fasthosts server support...dedicated servers providing hardware support and investigating issues at...
Posted on 18-Jul-2020

1 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: Fasthosts Server Support...Dedicated Servers Providing hardware support and investigating issues at the request of customers. Identifying and replacing faulty hardware. Virtual Private

Fasthosts Customer Support
Responsibilities and Best Practices

We take great care to ensure that all parties understand and appreciate the respective responsibilities relating to an infrastructure-as-a-service or self-managed environment. This document highlights and identifies these responsibilities to help our customers operate in a defined and mutually understood environment.


Customer Support | Fasthosts Server Support

Page 1

Contents

1 Introduction
2 Document Disclaimer
3 Our Responsibilities
  3.1 Security of Data Centres
  3.2 Hardware Maintenance
      Dedicated Servers
      Virtual Private Servers
  3.3 Security Testing of Our Infrastructure
  3.4 Maintaining Security Best Practices
  3.5 Confidentiality of Our Services and Infrastructure
  3.6 Integrity of Our Services and Infrastructure
  3.7 Availability of Our Services and Infrastructure
  3.8 Principle of Least Privilege
  3.9 Service Availability
  3.10 Secure Destruction of Data, Hardware and Removable Media
  3.11 Secure Data Communications on Our Networks
  3.12 Incident Management on Our Networks
  3.13 Internet Connections
  3.14 Change Management
  3.15 Notification of Planned Outages
  3.16 Denial of Service Attacks
4 Typical Infrastructure Management Responsibilities of Customers
  4.1 Software Installation and Build
  4.2 Firewall Between On-Premise and Off-Premise Networks
  4.3 Hardening of the Host Operating System
  4.4 Change Default System Settings, Usernames and Passwords
  4.5 Applying Service Packs, Security Patches and Software Updates
  4.6 Maintaining Infrastructure Optimisation
  4.7 Testing/Quality Assurance of Applications and Services
  4.8 Event Logging
  4.9 Anti-Virus and Anti-Malware Protection
  4.10 Backup
  4.11 Remote Administration and Maintenance
  4.12 Application and License Management
  4.13 Change Management
  4.14 Compliance with License Agreements, Local Legal and Regulatory Bodies
  4.15 Managing User Accounts
  4.16 Managing Passwords
  4.17 Operating System Failure
  4.18 First Line Support
  4.19 Customer Initiated Penetration Testing
  4.20 Managed Firewalls and VPN Concentrator


1 Introduction

Fasthosts is committed to building information-security principles into everything it does and maintains or exceeds industry best practices. Fasthosts Dedicated and Virtual Servers are supplied on a Self-Managed basis. This document details the responsibilities of Fasthosts and its customers for infrastructure security within a Self-Managed service. It also offers recommendations on how customers can carry out these responsibilities.


2 Document Disclaimer

Customers using this document should be aware that the responsibilities of each party set out here are guidelines. The document is designed to describe the typical and normal responsibilities of each party within an infrastructure-as-a-service (IaaS) or hosted environment, so that there is a clear understanding of who is responsible for what.

It cannot cater for every eventuality, so customers should treat the guidelines as examples, for indicative purposes only. Fasthosts wishes to ensure that the customer accepts and understands the variety and complexity of the solutions and services that may be made available, and that it is not feasible to provide comprehensive guidance for all circumstances and individual customer requirements.

It is the customer's responsibility to seek clarity or additional advice before making any assumptions about the applicable responsibilities, as each customer's circumstances may differ. A modified set of responsibilities may therefore need to be specified, depending on the technical solution and the products or services proposed.

Fasthosts accepts no responsibility for reliance on these guidelines or for misinterpretations of them. We recommend that the customer seeks prior clarification and advice from Fasthosts or an IaaS professional if they have queries, non-typical requirements, or need clarification on any related responsibility.


3 Our Responsibilities

3.1 Security of Data Centres

We are responsible for managing and protecting our data centres by:

• Conducting annual physical security reviews to ensure we adhere to policies and best practices.
• Signing visitors in and out of facilities and escorting them while they are in data centres.
• Restricting access to data centres with fences, gates, swipe-card entry systems and role-based privileges.
• Protecting facilities with out-of-hours security guards.
• CCTV monitoring and a reception that is staffed 24/7/365.
• Maintaining operations during short-term power fluctuations with reserve power supplies, backups (e.g. uninterruptible power supplies) and redundant generators, which we test regularly.
• Maintaining optimum environmental conditions in our data centres with air-conditioning systems, which we test regularly.
• Providing fire detection and suppression systems, which we test regularly.


3.2 Hardware Maintenance

We are responsible for maintaining optimum system performance in our data centres. How we do so depends on the type of server you are using:

Dedicated Servers

• Providing hardware support and investigating issues at the request of customers.
• Identifying and replacing faulty hardware.

Virtual Private Servers

• Maintaining redundant hardware to which services can be transferred in the unlikely event of an outage.
• Monitoring business-critical hardware and resolving issues for customers.

3.3 Security Testing of Our Infrastructure

We are responsible for testing the security of our infrastructure by:

• Conducting regular security tests on our infrastructure and managing the results through our incident and risk management processes, so that issues are resolved quickly.


3.4 Maintaining Security Best Practices

We are responsible for maintaining security best practices by:

• Employing an Information Security Manager to manage and implement security standards and best practice.
• Regularly reviewing policies and updating them to follow best practice.
• Using an Information Security Steering Committee to approve and govern changes to policy.
• Clearly and comprehensively training all staff on current information security policies.
• Maintaining clear disciplinary policies and procedures, which are outlined during employee inductions.

3.5 Confidentiality of Our Services and Infrastructure

We strive to protect the confidentiality of customer data by preventing our employees from accessing it unless customers provide them with root or administrator access. We also use the following to ensure confidentiality:

• Network security protocols.
• Network authentication services.
• Data encryption services.
• Physical entry controls.
• Additional hardening of internal operating systems depending upon their role, importance and location within our network.


3.6 Integrity of Our Services and Infrastructure

We strive to protect the integrity of customer data by preventing our employees from accessing it and by using the following to ensure integrity:

• Multi-level firewall services and network segmentation. Access depends upon business requirements and the services being accessed.
• Communications security management.

3.7 Availability of Our Services and Infrastructure

We strive to maintain the availability of customer data by implementing redundant internet connections, power supplies, generators, network infrastructure and storage area network (SAN) disks. We also use the following to ensure availability:

• Role Based Access Control (RBAC).
• Redundant disk systems and internet connections.
• Acceptable login and operating-process performance.
• Reliable and interoperable security processes and network security mechanisms.

3.8 Principle of Least Privilege

We ensure that only engineers who need access to servers, infrastructure and networks are given it. Employees who have no business requirement to access these cannot do so without approval from authorised personnel.


3.9 Service Availability

We are responsible for maintaining 99.99% availability for both virtual private servers and dedicated servers.

3.10 Secure Destruction of Data, Hardware and Removable Media

We are responsible for securely destroying our data, hardware and removable media, and we use accredited partners to securely destroy hardware such as hard disk drives and backup media. We also:

• Cleanse hard disks before reusing them and test samples to ensure data cannot be recovered. We do this with software that adheres to HMG CESG standards.

3.11 Secure Data Communications on Our Networks

We are responsible for maintaining secure communications in our private network by:

• Segmenting customers' networks to prevent unauthorised access.
• Encrypting virtual private network (VPN) tunnels with IPsec to protect traffic to customers' sites. (VPN tunnelling and managed firewalls are only available via our Sales department.)


3.12 Incident Management on Our Networks

We are responsible for managing incidents on our network by:

• Following ITIL-based management processes to deal with incidents.
• Providing an incident manager who is on duty 24/7/365.

3.13 Internet Connections

We are responsible for maintaining internet connections for servers by using multiple 10Gb/s connections to the Internet and diverse routing, so that connectivity is not lost because of a single failure.

3.14 Change Management

We are responsible for managing change associated with our infrastructure and for minimising the impact on you wherever possible. We manage these changes by:

• Employing a Change Manager who is responsible for change management processes.
• Following ITIL-based change management processes.
• Using a change management team to authorise change requests based upon the role, location and importance of the affected systems in our network.


3.15 Notification of Planned Outages

We are responsible for notifying customers of planned outages and endeavour to provide at least 24 hours' notice. In the majority of cases we will provide notice earlier than this.

Note: We may give less notice for emergency maintenance needed to resolve high-risk security incidents that affect multiple customers.

3.16 Denial of Service Attacks

We are responsible for mitigating denial of service attacks from the Internet. We reserve the right to remove service for the duration of an attack, or until we can deploy a compensating control, if an attack threatens our wider infrastructure.


4 Typical Infrastructure Management Responsibilities of Customers

4.1 Software Installation and Build

You are responsible for configuring servers to suit your requirements, including your security policies. You can reset your servers to the base configuration at any time. We provide our services with some elements pre-configured to enable them to work within our environment.

We recommend that you consider the following questions when configuring your servers:

• How do you secure data at rest and in motion?
• Who has access to data?
• What is exposed to the outside world?
• What should be implemented to protect data held in your systems?
• What controls are necessary to uphold your information security policies?


4.2 Firewall Between On-Premise and Off-Premise Networks

You are responsible for managing, implementing and adding firewalls between off-premise and on-premise networks. We recommend that you:

• Implement ingress and egress firewall policies at the on-premise tunnel endpoints.
• Configure firewalls to allow only the inbound and outbound ports and IP addresses needed for the services in the off-premise environment, and deny everything else by default.

4.3 Hardening of the Host Operating System

You are responsible for hardening your servers. We recommend that you:

• Apply hardening templates.
• Restrict access over unused ports.
• Disable unused features.

Quick tip: You can find hardening best practice guides at http://www.sans.org.


4.4 Change Default System Settings, Usernames and Passwords

You are responsible for changing default system settings and operating-system passwords. We recommend that you:

• Implement different user profiles for people who access the server directly.
• Use RBAC so that users can only access the services they need to do their jobs.
• Implement strong password controls, such as a minimum length of eight characters, including at least one upper case, one lower case and one numeric character.
• Rename default administrator accounts, such as the domain administrator or root, to a meaningless value, set a complex password and store it in a safe location. Renaming root on Linux is rarely practical, because UID 0 remains the target whatever it is called; there, disable direct root logins instead (for example PermitRootLogin no in sshd_config) and administer the server through named accounts. Create separate accounts with limited privileges for other users.
• Create specific accounts for third parties (including Fasthosts) that expire after a short time. If a third party has used a shared privileged account, change the password or disable the account immediately after the third party completes their work.

4.5 Applying Service Packs, Security Patches and Software Updates

You are responsible for applying and configuring service packs, security patches and software updates on your servers. We recommend that you:

• Disable unused services.
• Configure a method to apply updates and security patches to servers.


4.6 Maintaining Infrastructure Optimisation

You are responsible for implementing any operating system configuration changes that we recommend to optimise or secure your server on our infrastructure.

Best practice: Update your server configuration in line with any revised best practices recommended by us, following your own change management process.

4.7 Testing/Quality Assurance of Applications and Services

You are responsible for functionality testing and quality assurance of the applications and services on your servers. We recommend that you:

• Ensure you have a good backup or snapshot of servers before deploying updates or patches.
• Ensure your services have sufficient capacity to cope with peak loads.
• Deploy patches and updates regularly and in small batches, so that if something goes wrong the impact is limited and the cause is easier to identify.
• Test your applications after patches and updates to check they are not affected.


4.8 Event Logging

You are responsible for monitoring the logs of your systems, applications and servers. We recommend that you:

• Set up event logging to forward logs to a separate server and analyse them there for security-related events. Logs held off the host survive a compromise of that host, and the analysis helps you define the correct defences for your services.
• Retain logs for a reasonable length of time, i.e. a minimum of one month but preferably a year.
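As an added illustration of the analysis step (this is example code written for this page, not Fasthosts tooling), the POSIX shell function below runs over sshd lines of the kind a central log server collects and reports the two things a practitioner looks for first: source addresses with repeated failed logins, and a successful login from an address that had just been failing. The log lines, host name and addresses are constructed for the example (RFC 5737 documentation ranges), and the threshold of three failures is an assumed value.

```shell
#!/bin/sh
# Added example, not part of the Fasthosts document: a minimal security-event
# check over syslog-style sshd lines on a central log server.
# The log below is constructed for illustration; "web01" and the addresses
# (RFC 5737 documentation ranges) are not real systems.
SAMPLE_AUTH_LOG='Jan 10 03:14:01 web01 sshd[2101]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Jan 10 03:14:03 web01 sshd[2103]: Failed password for root from 198.51.100.23 port 51023 ssh2
Jan 10 03:14:05 web01 sshd[2105]: Failed password for invalid user oracle from 198.51.100.23 port 51024 ssh2
Jan 10 03:14:08 web01 sshd[2107]: Failed password for invalid user test from 198.51.100.23 port 51025 ssh2
Jan 10 03:14:30 web01 sshd[2110]: Failed password for deploy from 203.0.113.7 port 40110 ssh2
Jan 10 03:14:41 web01 sshd[2112]: Accepted publickey for deploy from 203.0.113.7 port 40112 ssh2
Jan 10 03:15:02 web01 sshd[2120]: Accepted password for root from 198.51.100.23 port 51030 ssh2'

# ssh_login_report THRESHOLD
# Reads sshd log lines on stdin (chronological order) and prints:
#   LOGIN_AFTER_BRUTEFORCE <ip> <user>  when an Accepted login arrives from an
#                                       address that already has >= THRESHOLD
#                                       failed attempts (the event to page on)
#   BRUTEFORCE <ip> <count>             for every address with >= THRESHOLD
#                                       failed attempts, once input is exhausted
ssh_login_report() {
    awk -v threshold="${1:-5}" '
        # Count failed password attempts per source address; the address is
        # always the field after "from", whatever the user-name part looks like.
        / sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
        }
        # "Accepted <method> for <user> from <ip> ...": report immediately if the
        # address was already over the threshold at this point in the log.
        / sshd\[[0-9]+\]: Accepted / {
            user = ""; ip = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "for")  user = $(i+1)
                if ($i == "from") ip = $(i+1)
            }
            if (ip in fails && fails[ip] >= threshold) print "LOGIN_AFTER_BRUTEFORCE", ip, user
        }
        END {
            for (ip in fails) if (fails[ip] >= threshold) print "BRUTEFORCE", ip, fails[ip]
        }'
}

# Run the report over the constructed sample with an assumed threshold of 3.
printf '%s\n' "$SAMPLE_AUTH_LOG" | ssh_login_report 3
```

Forwarding itself is done by the logging daemon rather than by scripts like this: with rsyslog, a line such as *.* @@loghost.example:514 in rsyslog.conf sends everything to a collector over TCP (loghost.example is a placeholder). Run the report on the collector, not on the server being watched, so that an attacker who gains root on the server cannot simply delete the evidence.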

4.9 Anti-Virus and Anti-Malware Protection

You are responsible for deploying and managing anti-virus and anti-malware protection for your servers. We recommend that you:

• Install anti-malware software and configure it to update automatically, or in line with your corporate anti-virus policies.

4.10 Backup

You are responsible for arranging backups for your servers, for backing up your data and for testing your backup systems. We recommend that you:

• Back up data and implement a regime that allows you to recover your business in the event of a disaster.
• Test your backup systems, including restoring from them.


4.11 Remote Administration and Maintenance

You are responsible for managing the servers and firewalls we provide, via a remote access VPN portal. We recommend that you:

• Conduct remote administration and maintenance securely. We can provide a secure remote access VPN for maintaining servers and firewalls. (Only available via our Sales department.)
• Do not expose management interfaces to the Internet, and do not allow weak authentication controls on them.

4.12 Application and License Management

You are responsible for maintaining the applications on your servers and for ensuring you have licenses for them. We recommend that you:

• Ensure you have sufficient processes in place to maintain your applications.

4.13 Change Management

You are responsible for managing change associated with your servers. We recommend that you:

• Implement a change management process. This makes it easier to identify the reasons for a failure and to restore systems.


4.14 Compliance with License Agreements, Local Legal and Regulatory Bodies

You are responsible for ensuring compliance with license requirements and with legal and regulatory bodies. We recommend that you:

• Pay attention to local regulations that may affect you.

4.15 Managing User Accounts

You are responsible for managing user accounts in line with your procedures. We recommend that you:

• Create an individual account for each user who accesses your systems, rather than shared accounts, so that actions in the logs can be attributed to a person.

4.16 Managing Passwords

You are responsible for managing passwords in line with your procedures. We recommend that you implement strong password management policies, for example:

• Password length is set between eight and 15 characters.
• Force a password change at first logon.
• Enforce password expiry; the suggested maximum age is 45 days.
• Enforce password history, preventing users from reusing their previous n passwords, where n is between 0 and 9.


4.17 Operating System Failure

You are responsible for maintaining your operating systems. We recommend that you:

• Employ appropriately skilled engineers to manage your servers.

4.18 First Line Support

You are responsible for managing all first-line support issues. We recommend that you:

• Provide first-line support, and build processes to authenticate users who contact your service desk requesting access to your systems.


4.19 Customer Initiated Penetration Testing

You are responsible for penetration testing of your servers. These responsibilities include:

• Obtaining authorisation from us and from any other customers involved in the testing. Customers MUST submit a request to test at least five working days before any penetration testing or vulnerability scanning activity.
• Ensuring that only experienced employees or professional third-party consultancies conduct penetration tests and vulnerability scans.
• Outlining the details of penetration tests or vulnerability scans to us. This must include:
  o Time frame for the test.
  o Testing scope.
  o IP addresses involved (testing sources and targets).
  o Key contacts.
• Getting third-party testing organisations to complete a Fasthosts non-disclosure agreement before testing or scanning.
• Informing the Fasthosts Service Desk of test results that may adversely affect Fasthosts, such as denial of service.
• Reporting vulnerabilities identified in the Fasthosts infrastructure.

Please note that if our support teams are not aware that you are testing, it is likely that they will deploy mitigating controls and blocks to stop what looks to them like an attack.

Important: We will suspend the services of customers who do not comply with this.


Best practice:

• Conduct penetration tests or vulnerability scans once your services have been deployed, to confirm that the configuration follows best practice and has no security weaknesses.

4.20 Managed Firewalls and VPN Concentrator

You are responsible for configuring your end of a VPN tunnel. We recommend that you:

• Lock down firewall configurations and allow only the inbound and outbound ports and IP addresses the application requires.

Note: Managed Firewalls and VPN concentrators are only available through our Sales department and cannot be purchased through your control panel.
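The nftables ruleset below is an added example for sections 4.2 and 4.20 (it is not a Fasthosts-supplied configuration) showing what "only the required ports and addresses, in and out" looks like on a Linux on-premise tunnel endpoint: every chain defaults to drop, IKE/NAT-T and ESP are accepted only from the hosted VPN concentrator, the endpoint itself may only reach the concentrator and a local resolver, and forwarded traffic from the LAN is limited to the two hosted services in use. All addresses, the service ports, the interface and table names are assumptions for the example (RFC 5737 and RFC 1918 ranges).

```shell
#!/bin/sh
# Added example, not a Fasthosts configuration: default-deny nftables rules
# for the on-premise end of an IPsec tunnel to a hosted environment.
# Every address and port below is an assumption for illustration.
PEER_GATEWAY="203.0.113.10"     # assumed: public address of the hosted VPN concentrator
HOSTED_NET="198.51.100.0/28"    # assumed: hosted subnet reachable through the tunnel
APP_HOST="198.51.100.5"         # assumed: hosted application server (HTTPS)
DB_HOST="198.51.100.6"          # assumed: hosted database server (PostgreSQL)
LAN_NET="192.168.10.0/24"       # assumed: on-premise LAN behind this endpoint
RESOLVER="192.168.10.53"        # assumed: on-premise DNS/NTP host

# gen_edge_ruleset: print a complete nftables ruleset on stdout.
gen_edge_ruleset() {
    cat <<EOF
flush ruleset

table inet tunnel_edge {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state invalid drop
        ct state established,related accept

        # IKE (500) and NAT-T (4500), plus ESP, only from the hosted concentrator.
        ip saddr $PEER_GATEWAY udp dport { 500, 4500 } accept
        ip saddr $PEER_GATEWAY ip protocol esp accept

        # Echo requests from the LAN only, for path diagnostics.
        ip saddr $LAN_NET icmp type echo-request accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state invalid drop
        ct state established,related accept

        # LAN -> hosted: only the application and database ports in use.
        ip saddr $LAN_NET ip daddr $APP_HOST tcp dport 443 accept
        ip saddr $LAN_NET ip daddr $DB_HOST tcp dport 5432 accept

        # Hosted -> LAN: nothing may be initiated from the hosted side. The
        # policy already drops it; the counter makes attempts visible in
        # "nft list ruleset".
        ip saddr $HOSTED_NET counter drop
    }

    chain output {
        type filter hook output priority 0; policy drop;

        oif "lo" accept
        ct state established,related accept

        # The endpoint itself talks only to the concentrator and the resolver.
        ip daddr $PEER_GATEWAY udp dport { 500, 4500 } accept
        ip daddr $PEER_GATEWAY ip protocol esp accept
        ip daddr $RESOLVER udp dport { 53, 123 } accept
    }
}
EOF
}

# check_edge_ruleset: syntax-check the generated ruleset with nft when it is
# installed (nft -c parses and validates without applying); otherwise say so.
check_edge_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        gen_edge_ruleset | nft -c -f -
    else
        echo "nft not installed; skipping syntax check" >&2
    fi
}

gen_edge_ruleset
```

Apply with "nft -f" once check_edge_ruleset passes, and keep the rules under the same change management process as the rest of the server. The hosted end of the tunnel needs a matching policy of its own; this ruleset only governs the on-premise endpoint.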