This document details the security mechanisms and processes that Exoprise has implemented in order to ensure and enforce the safety, protection and privacy of our customer data. The security measures that Exoprise have implemented span across the technology, operations, and legal aspects of protecting customer data and environments.
Data Center Security
CloudReady is physically hosted in the Amazon Web Services (AWS) cloud. AWS infrastructure and controls are subject to annual SAS-70 Type II audits and AWS information security management processes and controls have achieved ISO 27001 and PCI DSS Level 1 certification. More information about AWS security and controls can be found here.
Exoprise operations are maintained at the highest standard to ensure the integrity and security of our customers’ data. Some of the steps taken to achieve this include:
Legal Terms and Privacy
Protecting customer data goes beyond technology and processes, Exoprise offers the following assurances:
Exoprise Secure Shell
The Exoprise Secure Shell (ExoShell) was designed from the beginning to be a secure sandbox enabling customers to execute cloud automation that is delivered from secure.exoprise.com. The ExoShell is written in C++ leveraging the open-source based QT Library. Exoprise custom compiles and distributes private versions of the QT library to reduce the attack surface and component size of the libraries.
Exoprise Secure Service Shell
The Exoprise Secure Service Shell (ExoSvcShell ) was designed from the beginning to be a secure distributed service endpoint and sandbox enabling customers to execute cloud-based automation and monitoring tasks delivered from secure.exoprise.com. The ExoSvcShell is written in C++ leveraging the open-source based QT Library. Exoprise custom compiles and distributes private versions of the QT library to reduce the attack surface and component size of the libraries.
The ExoSvcShell can be installed in two different ways, interactively via the Secure Shell or by downloading the ExoSvcShell installer from secure.exoprise.com. Deploying the ExoSvcShell manually requires some planning and supplying various command line parameters.
ExoSvcShell requires a secure communication channel with secure.exoprise.com. However, since ExoSvcShell is designed to run unattended for long periods of time it can not authenticate based on user name and password. Instead, the ExoSvcShell authenticates with an instance ID and signed HTTP requests (similar to how many Internet APIs work from vendors like Amazon, Google, etc).
The ExoSvcShell can be deployed via Electronic Software Deployment (ESD) tools such as SCCM, Altiris or BigFix. From the CloudReady Monitor website a customer can download the separate code-signed installation executable for packaging and automated deployment. For additional information see the Bulk Deployment Guide.
Tasks that are delivered to the ExoSvcShell are regularly retrieved from CloudReady and are only kept in memory, never cached to disk, as an additional security protections. Tasks are periodically checked for updating. All task instructions and configuration are fetched via SSL and HMAC signed as previously detailed.
Digitally Signed Components
All Exoprise installer exes are digitally signed using code-signed certificates from Digicert. Additionally, the core executables, ExoShell and ExoSvcShell are digitally code-signed. For automation and monitoring tasks the ExoShell and ExoSvcShell download and cache service specific components. These components are written in Microsoft .NET, for Windows, and Mono for Linux. All sub-components that are downloaded and executed by the ExoSvcShell and ExoShell are digitally code-signed by Exoprise and validated to come from Exoprise before being executed.