Data Center Security Specifications
At Veriato, the security of customer data and privacy is paramount. Our online server platform is Amazon Web Services (AWS), which comes with extensive security measures.
AWS Physical Security Specifications
AWS Data Centers are built with state-of-the-art design, architecture, and engineering methods. Amazon applies its many years of experience with large-scale data centers to the AWS platform, infrastructure, and security. Physical facility security measures are listed below.
Data Center Locations
AWS data centers are housed in nondescript facilities at undisclosed locations. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means.
In addition to on-site security teams, AWS Security Operations Centers, located around the world, monitor sites, perform regular threat and vulnerability reviews, triage and respond to incidents, and provide 24/7 support to the on-site security teams.
Data Center Facility Access
To gain access to any data center floor, authorized staff must pass two-factor authentication a minimum of two times. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.
Physical access to data centers, and information about them, is provided only to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, that access is immediately revoked, even if the person remains an employee of Amazon or Amazon Web Services. All physical access to data centers by AWS employees is logged and audited routinely.
Fire Detection & Suppression
Automatic fire detection and suppression equipment has been installed to reduce risk. The fire detection system utilizes smoke detection sensors in all data center environments, mechanical and electrical infrastructure spaces, chiller rooms and generator equipment rooms. These areas are protected by either wet-pipe, double-interlocked pre-action, or gaseous sprinkler systems.
Data Center Power
The data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, seven days a week. Uninterruptible Power Supply (UPS) units provide back-up power for critical and essential loads in the facility in the event of an electrical failure. Data centers use generators to provide back-up power for the entire facility.
Climate & Temperature
Climate control is required to maintain a constant operating temperature for servers and other hardware, which prevents overheating and reduces the possibility of service outages. Data centers are conditioned to maintain atmospheric conditions at optimal levels. Personnel and systems monitor and control temperature and humidity at appropriate levels.
AWS Data Center Reliability and Availability
Data centers are built in clusters in various global regions. All data centers are online and serving customers; no data center is “cold.” In case of failure, automated processes move customer data traffic away from the affected area. Core applications are deployed in an N+1 configuration, so that in the event of a data center failure, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites.
Redundancy
AWS provides the flexibility to place instances and store data within multiple geographic regions as well as across multiple availability zones within each region. Each availability zone is designed as an independent failure zone. This means that availability zones are physically separated within a typical metropolitan region and are located in lower-risk flood plains (specific flood zone categorization varies by Region).
In addition to discrete uninterruptible power supply (UPS) and onsite backup generation facilities, data centers are each fed via different grids from independent utilities to further reduce single points of failure. Availability zones are all redundantly connected to multiple tier-1 transit providers.
Management
AWS monitors electrical, mechanical, and life support systems and equipment so that any issues are immediately identified. Preventative maintenance is performed to maintain continuous operation of equipment.
Incident Response
The Amazon Incident Management team employs industry-standard diagnostic procedures to drive resolution during business-impacting events. Staff operators provide 24x7x365 coverage to detect incidents and to manage the impact and resolution.
AWS Data Center Network Security
The AWS network architecture permits customers to select the level of security and resiliency appropriate for the workload. To enable you to build geographically dispersed, fault-tolerant web architectures with cloud resources, AWS has implemented a world-class network infrastructure that is carefully monitored and managed.
Secure Network Architecture
Network devices, including firewalls and other boundary devices, are in place to monitor and control communications at the external boundary of the network and at key internal boundaries within the network. These boundary devices employ rule sets, access control lists (ACLs), and configurations to enforce the flow of information to specific information system services. ACLs, or traffic flow policies, are established on each managed interface and enforce the flow of traffic through it. ACL policies are approved by Amazon Information Security and are automatically pushed using AWS’s ACLManage tool, to help ensure these managed interfaces enforce the most up-to-date ACLs.
Secure Access Points
AWS has strategically placed a limited number of access points to the cloud to allow for more comprehensive monitoring of inbound and outbound communications and network traffic. These customer access points are called API endpoints; they are reachable over HTTPS, so you can establish a secure communication session with your storage or compute instances within AWS. In addition, AWS has implemented network devices that are dedicated to managing communications with Internet service providers (ISPs). AWS employs a redundant connection to more than one communication service at each Internet-facing edge of the AWS network, and each of these connections has dedicated network devices.
Compliance
The IT infrastructure that AWS provides to its customers is designed and managed in alignment with security best practices and a variety of IT security standards, including:
- SOC 1/SSAE16/ISAE 3402 (formerly SAS 70)
- SOC 2
- SOC 3
- FISMA, DIACAP, and FedRAMP
- DOD CSM Levels 1-5
- PCI DSS Level 1
- ISO 9001 / ISO 27001
- ITAR
- FIPS 140-2
- MTCS Level 3
Storage Device Decommissioning
When a storage device has reached the end of its useful life, AWS procedures include a decommissioning process that is designed to prevent customer data from being exposed to unauthorized individuals. AWS uses the techniques detailed in DoD 5220.22-M (“National Industrial Security Program Operating Manual”) or NIST SP 800-88 (“Guidelines for Media Sanitization”) to destroy data as part of the decommissioning process. All decommissioned magnetic storage devices are degaussed and physically destroyed in accordance with industry-standard practices.
Veriato Client-Server Security
The following measures ensure the integrity and security of data transport between client (agent recorder) and server:
- Transport Layer Security (TLS): All client-server communication uses TLS/SSL connections. Server certificates are signed with a SHA-2 family signature algorithm and carry RSA 2048-bit public keys, and all TLS/SSL certificates are issued by GoDaddy Secure Certification Authority Class 2.
- File Encryption: All recorded data from monitored client machines is encrypted with 3DES (192-bit key, i.e. three 64-bit DES keys) before it leaves the client; the 3DES key is derived from a salted SHA-1 (160-bit) hash of target machine identifiers. Data is encrypted at the client before being transmitted to the server, so the TLS layer and the file encryption are independent protections. Note that three-key 3DES provides an effective strength of 112 bits and is disallowed for new encryption by NIST SP 800-131A Rev. 2 after 2023, so the file-level parameters are weaker than those of the transport layer.
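A check a practitioner would want for the transport described above, written here as an added Go example (not Veriato's code): it tests a parsed X.509 certificate against the two stated parameters, a SHA-2 family signature algorithm and an RSA public key of at least 2048 bits. The certificate it tests is a throwaway self-signed one generated inside the block; the common name `agent-endpoint.example` and the `CertPolicy` type are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CertPolicy holds the transport parameters stated for the agent-to-server
// connection: a SHA-2 family signature and an RSA key of at least MinRSABits.
// (Assumed name for this example.)
type CertPolicy struct {
	MinRSABits int
}

// CheckCertificate returns nil when cert satisfies the policy, otherwise an
// error naming the first requirement it fails. It inspects only the parsed
// certificate; chain validation against the issuing CA is left to the TLS stack.
func CheckCertificate(cert *x509.Certificate, p CertPolicy) error {
	switch cert.SignatureAlgorithm {
	case x509.SHA256WithRSA, x509.SHA384WithRSA, x509.SHA512WithRSA,
		x509.SHA256WithRSAPSS, x509.SHA384WithRSAPSS, x509.SHA512WithRSAPSS:
		// SHA-2 family with RSA: acceptable.
	default:
		return fmt.Errorf("signature algorithm %s is not a SHA-2/RSA algorithm", cert.SignatureAlgorithm)
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return errors.New("public key is not RSA")
	}
	if bits := pub.N.BitLen(); bits < p.MinRSABits {
		return fmt.Errorf("RSA modulus is %d bits, policy requires at least %d", bits, p.MinRSABits)
	}
	return nil
}

// selfSigned builds a throwaway self-signed certificate so the check can be
// exercised offline. It is constructed test data, not a Veriato certificate.
func selfSigned(bits int, sigAlg x509.SignatureAlgorithm) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:       big.NewInt(1),
		Subject:            pkix.Name{CommonName: "agent-endpoint.example"}, // assumed name
		NotBefore:          time.Now().Add(-time.Hour),
		NotAfter:           time.Now().Add(24 * time.Hour),
		SignatureAlgorithm: sigAlg,
		KeyUsage:           x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	policy := CertPolicy{MinRSABits: 2048}
	good, err := selfSigned(2048, x509.SHA256WithRSA)
	if err != nil {
		panic(err)
	}
	fmt.Println("RSA-2048 / SHA-256 certificate:", CheckCertificate(good, policy))

	// The same key under a SHA-1 signature fails the policy. Only the two
	// fields the check reads are populated, so no SHA-1 signing is performed.
	legacy := &x509.Certificate{SignatureAlgorithm: x509.SHA1WithRSA, PublicKey: good.PublicKey}
	fmt.Println("SHA-1 signed certificate:", CheckCertificate(legacy, policy))
}
```

To run the same check against a live endpoint, open the connection with `tls.Dial` and pass `conn.ConnectionState().PeerCertificates[0]` to `CheckCertificate`; the issuer can then be compared against the expected CA in the same place, something this offline example cannot do.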
Veriato Application Security
The Veriato production network is secured by several measures. All servers are configured for private IP addresses, and access to them is tightly controlled via Network Address Translation (NAT) as well as a Cisco firewall platform. (More specifics on this platform cannot be given for security reasons.)
Veriato Database Security
Access to our database is strictly controlled. Only the database administration team has access to connect directly to the database server, and all access to the database is through individualized accounts. All accounts require strong passwords of a minimum length of eight characters, consisting of upper and lower case letters, numbers, and special characters. All failed login attempts to the database are logged and reviewed to detect any brute-force attempts against the database.
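The failed-login review described above, as an added Go example (not Veriato's code) of the detection logic such a review would run: it parses authentication-failure records and flags any source address that produced at least a threshold number of failures inside a sliding time window, which separates a credential-guessing burst from an administrator mistyping a password. The log format and the sample lines are constructed for the example and do not represent any particular database engine's output; the `auth-failed` format, the addresses and the usernames are assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"sort"
	"strings"
	"time"
)

// FailedLogin is one parsed authentication-failure record.
type FailedLogin struct {
	At   time.Time
	User string
	Src  string
}

// sampleLog is constructed input in an assumed "key=value" format, not output
// from a specific database engine. 203.0.113.7 hammers the "sa" account six
// times in ten seconds, while 10.0.5.20 fails three times over five minutes.
const sampleLog = `2024-03-26T10:00:01Z auth-failed user=dba_jsmith src=10.0.5.20
2024-03-26T10:00:03Z auth-failed user=sa src=203.0.113.7
2024-03-26T10:00:04Z auth-failed user=sa src=203.0.113.7
2024-03-26T10:00:06Z auth-failed user=sa src=203.0.113.7
2024-03-26T10:00:08Z auth-failed user=sa src=203.0.113.7
2024-03-26T10:00:10Z auth-failed user=sa src=203.0.113.7
2024-03-26T10:00:13Z auth-failed user=sa src=203.0.113.7
2024-03-26T10:02:30Z auth-failed user=dba_jsmith src=10.0.5.20
2024-03-26T10:05:00Z auth-failed user=dba_jsmith src=10.0.5.20
`

// ParseFailedLogins reads the format above. A malformed line is an error
// rather than silently skipped, so a log-format change cannot blind the review.
func ParseFailedLogins(r io.Reader) ([]FailedLogin, error) {
	var out []FailedLogin
	sc := bufio.NewScanner(r)
	for n := 1; sc.Scan(); n++ {
		f := strings.Fields(sc.Text())
		if len(f) == 0 {
			continue // blank line
		}
		if len(f) != 4 || f[1] != "auth-failed" ||
			!strings.HasPrefix(f[2], "user=") || !strings.HasPrefix(f[3], "src=") {
			return nil, fmt.Errorf("line %d: unexpected format: %q", n, sc.Text())
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", n, err)
		}
		out = append(out, FailedLogin{
			At:   at,
			User: strings.TrimPrefix(f[2], "user="),
			Src:  strings.TrimPrefix(f[3], "src="),
		})
	}
	return out, sc.Err()
}

// BruteForceSources returns, sorted, every source address with at least
// threshold failures inside some interval of length window. A sliding window
// over the sorted timestamps catches bursts regardless of clock alignment.
func BruteForceSources(events []FailedLogin, window time.Duration, threshold int) []string {
	bySrc := map[string][]time.Time{}
	for _, e := range events {
		bySrc[e.Src] = append(bySrc[e.Src], e.At)
	}
	var flagged []string
	for src, ts := range bySrc {
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		lo := 0
		for hi := range ts {
			for ts[hi].Sub(ts[lo]) > window {
				lo++ // drop events that fell out of the window ending at ts[hi]
			}
			if hi-lo+1 >= threshold {
				flagged = append(flagged, src)
				break
			}
		}
	}
	sort.Strings(flagged)
	return flagged
}

func main() {
	events, err := ParseFailedLogins(strings.NewReader(sampleLog))
	if err != nil {
		panic(err)
	}
	fmt.Println("sources with 5+ failures in one minute:", BruteForceSources(events, time.Minute, 5))
}
```

The threshold and window are the tuning knobs: five failures in a minute flags the external address and not the administrator, while a looser setting such as three failures in ten minutes flags both, so the numbers should be chosen against the team's real failure rate rather than copied from here.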
Our database administration team is based in the USA, and consists of individuals with the highest levels of training and certification. They are all bound by personnel and corporate policies not to access customer account information without team lead approval and business need.
All database servers are kept current with the latest security patches for both the operating system and the database platform, to limit the exposure if someone were able to breach the network firewall.
Updated: 03/26/2024