Introduction
In the rapidly changing world of Internet cyber threats and security, the integrity of your hosting services is critical to the success of your online operations and must be properly managed and protected.
This document seeks to provide you with information about how Squiz manages these risks and the security capabilities Squiz Cloud hosting can provide for your organization.
Defense in depth
Squiz employs a range of measures across different layers of the Squiz Cloud network and infrastructure to ensure your website and its data are protected by several types of defense without reliance on any single mechanism.
Squiz Cloud defense-in-depth layers
Layer | Defense | Description |
---|---|---|
Internet Border | Multiple diverse internet providers | Adds redundancy by having multiple data centers and multiple internet service providers. |
Internet Border | Direct Tier 1 network connectivity | A Tier 1 ISP is an ISP that has access to the entire Internet Region solely via its free and reciprocal peering agreements. |
Internet Border | Always-on DDOS protection | Cloudflare for Network and Transport layer DDoS protection, and the native DDoS protection built into our service provider’s networks. |
Access Layer | Real-time traffic analysis | Internal monitoring tools providing network and server log analytics for our technical staff to support the infrastructure and servers used to host customer systems. |
Access Layer | Intrusion detection systems | Systems designed to notify Squiz when adverse behavior is detected. |
Access Layer | Traffic filtering | Firewalls are used to block unwanted traffic from reaching in or out of the environment. |
Access Layer | Highly available, fully redundant network infrastructure | Leveraging multiple diverse internet providers, we have systems configured to enable us to switch to disaster recovery or highly available systems to reduce problems with service delivery of our systems. |
Services Layer | Hardened operating system builds | Making sure servers, operating systems, networking devices, etc. are configured in a secure way based on international best practices from baselines and vendor recommendations. |
Services Layer | Service anomaly detection | Additional monitoring systems on the server layer provide specific information on how a specific instance is used, which helps to analyze problems and react quickly to apply security fixes. These systems also provide notification if adverse behavior is detected. |
Services Layer | Proven content management software | We have been a CMS for a long time, and staff expertise in how to use content in the right way provides the ability to design solutions in the best and most secure way possible. Matrix is also a mature system, which has been tested and updated regularly. |
Services Layer | High-speed distributed storage | To prevent problems with service delivery, the drives used as part of Squiz Cloud have high read/write rates and have the ability to be changed in the event of hardware failure. |
Our network border equipment is resistant to infrastructure DOS and DDOS attacks while providing high-speed access to domestic and international Internet destinations, even under adverse network conditions.
We monitor all traffic that traverses our border network for known attack signatures and use analytical software to detect patterns and trends that might indicate security threats.
DDOS protection where it counts
... which is everywhere. Over recent years DDOS attacks have become a growing threat to the uptime of high-profile websites. Squiz has made significant investments in DDOS detection and mitigation infrastructure and has gained experience by successfully mitigating dozens of major DDOS attacks made against our customers.
Always on
The Squiz approach to DDOS protection is to build it into the fabric of the Squiz Cloud so that all customers on the Squiz Cloud get the benefit of high-grade DDOS protection all the time.
Many hosting providers will simply disable hosting for a customer that experiences a DDOS attack, but on the Squiz Cloud we will work to keep your site online regardless of whether your site appears to be the target of an attack or not.
This protection also covers the Squiz Cloud infrastructure itself, so if attackers don’t have success attacking your site on the Squiz Cloud, there are no alternative infrastructure targets to attack.
Advanced detection technology
Squiz Cloud includes a network of global high-performance traffic monitors which monitor all traffic entering the Squiz network in real-time and detect DDOS attacks in less than ten seconds. Once this occurs, details of the DDOS attack are immediately released to our support team, and DDOS traffic is automatically removed before it even arrives at the Squiz network.
Mitigation on the Internet backbone
Our DDOS mitigation provider has direct peering with multiple Tier 1 Network providers, which means they can mitigate DDOS attacks that are unlimited in size by scrubbing out the bad DDOS traffic deep in the backbone networks on the Internet. Once that’s done, they pass the legitimate traffic back to Squiz Cloud to keep Squiz Cloud customers online.
Double infrastructure = Double reliability
The Squiz Cloud was built with high availability in mind, using enterprise-grade equipment in high-quality data centers. All Squiz Cloud data centres provide dual redundant power circuits with UPS in the event of mains power failure. If a server running your service fails, we have another one ready to automatically take over and keep your site online without data loss.
This equipment is connected by a fully redundant local network with no single point of failure.
Multiple data centres
Squiz maintains servers in multiple data centers and is able to supply geographically diverse DR facilities with near real-time replication of customer data between data centers. This allows your website to get back online and be fully functional after a disaster at its primary site with next to no data loss.
Always offsite backups
Regardless of whether a customer selects to use one or multiple Squiz data centers, all Squiz Cloud services are backed up on a nightly basis and replicated offsite to a separate location within the same country. This ensures that customer data is always available for restoration in the event of a disaster or corruption at any of our primary data centers.
Diverse Internet connectivity
Squiz data centers have multiple Internet providers available 24x7, 365 days a year, and can re-route traffic on-the-fly to avoid network outages or external congestion that might degrade performance for your users. Our internal network infrastructure is fully redundant with multiple pathing and automatic failover for traffic to and from all customer services.
The Squiz monitoring system has sensor nodes deployed around the world that feed information regarding the health of not only the Squiz network and services but the Internet at large. Squiz support teams use this information to more quickly diagnose problems users are experiencing and can often route user traffic around problems outside the Squiz Cloud network.
Always on monitoring and support
The security situation of the Internet is constantly changing. To counter this, Squiz Cloud services are monitored 24/7 by a suite of customized checks that raise alerts as soon as a problem occurs.
Squiz has a follow-the-sun support arrangement via our Squiz Support office in the UK, so dedicated support personnel are always available to intelligently respond to alerts or changing network conditions.
Squiz’s server audit system updates an online dashboard for system administrators on a daily basis and can spot problematic security configurations and conditions before they cause service degradation or security incidents.
Situational awareness for improved security
When providing security on the Internet, it is important to consider the larger global security scenario. After all, the Internet connects everyone to everyone. With this in mind, Squiz security staff don’t just monitor technical alert notifications; we also monitor news and social media to watch for changes in behaviour that might indicate a risk to Squiz customers or networks.
Squiz works with customers to understand specific risks they may be aware of, based on past history or information they have received directly. Where customers can provide information regarding these threats, Squiz is able to correlate that information against network traffic analysis data to assess the threat and determine the best course of action. Taking the time to acquire this specific threat information improves security and reliability for that customer and for the Squiz network as a whole.
We maintain a technical dialogue with our network provider partners to gather information about issues on the wider Internet and are in contact with special interest groups and law enforcement agencies to stay on top of more general changes in the security situation.
Vulnerability analysis based on experience
Squiz has a formal policy for monitoring security alerts and categorizing security issues. The experienced Squiz security team uses a range of security information sources to gather information regarding the latest known security issues.
These issues are then analyzed within the context of how they would impact Squiz-supported systems and customers and categorized accordingly. Advice from the security team on how best to handle new vulnerabilities is distributed to Squiz production teams to ensure that Squiz customers get the greatest possible benefit from Squiz’s expertise and continue to be protected from emerging online threats.
Regular security scans
Squiz commissions independent third-party penetration tests against the Squiz Cloud bi-annually. These penetration tests cover network, service, and web application testing. Automated network scans run daily to detect anomalous network configurations. Exceptions from these scans are reviewed by Squiz staff.
For servers that are maintained to PCI DSS compliance, an Approved Scanning Vendor is used to perform a detailed network and vulnerability assessment of all relevant IPs before PCI compliance is certified for that customer.
A public cloud, but private services
The Squiz Cloud is a public cloud service, but we understand that control over your data is important. That’s why the Squiz Cloud provides dedicated virtual machines for all Customer services, which enforce separation between customers.
There are two main mechanisms that enforce isolation between customers:
Server firewalls
In addition to border access control lists and PCI firewalls (where required), all Squiz Cloud customer servers run deny-by-default host-based firewalls that restrict all traffic flows except those needed to meet customer requirements.
Squiz Cloud monitoring will detect and raise alerts if the server firewall configuration deviates from what is stored in the centralized configuration repository.
Virtualization
Squiz Cloud uses a hypervisor framework that ensures customer virtual machines are unable to access each other’s memory, CPU, or storage resources. When a customer VM is decommissioned, the virtual disks are deallocated to ensure the data on those disks is not readable when the underlying physical storage media is allocated to another VM.
Physical security
All Squiz Cloud customer data is stored within secure Squiz data centers. Customers may select to store data within a single data center (with offsite backups), multiple data centers within a single sovereign territory, or multiple data centers worldwide.
Squiz only uses high-quality colocation facilities operated at UTI Tier III or better standards to ensure robust physical security and very high levels of reliability. This means that at a minimum, all Squiz data centers have:
- 24/7 security personnel
- CCTV
- ID card and/or biometric authentication
- Redundant Power & Cooling
- Advanced fire suppression systems
Data center locations
Australia
- Global Switch West, Sydney
- NextDC M1, Port Melbourne
United Kingdom
- The Bunker, Ash
- The Bunker, Newbury (DR only)
United States
- NTT Global Data Centres, Sacramento
- Cologuard, New York (DR only)
Security standards
ISO 27001:2022
The Squiz Cloud support teams, as well as all Squiz data center providers worldwide, are fully ISO 27001:2022 compliant and accredited. BSI certificates of ISO compliance are available upon request.
PCI DSS
Squiz Cloud is able to provide PCI DSS v3 compliant hosting for customers that process credit card information. PCI DSS compliance is enabled on a customer-by-customer basis, depending on the customer's requirements.
CIS Benchmark and hardening
Squiz uses the CIS Benchmark for hardening servers and network devices to a well-defined standard. All Squiz Cloud network devices are hardened to CIS Benchmark Level 1 if applicable. Customer servers can be optionally hardened to CIS Benchmark Level 1.
Cloud Security Alliance (STAR)
Squiz has completed the CSA STAR registration and our response to the CSA security questionnaire is available online for review by Squiz customers.
OWASP Top 10
Squiz Labs produces Squiz’s software, including the Squiz Matrix and Squiz Roadmap products. During the development and maintenance of these products, Squiz Labs developers code against the OWASP Top 10 risk mitigation strategies, and any code found during review to be contrary to these strategies is registered as a bug and rewritten.
Australian Signals Directorate ‘Top 4’
The Australian Signals Directorate (ASD) estimates that 85% of cyber attacks can be prevented by mitigating the ‘top 4’ risks in computing facilities:
Mitigation 1: application whitelisting
Squiz primarily uses the Linux operating system for its Squiz Cloud servers and limits which applications can be installed on these servers by mandating the use of approved software repositories. Automated configuration control and daily audits ensure that unauthorized software and configurations are not installed or run on Squiz Cloud servers. This is in accordance with ASD recommendations for application whitelisting.
In addition, Squiz deploys systems with the SELinux Mandatory Access Control security mechanism, which provides kernel-level controls on network and file system assets available to users and processes and provides effective mitigation against application abuse.
Mitigation 2: patch applications
Squiz Labs releases security patches for the Squiz Matrix CMS as required, which are then applied after coordination with each client. In the event of a security vulnerability being actively exploited in the wild, Squiz reserves the right to apply security patches to customer servers immediately and notify the customer as soon as possible.
Mitigation 3: patch the operating system
Squiz monitors software vendor and industry security alert mailing lists for alert notifications of vulnerabilities in software used within the Squiz Cloud. In the event that a security alert impacts software in the Squiz Cloud, Squiz Account Managers work with customers to schedule a time for Squiz to patch the operating system. Squiz also aims to install all non-critical operating system updates within six months and runs daily audit checks to ensure that servers have not fallen behind in OS patches or been left in a vulnerable state.
Similar to application patching, Squiz reserves the right to apply OS patches and updates for customer servers immediately if required to maintain the integrity of the Squiz Cloud service.
Mitigation 4: minimize administrative privileges
Administrative privileges on Squiz Cloud servers are restricted to Squiz System Administrators who require this access to support and manage the Squiz Cloud. These System Administrators have been selected by Squiz for their experience and skills and undergo a thorough Squiz induction and training program before being granted administrative privileges. Administrator privileges are managed from a central configuration control system and can be added and revoked across all servers as required.