Q. What hardware and software does Richweb run on its website and web application servers?
A. A complete Richweb web application server system consists of:
An application server housed at one of our secure colo facilities, a database server, and a network firewall. All management of Richweb servers is done remotely, either via a browser interface or via secure shell (software updates, and database restoration when the customer requests a restore).
A browser installed on the client PCs (MS IE6, IE7 or Firefox 1.5+ suggested; the system should work with older browsers, but they are not officially supported).
Database engines loaded on the server (Firebird and MySQL RDBMS engines).
A secure (SSL) web interface for end users and Program Administrators.
Housekeeping programs that update the system automatically each night.
Q. Where is Richweb hosting its servers?
A. Richweb servers are hosted at the premier Data Center facilities in Central Virginia: Peak10, NetTelcos, and Level3.
Each facility offers:
Gigabit connections to multiple global Internet backbone networks
Fail-over disaster recovery facilities
On-site diesel generator rated for a minimum of 72 hours; the 7000 gallon fuel tank is kept full. Hot cut-over to the backup generator is tested monthly. The generator system is housed in a secure building adjacent to the main building.
On site multi-terabyte backup server capacity
The following is the overview information sent to us by Peak10 regarding SAS70 operating requirements:
You may contact Peak10 to obtain a copy of the documentation that specifically meets your compliance requirements.
The basic Peak10 SAS70 documentation consists of a letter on Peak10 company letterhead stating that Peak10 passed SAS70 Type I and Type II audits. The audit was performed by Lattimore, Black, Morgan and Cain (LBMC).
Peak10 can provide additionally:
Copies of report cover letters for a calendar year (an Executive Summary of the audit signed by LBMC). [Cost: $500 per year.]
Copies of the complete reports for a calendar year, detailing the controls and audit findings. [Cost: $3000 per year.]
Q. Results of Penetration Tests and Vulnerability Scans?
Richweb has a monthly scan performed by the Qualys scanner (qualys.com). Results are reviewed and any level 3, 4 or 5 vulnerabilities are addressed immediately (levels 3 and above are considered potential attack vectors; levels 1 and 2 are information gathering). If a level 1 or 2 issue can be addressed, Richweb addresses it as well, although many level 1 and 2 findings are in fact false positives. This packet of information includes the scan results for several servers at one of Richweb's data centers; they are representative of the overall security posture Richweb is able to achieve. All serious security exposures and vulnerabilities detected by the scans have been addressed as they arose.
In addition, Richweb profiles every application that a client asks us to host into one of 2 categories: “unknown/not measured” and “dangerous”. Dangerous applications are those known, via source code audit and/or a continual stream of disclosed vulnerabilities, to be poorly written. When a client insists on hosting an app classified as dangerous, Richweb takes additional security precautions such as extra outbound packet filters and increased host-based intrusion detection. Richweb's first step in this process is, of course, to educate the customer about the application in question in an effort to remove the need for hosting it in the first place (perhaps a suitable, more secure replacement app is available).
As part of OCC (Office of the Comptroller of the Currency, the federal banking regulator) penetration testing performed for a Richweb client against a Richweb server hosting a production (live) representative set of applications, no successful penetration was achieved. In addition, Richweb firewalls have been pen tested several times by different clients with no successful penetration. Real-world experience bears this out: weak passwords have been the only exploited attack vector in the last 8 years, and as we all realize, passwords are only as secure as the client administrator can keep them.
Q. What disaster recovery policies does Richweb have in place regarding its hosting operations?
Richweb has additional capacity at the NetTelcos Data Center located in Innsbrook [Glen Allen, Virginia]. The NetTelcos Data Center is a 10,000 square foot, professional Data Center providing the following features:
High-speed connections to multiple global Internet backbones
Fail-over disaster recovery facilities
On-site diesel generator with 24 to 48 hours of fuel, housed in a permanent building enclosure
Richweb replicates nightly all customer builds (software code and data) to its secured corporate backup server. See the contingency planning question and answer for more information on this topic.
Q. What are the physical security controls in place for access to the servers and software?
A. The cabinets which house the servers are locked, and the servers are password-locked at the BIOS level. Only data center personnel authorized by Richweb have access to the servers, and only as directed by Richweb.
Peak10 has a fully operational mantrap and SAS 70 Type II compliant access control. Entry uses two-factor authentication: an ID card issued in exchange for a valid US government ID, plus a biometric reader that blocks unauthorized access at the mantrap. Only pre-registered users with entries in the biometric scanner database are allowed into the data center. Each user type (employee, contractor, vendor, customer) is categorized for the purposes of ID generation. All movement through the facility is monitored and tracked.
The NetTelcos Glen Allen facility has monitored access (biometric authentication is required to gain entry) identical to the Peak10 Richmond facility, and SAS 70 compliance is under way.
All source code, server configuration files and server system files that detail setup are checked into and managed with Subversion, the industry-leading open source version control system. Richweb accesses Subversion over HTTPS (SSL), so source code and config files are never transferred over clear-text protocols.
Q. How does the process of a Richweb employee gaining access to a customer database work?
A. Richweb does not create or maintain accounts on client database instances for Richweb management purposes unless authorized and instructed to do so by an authorized Program Administrator of the client in question. This authorization should be given by telephone. Some clients have made arrangements with Richweb whereby certain actions can be taken on the basis of emails from the PA/PM, but usually these directives are issued by telephone conference or conversation. A written email is then sent to confirm any action that is to be taken, which provides an audit trail for the access that was granted. Richweb logs all time spent supporting a client in our EMS project management system, and the EMS project logs contain these notes and the actions taken.
Q. What kind of contingency planning and backups does Richweb have in place?
A. All database, web application and website hosting services are virtualized: each customer's server is itself a virtual server (vserver). This allows quick and efficient backup and restoration of the complete operating image, covering the server and its services as well as the applications and the data they need.
Richweb maintains additional server capacity at its backup data centers. These servers are idle when a customer is not using an image on the server in disaster recovery mode.
Backups of the filesystem and the databases are handled by 2 separate backup processes.
Full backups of each customer database are written to disk on the local server and then replicated back to Richweb's NOC with rsync over ssh, an industry standard for secure, fast and efficient remote file replication.
Database backups can be arranged for weekly, twice weekly, or daily intervals depending on how fast the data is updated.
Richweb takes monthly and/or weekly full filesystem backups of your vserver. Monthly backups are standard, weekly backups can be arranged if you have a fast changing site that places content or data on the filesystem.
Richweb also takes a nightly incremental backup of each vserver. This incremental backup is overwritten each night, so if you inadvertently delete a file or directory, contact Richweb immediately (before the next nightly run) and we can fetch the backup from the disk image.
Custom backup schedules can also be arranged with Richweb. Some customers like to have images of disks or databases zipped up and uploaded to a customer FTP server, or written to DVD, CD-ROM, USB hard drive or tape drive. (Note that plain FTP transfers the archive in clear text; using SFTP, or encrypting the archive before upload, avoids this.)
More about vservers, and software releases:
Each server is running a software release (also called build) that is cut or generated from the version control repository.
The backup vserver is simply updated to the appropriate build, and the database file is pushed from the backup server at the NOC to the backup vserver. Once the database file is restored the system is fully operational as far as the data is concerned.
Richweb maintains DNS TTLs (time to live) of 3 to 4 hours on the domain names, so that once the records are changed, the domains are re-pointed from the main colo facility to the backup colo facility for all resolvers within one TTL (3 to 4 hours).
Should a client require more frequent backups than nightly, Richweb can implement a more aggressive backup schedule for an additional charge. Both the MySQL and Firebird database architectures permit hot (live) database backups, meaning that the backup can be taken while the system is live and processing production data. The database backup is taken from a snapshot, which ensures internal consistency and integrity: the backup is NOT taken halfway through a transaction, so when it is restored it will not contain a partial transaction.
Q. What is the screening process for the analysts/employees at Richweb?
A. Richweb management conducts 2 in-person interviews with each candidate for hire and we typically hire only people that have either worked with us previously as a vendor/partner or as a client. We check 3 personal references for each analyst candidate.
Richweb contracts with analysts on a part-time trial basis for 90 to 180 days before making a full time permanent hire decision. During this trial period analysts have a very restricted access to source code and test data in the R&D environment and no access at all to any production environments.
Richweb can execute an NDA (non-disclosure agreement) with its employees at the request of a client.
Q. What about spam? Are the Richweb email servers secure? Will Richweb servers prevent spamming or attacks by spammers to use and abuse the servers for the purposes of sending spam?
A. Richweb suggests that our customers use a vendor (our preferred vendor is “Constant Contact”) for legitimate marketing communications with customers who have OPTED IN to email communications. Constant Contact is a bonded, responsible bulk mailer whose service contracts require that its customers' mailings comply with US law on UCE (unsolicited commercial email, i.e. spam). Constant Contact sends all of its email through its own registered servers, so you do not have to whitelist (exempt from filtering) Richweb servers only to see other third-party spam let in.
Richweb runs a DKIM signing proxy for all outbound bulk email generated from customer web applications. This improves deliverability to yahoo.com and other DKIM-aware domains, since a valid signature lets the receiving domain verify that the message was sent by the signing domain rather than by a spammer.
There are several technologies that should be implemented by a computer system/network to make it as secure as possible for the given time, budget, and resources available. Richweb implements ALL of the technologies below:
A. Firewalls (host-based and network-level)
B. SSL (encryption of the connection between web browser and web server)
C. Intrusion Detection
D. System Access Auditing, Monitoring, Connection Tracking, Logging
E. Deployment of Anti-virus and Trojan Horse Protection
F. Deployment of Software Patches/Updates to Address Security Fixes
A. Firewalls
1. Richweb implements a layered firewall solution so that no single point of failure can result in a compromise or disclosure of customer information. The firewalls are configured as a redundant pair, one master and one hot spare, with version control used to sync the configuration from the master to the spare. The firewalls provide a log audit trail of denied connections, although a few constantly probed ports are dropped without logging rather than cluttering the log files with thousands of irrelevant lines.
EACH co-location network is protected by a network firewall. This network firewall blocks 99% of all unwanted traffic and allows the hosts behind it to concentrate on application processing. EACH application server also has a host-based firewall tailored to meet the EXACT security requirements of that host. This ensures that a mistake or oversight on the network firewall cannot by itself leave a host exposed: the host remains protected by its own rule set.
B. Secure Sockets Layer (SSL Certificate)
The Richweb SSL solution addresses your security needs by protecting traffic between all web browsers and your Richweb-hosted web application server with 128-bit encryption. SSL certificates also let users verify that the site is authentic rather than a spoof, which is how attackers run password-stealing scams.
C. Intrusion Detection
Richweb uses host-based intrusion detection (rkhunter and AIDE) to detect application tampering. Richweb also uses vserver technology to isolate each application in a private security context where needed.
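To make concrete what a host-based integrity checker such as AIDE does, here is an added example in plain POSIX shell; it is not Richweb's AIDE configuration or rule set. It records a sha256 manifest of a directory tree, then reports files that were modified, added or removed relative to that baseline. The sample tree and the simulated tampering are constructed inline so the script runs offline, and the file names are illustrative only. It also shows the practical caveat: the baseline must be kept where the monitored host cannot rewrite it, otherwise an intruder with root simply regenerates it after tampering.

```shell
#!/bin/sh
# Added example, not Richweb's AIDE configuration: a minimal file-integrity
# baseline and check in the style of AIDE, to show what "detect application
# tampering" means in practice. Paths are stored relative to the watched
# directory, so a manifest taken on one vserver can be checked on another.
LC_ALL=C; export LC_ALL

# fim_baseline DIR -> prints "sha256  ./relative/path" for every regular file, sorted
fim_baseline() {
    (cd "$1" && find . -type f -exec sha256sum {} + | sort)
}

# fim_check DIR MANIFEST -> prints one line per deviation, sorted by path:
#   MODIFIED ./path   content differs from the baseline
#   ADDED ./path      on disk but not in the baseline
#   MISSING ./path    in the baseline but gone from disk
# Returns 0 (and prints nothing) when the tree matches, else 1.
fim_check() {
    report=$(fim_baseline "$1" | comm -3 "$2" - | awk '
        # comm -3 emits baseline-only lines unindented and current-only lines
        # indented by one tab; the path is the last field of either.
        /^\t/ { seen[$NF] = seen[$NF] "C"; next }
              { seen[$NF] = seen[$NF] "B" }
        END {
            for (p in seen) {
                if (seen[p] == "B")      printf "MISSING %s\n", p
                else if (seen[p] == "C") printf "ADDED %s\n", p
                else                     printf "MODIFIED %s\n", p
            }
        }' | sort -k2)
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# --- constructed sample tree standing in for a hosted web application ---
WATCH=$(mktemp -d); MANIFEST=$(mktemp)
trap 'rm -rf "$WATCH" "$MANIFEST"' EXIT
mkdir -p "$WATCH/app" "$WATCH/cfg"
printf '<?php echo "hello";\n'  > "$WATCH/app/index.php"
printf '<h1>About</h1>\n'        > "$WATCH/app/about.html"
printf 'db_host=localhost\n'     > "$WATCH/cfg/db.conf"

# Take the baseline once the build is deployed and known good. Keep this file
# off the host or on read-only media: an attacker with root can otherwise
# simply regenerate it after tampering.
fim_baseline "$WATCH" > "$MANIFEST"

# Simulate tampering: a line appended to a script, a dropped-in file, a deleted config.
printf '// appended by someone\n' >> "$WATCH/app/index.php"
printf '<?php /* new file */\n'   > "$WATCH/app/upload.php"
rm "$WATCH/cfg/db.conf"

if fim_check "$WATCH" "$MANIFEST"; then
    echo "tree matches baseline"
else
    echo "integrity violations found; treat the host as tampered until explained"
fi
```

AIDE goes further than this sketch, recording ownership, permissions and other inode attributes as well as content hashes, but the workflow is the same: initialize a database from a known-good build, store it out of reach of the host, and compare on a schedule.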
D. System access auditing and monitoring, connection tracking, logging
Richweb has daily audit programs (automated and manual) that verify the system usage for each of the servers is normal.
E. Deployment of Anti-virus and Trojan Horse protection
Richweb scans (and blocks as appropriate) all inbound email for viruses and Trojan horses as well as phishing and scam mails.
It is of course recommended that ALL customers also run their own desktop or server-based anti-virus technology on all incoming email, especially since many users have web-based email accounts that receive mail from other domains where the filtering may not be as good as the filtering at Richweb.
F. Deployment of Software Patches and Updates to Address Security Fixes
Richweb performs patch management 3 times weekly on all servers. Richweb does not use Microsoft Windows products, so the patch management process for our servers is not as involved as with MS servers. The patches are tested on our R&D servers and then applied. In the event a zero-day vulnerability is discovered, Richweb patches the servers on an accelerated schedule.
G. System and Software Version Control Management
Richweb utilizes 2 different techniques to ensure that the servers are running authorized and consistent loads of software. The dpkg program is used to extract a list of all software packages loaded on each server. The dpkg listing is kept in a Subversion (svn) repository, which allows server builds to be tracked over time for changes as well as compared to each other. This lets Richweb easily check that servers are both up to date and consistent with each other.
Subversion (svn) is a software system that manages concurrent versioning (multiple readers and writers) for both software development and systems configuration management. Richweb uses svn to track and manage all versions of customer software, both released and in development. In addition, the engineering team uses text logs stored in Subversion to track server changes such as hardware updates, software updates, operating system tweaks, firewall ruleset changes, etc. This provides an audit trail of who changed what, when, and why.
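As an added illustration of the dpkg inventory comparison described in section G above (this is not Richweb's own tooling), the following POSIX shell script captures an inventory in the one-package-per-line format that `dpkg-query -W -f='${Package}\t${Version}\n'` emits, and reports drift between two such inventories: packages added, removed, or at a different version. The two inventories below are constructed sample data; the package names and version strings are illustrative only.

```shell
#!/bin/sh
# Added example, not Richweb's own tooling: compare two dpkg package inventories
# (one "package<TAB>version" per line) and report drift between them.
LC_ALL=C; export LC_ALL

# Capture the installed-package inventory of the local host in the format the
# comparison expects. Not invoked below, so the example runs on non-Debian hosts.
# (To drop removed-but-not-purged packages, add ${db:Status-Abbrev} to the
# format and keep only the "ii" lines before committing the list to svn.)
pkg_inventory() {
    dpkg-query -W -f='${Package}\t${Version}\n' | sort
}

# pkg_drift BASELINE CANDIDATE
# Prints one line per difference, sorted:
#   added   <pkg> <ver>             only in CANDIDATE
#   changed <pkg> <old> -> <new>    in both, different version
#   removed <pkg> <ver>             only in BASELINE
# Returns 0 (and prints nothing) when the inventories are identical, else 1.
pkg_drift() {
    report=$(awk -F'\t' '
        FNR == 1 { file++ }
        file == 1 { base[$1] = $2; next }          # BASELINE: remember versions
        {                                           # CANDIDATE: compare
            if ($1 in base) {
                if (base[$1] != $2) printf "changed %s %s -> %s\n", $1, base[$1], $2
                delete base[$1]
            } else {
                printf "added %s %s\n", $1, $2
            }
        }
        END { for (p in base) printf "removed %s %s\n", p, base[p] }
    ' "$1" "$2" | sort)
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# --- constructed sample inventories for two supposedly identical web servers ---
BASE=$(mktemp); CAND=$(mktemp)
trap 'rm -f "$BASE" "$CAND"' EXIT
printf '%s\t%s\n' \
    apache2          2.2.9-10+lenny4 \
    libssl0.9.8      0.9.8g-15+lenny6 \
    mysql-server-5.0 5.0.51a-24+lenny2 \
    openssh-server   1:5.1p1-5 \
    rsync            3.0.3-2 > "$BASE"
printf '%s\t%s\n' \
    apache2          2.2.9-10+lenny4 \
    libssl0.9.8      0.9.8g-15+lenny5 \
    mysql-server-5.0 5.0.51a-24+lenny2 \
    openssh-server   1:5.1p1-5 \
    telnetd          0.17-36 > "$CAND"

# The second host runs an older libssl, lost rsync, and grew a telnetd nobody approved.
if pkg_drift "$BASE" "$CAND"; then
    echo "inventories match"
else
    echo "drift detected: review the changes above against the svn history"
fi
```

Run from cron against the inventory committed to svn for each build, a non-zero exit is the signal that a server has diverged from its authorized load, whether through an unapproved install, a missing security update, or a package that was never supposed to be there.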