150 Security considerations

Updated . Posted . Visible to the public.

Physical security

  • We're hosting in the datacenter "Munich East" of our datacenter provider noris.
  • The datacenter holds multiple certifications: https://www.noris.de/wp-content/uploads/Rechenzentrum-Muenchen-MUC5-datacenter-Leistungsmerkmale.pdf Show archive.org snapshot (PDF in german)
    • ISO/IEC 27001: Information security management system
    • ISO 27001: Certification of basic IT protection
    • ISO/IEC 20000-1: Service management system
    • ISO 9001: Quality management system
    • EN 50600: Construction and operation of secure data centers
    • VdS 3406: Object-specific safety management system
    • PCI DSS: Payment Card Industry Data Security Standard
    • ISAE 3402 Type II: Internal control system based on COBIT 5
    • TISAX
  • The data center's protection system includes fire safety, redundant network connections, redundant power supply, security on-site and rapid support with incidents.

Multi-tiered network security

  • All servers are configured to have their services available only on an internal interface but not on the public internet. Configuration management ensures both service and firewall configuration.
  • Network traffic in the internal network is restricted by firewalls and separated networks to the servers of individual customers. Customer network areas are separated from each other.
  • Ingress HTTP traffic for web applications goes through our hardened load balancer/reverse proxy service to reach the destination application servers.

Operating systems

  • Rapid handling of security vulnerabilities and quick patching is part of all security considerations.
  • We follow all relevant security newsfeeds and information sources.
  • We follow update feeds of our Long Term Support operating systems.
  • We follow update feeds of all relevant services not provided by the operating system.
  • Upon discovery of security vulnerabilities we assess criticality, consider impact of emergency maintenance to affected services, deploy mitigations and apply security updates at the next possible opportunity.
  • Regular security updates, monitoring, handling and patching of security vulnerabilities.
  • Server access for deploying new software releases is generally limited to SSH.
  • We restrict access to asymmetric keys; insecure and potentially guess-able passwords are prohibited.
  • Brute force login attempts are detected and stopped.
  • Privileged access to servers is restricted to administrative personnel and is logged.
  • Logs are shipped to dedicated logging servers to allow effective analysis and ensure integrity in case of security incidents.
  • Service and operating system configuration is monitored and enforced by our configuration management software (Puppet).

Data and services

  • Customer infrastructure is generally hosted on dedicated virtual machines that are not shared with other customers.
  • Services inside VMs are restricted to only necessary permissions.
  • Software hosted for customers are separated from other software components according to agreements. Different products are isolated from each other by the permission concept on the file system level.
  • Data storage and database access is restricted to internal, customer specific network areas with restrictions on firewall and permission level.
  • We perform regular backups that can't be destroyed, manipulated or encrypted by the system that is being backed up: https://makandracards.com/opscomplete/44762-backup
  • Backups are kept in a physically separate location for protection from fire or other physical hazards.
  • Backups of customer data are encrypted with individual keys, different from those of other customers.
  • Backups are checked for integrity regularly. Recovery tests happen weekly.

Security incidents

  • All servers and services are monitored for correct operation and anomalies are detected.
  • Anomalies in metrics, notifications or logs are handled by an on call operations engineer.
  • Incident response follows established procedures. All operations engineer on staff are trained in these procedures. Escalation, notification to customers and final reports are part of the procedures.

Certifications

We hold security related certifications:

  • DCSO Cloud Vendor Assessment (CVAT)
  • VdA tisax, including high protection needs and data protection

Our datacenter provider Noris holds certifications that are can be retrived from their website Show archive.org snapshot

Emma Heinle
Last edit
Kim Klotz
License
Source code in this card is licensed under the MIT License.
Posted by Emma Heinle to opscomplete (2023-12-05 14:42)