In order to reduce security risks to minimum, a
holistic approach to security is required. Our
security processes are born out of a clear
definition of the threats to our system.
Security threats are a result of the various
interaction points that an application provides to
the external world, and the various users that can
interact with these interfaces. For instance Your
Customers, Your Resellers, Your staff, Our Staff,
Anonymous Internet Users and Third Party Servers are
interacting with our Systems at any given point of
time. Each of these actors need to have different
access levels and different rights and permissions.
Security Goals
Privacy - Information within our
infrastructure and systems will only be accessible
by authorized users
Integrity - Data and information
within our infrastructure cannot be tampered with by
any unauthorized user
Data Protection - Data within
the systems cannot be harmed, deleted or destroyed
Identification and Authentication
- Ensures that any user of the system is who he
claims to be and eliminates chances of impersonation
Network Service Protection -
Ensures that networking equipment is protected from
malicious hacking attempts or attacks that threaten
uptime
Our Holistic Security Model
Our Security platform and process leverage on
multiple levels of security - consisting of Security
Systems and Equipment1 combined with
Security Procedures and Practices2 and
Auditing Processes3, to ensure
unparalleled security for all the services we
provide. The platform tackles security at 7
different levels
Our global datacenter partnerships are a result of a
comprehensive Due diligence process. Security and
stability are two of the most important variables in
our due diligence process. All datacenters are
equipped with surveillance cameras, biometric locks,
authorization-based access policies, limited
datacenter access, security personnel, and similar
standard security equipment, processes and
operations. What separates us however is the fact
that our due diligence process also incorporates a
measure of proactiveness demonstrated by the
datacenter towards security. This is measured by
evaluating past practices, customer case studies,
and the amount of time the datacenter dedicates
towards security research and study.
Our global infrastructure deployments incorporate
DDOS mitigators, Intrusion Detection systems, and
Firewalls both at the edge and the Rack level. Our
deployments have weathered frequent hacking and DDOS
attempts (sometimes as many as 3 in a single day)
without any degradation.
Protection against Distributed
Denial-of-Service (DDoS) Attacks
Denial of Service is currently the top source of
financial loss due to cybercrime. The goal of a
Denial-of-Service attack is to disrupt your business
activities by stopping the operation of your web
site, email or web applications. This is achieved by
attacking the servers or network that host these
services and overloading the key resources such as
bandwidth, CPU and memory. The typical motives
behind such attacks are extortion, bragging rights,
political statements, damaging competition etc.
Virtually any organization that connects to the
Internet is vulnerable to these attacks. The
business impact of large sustained DoS attacks is
colossal, as it would lead to lost profits, customer
dissatisfaction, productivity loss etc due to
inavailability or deterioration of service. A DoS
attack in most cases would even land you with the
largest bandwidth overage invoice that you have ever
seen.
Our Distributed Denial-of-Service protection
system provides unrivaled protection against DoS and
DDoS attacks on your internet-facing infrastructures
i.e. your websites, email and mission critical web
applications, by using sophisticated
state-of-the-art technology which automatically
triggers itself as soon as an attack is launched.
The DDoS mitigator's filtering system blocks almost
all fraudulent traffic and ensures that legitimate
traffic is allowed up to the largest extent
possible. These systems have seamlessly protected
several web sites from large service outages caused
by simultaneous attacks as large as 300+ Mbps in the
past, thus allowing organizations to focus on their
Business.
Firewall Protection
Our round-the-clock firewall protection system
secures the perimeter and delivers the very best
first line of defense. It uses highly adaptive and
advanced inspection technology to safeguard your
data, website, email and web applications by
blocking unauthorized network access. It ensures
controlled connectivity between the servers that
store your data and the Internet through the
enforcement of security policies devised by subject
matter experts.
Network Intrusion Detection system
Our network intrusion detection, prevention and
vulnerability management system provides rapid,
accurate and comprehensive protection against
targeted attacks, traffic anomalies, "unknown"
worms, spyware/adware, network viruses, rogue
applications and other zero-day exploits. It uses
ultramodern high-performance network processors that
carry out thousands of checks on each packet flow
simultaneously with no perceivable increase in
latency. As packets pass through our systems, they
are fully scrutinized to determine whether they are
legitimate or harmful. This method of instantaneous
protection is the most effective mechanism of
ensuring that harmful attacks do not reach their
targets.
Hardware Standardization We have
standardized on hardware vendors that have a track
record of high security standards and quality
support. Most of our infrastructure and datacenter
partners use equipment from Cisco, Juniper, HP, Dell
etc.
Host Based Intrusion Detection System
With the advent of tools that are able to bypass
port blocking perimeter defense systems such as
firewalls, it is now essential for enterprises to
deploy Host-based Intrusion Detection System (HIDS)
which focuses on monitoring and analyising the
internals of a computing system. Our Host-based
Intrusion Detection System assists in detecting and
pinpointing changes to the system and configuration
files - whether by accident, from malicious
tampering, or external intrusion - using heuristic
scanners, host log information, and by monitoring
system activity. Rapid discovery of changes
decreases risk of potential damage, and also reduces
troubleshooting and recovery times, thus decreasing
overall impact and improving security and system
availability.
Our applications run on myriad systems with myriad
server software. Operating Systems include various
flavors of Linux, BSD, Windows. Server Software
includes versions and flavors of Apache, IIS, Resin,
Tomcat, Postgres, MySQL, MSSQL, Qmail, Sendmail,
Proftpd etc etc. We ensure security despite the
diverse portfolio of software products we utilize by
following a process-oriented approach
Timely Application of Updates, Bug Fixes
and Security Patches
All servers are registered for automatic updates to
ensure that they always have the latest security
patch installed and that any new vulnerabilities are
rectified as soon as possible. The largest number of
intrusions result from exploitation of known
vulnerabilities, configuration errors, or virus
attacks where countermeasures ARE already available.
According to CERT, systems and networks are impacted
by these events as they have "not consistently"
deployed the patches that were released.
We fully understand the requirement for strong
patch and update management processes. As operating
systems and server software get more complex, each
newer release is littered with security holes.
Information and updates for new security threats are
released on an almost daily basis. We have built
consistent, repeatable processes and a reliable
auditing and reporting framework which ensures that
all our systems are always up-to-date.
Periodic Security Scans
Frequent checks are run using enterprise grade
security software to determine if any servers have
any known vulnerabilities. The servers are scanned
against the most comprehensive and up-to-date
databases of known vulnerabilities. This enables us
to proactively protect our servers from attacks and
ensure business continuity by identifying security
holes or vulnerabilities before an attack occurs.
Pre-Upgrade testing processes
Software upgrades are released frequently by various
software vendors. while each vendor follows their
own testing procedures prior to release of any
upgrade, they cannot test inter-operability issues
between various software. For instance a new release
of a database may be tested by the Database vendor.
However the impact of deploying this release on a
production system running various other FTP, Mail,
Web Server software cannot be directly determined.
Our system administration team documents the impact
analysis of various software upgrades and if any of
them are perceived to have a high-risk, they are
first beta-tested in our labs before live
deployment.
All of the application software that is used in the
platform is built by us. We do not outsource
development. Any 3rd party Products or Components go
through comprehensive training and testing
procedures where all elements of such products are
broken down and knowledge about their architecture
and implementation is transferred to our team. This
allows us to completely control all variables
involved in any particular Product. All applications
are engineered using our proprietary Product
Engineering Process which follows a proactive
approach towards security. Each application is
broken down into various components such as User
Interface, Core API, Backend Database etc. Each
layer of abstraction has its own security checks,
despite the security checks performed by a higher
abstraction layer. All sensitive data is stored in
an encrypted format. Our engineering and development
practices ensure the highest level of security with
regards to all application software
The weakest link in the security chain is always the
people you trust. Personnel, Development staff,
Vendors, essentially anyone that has privileged
access to your system. Our Holistic Security
Approach attempts to minimize security risk brought
on by the "Human Factor". Information is divulged
only on a "need-to-know" basis. Authorization
expires upon the expiry of the requirement.
Personnel are coached specifically in security
measures and the criticality of observing them.
Every employee that has administrator privileges
to any of our servers goes through a comprehensive
background check. Companies that skip out on this
are putting to risk all sensitive and important data
belonging to their customers, as no matter how much
money is invested into high-end security solutions,
one wrong hire - having the right amount of access -
can cause greater damage than any external attack.
In a vast deployment of globally distributed
servers, audit processes are required to ensure
process replication and discipline. Are all servers
being patched regularly? Are the backup scripts
running all the time? Are offsite backups being
rotated as desired? Are appropriate reference checks
being performed on all personnel? Is the security
equipment sending out timely alerts? These and many
such questions are regularly verified in an
out-of-band process that involves investigation,
surveys, ethical hacking attempts, interviews etc.
Our audit mechanisms alert us to a kink in our
security processes before it is discovered by
external users.
