Global Platform Hosting Hosting Environment Security White Paper

Transcription

1 Global Platform Hosting Hosting Environment Security White Paper Contents January, Introduction 2 Physical Security 3 Environmental Controls 3 Network Security 4 System Security 5 Remote Management 5 Application Security 6 Data Encryption 6 Logging and Auditing 6 Backups and Archiving 6 Redundancy and Disaster Recovery 7 Organization and Support 7 Certifications 7 Summary Version 2.6

2 Global Platform Hosting Hosting Environment Security White Paper Introduction As a service provider utilizing the Software as a Service (SaaS) model, Xerox understands the importance of security and risk management. This white paper describes the security measures employed in the Xerox hosting environment. It covers physical and electronic security. Physical Security The hosted data center is located in an area with restricted access and environmental control features to protect the facility and its contents. The datacenter is owned and operated by a vendor specializing in datacenter management. Non-Xerox tenants reside in the datacenter. However, the Xerox hosting environment is contained in a secured cage that contains only Xerox-managed assets. Access to the datacenter requires authenticating against multiple security controls. All physical entryways are monitored for unauthorized access. Recording devices such as portable personal cameras and camera phones are strictly prohibited. Other physical security measures include: Length of employee tenure and necessity dictate access right provisioning. Data floor access is restricted to approved individuals and requires twofactor authentication against an electronic badge reader and a biometrics scanner. Badge readers are located at the exterior doors and the data floor access points, and separate Access Control Lists (ACLs) are maintained for each access level. Biometric scanners are located at all data floor access points. All access is monitored, recorded, and stored digitally by hidden cameras. Although customer records contain photo identification, a security guard is present and reserves the right to request valid photo identification from visitors. The security guard monitors the surveillance video and makes random walking rounds throughout the facility. Badge card and biometric access transactions are retained for the life of a customer s contact with the datacenter vendor. Surveillance video is retained for 90 days. All access logs and individual rights are reviewed on a regular basis. All hosting assets are contained within secured racks. The racks are located in a secured cage within the data floor. Access to the cage and racks is restricted, and keys are tightly controlled. Portions of the cage are covered with Plexiglas, to prevent tampering from outside of the cage. The cage and racks do not display the names of their tenants. Access to removable media and drive bays is restricted. Retired media is properly sanitized prior to disposal. The sanitization process follows practices established by Xerox Corporation and the Department of Defense. An option exists for incinerating retired media when warranted. All external windows employ bulletproof glass. Critical areas, such as external air intakes and shipping docks employ measures to prevent unauthorized access. The entire facility is surrounded by a barbed-wire fence with a gated entry that can be secured in emergency situations. From October 2007-January 2009, the datacenter and Hosting Team Operations will have been audited five times: Xerox Physical Security Audit (datacenter) Xerox Information Security Audit (datacenter and Hosting Team Operations) ISO 27001:2005 Internal Audit (datacenter and Hosting Team Operations) ISO 27001:2005 Certification Renewal Audit (datacenter and Hosting Team Operations) Third-party network penetration test (network and server security) From October 2007-October 2008, six auditors will have conducted audits against the datacenter: Xerox Physical Security Auditor Two Xerox Information Security Auditors Xerox ISO 27001:2005 Auditor Third-party ISO 27001:2005 Auditor from the British Standards Institute Third-party network security auditor 2

3 The facility s exterior is designed visually to look like a non-descript warehouse, rather than a datacenter. The facility is not located near any high-risk facilities or high crime areas. The datacenter was audited by Xerox Corporate Security prior to contract signing. The auditor verified that the physical security measures were in compliance with Xerox requirements. Environmental Controls The datacenter employs numerous environmental controls: Environmental variables are controlled and monitored proactively. State-of-the-art fire suppression technologies. Redundant power generation capabilities that can utilize a variety of fuel sources. The generators can run indefinitely and are routinely tested. All Uninterruptible Power Supply (UPS) and Heating/Ventilation/Air Conditioning (HVAC) systems are N+1 redundant, ensuring that a duplicate system can immediately come online in the event of a system failure. Air quality is monitored to detect potential issues such as a fire or damage to the facility. Server power supplies and servers supporting load-balanced applications are distributed across multiple electrical circuits. Circuit load is proactively monitored to assure proper power distribution. Network Security The following network security controls are employed: The network infrastructure is segmented and secured by routers, firewalls, an intrusion detection system (IDS), application layer content switches and network switches. The routing environment has ACLs configured to restrict unauthorized access and Quality-of-Service (QoS) configured to prevent Denial-of-Service (DoS) events. The IDS is configured to detect potential security events and send proactive notifications. The Intrusion Detection System is routinely tested using both announced and unannounced audits. The firewalls are configured to permit only required incoming and outgoing services at each tier. Servers are only provided with outgoing Internet access if required for an application or service they host. For servers requiring Internet access, that access is restricted to specific destinations when possible. Firewall rules and configuration are reviewed on an annual basis by Xerox Corporate information security professionals. Application layer switches provide hardware-based load-balancing and Secure HyperText Transfer Protocol (HTTPS) termination, as well as additional protection against DoS events. Layer 2 switches employ Virtual Local Area Networks (VLANs) to further segment network traffic. Third party, accredited auditors provide additional verification of security controls. These audits may include process and documentation reviews and penetration tests. Changes to device configurations follow a strict change management process requiring documentation and approval of the requested change. Network and server tests are a part of our regular processes: In Q4 2008, we had a network penetration test conducted against our environment by a third-party We regularly conduct internal network and server security audits as part of our normal operating procedures 3

4 A process exists for assuring the security of the hosting environment DNS against cache poisoning and other DNS-specific threats. Servers do not have routable IP addresses on any interface. Internet-facing interfaces are provided with access through Network Address Translation (NAT) of non-routable private addresses. System Security A specific process exists for testing and securing servers before they are deployed into the production environment. This process is derived from industry best-practices and recommendations by Xerox Corporation Information Risk Management (IRM), the Center for Internet Security (CIS), CERT, and the SysAdmin, Audit, Network, Security (SANS) Institute. The process employs template-based server deployments, Group Policies and regular auditing of systems using industry recognized security tools to discover improper configurations and known vulnerabilities. Malware prevention tools secure all servers against viruses, spyware and rootkits. Updated virus definitions are applied daily after successful staging. Malware protection is managed using an enterprise management tool, and all updates and notifications are automated. Members of the hosting team receive weekly reports detailing the current malware protection status of all servers in the hosting environment. A patch management procedure exists for testing and verifying Operating System (OS) patches before deployment in the production environment. An enterprise patch management tool provides controlled patch deployment and notification of missing patches. Patches are downloaded automatically based on server role and installed software. The patches are applied during a maintenance window within 30 days of patch availability and successful staging. Current patch status for all servers is reported to Xerox IRM on a monthly basis. Additionally, members of the hosted team receive monthly reports detailing the status of all patches released in the past 90 days. Web servers employ host-based firewalls as an additional layer of security. Servers are proactively monitored for intrusion detection (electronic and physical), power availability and quality, component performance and availability, and environmental variables such as temperature. For servers requiring Internet Information Services (IIS), a process exists for assuring secure IIS instances. This process includes testing of IIS and the methods employed for the server s secure communications to verify their proper operation. Only safe IIS methods are employed. IIS in configured to protect against Uniform Resource Locator (URL) injections and other known attacks. For servers requiring SQL Server, a process exists for assuring secure SQL Server instances. The database servers are located on a separate nonroutable private network. SQL Server and application users are created using the least-privileges model. Unique users are created for each application s database access. SQL connection strings are encrypted in storage. Special registry keys are maintained that can be employed in an emergency situation to harden the servers against DoS attacks that manage to circumvent the network layer controls. These registry keys harden the Transmission Control Protocol (TCP) stack against TCP SYN Floods and other recognized attacks, as well as hardening the Server service against attacks that disable file sharing. All servers are scanned on all network interfaces on a regular basis by two industry-recognized security tools. One tool verifies controls against known attacks and Windows vulnerabilities, and the other verifies compliance with pre-defined policies. The hosting team receives scan reports that include instructions for closing any gaps discovered during a scan. 4

5 Access to application file stores is restricted to members of the hosting team, application service accounts, anti-virus service accounts and tape backup service accounts. Each customer has its own separate folder in each application s file store. Customer folders are named with Globally Unique Identifiers (GUIDs) and not the customer s name. Web Services are restricted to the required interfaces. Inter-application Web Services not required to listen on the Internet are restricted to a private internal network. Remote Management Servers in the hosting datacenter are remotely managed via an encrypted channel from management stations located on a secure network. When responding to an after-hours alert, team members use an encrypted Virtual Private Network (VPN) connection to authenticate to the secured network before connecting to the hosting datacenter. The VPN connection utilizes twofactor authentication, with one of the factors being authentication to an Active Directory domain. Application Security A specific process exists for testing and securing the applications that reside in the hosting environment. This process is derived from industry best-practices and recommendations by Xerox IRM, CIS, CERT and SANS Institute. The process employs a strategy based upon regular auditing of systems using industry recognized security tools to discover improper configurations and known vulnerabilities. The applications are multi-tenant, which means that multiple customers are managed from the same database. The applications are designed with granular security roles so that users, or groups of users, have only those privileges and data access rights needed to perform their approved job functions. A process exists for verifying proper role implementation. For more information, see the Multi-Tenant Architecture Security White Paper. Applications are scanned using an industry-recognize application security tool throughout the software development lifecycle. Security gaps are closed prior to deployment of new applications or patches to existing applications. The security scans verify protections against known attacks, including SQL Injection, Blind SQL Injection, Cross Site Scripting, POSTDATA Injection and Buffer Overflows. The scanning tool is updated on a regular basis to assure protection against emerging threats. Scanning includes both applications and Web Services. Users must authenticate to hosted applications using a unique user ID and password. Applications support the enforcement of a password policy consisting of length, complexity, and session timeout requirements. Account lockouts result in an event log entry, an application log entry and notification to the hosting team. Application operations are verified to assure that passwords are stored, supplied and submitted in an encrypted format and that users cannot access unauthorized application areas. Application inputs are validated at the client and server to prevent malformed or incorrect data from being entered, stored and displayed. Application outputs are validated to assure that outputs cannot cause malicious code execution on the client. Our patch management process includes: Microsoft Patches Antivirus patches and definitions Patches for all third-party applications We monitor for new vulnerabilities through multiple sources, including automated tools and subscribing to common mailing lists We stage all patches prior to deployment, including virus definitions 5

6 Data Encryption All communications with the applications must occur over an encrypted channel. Encryption protocols include Transport Layer Security (TLS) 1.0 and Secure Sockets Layer (SSL) v3 for application connections. All applications employ RC4 (128-bit) session encryption, RSA (1024-bit) key exchange encryption and sha1rsa message digests. Exact encryption implementation depends on the client. We verified that all client connections were utilizing strong encryption (128-bit), and disabled all options using weak ciphers or key strengths. All requests for data on an unencrypted channel will be automatically redirected to an encrypted channel. Other sensitive data, such as user passwords, connection strings, configuration files and backups are encrypted. Logging and Auditing The hosting operations employ the following auditing controls: Physical access to the datacenter is logged and the access logs are audited on a regular basis for discrepancies. All servers and server components are configured to create entries in the Windows Event Logs and their respective application logs. All logs and server operations are monitored with a server management software package and logs are audited on a regular basis. Logs are centrally managed and proactive alerts sent as required. All applications are configured to create entries in the Windows Event Logs and their respective application logs. These logs are reviewed on a regular basis. Logs are centrally managed and proactive alerts sent as required. We have a secure purchasing process that reviews products against the following certifications: ISO 27001:2005 ISCA Labs FIPS Common Criteria ISO 9001:2000/2008 DISA-JITC PinkVerify Backups and Archiving A backup solution exists to securely backup application data locally and to an offsite location. Recent backups are stored locally on a Storage Area Network (SAN) to expedite small restore requests. Backups are also written to tape for long-term vaulting and disaster recovery. Tape transport and vaulting is managed by one of the leading data management vendors. Tape transport is conducted by bonded carriers, and thorough chain-of-custody documentation is provided. All data retains its security ACLs during the backup and recovery process. Offsite backups are encrypted using industry-recommended ciphers and key strengths. Redundancy and Disaster Recovery Redundancy is employed at every opportunity to exceed contracted uptimes: Redundancy includes redundant hardware components, servers, network infrastructure and processing facilities. Multiple (more than 2) Internet Service Providers (ISPs) are used for the production and warm standby facilities. The warm standby facility is geographically separate from the production site. Processes exist for securely replicating the data from the production site to the warm standby site and for failing between the sites. The transfer protocol is Secure File Transfer Protocol (SFTP), and the methods of encryption have been reviewed and approved by Xerox information security specialists. The SFTP connection employs ssh-rsa (1024 bit) key exchanges, aes256-cbc (256-bit) for session encryption and hmac-sha1 message signing. The hosting team employs managed DNS systems to provide consistent URLs between the sites. The replication and failover processes are documented, and the hosting team is trained on them. The process for replicating data and failing between the sites has been 6

7 reviewed and approved by Xerox Corporate disaster recovery and information security specialists. The business resumption process is tested on an annual basis, or sooner if dictated by environmental or infrastructural changes to either facility. During the 2007 calendar year, the business resumption process was tested on a quarterly basis. Organization and Support All datacenter and hosting team personnel must pass a background check and drug test. The datacenter and hosting team staff are on call 24/7/365 and receive proactive alerts. Certifications The Hosted Operations have been ISO 27001:2005 certified since February, The ISO 27001:2005 certification must be renewed on an annual basis. The ongoing certification process requires both internal and external audits. For more information, see the ISO Certification Process White Paper. Awareness is given to other certifications, and compliance is maintained where necessary. Current regulations are Safe Harbor for streamlined compliance with European Union Directive on Data Protection [Directive 95/46/EC] and the Federal Information Security Management Act of 2002 ( FISMA, 44 U.S.C. 3451, et. seq.). Additionally, the all hosted applications are certified against internal Xerox processes for risk assessment and treatment. Summary This white paper details the security controls employed in the Xerox hosting environment. It covers both physical and electronic controls. Additionally, it covers related elements, including data backup and disaster recovery. To learn more, visit us at Xerox Corporation. All rights reserved. Contents of this publication may not be reproduced in any form without permission of Xerox Corporation. XEROX and the sphere of connectivity design are trademarks of Xerox Corporation in the U.S. and/or other countries. The information in this white paper is subject to change without notice. 02/10 MPSWP-04UA 7