Whitepaper
Security e-messenger
Contents

1. Introduction
2. Data centre security and connection
   a. Security
   b. Power
   c. Cooling
   d. Fire suppression
3. Server access security, maintenance and monitoring
   a. Server access security
   b. Server maintenance
   c. Server monitoring
4. Availability, redundancy and backups
   a. Availability and redundancy
   b. Data storage and backup
5. Application security and logging
   a. e-messenger Security System
   b. Logging
6. Security Audit
7. ecircle AG - Colocation Network infrastructure
1. Introduction

Sprinklr is committed to a very high degree of security in terms of data and availability, making sure that your data stays secure from unauthorized access and that e-messenger itself is available 24/7. This document is intended for customers or potential customers who want information about the security of the e-messenger ASP solution.

2. Data centre security and connection

e-messenger systems are hosted at the Level (3) data centre in Munich, one of the most secure and reliable locations available world-wide. The main characteristics of the data centre are:

a. Security: Multi-layer security control procedures, biometric palm readers and closed-circuit video monitoring
b. Power: Uninterruptible AC and DC power solutions
c. Cooling: HVAC redundant design with under-floor air distribution for maximum temperature control
d. Fire suppression: Smoke detection system above and below the raised floor; double-interlock, pre-action, dry-pipe fire suppression

This secure environment offers strictly restricted access to the e-messenger servers, for ecircle administrators only. The e-messenger clusters are connected to the Internet with a redundant 1 GBit connection using different peerings. ecircle AG has its own IP ranges which it can assign to providers, so the company is not bound to a specific provider.

3. Server access security, maintenance and monitoring

a. Server access security

e-messenger is protected by high-performance firewalls (Linux iptables), both between the outside world and e-messenger and, inside e-messenger, between application and database, protecting your data from unauthorized access. Administrative access to these systems is limited to the core administration team of ecircle; no other employee has a possibility to access the server administration facilities. Administrative access is only possible directly from the ecircle offices, not from the outside world. Non-secure access to these machines is of course disabled.
b. Server maintenance

All servers in the productive environment run on a current stable distribution of Linux. The ecircle administration team monitors upgrades and security patches for the distributions in use and installs critical patches immediately. Upgrades of machines are handled via automatic distribution from clean, non-production golden clients; configurations are identical across all machines used for a specific task (e.g. all e-messenger worker machines are configured identically). This way, maintenance and upgrades of the machines can be handled quickly and cleanly. Our change management processes guarantee that the risk introduced by changes is as low as possible. Of course a fall-back strategy is also part of our change management, so that in worst-case scenarios we can always go back to the last stable configuration.

c. Server monitoring

ecircle uses separately running tools to continuously monitor all services (mail and web interfaces, databases, message queues, etc.) and variables (load, hard disk space, memory consumption, etc.) on the cluster machines that are necessary for smooth running of the e-messenger application. These tools provide a one-glance overview of the current system state and also send automatic notifications to the administrators when a service is in danger of failing.

4. Availability, redundancy and backups

a. Availability and redundancy

e-messenger operates as a distributed cluster: several worker machines are clustered around a central (redundant) database and use the same (equally redundant) message queue. A new job, such as the send-out of a large newsletter, is split into several small parts (e.g. send-out of the first 1000 mails) and put on the message queue. One of the worker machines takes the job from the queue and sends out the mails. Once it is finished, it reports the completion of the job and asks for the next job from the queue.
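The job-splitting and worker/queue pattern described in section 4a, as an added illustration in Python (this is not ecircle's code, and e-messenger's real queue, job and worker interfaces are not described in this document). The queue is an in-process queue.Queue standing in for the central message queue, workers are threads, the 4,500 constructed recipient addresses and the 1000-per-part size are sample values, and deliver() is a stand-in for handing a part to the mail transport:

```python
"""Added illustration (not ecircle's code): splitting one send-out into small
jobs on a shared queue that any number of interchangeable workers consume."""
import queue
import threading
from dataclasses import dataclass

PART_SIZE = 1000   # one job = at most 1000 recipients, as in section 4a
STOP = None        # sentinel telling a worker to shut down

# Constructed sample send-out: 4,500 recipients, so 5 jobs (the last one has 500).
SAMPLE_RECIPIENTS = [f"user{i}@example.invalid" for i in range(4500)]


@dataclass
class Job:
    job_id: int
    recipients: list


def split_sendout(recipients, part_size=PART_SIZE):
    """Cut a newsletter send-out into jobs of at most part_size recipients."""
    return [Job(i, recipients[start:start + part_size])
            for i, start in enumerate(range(0, len(recipients), part_size))]


def deliver(job):
    """Stand-in for handing a part to the mail transport; returns mails sent."""
    return len(job.recipients)


def worker(name, job_queue, results, lock):
    """Take a job, process it, report completion, ask for the next one.
    A worker keeps no state between jobs, which is what makes it hot-swappable."""
    while True:
        job = job_queue.get()
        if job is STOP:
            return
        sent = deliver(job)
        with lock:
            results[job.job_id] = (name, sent)   # completion report


def run_sendout(recipients, initial_workers=2, extra_workers=1, part_size=PART_SIZE):
    """Run one send-out. Extra workers are started only after the first ones are
    already serving the queue; the queue itself never needs to know how many exist."""
    job_queue = queue.Queue()
    results, lock = {}, threading.Lock()
    for job in split_sendout(recipients, part_size):
        job_queue.put(job)

    threads = []
    for i in range(initial_workers):
        t = threading.Thread(target=worker, args=(f"worker-{i}", job_queue, results, lock))
        t.start()
        threads.append(t)
    for i in range(initial_workers, initial_workers + extra_workers):
        # added while the cluster is running, no reconfiguration of the queue needed
        t = threading.Thread(target=worker, args=(f"worker-{i}", job_queue, results, lock))
        t.start()
        threads.append(t)

    for _ in threads:          # one stop marker per worker, queued after all real jobs
        job_queue.put(STOP)
    for t in threads:
        t.join()
    return results             # job_id -> (worker name, mails sent)


if __name__ == "__main__":
    for job_id, (name, sent) in sorted(run_sendout(SAMPLE_RECIPIENTS).items()):
        print(f"job {job_id}: {sent} mails sent by {name}")
```

Because a job is only marked complete once the worker reports back, the report dictionary is the only place the central side learns which worker handled which part; nothing in run_sendout depends on the worker count, which is the property section 4a relies on for hot-swapping.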
The advantage of this architecture is that each worker machine is completely hot-swappable during operation; even new worker machines can be added to the cluster while it is running, as the central components do not need to know how many workers exist. All critical machines (web server, DNS server, message queue server, switches) are redundant. All servers support automatic fail-over, i.e. another machine takes over immediately when a failure occurs. Other network components have replacement units standing by which can be switched on or replaced manually. Potential faults in the system are tracked via FMEA (Failure Mode and Effects Analysis) style documentation, which prioritizes and organizes all possible defects that could appear in the system. Using this method allows ecircle to define and prepare contingency measures for problems before they actually occur.

b. Data storage and backup

All customer data is kept clean and centrally in the primary database. This database is hardware-redundant, using a SAN (Storage Area Network) with RAID-10 disk arrays and hot spares, and has a standby replacement machine which is continuously synced (with a slight delay) to the main machine using separate storage outside the SAN. This can be quickly activated in the case of a complete hardware failure of the primary machine. Furthermore the primary database is backed up completely each day, and continuous incremental change logs are kept to allow the restoration of any state between two consecutive full daily backups. The last 14 daily backups are kept on a separate highly redundant filer and a monthly backup is stored on tapes in a different location.

An additional standby database in a separate physical location allows complete disaster recovery and resumption of operations even in the case of a complete failure of the primary/standby database and the physical destruction of the data centre. The application data itself (code, libraries, pages, etc.) is stored centrally in a version control system (backed up daily) in a separate physical location and is always built and installed directly from this system.

5. Application security and logging

a. e-messenger Security System

e-messenger itself contains a sophisticated hierarchical permission- and role-based security system: every important action in the system can be allowed or forbidden for a specific role. The actual security checks are conducted inside the action layer, so that manipulation of accessible components (like parameters in web pages) has no impact. Every single data item retrieved from the database and displayed in the web interface requires a security check, preventing unauthorized users from seeing your information.

Every user of the application (and this includes all normal recipients of newsletters) can be assigned a system role. This role has a set of permissions that control access to all system-level data items (user profiles, system blacklist, content management items, etc.) and features. Roles can be assigned to users if the assigner has a hierarchically higher role than both the new role to assign and the current role of the user to whom the role should be assigned.

Every recipient of a newsletter has a role in the context of that specific newsletter as well. The permissions for this role can be set globally for all newsletters, but overridden for specific newsletters, and control access to all newsletter-specific data items and features (access to messages, statistics, recipient lists, downloads, etc.). This two-level concept allows users to have very extensive rights in one sort of newsletter (for instance their own) and very limited rights in others (where they might only be allowed to view a specific type of message statistics).

Login to the application uses a standard user name / password; the recommended login is over an SSL-encrypted connection. The application has mechanisms to prevent most forms of cross-site scripting and always checks identifiers for context, so that cross-referencing of identifiers to retrieve data is impossible.

b. Logging

All actions in the system, regardless of their origin (web interface, mails, automated interfaces, etc.), are logged with the executing user. HTTP requests to the system are logged with the IP address; for (critical) double-opt-in confirmations the complete request with all available information (IP, referrer, all parameters, etc.) is stored.
Double-opt-in confirmations via mail store the confirmation email with all relevant headers. Standard system log files from all machines are kept as well and are centrally archived.
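The security model of section 5a (system roles, per-newsletter roles with global defaults and per-newsletter overrides, the hierarchy rule for assigning roles, checks placed in the action layer, and identifiers bound to their newsletter context) together with the per-action audit log of section 5b, as an added illustration in Python. This is not e-messenger's code: the role names, permission names, newsletter ids, messages and users are all constructed for the example, and the real application's data model is not described in this document.

```python
"""Added illustration (not ecircle's code): a two-level role/permission model
with checks in the action layer, context-bound identifiers and an audit log."""
from dataclasses import dataclass, field

# Role ranks for the hierarchy rule (constructed names; higher = more powerful).
RANK = {"recipient": 0, "editor": 1, "admin": 2}

# Global newsletter-role permissions, overridable per newsletter (constructed).
GLOBAL_NL_PERMS = {
    "recipient": {"view_message"},
    "editor": {"view_message", "edit_message", "view_statistics"},
    "admin": {"view_message", "edit_message", "view_statistics", "export_recipients"},
}
NL_OVERRIDES = {2: {"editor": {"view_message", "edit_message"}}}  # no statistics in newsletter 2

# Constructed data store: every message belongs to exactly one newsletter.
MESSAGES = {
    10: {"newsletter": 1, "subject": "January issue"},
    20: {"newsletter": 2, "subject": "Internal draft"},
}

AUDIT_LOG = []  # every action, with the executing user and the request origin


class PermissionDenied(Exception):
    pass


@dataclass
class User:
    name: str
    system_role: str
    newsletter_roles: dict = field(default_factory=dict)  # newsletter_id -> role


def log(user, action, origin, result, **details):
    AUDIT_LOG.append({"user": user.name, "action": action, "origin": origin,
                      "result": result, **details})


def newsletter_perms(role, newsletter_id):
    """A per-newsletter override wins over the global permission set."""
    return NL_OVERRIDES.get(newsletter_id, {}).get(role, GLOBAL_NL_PERMS[role])


def check(user, action, newsletter_id):
    """Action-layer check: the role comes from server-side state, never from the request."""
    role = user.newsletter_roles.get(newsletter_id, "recipient")
    if action not in newsletter_perms(role, newsletter_id):
        raise PermissionDenied(f"{user.name} may not {action} in newsletter {newsletter_id}")


def get_message(user, newsletter_id, message_id, origin="web"):
    """Retrieve a message. The id must belong to the newsletter in context, so an id
    taken from another newsletter cannot be cross-referenced even by a permitted user."""
    check(user, "view_message", newsletter_id)
    msg = MESSAGES.get(message_id)
    if msg is None or msg["newsletter"] != newsletter_id:
        log(user, "view_message", origin, "denied", newsletter=newsletter_id, message=message_id)
        raise PermissionDenied(f"message {message_id} is not part of newsletter {newsletter_id}")
    log(user, "view_message", origin, "ok", newsletter=newsletter_id, message=message_id)
    return msg["subject"]


def view_statistics(user, newsletter_id, origin="web"):
    check(user, "view_statistics", newsletter_id)
    log(user, "view_statistics", origin, "ok", newsletter=newsletter_id)
    return {"newsletter": newsletter_id, "opens": 0}  # placeholder figures


def assign_system_role(assigner, target, new_role, origin="web"):
    """The assigner must outrank both the role being assigned and the target's current role."""
    own = RANK[assigner.system_role]
    if not (own > RANK[new_role] and own > RANK[target.system_role]):
        log(assigner, "assign_role", origin, "denied", target=target.name, role=new_role)
        raise PermissionDenied(f"{assigner.name} may not assign {new_role} to {target.name}")
    target.system_role = new_role
    log(assigner, "assign_role", origin, "ok", target=target.name, role=new_role)
    return target.system_role


def is_denied(fn, *args):
    """True if the security system refuses the call (helper for the demo)."""
    try:
        fn(*args)
    except PermissionDenied:
        return True
    return False


# Constructed users: alice is a system admin with wide rights in newsletter 1 only.
alice = User("alice", "admin", {1: "admin", 2: "recipient"})
bob = User("bob", "recipient")
carol = User("carol", "editor", {2: "editor"})

if __name__ == "__main__":
    print(get_message(alice, 1, 10))                            # January issue
    print(is_denied(get_message, alice, 1, 20))                 # True: id belongs to newsletter 2
    print(is_denied(view_statistics, alice, 2))                 # True: only a recipient there
    print(is_denied(view_statistics, carol, 2))                 # True: per-newsletter override
    print(assign_system_role(alice, bob, "editor"))             # editor
    print(is_denied(assign_system_role, alice, bob, "admin"))   # True: admin does not outrank admin
    for entry in AUDIT_LOG:
        print(entry)
```

Two points carry over from the text: because check() reads the role from the user object rather than from anything the caller passes, a tampered request parameter cannot widen a user's rights, and because get_message() compares the message's owning newsletter with the newsletter in context, a valid message id from elsewhere yields a denial (and an audit entry naming the user) rather than the data.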
6. Security Audit

In order to detect potential security hazards in advance and to make sure that the application stays secure, e-messenger security is audited every 12 months by an external auditor. This audit checks for illegal access and data corruption possibilities, vulnerabilities in e-messenger itself and the possibility of break-ins. A copy of the most current audit is available from ecircle AG (due to the technical details mentioned in the report, the signing of a Non-Disclosure Agreement is required). Please contact your sales or project manager.

7. ecircle AG - Colocation Network infrastructure