Backup and Restore Session Security
At the core of the Internet Vaulting solution is the DS Client management application. This piece of software enables all backup and retrieval behavior at the client level. At the time of backup, the software scans the pre-configured backup sets, and determines what data to send to the offsite, highly available, mirrored Internet Vaulting Data Center servers.
Backup is initiated when:
• The DS Client contacts the Data Center via a TCP/IP socket.
• The connection is authenticated via the unique machine ID key.
• Following authentication, the management application encrypts each file flagged for backup with AES [56-bit, 128-bit, 192-bit or 256-bit key] and sends the data to our secure Data Center.
• The Vaults organize all the encrypted files from a given client’s backup session into a proprietary folder system on the server’s file system, leaving the files encrypted.
Restores are initiated when:
• The DS Client contacts the Data Center.
• The DS Client then sends to the Data Center a list of files to retrieve.
• The Data Center transmits the encrypted files to the client, and the DS Client decrypts them upon arrival and places them within a customer specified location.
Note: Prior to any backup or restore activities, a valid username and password MUST be entered to gain access to the DS Client management application. Requiring a username and password can prevent unauthorized persons with physical access to the DS Client machine from performing any malicious activities.
Archival Security
The data sent from the DS Client to the Data Vaults is sent either as entire files or as 4K delta blocks (changes to files previously backed up). Data is encrypted prior to transmission from the DS Client machine. To prevent unauthorized parties from gaining access to user data on the server:
Internet Vaulting encrypts all data with encryption algorithms
§ AES [56-bit, 128-bit, 192-bit or 256-bit key]
§ The encrypted output is sent to the Data Vaults. The Data Vaults store the encrypted files without decrypting them.
It is important to note that the Internet Vaulting Data Vaults are established as storage repositories and are not part of a communications system. The data vault servers do not provide a view to user data. As a result, in the highly unlikely event that an individual is able to gain access to user data files on the server, that individual would not be able to view the data.
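Added example, not Internet Vaulting's code: because data is encrypted before it leaves the DS Client and the Data Vaults never decrypt it, the selection of changed 4K blocks happens on the client, before encryption. The keyed per-block hashes, the local manifest and the function names are assumptions (the page does not say how the DS Client detects changes), and the AES encryption of each selected block is not shown.

```python
from __future__ import annotations

import hashlib
import hmac

BLOCK_SIZE = 4096  # the "4K delta blocks" named on the page


def block_tags(data: bytes, manifest_key: bytes) -> list[str]:
    """Keyed tag per 4K block (assumed scheme). Keyed so that a leaked
    manifest cannot be used to confirm guesses about plaintext blocks."""
    return [
        hmac.new(manifest_key, data[off:off + BLOCK_SIZE], hashlib.sha256).hexdigest()
        for off in range(0, len(data), BLOCK_SIZE)
    ]


def plan_backup(data: bytes, previous: list[str] | None, manifest_key: bytes):
    """Return (mode, block_indexes, new_manifest).

    mode is "full" for a file never backed up, otherwise "delta".
    block_indexes lists the blocks that must be encrypted and sent.
    """
    current = block_tags(data, manifest_key)
    if previous is None:
        return "full", list(range(len(current))), current
    changed = [
        i for i, tag in enumerate(current)
        if i >= len(previous) or tag != previous[i]
    ]
    return "delta", changed, current


def truncated(previous: list[str], current: list[str]) -> bool:
    """A shrunken file may yield no changed blocks, so the new length
    has to be recorded alongside the delta."""
    return len(current) < len(previous)


# Constructed sample: a 10,000-byte file (3 blocks), then an edit inside
# block 1 plus an append that extends block 2 and creates block 3.
KEY = b"constructed-manifest-key"
v1 = bytes(10_000)
v2 = bytearray(v1)
v2[5000] = 0xFF
v2 += b"x" * 3000
mode1, send1, manifest1 = plan_backup(v1, None, KEY)
mode2, send2, manifest2 = plan_backup(bytes(v2), manifest1, KEY)
```

Only the blocks listed in `send2` would be encrypted and transmitted on the second run; block 0 never leaves the client again.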
Network & Firewall Security
Network Practices
The Internet Vaulting Primary and Backup Data Center Facilities:
• Are located at an undisclosed location.
• All data received by any Internet Vaulting Data Vault is immediately replicated to the backup data center.
• Internet Vaulting has yielded 99.99% uptime for the past three years.
Firewall Best Practices
Our Data Center firewall policies do not permit casual non-encrypted access from the outside to the Data Vault servers. Thus, access to customer archive files via remote connection to the production servers is not possible via the Internet. Internet Vaulting uses a designated TCP port for all client communications via the DS Client. We have deployed dual firewalls with hot fail-over capability to ensure maximum uptime.
The Internet Vaulting Data Center
The Internet Vaulting backup service is managed with the goal of 100% uptime, 24x7. This is achievable due to the mirroring of the Internet Vaulting Data Center to another facility.
Our Internet Vaulting service is provided by a series of redundant load-balanced front-end servers, each of which has its data mirrored at our backup data center facility. The Internet Vaulting servers run Red Hat Enterprise Linux. Red Hat’s best practices are followed and security patches are implemented when released.
In addition to deploying all the latest Red Hat security patches, our firewalls utilize up-to-date virus protection to disable any virus attacks that threaten the Data Center.
Internet Vaulting Uptime – Mirrored Data Protection
The primary Data Center is located in Massachusetts. All data received by the primary Data Center is immediately replicated to its mirror via a private 200mb WAN connection. In the event of a disaster at the primary Data Center, the backup Data Center will be brought online to handle client requests. The service has yielded 99.99% uptime for the past 3 years.
Most scheduled maintenance procedures and unscheduled outages affect only one member of the load-balanced redundant front-end server cluster at a time. Our clustered client-facing front-end server solution enables us to maintain client connectivity 24x7 even while servicing various parts of our infrastructure without any business interruption. In the rare event that the cluster must be brought down, we will endeavor to do so outside normal scheduled backup hours, and to give customers several days’ advance notice.
Internet Vaulting Backup Network
The Internet Vaulting service utilizes multiple high-speed internet access lines to handle customer requests. Each server platform has fail-over and redundancy, continuous server monitoring and performance tuning, assuring that storage capacity is never exceeded. All are purchased from multiple tier one internet access providers.
Hardening – Internet Vaulting Physical Security
Internet Vaulting protects customer data from all over the world within its data centers. Access to these facilities is restricted to Data Center Administrators only. Internet Vaulting also takes the necessary steps to ensure that only Internet Vaulting employees and signed-in guests of Internet Vaulting employees can gain access to the Internet Vaulting Data Centers.
• All Internet Vaulting technical employees are issued a card-key for entry to the building. Card key use logs are reported and reviewed periodically.
Other Data Center Security measures include:
• Internal and external alarm systems with 24x7 monitoring and motion detection
• Generator backup (tested weekly) with unlimited capacity to run on reserve power
• Mirrors are located within a locked cage at an undisclosed location with 24x7x365 security
  o Access to the mirror is restricted to pre-authorized individuals.
  o Mirror is located on redundant power grids for increased availability in the event of a power failure.
  o A dry fire-suppression system is installed at each site.