SoftLayer Security and Compliance:

Similar documents
SECURITY ON AWS 8/3/17. AWS Security Standards MORE. By Max Ellsberry

Protecting Your Cloud

Secure Esri Solutions in the AWS Cloud. CJ Moses, AWS Deputy CISO

AWS Webinar. Navigating GDPR Compliance on AWS. Christian Hesse Amazon Web Services

Introduction to AWS GoldBase

AUTOTASK ENDPOINT BACKUP (AEB) SECURITY ARCHITECTURE GUIDE

Control-M and Payment Card Industry Data Security Standard (PCI DSS)

HALO IN ACTION COMPLIANCE DON T LET LEGACY SECURITY TOOLS HOLD UP PCI COMPLIANCE IN THE CLOUD. Automated PCI compliance anytime, anywhere.

PCI DSS Compliance. White Paper Parallels Remote Application Server

INTO THE CLOUD WHAT YOU NEED TO KNOW ABOUT ADOPTION AND ENSURING COMPLIANCE

Watson Developer Cloud Security Overview

Total Security Management PCI DSS Compliance Guide

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Compliance with CloudCheckr

AWS continually manages risk and undergoes recurring assessments to ensure compliance with industry standards.

Solution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites

Layer Security White Paper

Vendor Security Questionnaire

Virtustream Cloud and Managed Services Solutions for US State & Local Governments and Education

Cloud Customer Architecture for Securing Workloads on Cloud Services

Accelerating the HCLS Industry Through Cloud Computing

Security & Compliance in the AWS Cloud. Vijay Rangarajan Senior Cloud Architect, ASEAN Amazon Web

Crises Control Cloud Security Principles. Transputec provides ICT Services and Solutions to leading organisations around the globe.

Cloud Computing. Faculty of Information Systems. Duc.NHM. nhmduc.wordpress.com

AWS SECURITY AND COMPLIANCE QUICK REFERENCE GUIDE

SECURITY PRACTICES OVERVIEW

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

AWS SECURITY AND COMPLIANCE QUICK REFERENCE GUIDE

INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.1 SUCCESS AKAMAI SOLUTIONS BRIEF INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.

Introduction. Deployment Models. IBM Watson on the IBM Cloud Security Overview

Riverbed Xirrus Cloud Processes and Data Privacy June 19, 2018

Altius IT Policy Collection Compliance and Standards Matrix

Security & Compliance in the AWS Cloud. Amazon Web Services

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

TRACKVIA SECURITY OVERVIEW

Dimension Data IaaS Services. Gary Ramsay

Domain Registrations. Shared Hosting. Office 365 and Hosted Exchange #DOMAINS #HOSTING #

Altius IT Policy Collection Compliance and Standards Matrix

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

WHITE PAPER- Managed Services Security Practices

Locking Down the Cloud Security is Not a Myth

Paperspace. Security Primer & Architecture Overview. Business Whitepaper. 20 Jay St. Suite 312 Brooklyn, NY 11201

Compliance of Panda Products with General Data Protection Regulation (GDPR) Panda Security

10 Considerations for a Cloud Procurement. March 2017

ENDNOTE SECURITY OVERVIEW INCLUDING ENDNOTE DESKTOP AND ONLINE

QuickBooks Online Security White Paper July 2017

EC-Council Certified Network Defender (CND) Duration: 5 Days Method: Instructor-Led

HikCentral V.1.1.x for Windows Hardening Guide

Automate sharing. Empower users. Retain control. Utilizes our purposebuilt cloud, not public shared clouds

Education Network Security

Enhanced Threat Detection, Investigation, and Response

NS2 Cloud Overview The Cloud Built for Federal Security and Export Controlled Environments. Hunter Downey, Cloud Solution Director

Enhanced Privacy ID (EPID), 156

Daxko s PCI DSS Responsibilities

HikCentral V1.3 for Windows Hardening Guide

RMS(one) Solutions PROGRESSIVE SECURITY FOR MISSION CRITICAL SOLUTIONS

ICBA Migration to IaaS Cloud Platform REQUEST FOR PROPOSAL

Hackproof Your Cloud: Preventing 2017 Threats for a New Security Paradigm

UCOP ITS Systemwide CISO Office Systemwide IT Policy. UC Event Logging Standard. Revision History. Date: By: Contact Information: Description:

Google Cloud Platform: Customer Responsibility Matrix. December 2018

Simple and Powerful Security for PCI DSS

epldt Web Builder Security March 2017

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Verasys Enterprise Security and IT Guide

The Common Controls Framework BY ADOBE

Twilio cloud communications SECURITY

Online Services Security v2.1

PCI DSS and VNC Connect

Security

Cisco Meraki Privacy and Security Practices. List of Technical and Organizational Measures

Exam C Foundations of IBM Cloud Reference Architecture V5

The Top 6 WAF Essentials to Achieve Application Security Efficacy

FormFire Application and IT Security

Flex Tenancy :48:27 UTC Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement

Integrigy Consulting Overview

in PCI Regulated Environments

CRYPTTECH. Cost-effective log management for security and forensic analysis, ensuring compliance with mandates and storage regulations

Awareness Technologies Systems Security. PHONE: (888)

Verizon Software Defined Perimeter (SDP).

SOC-2 Requirement Solution Brief. EventTracker 8815 Centre Park Drive, Columbia MD SOC-2

Introduction to AWS GoldBase. A Solution to Automate Security, Compliance, and Governance in AWS

Features. HDX WAN optimization. QoS

University of Sunderland Business Assurance PCI Security Policy

Auditing the Cloud. Paul Engle CISA, CIA

M2M / IoT Security. Eurotech`s Everyware IoT Security Elements Overview. Robert Andres

Tenable for Palo Alto Networks

AZURE CLOUD SECURITY GUIDE: 6 BEST PRACTICES. To Secure Azure and Hybrid Cloud Environments

Google Cloud Platform: Customer Responsibility Matrix. April 2017

PCI DSS and the VNC SDK

What can the OnBase Cloud do for you? lbmctech.com

IBM Case Manager on Cloud

Microsoft Azure Security, Privacy, & Compliance

WHITEPAPER. Security overview. podio.com

Hybrid IT with VMware on IBM Cloud and SoftLayer

Oracle Data Cloud ( ODC ) Inbound Security Policies

OUR CUSTOMER TERMS CLOUD SERVICES - INFRASTRUCTURE

CoreMax Consulting s Cyber Security Roadmap

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

WITH ACTIVEWATCH EXPERT BACKED, DETECTION AND THREAT RESPONSE BENEFITS HOW THREAT MANAGER WORKS SOLUTION OVERVIEW:

Virtualization Security & Audit. John Tannahill, CA, CISM, CGEIT, CRISC

Transcription:

SoftLayer Security and Compliance: How security and compliance are implemented and managed Introduction Cloud computing generally gets a bad rap when security is discussed. However, most major cloud providers operate on a security level that many companies can only dream of implementing and maintaining. This white paper explains how security is woven into the essence of SoftLayer. pg. 1

Data Center Security by Design Cloud security starts at the data center level. SoftLayer prioritizes the physical security of all data center facilities by incorporating strict security requirements in its standardized approach to building facilities around the world. In addition to the baseline security requirements in every data center, the data center model standardizes network infrastructure, the physical infrastructure, and the power and cooling systems that make up each and every data center. NETWORK INFRASTRUCTURE PHYSICAL INFRASTRUCTURE This consistent data center design enables SoftLayer to operate using defined roles and responsibilities. It also provides a secure foundation for all customer workloads and data. Inside the data center, SoftLayer securely automates daily operations and tasks with an information management system (IMS) that links all of its data centers and infrastructure together. IMS automates the provisioning of: POWER AND COOLING SYSTEMS All servers, storage and devices The ongoing collection of server statistics and overall monitoring Customer support for reboots, operating system reloads and updates The de-provisioning of resources when they are no longer required By automating manual tasks, SoftLayer greatly reduces the possibility of human error. Automation also provides a consistent level of security by ensuring tasks and procedures are performed exactly the same way, every time. Hands-on device management is only done when physical access is required and it s in response to a customer-raised support ticket. Each data center is staffed locally with network and operations personnel to monitor and provide support for the cloud resources hosted in the facility. IMS monitors and logs detailed account activity on the customer s behalf for compliance purposes. At all times, customers have complete visibility into what s happening on their infrastructure. This includes: User access (authenticated and failed attempts) Compute resources that users deploy or cancel Intrusion protection and detection services that observe traffic to customer hosts Automated controls that mitigate Distributed Denial of Service (DDoS) threats are also in place should a public-facing customer interface be subjected to an attack. Network Security by Design SoftLayer s global network consists of multiple 10 Gbps fiber connections. These connections link all data centers together through more than 2,000 Gbps of private connectivity between the existing data centers and the external network points of presence. Inside each data center, network traffic is separated into one of two physically separate networks: on the public/internet-facing network or across the private internal network. It s important to realize that there is no direct path from the public network to the internal private network. The complete separation of the public and private networks allows for complete segregation of Internet and private traffic. pg. 2

Internet connectivity to any device can be removed, resulting in a completely private environment that s not accessible from the outside world. Each bare metal server, bare metal appliance and virtual server can be accessed through a secured management network. The management network provides secure out-of-band management access to all customers servers. The management network is only accessible through a VPN connection (SSL or PPTP). In addition, each user account must be granted individual access to the management network. Customers have access to a dedicated SoftLayer portal that is securely accessible from the Internet. All actions carried out by customers through the portal are logged and reviewed by the internal support teams at SoftLayer. Portal access requires strong authentication credentials. Access can be further locked down through the use of optional two-factor authentication and through IP address-based restrictions. Secure Workload Choices Workloads at SoftLayer are executed on bare metal servers, virtual servers, or both. If the customer chooses bare metal, SoftLayer will provision the bare metal server as ordered. From that point, managing, configuring and operating the bare metal server are the customer s responsibilities. Virtual servers running on the Xen hypervisor can be provisioned on multi-tenant (public) or single-tenant (private) hardware nodes. With the multi-tenant model, the hypervisor grants each tenant exclusive access to its data, which always remains secure and only accessible by each customer. Virtual servers on private nodes are available for customers that need on-demand flexibility, with space to add additional virtual servers on the same hardware node. Controlled Network Access Each server, regardless of its type, is hosted on a public and private VLAN provided for each customer. Public VLANs provide public access to the server. Private VLANs offer access to internally shared services as well as other SoftLayer data centers across the private network. VLANs have Layer 2 status, and they are provisioned at the physical switch level. These options exist because different workloads require different solutions. Each customer has the choice of hosting workloads on the public and private network or on the private network alone. User Controls SoftLayer customers are provided with a master user account. This account requires a complex, 12-character password. Password ************ The master user account is the only user account SoftLayer will create for each customer; it is highly privileged and should be closely monitored and protected. Each customer is responsible for all additional user accounts created. Furthermore, every user name is unique across all accounts, and the reuse of a user name once it has been assigned is not allowed. Security controls on each user account must be individually enabled. VPN access or API calls features that must be manually enabled per user account are disabled by default. pg. 3

User account privileges can be enabled for each account, allowing customers complete control of their user roles and responsibilities. Permissions are grouped into support, devices, network, security and services. SUPPORT DEVICES NETWORK SECURITY Access to the SoftLayer portal does not imply that a portal user also has authentication access to customer servers. Authentication and access to provisioned servers is completely independent of SoftLayer portal access. Transparency SERVICES Using IMS, a complete inventory of all deployed servers provisioned on a customer account can be obtained to help manage a customer s existing cloud infrastructure. Each server listing can include: The IP address for public and private connections The configured customer VLANs The switch location indicating the rack and row location of the server Using the SoftLayer API, customers can drill down into the hardware components, exposing many pieces of the physical servers such as linecard and subcomponent serial numbers. Furthermore, users can run vulnerability scans on all customer devices on the SoftLayer network, creating a report of the analysis, security issues, and proposed fixes for each scanned device. Customers can also use the Security tab in the portal to display all active users with device access, and get results of the last five vulnerability scans and KVM console access logs. Advanced Security Options SoftLayer has choices for firewalls that can protect a single server, all servers on a VLAN, or provide advanced perimeter protection. For simple protocol and port control, firewall devices can be provisioned and quickly set up from the customer portal. For more complex security workloads, customers can opt for dedicated or high-availability hardware firewalls, or they can configure Fortigate Security Appliances, which provide next-generation firewall (NGFW) capabilities along with antivirus protection and web filtering. Additionally, Vyatta Network OS Gateway appliances are available to enable advanced routing and firewall services, IPsec tunnels and routing, and shaping traffic flow between customer VLANs. SoftLayer also offers a broad range of security software to help customers protect data. With intrusion protection and virus scanning software from McAfee and Nessus, customers can enhance their own software security. And for even more flexibility and control, customers can deploy Citrix NetScaler. This web application delivery appliance offers optional application protection, L4 and L7 load balancing, L7 traffic management, and TCP and SSL offload. For securing storage resources, customers have the option of deploying single-tenant dedicated bare metal storage devices that establish private storage only accessible to each customer. Customers can also choose to encrypt their hard drives from the operating system level to further protect workloads and data records. pg. 4

SoftLayer Compliance Standards SoftLayer s security management is aligned with U.S. government standards based on the NIST 800-53 Rev 4 framework, a catalog of security and privacy controls defined for U.S. federal government information systems. SoftLayer maintains SOC 2 Type II reporting compliance for every data center. SOC 2 reports are audits against controls covering security, availability and process integrity. SoftLayer s data centers are also monitored around the clock for both network and on-site security. SoftLayer customers may request a copy of their SOC 2 audit through the portal. Many companies have workloads that require a level of compliance for meeting industry specific rules and regulations. SoftLayer engages in multiple internal and external third-party risk assessments, audits, and control reviews to ensure the environment hosting your workloads is always managed to the prescribed security standards. SoftLayer s controls enable customers to meet the following compliance standards: SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70 Type II) SOC 2 SOC 3 HIPAA ISO 27001 ISO 27018 PCI DSS v3.0 FedRAMP (in select data centers) FISMA (in select data centers) SoftLayer is also a member of the Cloud Security Alliance registry and has completed the CSA self-assessment questionnaire, which is publicly available through the CSA registry. HIPAA Compliance SoftLayer has customers running Health Insurance Portability and Accountability Act (HIPAA) workloads on both bare metal and private virtual servers. A business associate agreement (BAA) signed by SoftLayer and the customer defines the security model that will be applied to provide the necessary data protection. SoftLayer is responsible for the Infrastructure-asa-Service (IaaS) platform according to security best practices mandated by the HIPAA controls. The customer is responsible for managing its workloads (with the exception of the physical infrastructure provided by SoftLayer) to comply with HIPAA rules. SoftLayer s platform provides a number of offerings to help achieve HIPAA compliance, including: Strict logical access control Physical security for data centers, including two-factor access authentication and CCTV monitoring Servers labeled with barcodes to obscure customer identity PCI-DSS Compliance The Payment Card Industry Data Security Standard (PCI-DSS) standard is applied to companies that accepts, transmits or stores any credit card data. SoftLayer supports PCI workloads by providing the physical security required by this standard. The Attestation on Completion along with SOC 2 Type II report and ISO-27001 certification demonstrates that SoftLayer infrastructure meets existing PCI controls. pg. 5

The Attestation on Compliance from an independently qualified service assessor is available upon request from SoftLayer. To help assist with PCI-DSS compliance, SoftLayer provides the Citrix NetScaler appliance for customers that require a dedicated hardware appliance. Citrix NetScaler can scale to handle thousands of concurrent SSL transactions. The Citrix NetScaler application firewall blocks, logs and reports against many of the common vulnerabilities that are outlined for PCI-DSS section 6.5 (which details XML security protection, form tagging, dynamic context sensitive protections and deep stream inspections). The Citrix NetScaler appliance can also assist in masking payment account numbers to prevent any leakage of cardholder as it relates to PCI-DSS section 3.3. For further details, visit www.softlayer.com/compliance. Government Workloads If you require government workloads to be hosted in the cloud, SoftLayer data centers are built to meet the privacy and security controls required in the FedRAMP and FISMA standards. As of 2015, two SoftLayer data centers, one in Dallas (DAL08) and one in Washington, D.C. (WDC03), are reserved for FedRAMP and FISMA compliance. These facilities are designed and built to meet the privacy and security controls required in the FedRAMP and FISMA standards, and they are reserved exclusively for those workloads. Conclusion SoftLayer provides a secure cloud environment for all of its customers, providing ongoing and verifiable physical and logical security. All physical data centers, the private and public networks, and all hosted devices and workloads are maintained and highly secured at all times. SoftLayer security controls and procedures are audited and reported through SOC 2 and ISO-27001 security audits. Each SoftLayer customer should have confidence in securely building and running workloads of any size in the SoftLayer cloud. Want to learn more? View the webinar Cloud Security - What IBM Cloud brings to the enterprise with Softlayer pg. 6

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback