We do not treat data security as a separate service provided to our customers. Security is built into virtually everything we do. From firewalls to servers to spam filtering, security is a dominant attribute of our product and service offerings. Here are just a few of the tools we use to ensure the security of customers’ data.
Our experts use a variety of methods to secure customer networks beginning with the network firewall. Firewalls are installed at both the perimeter of a customer’s network and within their internal network.
At the perimeter we control the access to customers’ networks from Internet sources. Servers need to be accessed from the Internet in order to enable things like email delivery and web sites. Also, many organizations require their employees to be able to gain access remotely through virtual private network (VPN) connections. The perimeter firewall usually handles access-control and setup for these connections.
Internal firewalls segregate access to internal networks. We often set up demilitarized zones (DMZs) for Internet-facing applications to ensure that if those systems are compromised the rest of the customer’s data is not vulnerable. We also set up segregated networks for organizations to allow guests to access network and Internet resources without gaining access to proprietary data.
Our firewall-management procedures include an automated daily audit of firewall configuration to ensure that no unauthorized changes have been made. This audit also ensures that all changes made by our staff are accompanied by a ticket explaining the purpose and details of the change.
In addition to auditing firewall configuration we also log attempts to access internal resources through the firewall. These logs are generally retained for at least one year to ensure that they are available if they are needed for tracing the source of an access violation.
Cryptography allows us to transmit data over the Internet and other media in a way that makes it extremely difficult for others to view that data. We use cryptography in many parts of our information exchange with customers and encourage customers to use it in key areas of their operations as well.
Whenever possible we use AES-256 or 3DES encryption with 2048-bit RSA keys signed by either our certificate authority or a trusted public authority. Using these high-grade ciphers mitigates the risk of an outside party gaining access to private data.
We encourage our customers to adopt best practices for both physical and logical access controls. For physical access controls it is essential that servers are located in a place where admittance can be limited to people who have a need to access them.
Logical access controls are also important. Ensuring that users have access to only the data they need to do their job is essential. By securing data access within a company we mitigate the risk of rogue employees gaining access to data they should not have. In the case of a compromised user account or password, these controls also limit the amount of data that can be compromised.
In order to safeguard the access controls our customers have in place, our systems perform a series of audits on a daily basis. These audits fall into two categories: privilege-level audits and access-control-list audits.
The privilege-level audits review the access level and group membership of each user in a customer’s domain. If unauthorized changes are made to a user’s account, they are detected and reviewed by a technician who can take corrective action. These audits also detect new user accounts that are created for the purpose of subverting access controls.
The access-control-list audits review the access controls set on key file-storage locations within the customer’s network. If unauthorized changes are made, they will be detected and reviewed by a technician. That technician can then work with the customer to determine corrective action.
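The daily audits described above (firewall configuration, privilege levels and access-control lists) share one detection pattern: snapshot the current state, compare it with the last approved baseline, and flag any difference that is not covered by a change ticket. The script below is an added illustration of that pattern for the privilege-level audit; it is not the provider's own tooling. The baseline, the current group membership, the account list and the ticket records are all constructed sample data, and the ticket fields (`id`, `group`, `user`, `action`) are assumed for the example. The same `diff_sets` routine also serves the firewall and ACL audits if each rule set or folder ACL is supplied as a named set of rule strings.

```python
"""Daily privilege-level audit (illustrative, not the provider's tooling).

Compares today's group membership and account list against the baseline
approved at the previous audit and reports every change that has no
matching change ticket, so a technician can review it.
"""

from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed baseline: group name -> members approved at the last audit.
BASELINE_GROUPS: Dict[str, Set[str]] = {
    "Domain Admins": {"alice", "svc-backup"},
    "Finance-Share-RW": {"bob", "carol"},
}

# Constructed current state, as read today from a directory export.
CURRENT_GROUPS: Dict[str, Set[str]] = {
    "Domain Admins": {"alice", "svc-backup", "dave"},  # dave was added
    "Finance-Share-RW": {"bob"},                        # carol was removed
}

# Constructed account inventories used to spot newly created accounts.
BASELINE_ACCOUNTS: Set[str] = {"alice", "bob", "carol", "svc-backup"}
CURRENT_ACCOUNTS: Set[str] = {"alice", "bob", "carol", "svc-backup", "dave"}

# Constructed ticket log (field names assumed): each record authorizes
# exactly one membership change.
TICKETS: List[Dict[str, str]] = [
    {"id": "CHG-1042", "group": "Finance-Share-RW", "user": "carol", "action": "remove"},
]

Change = Tuple[str, str, str]  # (group, user, "add" | "remove")


@dataclass
class Finding:
    group: str
    user: str
    action: str
    ticket: Optional[str]  # matching ticket id, or None when unauthorized


def diff_sets(baseline: Dict[str, Set[str]], current: Dict[str, Set[str]]) -> List[Change]:
    """Return every member added to or removed from any named set."""
    changes: List[Change] = []
    for name in sorted(set(baseline) | set(current)):
        before = baseline.get(name, set())
        after = current.get(name, set())
        changes.extend((name, member, "add") for member in sorted(after - before))
        changes.extend((name, member, "remove") for member in sorted(before - after))
    return changes


def reconcile(changes: List[Change], tickets: List[Dict[str, str]]) -> List[Finding]:
    """Attach the authorizing ticket id to each change, or None if there is none."""
    index = {(t["group"], t["user"], t["action"]): t["id"] for t in tickets}
    return [Finding(g, u, a, index.get((g, u, a))) for g, u, a in changes]


def unauthorized(findings: List[Finding]) -> List[Finding]:
    """Changes that no ticket explains; these go to a technician for review."""
    return [f for f in findings if f.ticket is None]


def new_accounts(baseline: Set[str], current: Set[str]) -> List[str]:
    """Accounts present today that did not exist at the last audit."""
    return sorted(current - baseline)


def run_audit(
    baseline_groups: Dict[str, Set[str]] = BASELINE_GROUPS,
    current_groups: Dict[str, Set[str]] = CURRENT_GROUPS,
    tickets: List[Dict[str, str]] = TICKETS,
) -> List[Finding]:
    """Full privilege-level audit over the supplied snapshots."""
    return reconcile(diff_sets(baseline_groups, current_groups), tickets)


if __name__ == "__main__":
    for f in run_audit():
        status = f.ticket if f.ticket else "UNAUTHORIZED"
        print(f"{f.action:6} {f.user:12} {f.group:18} {status}")
    for account in new_accounts(BASELINE_ACCOUNTS, CURRENT_ACCOUNTS):
        print(f"new account: {account}")
```

Run on the constructed data, the audit reports carol's removal from the finance share as covered by CHG-1042, and dave's addition to Domain Admins (together with the new `dave` account) as unauthorized. In production the baseline is replaced with the previous day's approved snapshot after the technician has signed off, so an unauthorized change never silently becomes the new normal.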
In order to establish strong security you must first have strong authentication. For most companies this usually means ensuring their users have strong passwords that are of sufficient length and contain mixed-case letters, numbers, and/or symbols. For customers where security risks are more elevated we set up multi-factor authentication systems where users must have some token in addition to their password to gain access to the company’s systems. This token can be a fingerprint, a key fob, or some other device. We work with customers to determine the appropriate level of authentication and build the systems to enforce the customer’s policy.
We’ve partnered with Trend Micro to provide malware blocking and URL filtering to our customers. Trend Micro has a comprehensive tool suite, and more importantly, they have the best track record of detecting and blocking malware among their peers.
We offer cloud-based email spam and malware filtering from both Microsoft and SpamHero. These tools detect unsolicited email along with email that contains viruses or other malware and prevent those messages from getting to users’ inboxes.