Extended specification of Oktawave cloud platform security aspects
Posted on 26.02.2014 19:41
Table of Contents
  1. Introduction
  2. Basic information
  3. Legal status and ownership of infrastructure
  4. Physical protection of data
  5. Area 1: Location of data and facility security (physical and procedural)
  6. Area 2: Method of data storage, including security at the level of media
  7. Area 3: Method for allocating access to the data
  8. Area 4: Ways of securing public and private networks (including isolation of the network)
  9. Public network based on PVLAN
  10. Private networks (so-called OPN) based on VLAN
  11. Protection of data in the logical range
  12. Managing access to data through the process manager (the hypervisor)
  13. The method of allocation and revocation of access to data
  14. Method of removing deleted data
  15. Isolation of data between subregions
  16. Regular security scanning
  17. Summary


Introduction

This document describes the security aspects of data entrusted to the Oktawave cloud platform. Its purpose is to explain the safeguards applied and to describe the mechanisms, procedures and algorithms used to protect data.

The document is divided into two parts. The first covers data security at the physical level; the second covers the logical layer (excluding the security of data as managed by the application that processes it, which is supplied by the customer and installed in the Oktawave infrastructure).


Basic information

By definition, Oktawave provides cloud computing services of the IaaS type (Infrastructure as a Service). The essence of this type of service is to provide resources in a virtualized environment, so that specific computing resources can be allocated to a customer dynamically and on demand. In an IaaS cloud, the individual services are the counterparts of the components of a dedicated server infrastructure, without its limitations:

  • physicality, and hence vulnerability to hardware failure,
  • lack of rapid scaling mechanisms.

Three main services form the core of an IaaS cloud (they are provided to users in the same way as they are when providing dedicated servers). In Oktawave these are:

  1. memory and processors (Xeon or AMD), hereinafter collectively referred to as OCI (Oktawave Cloud Instance),
  2. disk space, hereinafter referred to as the OVS (Oktawave Volume Storage),
  3. network interfaces (private and public), hereinafter referred to as OPN (Oktawave Private Network).

This division of resources means that, in order to run a server in the Oktawave cloud (which, from the perspective of devices and the operating system, corresponds to a dedicated server), at least two of these three components must be used: OCI (the computing component) and OVS (the disk space assigned to it).

A service prepared this way is compatible with almost any current operating system and, just like a dedicated server, inherits the same set of security rules. You can therefore apply almost the same architectural, procedural and security rules as in a classic hosting solution.

This means that when migrating services to an IaaS cloud (or starting a new environment), the data-security design patterns are analogous to those of a classic (traditional, on-premise) solution.

Given the similarity between an IaaS cloud and a dedicated environment, in an IaaS cloud the customer should likewise divide data security into two main areas:

  1. protection against data loss,
  2. protection against loss of control over data.

In this document both areas are addressed alternately rather than in separate sections, because the risks arising from each need to be assessed in the context of the different security issues described in the following sections.


Legal status and ownership of infrastructure

Oktawave is a company registered with the District Court for the Capital City of Warsaw, XIII Commercial Division of the National Court Register, under KRS number 0000426334, at the address: Domaniewska 44a Street (Platinum 5), 02-672 Warsaw, Poland.

All shares of Oktawave belong to K2 Internet S.A., listed on the GPW (Warsaw Stock Exchange), registered with the District Court for the Capital City of Warsaw, XII Commercial Division of the National Court Register, under number 0000059690, with share capital of 2 485 032 PLN (paid in full).

The entire infrastructure used by the cloud platform is owned by Oktawave. This includes all the necessary infrastructure components, including:

  • servers,
  • storage systems,
  • network switches, backbone switches and data networks,
  • routers,
  • wiring.

No element of this infrastructure is leased from another entity. Full control over all components rests directly and exclusively with Oktawave.

Physical protection of data

The physical aspect of data protection and security can be divided into four areas.

Area 1: Location of data and facility security (physical and procedural)

All the devices of the Oktawave cloud currently operate in the Thinx data center, located at Konstruktorska 5 Street, Warsaw, Poland. The data center is owned by ATM S.A. (Grochowska 21a Street, 04-186 Warsaw, Poland). Oktawave rents technical floor space from ATM S.A., on which Oktawave's own devices are installed in standard 19-inch racks. ATM S.A. supplies the following services:

  • rental of data center technical floor space,
  • physical and procedural/access security of the data center space,
  • power supply,
  • cooling,
  • wiring between the Oktawave racks and the MMR (meet-me-room),
  • data transmission to ACX (traffic exchange between national operators), to Orange (formerly TP), and foreign transit.

Full specification of Thinx data center is available at: http://en.thinx.pl/data_center/technical_specifications.

The data center is certified against the following standards:

  • Information Security Management System, ISO/IEC 27001:2013, Certificate No. IS 524327, issued by the British Standards Institution,
  • Quality Management System, ISO 9001:2008, Certificate No. FS 602564, issued by the British Standards Institution.

Security systems in use:

  • CCTV (inside and outside),
  • partition access control based on proximity cards,
  • visitors escorted by facility security staff,
  • intruder alarm with automatic notification of an external intervention group,
  • list of persons authorised to access the facility,
  • security staff monitoring the facility,
  • monitoring,
  • Network Operations Center,
  • support,
  • electronic identification cards,
  • all alarm systems monitored 24/7/365.

Area 2: Method of data storage, including security at the level of media

All block data stored in the Oktawave infrastructure (the OVS service, analogous to a hard disk drive) is written using a fully proprietary technology that forms a so-called data network built from data nodes. The architecture introduces the concept of physically multi-level storage of data:

  1. block layer for Tier-1,
  2. block layer for Tier-2 to Tier-5,
  3. object layer for OCS,
  4. copy of the Tier-1/Tier-2 to Tier-5 layer on another node.

Oktawave does not use a classical disk array, so there is no single point of storage and no single point of backup storage. The data network independently analyses its own state, verifies data integrity and can replace any node that fails. In effect, the Oktawave data network can be viewed like a disk array, but with very high capacity and scalability (to eliminate the risk of data loss).

Area 3: Method for allocating access to the data

Two ways of accessing the data must be distinguished:

  1. physical presence in the data center, after completion of the procedural requirements (access lists, identification),
  2. access through the Oktawave infrastructure, using the OVS service.

With the first method, direct access to the data is not possible; only access to the infrastructure is possible. Being present in the data center does not mean knowing the physical location of the data on specific parts of the infrastructure (eliminating the risk of losing control over data): information about where data is stored exists only at the level of the Oktawave management platform. A customer may consider the risk of part of the infrastructure being stolen from the data center, but the characteristics of the Oktawave data network described above make data loss by this route very unlikely, because the thief would have to know in advance exactly which parts of the infrastructure to take.

As a result, even if part of the infrastructure were removed from the data center, the information on it would be useless without access to the rest of the infrastructure and knowledge of how data is written to it. Here a clear advantage of cloud computing over classic hosting on dedicated servers shows: in the traditional solution, carrying a specific server or disk out of the data center is enough to gain access to the data.

Naturally, account should also be taken of the very high level of data center security against unauthorised access and the correspondingly marginal risk of any part of the infrastructure being removed without authorisation. At the same time, all requirements set by the law on the protection of personal data are met: Oktawave is able at any time to pinpoint the exact location of data within a single data center.

With the second method, a customer using OVS disk resources is assigned a specific area of space in the data network, the equivalent of hard drive addressing in classic dedicated servers (eliminating the risk of losing control over data). There is virtually no risk of one user gaining access to the OVS drives assigned to another user.

The process responsible for mapping areas of disk space uses mechanisms built into VMware ESX/vSphere, which are discussed in the section on logical security.

Area 4: Ways of securing public and private networks (including isolation of the network)

Here two network areas should be distinguished:

  1. the public network, based on PVLAN,
  2. private networks (so-called OPN), based on VLAN.

Public network based on PVLAN

In the Oktawave cloud environment, public interfaces use a solution based on PVLAN (Private VLAN) technology. This technology allows automatic creation (segmentation) of the network in a way that guarantees there is no direct communication between OCI instances belonging to one customer, and separation between OCI instances belonging to different customers.

Each public interface of a server in the cloud (OCI) works in the so-called isolated mode. This mode allows Layer 2 (Ethernet) transmission only between the server (OCI) and the network access gateway. Data exchange between different servers (OCI) within one network is therefore also carried out through the access gateway (proxy ARP). The gateway is equipped with a number of filters (such as DHCP snooping) that prevent a wide range of attacks, including rogue DHCP servers, sniffing and ARP spoofing (eliminating the risk of losing control over data).
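As an added example (not Oktawave's own tooling), the following Python script checks from inside an OCI whether the public interface behaves as described: in isolated mode every other host in the public subnet should resolve to the gateway's MAC address, because the gateway answers ARP on their behalf (proxy ARP). Any neighbour that answers with its own MAC is directly reachable at Layer 2, which means the isolation is not in effect. The neighbour-table lines below are constructed sample output of `ip -4 neigh show dev eth0`; the subnet, gateway address and interface name are assumptions.

```python
"""Added example (not Oktawave code): verify PVLAN isolated-mode behaviour from a guest."""
import ipaddress
import re
import subprocess

# One line of `ip -4 neigh show dev <iface>`: "<ip> dev <iface> lladdr <mac> <state>"
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)\s+lladdr\s+(?P<mac>[0-9a-fA-F:]{17})\s+(?P<state>\S+)$"
)

# Constructed sample: isolated OCI, every peer resolves to the gateway MAC (proxy ARP).
SAMPLE_ISOLATED = """\
198.51.100.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
198.51.100.23 dev eth0 lladdr 00:11:22:33:44:01 STALE
198.51.100.77 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
198.51.100.90 dev eth0 FAILED
"""

# Constructed sample: one peer answered ARP itself, so a direct L2 path exists.
SAMPLE_LEAKY = """\
198.51.100.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
198.51.100.23 dev eth0 lladdr de:ad:be:ef:00:23 REACHABLE
198.51.100.77 dev eth0 lladdr 00:11:22:33:44:01 STALE
"""


def parse_neigh(text):
    """Map resolved neighbour IPs to their MAC; FAILED/INCOMPLETE entries have no lladdr and are skipped."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[ipaddress.ip_address(m.group("ip"))] = m.group("mac").lower()
    return table


def check_isolation(neigh_text, subnet, gateway):
    """Return [(ip, mac)] for peers inside `subnet` whose MAC differs from the gateway's.

    An empty list is what isolated mode with proxy ARP should produce.
    Raises ValueError if the gateway itself is unresolved (ping it first).
    """
    net = ipaddress.ip_network(subnet)
    gw = ipaddress.ip_address(gateway)
    table = parse_neigh(neigh_text)
    if gw not in table:
        raise ValueError("gateway %s is not in the neighbour table" % gw)
    gw_mac = table[gw]
    leaks = [(ip, mac) for ip, mac in table.items()
             if ip in net and ip != gw and mac != gw_mac]
    return [(str(ip), mac) for ip, mac in sorted(leaks)]


def live_check(iface="eth0", subnet="198.51.100.0/24", gateway="198.51.100.1"):
    """Run the check against this host's real neighbour table (Linux; assumed iface/subnet).

    Only peers you have already exchanged ARP with appear, so populate the table first,
    e.g. `for i in $(seq 1 254); do ping -c1 -W1 198.51.100.$i & done; wait`.
    """
    out = subprocess.run(["ip", "-4", "neigh", "show", "dev", iface],
                         capture_output=True, text=True, check=True).stdout
    return check_isolation(out, subnet, gateway)


if __name__ == "__main__":
    for name, sample in (("isolated", SAMPLE_ISOLATED), ("leaky", SAMPLE_LEAKY)):
        print(name, check_isolation(sample, "198.51.100.0/24", "198.51.100.1") or "OK")
```

A clean result shows that ARP resolution for the subnet goes through the gateway. It does not by itself prove that the switch drops frames addressed to a peer's real MAC; confirming that requires a raw-socket or `arping` test against a MAC obtained out of band, and a reply from the peer would be the finding.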

Private networks (so-called OPN) based on VLAN

For OPN private networks in the Oktawave infrastructure, a fully functional VLAN is created covering all the elements of the infrastructure used by the customer. To give a specific server instance (OCI) access to an OPN, an interface must be created, mapped to the chosen OPN and given the appropriate IP addresses. Each customer can have multiple OPN networks. Access to a created OPN is limited at the physical level, on the network switches, to that specific customer.

Because of this complete separation, OPN networks are also completely cut off from public networks and are used mainly for segmenting the network within the architecture of the customer's application, separating individual network segments from one another (e.g. separating the application segment from the database or web server segments).

Communication between a customer's different OPN networks (or with the public network) is only possible through a server (OCI) equipped with traffic-filtering software, i.e. a firewall. It is the customer's role to run and configure the appropriate firewall rules (eliminating the risk of losing control over data).

This is familiar from classic dedicated architectures, where selected servers act as firewalls controlling traffic between the created VLANs.

From the perspective of data security, protection of the public network using PVLAN protects data against attempts to capture data packets in transit on the local segment (loss of control, swapping). The OPN service protects internal data (not transmitted over a public channel) against unauthorised eavesdropping on the transmission, and enables filtering and assignment of access rights to individual segments. Note that PVLAN isolates only the local segment: traffic beyond the access gateway is not protected by it, so transport encryption (TLS, SSH, VPN) for data leaving the cloud remains the customer's responsibility.

Protection of data in the logical range

As with physical security, logical protection is divided into four areas.

Managing access to data through the process manager (the hypervisor)

Oktawave uses only VMware ESX (VMware vSphere 5.0), which is widely known on the market, as the process manager (hypervisor) serving each OCI run by customers. VMware vSphere is software with EAL4+ certification, regarded as a leading security standard and especially important for institutional and government clients. Note that a Common Criteria evaluation applies to the specific product version and evaluated configuration. More information about the certification level: http://en.wikipedia.org/wiki/EAL4. More information about VMware certification can be found here:

In addition, Oktawave uses many protective mechanisms of its own, including solutions ensuring isolation of customers' block data. One of them is the use of the Kerberos protocol in the authentication mechanism of the management platform (http://admin.oktawave.com). This ensures that all operations carried out by the platform, at every stage, are performed in the context of the logged-in user (delegation of rights).

Another protective mechanism is logical separation of data at the level of OVS drives, using the SCSI protocol in the layer that presents data to the hypervisor. Each OVS disk volume is also connected to a specific OCI chosen by the customer through a dedicated LUN (logical unit number, the unique identifier under which the disk is presented).


The method of allocating and revoking access to data

The method of managing access to data is determined by the mechanisms for allocating OVS disk space. Oktawave allows the customer to assign the required number of OVS volumes to an OCI server; however, the application installed on the OCI server by the customer must itself regulate access to the data. This is the same scenario as with physical servers, where the application determines who has the right to access data stored on the server's local hard disk. In the OCI case, the application manages access rights to data stored on OVS disks in the same way.

In this context, Oktawave's responsibility for allocating and revoking access to data is limited to allowing the appropriate OVS disk to be allocated to a specific OCI server, with a guarantee that the data stored on the disk is accessible only to the OCI to which the drive is connected.

For sensitive data, OVS disk encryption may be used, performed by encryption software installed on the OCI. Encryption is then done inside the OCI operating system and Oktawave (the supplier) has no real way of acquiring and decrypting the data (it does not hold the encryption keys). This protection is only as strong as the key handling: the key must not be stored in plaintext on another volume of the same OCI, and anyone with an operating-system account on a running OCI (see the tech-support account below) can read the mounted, decrypted volume.

The following properties are noteworthy:

  • each created OCI is initially equipped with a tech-support service account (an account in the OCI operating system) that allows assistance in configuring the OCI operating system. The password for the tech-support account is stored in the secured Oktawave management platform, and only system administrators have access to it. The customer may at any time decide to remove the tech-support account from any running OCI (e.g. before uploading their own data). Oktawave technical support is then deprived of access to the stored data (and, at the same time, of the ability to assist the customer during setup or daily administration),
  • Oktawave administrators have the technical ability to clone copies of customer data (a function provided by VMware vSphere), but this feature is strictly limited to the highest-level administration team. The functionality has a precise built-in mechanism for logging information about the cloning process, including at least the person performing the clone and the time of the operation. Oktawave needs this functionality to retain the ability to hand over data to the relevant police departments at the request of the competent state bodies without the risk of destabilising the entire infrastructure. It is the mechanism that, in the dedicated-server world, corresponds to seizing a physical server located in the data center as evidence. Note that in the case of encrypted OVS volumes the content remains encrypted, and therefore unreadable, even when cloned.


Method of removing deleted data

In the Oktawave infrastructure, data removal is as simple as removing an OVS disk volume. Two cases should be distinguished:

  • removal of data by the application supplied/operated on the OCI to which the OVS disks are connected,
  • removal of OVS drives from the Oktawave infrastructure.

When data is deleted by the application supplied/operated on the OCI, the application should have mechanisms for securely removing the data (overwriting it multiple times with random byte sequences). Oktawave never intervenes in the process of writing or erasing data on OVS drives. Note that overwriting from inside the guest only reaches the logical blocks the guest writes; it cannot reach copies retained by the hypervisor or storage layer (for example a clone made earlier), so for sensitive data encryption inside the OCI remains the more reliable control.

When an OVS disk is removed from the Oktawave infrastructure, the map that records the addresses of the data blocks belonging to the removed OVS disk is deleted. No overwriting takes place at that point. However, whenever a new OVS disk is created, the data area assigned to it is pre-set to zero (overwritten with 0 bytes). Consequently, any newly created OVS disk, even if it contains data blocks previously used by a deleted OVS, holds no data.
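The two guest-side actions described above (secure overwrite before deleting data, and confirming that a freshly attached OVS disk really reads as zeros) can both be done from inside the OCI. The following Python script is an added example, not Oktawave code: `overwrite_random` performs multi-pass random overwriting of a file or block device, and `is_zeroed` reads a volume and reports whether every byte is 0x00. The `demo` function uses constructed temporary files as stand-ins for a fresh and a used volume; running it against a real device such as `/dev/sdb` (an assumed name) needs root.

```python
"""Added example (not Oktawave code): guest-side checks around the OVS volume lifecycle."""
import os
import sys
import tempfile

CHUNK = 1 << 20  # read/write in 1 MiB pieces


def device_size(f):
    """Size in bytes of an open file or block device (os.path.getsize returns 0 for devices)."""
    cur = f.tell()
    f.seek(0, os.SEEK_END)
    size = f.tell()
    f.seek(cur)
    return size


def is_zeroed(path, sample_every=1):
    """True if every checked chunk of `path` is all 0x00.

    sample_every=1 reads the whole volume; N>1 checks every Nth chunk (spot check on large disks).
    """
    zero = bytes(CHUNK)
    with open(path, "rb") as f:
        idx = 0
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return True
            if idx % sample_every == 0 and chunk != zero[:len(chunk)]:
                return False
            idx += 1


def overwrite_random(path, passes=3):
    """Overwrite `path` in place `passes` times with os.urandom data, fsyncing after each pass.

    Returns the number of bytes written per pass. Delete the file or detach the volume afterwards.
    Only the logical blocks written here are affected; snapshots or clones are untouched.
    """
    with open(path, "r+b") as f:
        size = device_size(f)
        for _ in range(passes):
            f.seek(0)
            left = size
            while left:
                n = min(CHUNK, left)
                f.write(os.urandom(n))
                left -= n
            f.flush()
            os.fsync(f.fileno())
    return size


def demo():
    """Constructed stand-ins: a fresh zero-filled 'volume' and a used one holding customer data."""
    fresh = tempfile.NamedTemporaryFile(delete=False)
    fresh.write(bytes(4 * CHUNK))
    fresh.close()
    used = tempfile.NamedTemporaryFile(delete=False)
    used.write(b"customer record 42\n" * 100000)
    used.close()
    try:
        fresh_zeroed = is_zeroed(fresh.name)
        used_zeroed = is_zeroed(used.name)
        with open(used.name, "rb") as f:
            before = f.read()
        written = overwrite_random(used.name, passes=2)
        with open(used.name, "rb") as f:
            after = f.read()
        return (fresh_zeroed, used_zeroed, written == len(before),
                len(after) == len(before), b"customer record" not in after)
    finally:
        os.unlink(fresh.name)
        os.unlink(used.name)


if __name__ == "__main__":
    if len(sys.argv) == 2:  # e.g. python3 ovs_check.py /dev/sdb  (assumed device name, needs root)
        print("zeroed" if is_zeroed(sys.argv[1], sample_every=64) else "contains data")
    else:
        print(demo())
```

On a newly attached OVS disk `is_zeroed` should return True before any filesystem is created on it; a False result on a disk the platform presents as new is worth reporting. The overwrite is a file-level control only: it does not change what the hypervisor or storage tier may hold elsewhere, which is why the document's recommendation of in-guest encryption for sensitive data stands.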


Isolation of data between subregions

To allow HA (High Availability) environments to be built in the Oktawave infrastructure, the concept of subregions was introduced. Subregions are physically independent segments (clusters) of the Oktawave network that share no physical devices with one another. The individual subregions are located within a single data center.

As a result, OCI instances and OVS drives run in different subregions can continue working even if one of the subregions fails. This design allows the customer to place a system/application in one subregion with a redundant copy in a second one. Then, using the load-balancing functionality (another Oktawave service), the user can spread the load between the application copies in two (or more) subregions.

This function does not directly affect the risk of data loss or of losing control over data, but it can significantly increase the availability of data. Because all subregions are in one data center, they protect against cluster failure, not against events affecting the whole site.

Independently of subregions, Oktawave also provides the HA mechanisms built into the VMware hypervisor software.


Regular security scanning

Because various types of data entrusted to the Oktawave infrastructure are processed, including transactional data, the Oktawave platform is regularly (quarterly) subjected to the external security scan required by PCI DSS. The result of the most recent scan of the infrastructure is available at: https://pci.usd.de/compliance/3514-FCBB-F7A9-8321-8A8D-CAB9/details_en.html.


Summary

In addition to the data security mechanisms above, Oktawave can, under contract, define appropriate (non-standard) rules relating to:

  • the SLA, including definitions of response and resolution times for failures and responsibility for unplanned outages,
  • the method and extent of data processing,
  • the level of administrative support,
  • mechanisms for monitoring and notifying the customer of potential problems,
  • the data backup policy.


Attachments
  extended specification of oktawave cloud platform security aspects_v2.pdf (640.04 KB)
  attestation_of_scan_compliance_9695-3.pdf (126.24 KB)