Standards & accreditations
We hold the ISO27001 security accreditation. In reality, that accreditation is of limited value when assessing an IT provider's security procedures (it is mainly focussed on matters like changing passwords regularly rather than foiling a determined corporate spy), and we vastly exceed its requirements - see below:
External hacking attacks
The most common (although not usually the most determined) form of actual data theft is one over the wire; if your server is accessible via the Internet then it is in a known virtual location (its IP address) which can then be targeted.
We provide a range of services to help mitigate such attacks, including our Memset®-managed SLA, Packet Patrol™ managed firewall, Perimeter Patrol™ vulnerability scanning and Penetration Patrol™ intrusion detection.
The data centres all have the standard set of security measures: 24/7 monitoring, secure perimeters, personal swipe cards for entry, and no one is allowed into the buildings unaccompanied by cleared staff.
However, we do not own our own data centres; instead we rent floor space and power from third parties. This is for three main reasons:
We are IT experts, not cooling and power experts. The two fields are very different, and while we could easily build a good data centre of our own we feel it would be a distraction from focussing on being really, really good at managing IT equipment and virtual servers.
This approach means that we can have multiple data centre locations with independent power and fibre links, thus allowing us to provide multi-site resilience. Our customers who are paying for multi-site clustering have literally meteor-proof systems.
We have an organisational separation between the mechanical & equipment data centre layer and the IT layer. We sub-contract the physical handling of the servers to our data centre suppliers. This means that the staff who have physical access to the servers do not have access to our customer database.
So, imagine our hypothetical attacker now trying to get your data by physically accessing (or stealing) the server on which it resides. Even if, somehow, they managed to obtain the assistance of one of the data centre personnel (under duress or bribery), the people with physical access to the servers do not know what is running on them.
We hide your server (dedicated or virtual) as a tree in the proverbial forest; even if the attacker managed to guess the data centre in which your server is hosted (difficult, but not impossible, since they could look at a traceroute to see where the external access was going), their "man on the inside" would be faced with row upon row containing thousands of servers with anonymous labels on them like "SRV04261".
Internal staff are not allowed access to data centre locations without supervision and clearance from the head of security either.
A potential threat to data security is recycling of hardware back into our pool, be it from virtual machines, cloud storage or dedicated servers. Our approach to this is two-fold.
First, whenever a server which has contained customer data is deprovisioned its hard disks are labelled as "DIRTY" in our asset management system. Our automated systems will not allow such a hard drive to be redeployed until it has been "cleaned" which we do by overwriting the entire disk with random data twice.
For purists, yes, if data is only overwritten twice it is theoretically possible to examine the hard drive under a scanning electron microscope, looking at the edges of the tracks, and determine the previous binary state with sufficient accuracy to reconstitute the data (at staggering expense, it should be noted). However, all the hardware remains in our control, in our secure data centres, and is accessed only by our authorised personnel. Two wipes is sufficient to prevent data recovery via the hard disk's own mechanisms.
Second, broken hard disks represent additional challenges since we cannot then use their own systems to destroy data. For these hard disks, we bring them back to our secure head office location ourselves (i.e. in our own van, with our own background-checked rack engineer) and store them until we have 20 or so. That can take up to a few months. Once we have 20, our hard drive destruction supplier comes to our offices and we observe them as they put the hard disk drives into what is essentially a giant industrial shredder. The disks and their magnetic platters are all reduced to small fragments, from which data recovery would be impossible.
Personnel / 'purchase key' attacks
The biggest security weak-point for any organisation is its people. A determined attacker will not bother with trying to steal servers nor hack into them, but will attempt to gain leverage over key members of staff; the "purchase key attack". How much is your information worth to your competitors? Enough to warrant them filling a manilla envelope with £50 notes and whispering in the ear of an employee with privileged access, or worse still trying to gain leverage over them via threats to a loved one? Quite possibly.
We take such threats very seriously, and undertake a number of steps to ensure that our customers are not vulnerable to such attacks:
- All staff are CRB & background checked.
- Only our systems administrators have access to customer servers.
- Access to customer servers is gained via personal keys, and all access is logged.
- Logs and activity are routinely checked by our head of security.
- Organisational separation of those who have physical access to servers, and those who know what is on the servers (see above).
Our head of security is obviously in a privileged position. They have additional levels of security check, and are monitored closely by Kate & Nick (the executive directors). Further, we do not disclose their identity.
Denial of service attacks
The most common form of attack is a simple attempt to disable a Web site (or other service) by flooding it with requests. This does not pose a threat to information security, but there have been reports of groups deliberately overloading Web sites (especially gambling ones with high daily revenues) and demanding money to prevent it happening again; a literal online protection racket.
We provide a layer of defence against DOS attacks; our firewall automatically detects incoming traffic that looks abnormal and starts ignoring traffic from that IP address. We call that the "DOS squasher".
In the case of a highly determined attacker, there will be multiple sources for the attack. In case you ever wonder what people write viruses for, this is one of the reasons; the viruses recruit the infected personal computer into what is termed a "bot net" - a distributed network of PCs (and sometimes servers) which are under the control of the attacker. They can then send out a message instructing the bot net to launch a distributed attack (a DDOS) which floods the target server with requests from all around the globe.
While our DOS-squasher can kill off several attacking IPs per second, if faced by a major-league bot net it would be overrun, and even then, if an attack managed to max out that data centre's uplink (at least one gigabit per second, so given that an average home connection can do 300kbps upload, a bot net of 3,000 might do it), we have to drop the target (victim's) IP address in order to protect other customers.
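The per-source blocking described above, and the reason a distributed attack slips past it, as an added example (not Memset's code; the log format, the one-second window and the per-IP threshold are assumptions):

```python
"""Per-source request-rate detection of the kind the "DOS squasher" above
describes, run over constructed log lines.  Added example, not Memset's
code; the threshold, window and log line format are assumptions."""
from collections import defaultdict, deque

# Assumed log line format (constructed): "<seconds> <client_ip> <request>"
WINDOW_SECONDS = 1.0
MAX_REQUESTS_PER_WINDOW = 20   # assumed per-IP threshold

def squash(lines, window=WINDOW_SECONDS, limit=MAX_REQUESTS_PER_WINDOW):
    """Return (blocked_ips, accepted_requests).  Once a source exceeds `limit`
    requests inside a sliding `window`, the rest of its traffic is ignored."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    blocked = set()
    accepted = 0
    for line in lines:
        ts, ip, _ = line.split(" ", 2)
        ts = float(ts)
        if ip in blocked:
            continue              # firewall drops traffic from a squashed IP
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # forget requests older than the window
        if len(q) > limit:
            blocked.add(ip)       # abnormal rate from a single address
            continue
        accepted += 1
    return blocked, accepted

def single_source_flood(n=200):
    # constructed: one address sending n requests within one second
    return [f"{i / n:.3f} 203.0.113.7 GET /" for i in range(n)]

def botnet_flood(bots=200):
    # constructed: the same volume, one request each from `bots` addresses
    return [f"{b / bots:.3f} 198.51.100.{b % 254 + 1} GET /" for b in range(bots)]

if __name__ == "__main__":
    print(squash(single_source_flood()))   # one IP squashed, 20 requests get through
    print(squash(botnet_flood()))          # nothing squashed, all 200 get through
```

The same 200 requests per second reach the server in the second run, because no individual address ever crosses the per-IP threshold; that is the gap the multi-site capacity argument below addresses.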
However, in this instance our multi-location architecture provides protection (see below - we have multiple data centre providers with independent uplinks). If you, the customer, are taking advantage of our multi-site clustering, the bot net would have to launch multi-gigabit attacks against multiple locations in order to actually overload all of them. Such an attack would be on a level such that the police or even GCHQ would likely get involved.