Exoprise CloudReady® Help

CloudReady Security Overview

Article ID: 41
Last updated: 12 May, 2015

This document details the security mechanisms and processes that Exoprise has implemented to ensure and enforce the safety, protection and privacy of customer data. These measures span the technology, operations, and legal aspects of protecting customer data and environments.


Data Center Security

CloudReady is physically hosted in the Amazon Web Services (AWS) cloud. AWS infrastructure and controls are subject to annual SAS-70 Type II audits and AWS information security management processes and controls have achieved ISO 27001 and PCI DSS Level 1 certification. More information about AWS security and controls can be found here.

Exoprise is located in Waltham, MA and all of our co-locations currently reside in the United States. To support our growing list of international clients, Exoprise plans to expand to other international data center regions and is actively investigating the use of content distribution networks (CloudFront) for the distribution of some CloudReady digital components.

Internal Controls

Exoprise operations are maintained at the highest standard to ensure the integrity and security of our customers’ data. Some of the steps taken to achieve this include:

  • Least privileged access and separation of duties - Only designated, named operational staff members are authorized to access protection systems
  • Security scans and penetration testing are performed on a scheduled basis
  • Change and configuration management
  • Access controls and maintenance
  • All employees have signed legal documents that explicitly address the need for security, privacy, and compliance
  • 2-factor authentication to prevent access by external people should an account be compromised

Legal Terms and Privacy

Protecting customer data goes beyond technology and processes. Exoprise offers the following assurances:

Exoprise Secure Shell

The Exoprise Secure Shell (ExoShell) was designed from the beginning to be a secure sandbox enabling customers to execute cloud automation that is delivered from secure.exoprise.com. The ExoShell is written in C++ and leverages the open-source Qt library. Exoprise custom-compiles and distributes private builds of the Qt library to reduce the attack surface and component size of the libraries.

All interaction between the ExoShell and secure.exoprise.com is executed over 256-bit encrypted channels (SSL). The ExoShell is explicitly restricted to interacting only with *.exoprise.com sites. The privileged sandbox is only enabled when the ExoShell communicates via SSL to secure.exoprise.com. It is impossible to inject a man-in-the-middle attack between secure.exoprise.com and the ExoShell.

The ExoShell is utilized for end-user interaction, deployment and automation. Occasionally, when accomplishing systems management tasks that require credentials from a user, the credential information is encrypted using Microsoft Windows DPAPI which binds the encrypted values to the machine on which the ExoShell is deployed.

The ExoShell installer and components that the ExoShell retrieves from secure.exoprise.com are digitally signed with code signing certificates from Digicert. The SSL certificates utilized to communicate with secure.exoprise.com are SHA-2/SHA-1 2048-bit SSL certificates providing continuous 256-bit encrypted communication. The SSL certificates are also from Digicert.

Exoprise Secure Service Shell

The Exoprise Secure Service Shell (ExoSvcShell) was designed from the beginning to be a secure distributed service endpoint and sandbox enabling customers to execute cloud-based automation and monitoring tasks delivered from secure.exoprise.com. The ExoSvcShell is written in C++ and leverages the open-source Qt library. Exoprise custom-compiles and distributes private builds of the Qt library to reduce the attack surface and component size of the libraries.

As with the ExoShell, all interaction between the ExoSvcShell and secure.exoprise.com is executed over 256-bit encrypted channels (SSL). The ExoSvcShell is explicitly restricted to interacting only with *.exoprise.com sites. The privileged sandbox is only enabled when the ExoSvcShell communicates via SSL to secure.exoprise.com. It is impossible to inject a man-in-the-middle attack between secure.exoprise.com and the ExoSvcShell.
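The host restriction described for both the ExoShell and the ExoSvcShell (talk only to *.exoprise.com, and enable the privileged sandbox only for secure.exoprise.com over SSL) is the kind of check that is easy to get subtly wrong. The following is an added illustration written for this page, not Exoprise code, and the function names and exact policy (HTTPS only, apex domain accepted, dot-boundary suffix match) are assumptions. It shows why a plain suffix comparison is not enough and why the parsed hostname, not the raw URL string, must be checked.

```python
"""Added example (not Exoprise code): endpoint allow-listing for a client that
may only talk to *.exoprise.com over HTTPS. Policy details are assumptions."""
from urllib.parse import urlsplit

ALLOWED_SUFFIX = "exoprise.com"          # the article's *.exoprise.com rule
PRIVILEGED_HOST = "secure.exoprise.com"  # host that enables the privileged sandbox


def _hostname(url: str) -> str:
    """Parsed, lower-cased hostname with any trailing dot removed.
    Using the parsed hostname (not a substring search over the URL) means
    'https://secure.exoprise.com@other.example/' resolves to 'other.example'."""
    parts = urlsplit(url)
    return (parts.hostname or "").rstrip(".").lower()


def is_allowed_endpoint(url: str) -> bool:
    """True only for https:// URLs whose host is exoprise.com or a subdomain of it.
    The '.' + suffix check enforces a label boundary, so 'notexoprise.com' and
    'exoprise.com.other.example' are both rejected."""
    if urlsplit(url).scheme.lower() != "https":
        return False
    host = _hostname(url)
    return host == ALLOWED_SUFFIX or host.endswith("." + ALLOWED_SUFFIX)


def is_privileged_endpoint(url: str) -> bool:
    """Privileged sandbox gate: exact host match over HTTPS, no wildcard."""
    return urlsplit(url).scheme.lower() == "https" and _hostname(url) == PRIVILEGED_HOST


def classify(url: str) -> str:
    """Convenience summary used by a caller deciding how to treat a task URL."""
    if is_privileged_endpoint(url):
        return "privileged"
    if is_allowed_endpoint(url):
        return "allowed"
    return "blocked"


if __name__ == "__main__":
    # Constructed sample URLs, including the classic bypass shapes.
    for u in [
        "https://secure.exoprise.com/api/tasks",
        "http://secure.exoprise.com/api/tasks",
        "https://exoprise.com/",
        "https://download.exoprise.com:443/setup.exe",
        "https://notexoprise.com/",
        "https://exoprise.com.other.example/",
        "https://secure.exoprise.com@other.example/",
    ]:
        print(f"{classify(u):10s} {u}")
```

The two checks are deliberately separate: the broad allow-list is a wildcard suffix match, while the sandbox gate is an exact-host comparison, mirroring the article's distinction between "*.exoprise.com sites" and the single host that unlocks privileged behaviour.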

Deployment

The ExoSvcShell can be installed in two different ways, interactively via the Secure Shell or by downloading the ExoSvcShell installer from secure.exoprise.com. Deploying the ExoSvcShell manually requires some planning and supplying various command line parameters.

The ExoSvcShell installer is digitally signed with an Exoprise code signing certificate. The initial installation securely binds the ExoSvcShell to secure.exoprise.com using unique public/private key-pairs.

Binding

ExoSvcShell requires a secure communication channel with secure.exoprise.com. However, since ExoSvcShell is designed to run unattended for long periods of time, it cannot authenticate with a user name and password. Instead, the ExoSvcShell authenticates with an instance ID and signed HTTP requests (similar to how many Internet APIs from vendors like Amazon, Google, etc. work).

During ExoSvcShell installation, CloudReady generates an instance ID and instance key. Both the ID and key are stored on the client computer and encrypted with DPAPI. The use of DPAPI in this scenario locks the keys to the machine and service account where the ExoSvcShell is installed. This prevents the ExoSvcShell from being moved to another machine (spoofing prevention).

When ExoSvcShell requests data from secure.exoprise.com, it generates a Hash-Based Message Authentication Code (HMAC) signature of the HTTPS packet, signed with the instance key. The HMAC is validated by ExoSvcShell for every message and instruction received. When data is pushed to CloudReady, the data is encrypted via 256-bit encryption (SSL) and the message authenticity and integrity are validated by the CloudReady servers.
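To make the Binding section concrete, here is an added model of an instance-ID plus HMAC request-signing scheme, written for this page and not taken from Exoprise's implementation. The article does not say what exactly is covered by the signature or which hash is used, so the canonical string (method, path, timestamp, body hash), the header names, SHA-256 and the replay window are all assumptions for illustration. The server-side verifier rejects an unknown instance ID, a stale timestamp, a tampered body and a forged signature, and compares MACs in constant time.

```python
"""Added example (not Exoprise code): instance-ID + HMAC request signing and
verification. Canonical format, header names, SHA-256 and the 300 s replay
window are illustrative assumptions, not details from the article."""
import hashlib
import hmac
import secrets
import time

# Constructed stand-in for the server's store of instance_id -> instance_key,
# populated at install time (on the client the key would be DPAPI-protected).
SERVER_KEYS = {}


def register_instance():
    """Install-time step: mint a random instance ID and a 256-bit instance key."""
    instance_id = secrets.token_hex(8)
    instance_key = secrets.token_bytes(32)
    SERVER_KEYS[instance_id] = instance_key
    return instance_id, instance_key


def canonical_string(method, path, timestamp, body):
    """What both sides sign (assumed layout). Hashing the body keeps the
    canonical string short while still binding the full payload."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{timestamp}\n{body_hash}".encode()


def sign_request(instance_id, instance_key, method, path, body, timestamp=None):
    """Client side: produce the headers that accompany one HTTPS request."""
    ts = int(time.time()) if timestamp is None else int(timestamp)
    mac = hmac.new(instance_key, canonical_string(method, path, ts, body),
                   hashlib.sha256).hexdigest()
    return {"X-Instance-Id": instance_id, "X-Timestamp": str(ts), "X-Signature": mac}


def verify_request(headers, method, path, body, now=None, max_skew=300):
    """Server side: True only if the instance is known, the timestamp is within
    the replay window, and the MAC matches. All failures return False rather
    than raising, so a caller cannot distinguish them from the outside."""
    key = SERVER_KEYS.get(headers.get("X-Instance-Id"))
    if key is None:
        return False
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False
    current = int(time.time()) if now is None else int(now)
    if abs(current - ts) > max_skew:
        return False
    expected = hmac.new(key, canonical_string(method, path, ts, body),
                        hashlib.sha256).hexdigest()
    # compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(expected, headers.get("X-Signature", ""))


def demo():
    """Run the good path and three failure modes; returns their outcomes."""
    iid, key = register_instance()
    body = b'{"sensor":"mail-probe","status":"ok"}'   # constructed payload
    hdrs = sign_request(iid, key, "POST", "/api/results", body, timestamp=1_700_000_000)
    good = verify_request(hdrs, "POST", "/api/results", body, now=1_700_000_010)
    tampered = verify_request(hdrs, "POST", "/api/results", body + b" ", now=1_700_000_010)
    replayed = verify_request(hdrs, "POST", "/api/results", body, now=1_700_000_000 + 3600)
    forged = verify_request({**hdrs, "X-Signature": "00" * 32}, "POST",
                            "/api/results", body, now=1_700_000_010)
    return good, tampered, replayed, forged


if __name__ == "__main__":
    print(demo())
```

Note that the timestamp is part of the signed string, so an attacker cannot move a captured signature to a later time window; and because the key never leaves the instance, a request from a host that did not go through installation cannot produce a valid MAC at all.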

Automated Installation

The ExoSvcShell can be deployed via Electronic Software Deployment (ESD) tools such as SCCM, Altiris or BigFix. From the CloudReady Monitor website a customer can download the separate code-signed installation executable for packaging and automated deployment. For additional information see the Bulk Deployment Guide.

Monitoring Tasks

Tasks that are delivered to the ExoSvcShell are regularly retrieved from CloudReady and are only kept in memory, never cached to disk, as an additional security protection. Tasks are periodically checked for updates. All task instructions and configuration are fetched via SSL and HMAC-signed as previously detailed.

Digitally Signed Components

All Exoprise installer executables are digitally signed using code signing certificates from Digicert. Additionally, the core executables, ExoShell and ExoSvcShell, are digitally code-signed. For automation and monitoring tasks the ExoShell and ExoSvcShell download and cache service-specific components. These components are written in Microsoft .NET for Windows and Mono for Linux. All sub-components that are downloaded and executed by the ExoSvcShell and ExoShell are digitally code-signed by Exoprise and validated to come from Exoprise before being executed.
