CloudSigma Security & Business Continuity Features
CloudSigma Security Capabilities
CloudSigma endeavours to deliver a high degree of security and privacy for customers in accordance with the various aspects of their computing. This is reflected in CloudSigma certifications like ISO27001/17/18, PCI DSS and CSA Security, Trust, Assurance and Risk (STAR). We regard this as a top priority and are committed to openness and transparency with respect to our security procedures and policies.
Out-of the box Certifications and Compliance
Sovereign cloud requires compliance with local regulations. In that sense, CloudSigma maintains a high level of certification related to security management, cloud security and data privacy.
.
Network Security & Traffic Separation (Data in Transit)
CloudSigma network topology design provides a full separation of all traffic between client accounts below the virtual machine level. No end user can view traffic from any other end user, this is achieved through full packet inspection of all incoming and outgoing packets to VMs by Linux KVM. KVM implements a virtual switch for every networking interface of each VM. Acceptable traffic courses (i.e. other VMs in the user’s account) are instantiated on boot and updated as VMs are added and removed from various networks in (i.e. end user private networks in the cloud).
Two-Factor Authentication
CloudSigma customers are able to use Two-factor authentication (2FA) in order to log onto their accounts. Two-step verification increases the security for access to their cloud platform account by providing a six to eight-digit unique password, which users must provide in addition to their username and password in order to log into the cloud platform UI.
Root Access & Operating System Security
Customers retain full sole access to their data at the file system level; the CloudSigma system does not have access inside VMs or drives. All customer data is handled automatically by our system. This includes activities such as drive deletion and scheduled deletion (for deprecated accounts). CloudSigma makes no copies of client drive data and therefore the sole copy resides in our cloud unless the customer chooses to clone the drive to another storage system or location.
OS Image Library
CloudSigma provides a public presinstalled image library of client OS (Linux, Windows and BSD) . These operating systems are correctly patched regularly to ensure security vulnerabilities are patched enabling end users to deploy secure virus and vulnerability free operating systems for their VMs on first boot.
Customers can also import their own custom images.
Security Management
CloudSigma is ISO-27001 certified including all areas of sales, operations and support as well as being PCI-DSS compliant. A copy of the latest ISO-27001 certificate can be obtained upon request. In addition, the CloudSigma cloud is also certified by Canonical as a certified Ubuntu Public Cloud.
Quality Management
At present CloudSigma applies internal quality management procedures to processes relating to the creation and quality control of the products and services offered by the company. We use a combination of methodologies and management tools to ensure customer requirements and expectations are continuously monitored and met. The heads of each department are responsible for the implementation of all quality management procedures and to ensure the management system is compatible with ISO-900:2008 standards and other certifications for which we are already certified, such as ISO-27001.
An integrated management interface is the centralized system we use to manage and monitor the cloud, from both an operations and account management perspective. There are different access levels defined by the separate user roles and rights. Team members are trained and kept up to date on the different components and metrics used, and are then granted access level based on their roles.
An agile framework provides us with a group of software development methods in which requirements and solutions evolve through collaboration between self-organizing, cross-functional teams. Retaining short term flexibility through an agile approach reduces the risk of failure and surfaces issues earlier before they threaten the success of the proposal. The iterative sprint process provides the ability over time forecast the work effort required for each deliverable allowing the product owner to fine tune their product roadmap. Being agile also moves the trade off between completeness of product and release timing. It is possible to release more frequently and to iterate faster.
The second facet of our engineering approach, are the systems in place to manage software deployment in a secure and reliable manner, complementing the agile methodologies discussed. Deployment is managed across three separate environments: development, acceptance testing, and production. The main source code repository is managed through a Source Code Management tool. The updated codebase is verified through our CI/CD pipeline which tests each check-in via an automated build, and running a sequence of integration tests and unit tests on the code.
On the integration servers we run a suite of user level acceptance tests that primarily monitor performance. If these tests pass successfully, the code is added to the Production Repository. At this point the code becomes subject to an internal code review, by a developer who has not been involved with this code base. When this is signed off, the code is sent to final repository, ready for deployment into the production environment.
Risk Management is applied in tandem with our agile approach and assigned the following four elements: risk description, probability, size of loss measured in days or story points and exposure. The risks are reevaluated at each sprint, with a single consolidated risk value created.
Technical Audit
All customers of the CloudSigma platform are entitled to perform security, operations and processes auditing in relation to the services that we provide. The audit can be performed by the customer or a third party authorized by the customer. Please note the following:
any audits shall be executed at the cost of the customer, including but not limited to charges that we have incurred during this process;
the data center can be visited and access can be granted only after an advance notice of two weeks prior to the day of visit;
in order to conduct the audit, the customer or their third-party auditor shall be accompanied by a CloudSigma staff member.
Data Encryption
The CloudSigma cloud supports the encryption of partial or full i.e. boot level encryption of virtual drives. With this in mind, we recommend as a best practice that end users perform boot-level encryption of sensitive data and retain the keys outside our cloud. The cloud platform currently supports a number of customers running fully encrypted data storage in conjunction with their services in the cloud. End users can also connect to their VMs using encrypted protocols to ensure the integrity of login and other data they transmit to and from their servers.
Typical end user use cases where encryption would be used would be when a hosted processing provider is storing sensitive end user information or when a service provider themselves wishes to store proprietary data that they wish to be secured additionally. In these case an encrypted partition can be created for that specific data or a separate virtual drive with full file system encryption used. In this way the end user providing the service can combine best performance from data not needing encryption with high security for the data that does.
SSH KeysSecure access to end-user VMs is facilitated using SSH key pairs. This allows users to run commands on a machine’s command prompt without them being physically present near the machine. This enables users to establish a secure channel over an insecure network..
The SSH key creation covers the following three scenarios:
Customers can generate their own SSH keypair from the API or the WebApp
Customers can import their own SSH keys themselves and upload only the public key in their CloudSigma account. In this scenario customers take the responsibility for the protection and access of the private key. This option is provided for customers that are especially concerned about security in the cloud.
Access Control Lists/Policies
Access control lists (ACLs) are meant to segment account control rights and access to the different operational aspects. With this feature the account administrators can allow access to different resources or a group of resources across the account. The account administrator delegates permissions to each account and lets each user log in to the web console with their own user credentials. Examples of delegated abilities:
Give junior sysadmins access to start/stop servers, but not to create or delete anything.
Provide senior sysadmins access to fully manage the architecture, but not being able to access billing.
Provide the operations team with access to firewall policies and networking, but not to servers.
Provide a team with full access to their servers (using server tagging), but not any of the other resources.
ACLs enable a very granular control over the account’s permissions and budget, resulting in higher levels of transparency and security. For each module, it is possible to delegate either read-only or read-write permission. It is also possible to delegate permission on individual resources, for example a server or set of drives.
Logging Service
Software upgrades and system patches at both the operating system and application layer are achieved without service disruption due to the redundant and clustered architecture of the solution. System patching including security updates are subject to our security and change management procedures covered by CloudSigma’s ISO27001:2013 certified processes.
Patching Service
Software upgrades and system patches at both the operating system and application layer are achieved without service disruption. This is possible due to the redundant and clustered architecture of the solution. System patching including security updates are subject to our security and change management procedures covered by CloudSigma’s ISO27001:2013 certified processes.
DDoS Protection Measures
The following measures are used to prevent Distributed Denial of Service (DDoS) attacks:
Apply an ISP approach for safety – Traffic shaping (put in place a policy limiting the number of packets and throughput).
Upon request that policy will be editable for a particular client or set of clients
blacklisting of IP addresses in the event of an attack
additional firewall measures both at our edge and internally
obfuscation of and removal (in some cases) of public IP connectivity from core cloud infrastructure where possible to avoid targeting of key cloud infrastructure assets
externally hosted cloud status page allowing status updates even during a potential total outage
(see http://status.cloudsigma.com)
using IP proxies on core services and other measures that can’t be shared publicly
automatic blocking of DDOS attacks against our clouds.
Zhenya is a Digital Marketing Expert at CloudSigma, focusing on brand strategy, social media marketing and digital marketing campaigns. She is passionate about the continuous innovation within the digital environment and the endless growth opportunities that inbound marketing brings.
We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies. However you may visit Cookie Settings to provide a controlled consent.
This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
.
