Fasthosts Customer Support
Responsibilities and Best Practices
We take great care to ensure that all parties understand
and appreciate the respective responsibilities relating to
an infrastructure-as-a-service or self-managed
environment. This document highlights and identifies
these responsibilities to help our customers operate in a
defined and mutually understood environment.
Customer Support | Fasthosts Server Support
Page 1
Contents
1 Introduction .................................................................................... 1
2 Document Disclaimer ..................................................................... 2
3 Our Responsibilities....................................................................... 3
3.1 Security of Data Centres ............................................................. 3
3.2 Hardware Maintenance .............................................................. 4
Dedicated Servers ......................................................................... 4
Virtual Private Servers................................................................... 4
3.3 Security Testing of Our Infrastructure ......................................... 4
3.4 Maintaining security best practices ............................................. 5
3.5 Confidentiality of Our Services and Infrastructure ....................... 5
3.6 Integrity of Our Services and Infrastructure ................................. 6
3.7 Availability of Our Services and Infrastructure ............................ 6
3.8 Principle of Least Privilege ......................................................... 6
3.9 Service Availability ..................................................................... 7
3.10 Secure Destruction of Data, Hardware, Removable Media ....... 7
3.11 Secure Data Communications on Our Networks ....................... 7
3.12 Incident Management on Our Networks .................................... 8
3.13 Internet Connections ................................................................ 8
3.14 Change Management ............................................................... 8
3.15 Notification of Planned Outages ............................................... 9
3.16 Denial of Service Attacks .......................................................... 9
4 Typical Infrastructure Management Responsibilities of Customers ..... 10
4.1 Software Installation and Build ................................................. 10
4.2 Firewall Between On Premise and Off Premise Networks......... 11
4.3 Hardening of the Host Operating System ................................. 11
4.4 Change Default System Settings, Usernames and Passwords . 12
4.5 Applying Service Packs, Security Patches and Software Updates ..... 12
4.6 Maintaining Infrastructure Optimisation ..................................... 13
4.7 Testing/Quality Assurance of Applications and Services ........... 13
4.8 Event Logging .......................................................................... 14
4.9 Anti-Virus and Anti-Malware Protection .................................... 14
4.10 Backup ................................................................................... 14
4.11 Remote Administration and Maintenance ............................... 15
4.12 Application and License Management .................................... 15
4.13 Change Management ............................................................. 15
4.14 Compliance with License Agreements, Local Legal and
Regulatory Bodies .......................................................................... 16
4.15 Managing User Accounts........................................................ 16
4.16 Managing Passwords ............................................................. 16
4.17 Operating System Failure ....................................................... 17
4.18 First Line Support ................................................................... 17
4.19 Customer Initiated Penetration Testing ................................... 18
4.20 Managed Firewalls and VPN Concentrator ............................. 19
1 Introduction
Fasthosts is committed to building information-security principles into everything
it does and maintains or exceeds industry best practices. Fasthosts Dedicated
and Virtual Servers are supplied on a Self-Managed basis. This document details
the responsibilities of Fasthosts and its customers for infrastructure security
within a Self-Managed service. It also offers recommendations on how customers
can carry out these responsibilities.
2 Document Disclaimer
The customer using this document must be made aware that the contents of this
document setting out the responsibilities of each party are shown as guidelines.
This document is designed to demonstrate the typical and normal responsibilities
of each party within an infrastructure-as-a-service (IaaS) or hosted environment
to ensure there is a clear understanding of responsibilities.
This document cannot cater for every eventuality so customers should use the
guidelines as examples and for indicative and understanding purposes only.
Fasthosts wishes to ensure that the customer accepts and understands the
variety and complexity of possible solutions and services that may be made
available and that it is not feasible to provide comprehensive guidance for all
circumstances and individual customer requirements.
It is the customer’s responsibility to ensure that they seek clarity or additional
advice before making any assumptions on the applicable responsibilities as each
customer’s circumstances may be different. This may therefore necessitate a
modified set of responsibility requirements to be specified depending on the
technical and products / services proposed.
Fasthosts shall accept no responsibility for reliance on the guidelines or
misinterpretations and we recommend that the customer seeks prior clarification
and advice from Fasthosts or an IaaS professional if they have queries or non-
typical requirements or require clarification on any related responsibility concern.
3 Our Responsibilities
3.1 Security of Data Centres
We are responsible for managing and protecting our Data Centres by:
• Conducting annual physical security reviews to ensure we adhere to
policies and best practices.
• Escorting visitors while they are in data centres and signing them in and
out of facilities.
• Restricting access to data centres with fences, gates, swipe-card-entry
systems and role-based privileges.
• Protecting facilities with out-of-hours security guards.
• CCTV monitoring and a reception that is manned 24/7/365.
• Maintaining operations during short-term power fluctuations with reserve
power supplies, backups (e.g. uninterruptible power supplies) and redundant
generators, which we test regularly.
• Maintaining optimum environmental conditions in our data centres with
air-conditioning systems, which we test regularly.
• Providing fire detection and suppression systems, which we test regularly.
3.2 Hardware Maintenance
We are responsible for maintaining optimum system performance in our data
centres. How we maintain this performance differs depending upon the type of
server you are using:
Dedicated Servers
• Providing hardware support and investigating issues at the request of
customers.
• Identifying and replacing faulty hardware.
Virtual Private Servers
• Maintaining redundant hardware to transfer services to in the unlikely
event of an outage.
• Monitoring business-critical hardware and resolving issues for customers.
3.3 Security Testing of Our Infrastructure
We are responsible for testing the security of our infrastructure by:
• Conducting regular security tests on our infrastructure and managing the
results of tests through incident/risk management processes to resolve
issues quickly.
3.4 Maintaining security best practices
We are responsible for maintaining security best practices by:
• Utilising an Information Security Manager to manage and implement
security standards and best practice.
• Regularly reviewing policies and updating them to follow best practice.
• Utilising an Information Security Steering Committee to approve and govern
changes to policy.
• Clearly and comprehensively training all staff on current information
security policies.
• Maintaining clear disciplinary policies and procedures, which are outlined
during employee inductions.
3.5 Confidentiality of Our Services and Infrastructure
We strive to protect the confidentiality of customer data by preventing our
employees from accessing data unless customers provide them with root / admin
access. We also use the following to ensure confidentiality:
• Network security protocols.
• Network authentication services.
• Data encryption services.
• Physical entry controls.
• Additional hardening of internal operating systems depending upon their
role, importance and location within our network.
3.6 Integrity of Our Services and Infrastructure
We strive to protect the integrity of customer data by preventing our employees
from accessing it and by using the following to ensure integrity:
• Multiple-level firewall services and network segmentation. Access depends
upon business requirements and the services being accessed.
• Communications security management.
3.7 Availability of Our Services and Infrastructure
We strive to maintain the availability of customer data by implementing redundant
internet connections, power supplies, generators, network infrastructure and
storage area network (SAN) disks. We also use the following to ensure
availability:
• Role Based Access Control (RBAC).
• Redundant disk systems and internet connections.
• Acceptable logins and operating process performance.
• Reliable and interoperable security processes and network security
mechanisms.
3.8 Principle of Least Privilege
We ensure that only engineers who need access to servers, infrastructure and
networks get it. Employees who do not have a business requirement to access
these cannot do so without authorisation from authorised personnel.
3.9 Service Availability
We are responsible for maintaining 99.99% availability for virtual private servers
and 99.99% availability for dedicated servers.
3.10 Secure Destruction of Data, Hardware, Removable Media
We are responsible for securely destroying our data, hardware and removable
media, and we use accredited partners to securely destroy hardware such as hard
disk drives and backup media.
• We cleanse hard disks before reusing them and test samples to ensure data
cannot be recovered. We do this with software that adheres to HMG CESG
standards.
3.11 Secure Data Communications on Our Networks
We are responsible for maintaining secure communications in our private
network by:
• Segmenting customers' networks to prevent unauthorised access.
• Encrypting virtual private network (VPN) tunnels with IPsec to protect traffic
to customers' sites. (VPN tunnelling and managed firewalls are only
available via our Sales department.)
3.12 Incident Management on Our Networks
We are responsible for managing incidents on our network by:
• Following ITIL-based management processes to deal with incidents.
• Providing an incident manager who is on duty 24/7/365.
3.13 Internet Connections
We are responsible for maintaining internet connections for servers by using
multiple 10Gb/s connections to the Internet and diverse routing to ensure that
connectivity is not lost due to a single failure.
3.14 Change Management
We are responsible for managing change associated with our infrastructure and
minimising the impact to you wherever possible. We manage these changes by:
• Utilising a Change Manager who is responsible for change management
processes.
• Following ITIL-based change management processes.
• Utilising a change management team to authorise change requests based
upon role, location and importance in our network.
3.15 Notification of Planned Outages
We are responsible for notifying customers of planned outages and endeavour to
provide at least 24 hours' notice of planned outages. In the majority of cases, we
will provide notice earlier than this.
Note: We may give less notice for emergency maintenance needed to resolve
high-risk security incidents that affect multiple customers.
3.16 Denial of Service Attacks
We are responsible for mitigating denial of service attacks from the Internet. We
reserve the right to remove service for the duration of an attack, or until we can
deploy a compensating control, if an attack threatens our wider infrastructure.
4 Typical Infrastructure Management Responsibilities of Customers
4.1 Software Installation and Build
You are responsible for configuring servers to suit your requirements, including
security policies. You can reset your servers to base configuration at any time.
We provide our services with some elements pre-configured to enable them to
work within our environment.
We recommend that you consider the following questions when configuring your
servers:
• How do you secure data at rest and in motion?
• Who has access to data?
• What is available to the outside world?
• What should be implemented to protect data held in your systems?
• What controls are necessary to uphold your information security policies?
4.2 Firewall Between On Premise and Off Premise Networks
You are responsible for managing, implementing and adding firewalls between
off-premise and on-premise networks. We recommend that you:
• Implement ingress and egress firewall policies at on-premise tunnel
endpoints.
• Configure firewalls to only allow the inbound and outbound ports and IP
addresses required by the services in the off-premise environment.
4.3 Hardening of the Host Operating System
You are responsible for hardening your servers.
We recommend that you:
• Apply hardening templates.
• Restrict access over unused ports.
• Disable unused features.
Quick tip: You can find hardening best practice guides at
http://www.sans.org.
4.4 Change Default System Settings, Usernames and Passwords
You are responsible for changing default system settings and operating-system
passwords. We recommend you:
• Implement different user profiles for people who access the server directly.
• Use RBAC so that users can only access the services they need to do their
jobs.
• Implement strong password controls, such as a minimum length of eight
characters for passwords, which must include at least one upper-case,
lower-case and numeric character.
• Rename default administrator accounts, such as domain admin or root, with
a meaningless value. Add a complex password and store this in a safe
location. Create different accounts and apply limited privileges to these
accounts for other users.
• Create specific accounts for third parties (including Fasthosts) that expire
after a short time. If a third party has a shared privileged account, change
the password or disable the account immediately after the third party
completes their work.
4.5 Applying Service Packs, Security Patches and Software Updates
You are responsible for applying and configuring service packs, security patches
and software updates to your servers. We recommend you:
• Disable unused services.
• Configure a method to apply updates and security patches to servers.
4.6 Maintaining Infrastructure Optimisation
You are responsible for implementing any operating-system configuration
changes recommended by ourselves to optimise or secure your server on our
infrastructure. Best practice:
• Update your server configuration in line with any revised best practices as
recommended by ourselves and in line with your own change management
process.
4.7 Testing/Quality Assurance of Applications and Services
You are responsible for conducting functionality testing and quality assurance of
applications and services on your servers. We recommend that you:
• Ensure you have a good backup or snapshot of servers before deploying
updates or patches.
• Ensure your services have sufficient capacity to cope with peak loads.
• Deploy patches and updates regularly to minimise the impact if something
goes wrong and make it easier to identify causes.
• Test your applications after patches and updates to check they are not
affected.
4.8 Event Logging
You are responsible for monitoring the logs of systems, applications and servers.
We recommend you:
• Set up event logging to move logs onto a different server and analyse
them for security-related events. This will help define the correct defences
for your services.
• Retain logs for a reasonable length of time, e.g. a minimum of one month
but preferably a year.
4.9 Anti-Virus and Anti-Malware Protection
You are responsible for deploying and managing anti-virus and anti-malware for
your servers. We recommend you:
• Install anti-malware software and configure it to auto update or comply with
your corporate anti-virus policies.
4.10 Backup
You are responsible for arranging backup for your servers. It is also your
responsibility to back up your data and test your backup systems. We
recommend you:
• Back up data and implement a regime that allows you to recover your
business in the event of a disaster.
• Test your backup systems.
4.11 Remote Administration and Maintenance
You are responsible for managing servers and firewalls provided by us via the
remote access VPN portal. We recommend you:
• Conduct remote administration and maintenance securely. We can provide
a secure remote access VPN to maintain servers and firewalls. (Only
available via our Sales department).
• Do not expose management interfaces to the Internet or allow weak
authentication controls.
4.12 Application and License Management
You are responsible for maintaining applications to support your servers and for
ensuring you have licenses for your applications. We recommend you:
• Ensure you have sufficient processes in place to maintain your
applications.
4.13 Change Management
You are responsible for managing change associated with your servers. We
recommend you:
• Implement a change-management process. This will make it easier to
identify reasons for a failure and restore systems.
4.14 Compliance with License Agreements, Local Legal and Regulatory Bodies
You are responsible for ensuring compliance with license requirements and legal
and regulatory bodies. We recommend you:
• Pay attention to local regulations that may affect you.
4.15 Managing User Accounts
You are responsible for managing user accounts in line with your procedures. We
recommend you:
• Create individual accounts for users who access your systems.
4.16 Managing Passwords
You are responsible for managing passwords in line with your procedures. We
recommend you implement strong password-management policies, for example:
• Password length is set between eight and 15 characters.
• Force a password change at first logon.
• Enforce password expiry; the suggested maximum age is 45 days.
• Enforce password history, preventing users from reusing their previous n
passwords, where n is between 0 and 9.
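The password rules in sections 4.4 and 4.16, expressed as a policy-as-code check. This is an added example and not part of the Fasthosts document; the function names and the sample password history are constructed.

```python
from datetime import date, timedelta
from typing import List, Optional

# Policy values taken from sections 4.4 and 4.16 of the document.
MIN_LENGTH = 8
MAX_LENGTH = 15
HISTORY_DEPTH = 9      # remember the previous n passwords, n between 0 and 9
MAX_AGE_DAYS = 45      # suggested maximum password age


def complexity_violations(password: str) -> List[str]:
    """Return every rule the candidate password breaks (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    return problems


def reuses_recent(password: str, previous: List[str], depth: int = HISTORY_DEPTH) -> bool:
    """True if the candidate matches one of the last `depth` passwords (most recent last).
    A depth of 0 disables history checking, as the document allows."""
    if depth <= 0:
        return False
    return password in previous[-depth:]


def must_change(last_set: Optional[date], today: date, max_age: int = MAX_AGE_DAYS) -> bool:
    """Force a change at first logon (no recorded change) or once the password has expired."""
    if last_set is None:
        return True
    return today - last_set > timedelta(days=max_age)


def evaluate(password: str, previous: List[str], last_set: Optional[date], today: date) -> dict:
    """Combine the checks into one accept/reject decision with the reasons for rejection."""
    reasons = complexity_violations(password)
    if reuses_recent(password, previous):
        reasons.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
    return {
        "accepted": not reasons,
        "reasons": reasons,
        "change_required": must_change(last_set, today),
    }


if __name__ == "__main__":
    # Constructed sample history (most recent last) and a constructed calendar.
    history = ["Spring2023", "Summer2023", "Winter2023"]
    print(evaluate("Winter2023", history, date(2023, 11, 1), date(2024, 1, 1)))
    print(evaluate("Tr0ub4dor", history, date(2023, 12, 1), date(2024, 1, 1)))
```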
4.17 Operating System Failure
You are responsible for maintaining your operating systems. We recommend
you:
• Employ appropriately skilled engineers to manage your servers.
4.18 First Line Support
You are responsible for managing all first-line support issues. We recommend
you:
• Provide first-line support and build processes to authenticate users who
contact your service desks requesting access to your systems.
4.19 Customer Initiated Penetration Testing
You are responsible for penetration testing. These responsibilities include:
• Obtaining authorisation from ourselves and any other customers involved in
testing. Customers MUST submit a request to test at least five working
days before penetration testing or vulnerability scanning activity.
• Ensuring that only experienced employees or professional third-party
consultancies conduct penetration tests and vulnerability scans.
• Outlining details of penetration tests or vulnerability scans to ourselves.
This must include:
o Time frame for the test.
o Testing scope.
o IP addresses involved.
o Key contacts.
• Getting third-party testing organisations to complete a Fasthosts non-
disclosure agreement before testing or scanning.
• Informing the Fasthosts Service Desk of test results that may adversely
affect Fasthosts, such as denial of service.
• Reporting vulnerabilities identified in the Fasthosts infrastructure.
Please note that if our support teams are not aware that you are testing, it is
likely that they will deploy mitigating controls and blocks to stop the attack.
Important: We will suspend the services of customers who do not comply with
this.
Best practice:
• Conduct penetration tests or vulnerability scanning once Rise has deployed
their services. This is to ensure that partners' configurations follow best
practice and do not have any security weaknesses.
4.20 Managed Firewalls and VPN Concentrator
You are responsible for configuring your end of a VPN tunnel. We recommend
you:
• Lock down firewall configurations and only allow the inbound and outbound
ports and IP addresses the application requires.
Note: Managed Firewalls and VPN concentrators are only available through our
Sales department and cannot be purchased through your control panel.