Your Security, Our Mission
A Holistic Approach
Let's start by defining two terms. We like to use the words perspective and prospective because they are often incorrectly interchanged yet they complement one another eloquently when analyzing security requirements.
Perspective is almost always a noun referring to a view, how something is viewed, or the appearance of objects in relation to one another, while prospective is an adjective describing something that is likely to happen or likely to become.
As part of our holistic security approach, our security perspective is defined almost exclusively by the prospective threats emerging both from within our control and from outside it. To anticipate these emerging threats, one must understand not only the technology that defines the network but also the behaviors, both electronic and human, that drive those threats.
We make it our business to understand these behaviors, profile normal behaviors and prepare ourselves for emerging threats by recognizing those behaviors that are abnormal, whether generated electronically or through human to human interaction.
State-sponsored attacks, corporate espionage, social engineering, internal threats (whether from customers or employees) and electronic threats from outside sources are equally relevant and must all be actively monitored. We must be diligent and remain engaged at all times.
Our information security disclosure philosophy is simple. We operate on a need to know basis and we don't answer specific questions regarding our security implementation. We firmly believe that what you know can hurt us.
In some cases we will divulge more information when required. We do, however, require clients requesting specific security-related information to sign a non-disclosure agreement (NDA).
Each of our employees has undergone a thorough background check, and a few have held secret or top secret security clearances at one time or another.
We hope you like our security philosophy. If you would like to discuss security with our CTO, just give us a ring. He loves it!
Our network intrusion security starts with a layer of DDoS protection. We provide our clients with basic protection from SYN flood attacks and other DDoS type attacks.
We then implement Cisco ASA firewall protection into our second layer. Our approach here is simple. We start by blocking all ports and then open only those ports that are necessary to provide our clients the ability to deliver the required application service(s) to their clients. We utilize scanning threat detection to monitor our network for port sweeps and network scans and take an aggressive approach to blocking individuals that violate our policies. Our philosophy is that if you behave like a hacker we will treat you accordingly.
We also have a very restrictive policy with regard to countries participating in state-sponsored cyber threats, attacks and intrusions, with particular respect to state-sponsored theft of intellectual property. Our policy is straightforward. These states may access DNS services, web browsing and email services but remain closely monitored. All other services are closed unless requested by our client for their specific servers and applications.
Our intrusion detection and intrusion prevention layers are inline with our firewall services and provide protection by inspecting packets that flow both in to and out from our network. We have a highly tuned set of specialized intrusion signatures designed to provide a highly customized secure environment for the web hosting industry. Many of our signatures are proprietary customized signatures designed to closely monitor intrusion attempts from both directions of our network.
Behind our IDS/IPS layer we have deployed a layer 3 access switching network that implements highly tuned ACLs designed to protect from within. We feel it is important to protect our clients not only from the outside but also from threats within.
The last layer of defense is customer specific. Should you choose to implement Windows or Linux firewall services we recommend consulting with our network engineering team in order to understand the needs and requirements of our support staff and monitoring systems.
Many of our clients have extended security requirements such as PCI (Payment Card Industry), HIPAA (Health Insurance Portability and Accountability Act) and Sarbanes-Oxley, and have asked questions such as "Are you PCI compliant?" or "Are you HIPAA certified?"
We would like to start by saying that it is a myth to believe that any web hosting company is PCI or HIPAA compliant. Compliance extends beyond the hosting company to the client. More specifically, your application and database must also meet the requirements specified by PCI, HIPAA or Sarbanes-Oxley. The hosting provider is only a piece of the bigger picture, which includes YOUR application, YOUR data and YOUR policies and procedures. For example, we can provide you with DDoS protection, a firewall, IDS/IPS, secure networking and a fully patched server with one-user-one-login requirements, but if your application has security holes or SQL injection points, or you use a single login for multiple employees to access your clients' credit cards or personal health information (PHI), you won't be in compliance.
Having cleared the air regarding hosting compliance, we can now honestly tell you that everything in our company, from equipment and personnel to policies and procedures has been designed and implemented with PCI, HIPAA and Sarbanes-Oxley in mind and we always meet or exceed the requirements necessary for our clients to pass PCI compliance, HIPAA compliance and Sarbanes-Oxley compliance.
Sure, often we need to apply a new patch, change a security setting or implement a new policy or procedure, but in the end, we always meet or exceed compliance and will continue to do so in the future.
You can rest assured that hosting your application and data with ASPwebhosting.com will result in compliance for your company.
Now that you have a better understanding of the requirements of compliance you can take comfort in knowing that ASPwebhosting.com works diligently to ensure that your company can meet or exceed the compliance requirements required for PCI, HIPAA and Sarbanes-Oxley.
Your compliance marks our compliance.
Your security is our mission.
A Deeper View
Maintaining a secure network infrastructure requires a fundamental understanding of networking along with a deep understanding about how clients utilize network resources.
We have 15 years' experience evaluating our clients' use of network resources in a hosted environment. Combined with our extensive knowledge of the OSI model and TCP/IP packet switching, and armed with a rich toolset of network protocol analyzers, our network engineers are well equipped to deal with the emerging threats of today and the future.
At the heart of our security is a full implementation of Cisco's NetFlow v9, combined with FlowTraq's Black Falcon Technology. These tools enable our network engineers to deal with emerging threats in real time, not just after they occur. In addition, we capture and store flow data for two years, providing a historical record of every event that occurred within our network.
What does this mean to you? If someone does happen to break into your application and steal or corrupt your data, whether it be a foreign threat or one of your own, we have a record of that transaction.
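The scanning threat detection described under the firewall layer and the retained flow records described here, as one added example that is not ASPwebhosting.com's or FlowTraq's code: a Python check over constructed NetFlow-style records (all addresses, ports and timestamps invented) that lists sources hitting ports a default-deny policy keeps closed, and flags port scans and network sweeps per source and time window. The CSV layout, allowed-port set, bucketing and thresholds are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed NetFlow-v9-style records, flattened to CSV for this example (not real
# FlowTraq output). Columns: first_seen,src_ip,dst_ip,dst_port,packets
SAMPLE_FLOWS = """\
2024-03-01T10:00:01,203.0.113.7,198.51.100.10,443,12
2024-03-01T10:00:03,203.0.113.9,198.51.100.10,22,1
2024-03-01T10:00:03,203.0.113.9,198.51.100.10,23,1
2024-03-01T10:00:04,203.0.113.9,198.51.100.10,445,1
2024-03-01T10:00:04,203.0.113.9,198.51.100.10,3389,1
2024-03-01T10:00:05,203.0.113.9,198.51.100.10,8080,1
2024-03-01T10:00:07,203.0.113.22,198.51.100.11,22,1
2024-03-01T10:00:07,203.0.113.22,198.51.100.12,22,1
2024-03-01T10:00:08,203.0.113.22,198.51.100.13,22,1
2024-03-01T10:00:08,203.0.113.22,198.51.100.14,22,1
2024-03-01T10:00:09,203.0.113.22,198.51.100.15,22,1
"""
ALLOWED_PORTS = {25, 53, 80, 443}  # assumed default-deny edge policy: every other port is closed

def parse_flows(text):
    """Turn the CSV export into dicts with typed fields."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, pkts = line.split(",")
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "dport": int(dport), "pkts": int(pkts)})
    return flows

def closed_port_sources(flows, allowed=ALLOWED_PORTS):
    """Sources that touched a port the perimeter policy does not open."""
    return sorted({f["src"] for f in flows if f["dport"] not in allowed})

def detect_scanners(flows, window_s=60, port_threshold=5, host_threshold=5):
    """Per source and window_s-second bucket, flag many distinct ports on one
    host (port scan) or one port across many hosts (network sweep)."""
    ports_per_host = defaultdict(set)  # (src, bucket, dst)   -> {dport}
    hosts_per_port = defaultdict(set)  # (src, bucket, dport) -> {dst}
    for f in flows:
        bucket = int(f["ts"].timestamp() // window_s)
        ports_per_host[(f["src"], bucket, f["dst"])].add(f["dport"])
        hosts_per_port[(f["src"], bucket, f["dport"])].add(f["dst"])
    findings = {}
    for (src, _, _), ports in ports_per_host.items():
        if len(ports) >= port_threshold:
            findings[src] = "port scan"
    for (src, _, _), hosts in hosts_per_port.items():
        if len(hosts) >= host_threshold:
            findings.setdefault(src, "network sweep")
    return findings
```

Because the findings are keyed by source and time bucket, the same functions can be run over a two-year archive of exported flows to reconstruct when a given source first showed scanning behavior.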