Strategic Benefits Advisors, Inc. (SBA) takes security associated with client data extremely seriously and has developed and implemented world-class technology and processes to ensure unsurpassed protection. We have installed technology that prevents the downloading of any data to laptops, workstations or any other device. Our goal is to lead the industry in the protection of sensitive information.
SBA’s network infrastructure consists of three major components – the headquarters, remote users, and data center. Each component works together to ensure maximum security as well as usability for the users of the SBA network. Every user has a laptop running Windows 7 Professional and most users travel between multiple locations.
Headquarters for SBA consists of a 20 mb fiber circuit to the Internet with the internal network being protected behind a SonicWALL TZ215 that runs a Comprehensive Gateway Security Suite. This firewall provides NAT functionality, stateful packet inspection, deep packet inspection, anti-spyware functionality, anti-virus functionality, intrusion protection, content filtering and application intelligence and control services. No users have access to the management console for the local SonicWall. All unsolicited inbound traffic to the office is blocked by the SonicWall. All updates, ongoing subscriptions and equipment warranties are managed by SBA’s representatives.
Wireless services within SBA’s office are provided using 256-bit WPA2 encryption standards along with strong passwords. There are separate wireless networks for internal users and guests. The guest network is isolated from anything other than connectivity to the Internet.
All networking equipment at headquarters is secured in a separate room, using restricted card access, within the SBA facility and none is shared with other tenants in the building. SBA’s office is also secured using keycard access for authorized personnel only.
Each workstation is kept up-to-date on Windows Critical Updates via a management agent. All workstations are additionally protected by an antivirus agent on each machine; McAfee Security as a Service endpoint protection. This software is centrally managed from the McAfee cloud platform and does not allow for end-users to circumvent or turn-off the subscription.
A persistent site-to-site IPSEC VPN tunnel using 256 bit AES encryption algorithm is maintained between SonicWalls at the office and the data center for access to servers and data contained within. No company/client information, cached email, or other sensitive information can be stored on any laptops/workstations. In addition, the network is configured to completely prevent any downloading of any information from the data center to any laptop or workstation. No SBA computer outside of the data center can ever have any client data stored on it.
Users access all data through a terminal services session to the terminal server, which will be explained in further detail in the data center section. Direct mapping of drives to the servers is not permitted and all data must be accessed through the terminal services session.
Remote users consist of any users that normally work outside of the headquarters office or any users that work outside of the office on occasion, such as from home or from a client site. Remote users connect using an SSL VPN encryption algorithm to the data center using the SonicWall SSL VPN client. Establishing this connection requires the VPN settings for the connection and a valid user account with VPN permissions. VPN user authentication is handled via LDAP authentication to allow for a single source of user account information.
Once a user has successfully established a VPN connection, the user then has the ability to establish a terminal services session to the terminal server as discussed above in the headquarters section.
In addition to VPN/Terminal Services connectivity, remote users also have the option to access email via an encrypted SSL Outlook Web Access webmail session. This requires that the user has been granted the right to use Outlook Web Access and can successfully authenticate to the server using their Windows credentials.
The data center is a world-class facility featuring state-of-the-art layered physical security including: single point of entry, coded key cards, biometric fingerprint readers, onsite security personnel 24x7x365 and comprehensive surveillance camera coverage. The SBA servers are located within the main facility of the data center in a locked cabinet to which only SBA’s representative have access.
The hosting environment is temperature-controlled and provides backed up, redundant power sources. The environment also features redundant internet connections. Each server features redundant power supplies, redundant network connections, and redundant disk storage.
The SBA network segment at the data center is protected by a SonicWALL TZ400 firewall which provides provides NAT functionality, stateful packet inspection, deep packet inspection, anti-spyware functionality, anti-virus functionality, intrusion protection, content filtering and application intelligence and control services. This device is the endpoint for the Headquarters VPN connection as well as the endpoint for all Remote User VPN connections. Only VPN connections, inbound e-mail, and webmail requests are allowed to pass through the firewall unsolicited. The SBA equipment is located on a dedicated VPN with no other client access.
All of the servers used by SBA are either Microsoft Windows Server 2012 or 2008 R2 and are virtualized using the VMWare ESXi platform. Redundant physical host servers also leverage VMWare Vmotion technologies to ensure that uptime and redundancy is maximized. The system is setup as a Windows Active Directory domain with all servers and user workstations as members. All users use domain accounts and no users are granted access above “standard user.”
An EMC VNXe3150 Storage Attached Network (SAN) with RAID-5 redundancy is used as primary storage for all user data and all e-mail. Exchange 2013 provides secure email and stores all mail in the information store located on the SAN. While calendar and contacts sharing is allowed between users on an opt-in basis, all e-mail boxes are accessible only to the owning user.
Each user has a dedicated folder on the SAN which is accessible only from the terminal server for all data. This is the only permitted storage location for user data. NTFS Permissions are used to ensure that each user has access only to his or her directory and no user is permitted access to any other user’s directory.
Backups of all user data, VM’s, server images and e-mail are performed to a dedicated backup server that resides in the same data center along with the production environment equipment in the locked cabinet. Offsite backup of data is electronically transmitted using a dedicated VPN connection and 256 bit encryption standards to a dedicated server that belongs to SBA and resides in a secure secondary data facility in another state. Backups are performed nightly. The environment that the offsite backup server resides in is the same as the primary data center in terms of security, accessibility and redundancy.
User accounts are managed via Active Directory. Password policies are enforced and require users to adhere to Windows password complexity guidelines as well as a minimum length of 7 characters. Thirty day password changes are also enforced. All servers, firewalls, connectivity and network equipment are monitored by SBA representatives, which includes firewall logs, event logs, performance data, and other vital metrics.
All servers are kept up to date on critical Windows vulnerabilities via automatic and monitored patching mechanisms.
Additional Security Measures
All of SBA’s stringent security technology is completely supported by security policies and procedures that are detailed in our employee manual. Employees are trained on all security procedures on their first day of employment and receive scheduled refresher training ongoing. Employees are clear that deviation from our stated security policies is grounds for immediate termination. We perform thorough background checks on all new employees.
Physical security at headquarters starts with card reader access and monitored security systems but continues to strict policies of keeping all client files securely locked in cabinets at all times when not in use. As stated above, no electronic client data is ever stored at headquarters or any other location other than the secured data center.
Recently, a Fortune 100 client sent in their security audit team to thoroughly access all areas of data security at SBA. The exhaustive process spanned two complete days and covered hundreds of audit points. In the end, SBA scored higher than any of the client’s facilities world-wide.