate of 50 Mbps will require dedicated load balancers. Incident Management for Custom Applications: Verizon Terremark takes pride in the level of management provided under Managed Services for web servers and databases. To address the basic needs of monitoring and problem resolution for a broad array of applications, Verizon Terremark provides Incident Management service for applications. Verizon Terremark will install these applications based on customer written instructions and monitor designated process/services for availability. Upon detection of a failure event, Verizon Terremark will take steps to restore the application to normal operating state. 1403-1222506 9
Managed Services for Database Servers: Managed Services for Database Servers includes procurement and acquisition of the licenses, base configuration and validation of the software, and incident and problem management for Microsoft SQL, Oracle and MySQL database servers. Managed Services for Database Servers includes security patch evaluation, deployment, and notification to help ensure that customer site is protected against security weaknesses. Backups of databases are included in the Managed Services offering and can be performed with minimal setup. The database is dumped as a flat file into a designated directory, where Verizon Terremark captures the data for backup purposes. This method allows customer databases to remain live while backup is completed each night. Other backup methodologies can be supported upon technical review. Verizon Terremark ecloud Services Verizon Terremark meets the diverse needs of enterprises with services and solutions in every part of the cloud services continuum from private cloud deployments and traditional IT managed services to public cloud services for enterprises of all sizes. ecloud service offerings can address a wide range of customer s IT infrastructure requirements from infrastructure as a service to managed hosting. For enterprises that want to outsource hardware platform management but maintain control and self-manage their own IT infrastructure, Enterprise Cloud is a flexible infrastructure-as-a-service solution offering compute, storage and networking combined with the expertise, security and availability that large organizations with mission-critical computing needs demand of their infrastructure. An easy-to-use web-based management interface provides command and control over a provisioning and management of VMs and the customer-specific networks in which they reside. From the portal, customers can build and configure their VMs, install Verizon Terremark or customer-provided OS and applications, configure storage, firewall and load balancer, comprehensive role-based access controls, and reporting. The clustered enterprise-class computing architecture features virtualization technology from VMware, the industry leader in enterprise virtualization, and housed in Verizon Terremark's secure, top-tier datacenters. The Enterprise Cloud allows for dynamic, location specific allocation of computing resources when and where they're needed. And, because it s based on Verizon Terremark's proven Enterprise Cloud Infrastructure utility computing platform, massive and diverse network connectivity and top-tier data centers, the Enterprise Cloud has the scale, performance and security to meet most enterprise needs. Offered as both reserved pools or as a pay as you go model, customers can acquire fixed price pools of resources in which they place VMs at whatever level of density they require including oversubscription or just build a VM at a time with hourly billing. The multi-layer approach to delivering security services enables customers to purchase appropriate services in order to achieve a desired state of protection at all levels within their Enterprise Cloud environment. 1403-1222506 10
Multi-layer security services can be delivered in the cloud to defend customer web sites, applications and data from malicious attacks by combining advanced tools, services and instrumentation, all managed by a team of trained, experienced and certified security professionals. Verizon Terremark Enterprise Cloud services are provided from the data centers located in the following geographies: North America Latin America Europe Culpeper, VA Sao Paulo, Brazil Amsterdam, The Netherlands Englewood, CO Miami, FL Richardson, TX Santa Clara, CA Components of the System Verizon s System includes infrastructure, software, people, procedures and data: Infrastructure the physical and hardware components of the System including facilities, equipment, and networks. Software the programs and operating software of the System including systems, applications, and utilities. People the personnel involved in the operation and use of the System including developers, operators, users, and managers. The Company s organizational structure provides the overall framework for planning, directing, and controlling operations. Personnel and business functions are separated into departments according to job responsibilities. The structure provides defined responsibilities and lines of authority for reporting and communication. The assignment of roles and responsibilities within the various departments provides effective segregation of duties. All team members are recruited and managed using Verizon s global policies and procedures. Procedures the automated and manual procedures involved in the operation of the System. The Company s employees adhere to Verizon s global policies that define how services should be delivered. The policies are located on Verizon s intranet and can be accessed by the Company s employees. 1403-1222506 11
Data the information used and supported by the System. Verizon does not manage or input data into the customer s systems and is not responsible for the accuracy or completeness of the customer s data. Customer s data necessary to provide the services within the boundaries of the System is managed in accordance with the relevant data protection and other regulations, with any specific requirements specified in the customer contracts. 1403-1222506 12