Near-Time provides a secure environment for thousands of organizations to host their collaborative spaces. Near-Time utilizes a security in depth approach through out the system as pictured below: Physical SecurityOur primary production equipment is located in a data-center in Charlotte, NC. The facility has 24-hour site security. Staff access is controlled via biometric fingerprint identification systems. Our servers are locked in a dedicated cage accessible only to authorized individuals. Our fail-over site is similarly configured at a second, geographically disperse location. Operating System SecurityRemote user access to our servers is strictly limited. SSH DSA certificates are required for all users. User accounts do not have root privileges and extensive task automation eliminates the need for explicit privileged operations in almost all cases. Near-Time utilizes Tripwire, a Host Intrusion Detection System (HIDS) to monitor the servers continuously for potential intrusion by an unauthorized entity. Near-Time servers run Gentoo Linux, a high-performance variant of this popular Unix-based OS. OS patches are aggressively evaluated and deployed to ensure the most up-to-date software stack. Network SecurityThe network perimeter is protected by redundant NetScreen firewalls. Servers are individually hardened to restrict ports and services to only those necessary to fulfill their role in the cluster. This reduces attack vectors and exploit opportunities. Snort, a Network Intrusion Detection System (NIDS) continuously monitors network traffic to detect suspicious or unauthorized network access to the systems. Database SecurityNear-Time customer data is stored in a MySQL database cluster. Access to the database is restricted to root and to the application’s user account only. End-user passwords are stored via the industry leading BCrypt "one-way" hashing algorithm and are nonrecoverable. Credit cards and other sensitive financial information are stored using 1024-bit RSA encryption. SQL injection attacks are mitigated through the use of an object-relational mapping layer which pre-processes each request to ensure proper escaping. “Naked” SQL is not used in the system. Application SecurityNear-Time is implemented using Ruby on Rails. This modern environment is one of the fastest growing platforms on the web and has been a key enabler to this next generation of web applications. Our industry leading application security model prevents one Near-Time.net customer from accessing another's data. Automated testing leverages application language features to detect and report any attempt by application logic to access data outside of the appropriate scope (e.g. within a space, for a user). This security model is reapplied with every request and enforced for the entire duration of a user session at the model, view and controller levels. Advanced plans include a roles based permissions model which provides granular access control for each user. Automated integration testing suites validate security controls with every build of the system during development and deployment. Individual spaces can be configured to require the use of secure protocols such as https to prevent access while in transit. The Rails framework ships with countermeasures to mitigate the risk of cross-site scripting (XSS) vulnerabilities. Near-Time aggressively leverages these capabilities and also implements a whitelisting approach to securing user-supplied javascript at the content level. All invalid http requests are logged and investigated by a support engineer. User SecurityUsers can access Near-Time.net only with a valid username and password combination, which is encrypted via SSL while in transmission. An encrypted session ID cookie is used to uniquely identify each user. Passwords must be at least 6 characters long and are encrypted prior to being stored. Failed login attempts are logged and investigated. A manager of a space has the ability to review all the activities of a member in that space. A manager may also remove a member from a space at any time. Roles-based permissions in advanced plans also enable managers to adjust the interaction level for each member individually. Spaces may be kept private to its members or portions may be made available to the public. Managers may also elect to allow public users to post comments. CAPTCHA, blacklisting and IP logging minimize the chances of ‘spam’ comments. Managers control the invitation process for each space. Invitations are by special code, which can be changed at any time. Individual invitations can be issued with a limited window of validity (2 weeks) before being automatically revoked. Space owners can assign management controls to other space members. Reliability While our security features ensure that only authorized individuals have access to your content, our reliability features ensure that that access is assured through time. ReliabilityWhile our security features ensure that only authorized individuals have access to your content, our reliability features ensure that that access is assured through time. RedundancyNear-Time leverages redundancy throughout its service. Our servers are powered by redundant power sources backed by a generator and UPSs. Network connectivity is BackupNear-Time provides real-time replication and synchronization of all customer content via a private OC-3 connection between our primary and secondary sites. In addition, nightly and weekly backups are stored off-site. Managers of spaces can also leverage application features to implement their own back up strategies if desired. Spaces may be serialized as XML at any time. MonitoringNear-Time’s hardware and software stack are continuously monitored. On-site monitoring occurs at the Network Operations Center at both our primary and secondary locations. Additional layers of monitoring track the health of each system component, both hardware and software. In the event of an impending failure (or an actual one), our operations staff receive email, IM and voice notifications immediately. RecoveryRecovery procedures are exercised monthly for selected scenarios to ensure the accuracy and completeness of the procedures. AvailabilityUptimeNear-Time understands the importance of ensure continuous access to important data. Historically we have delivered better than 99% uptime for our application. SupportUpdatesAs a hosted application, Near-Time is able to deliver incremental improvements that benefit our customers without any work on their part. In order to minimize disruption, we use a standard maintenance window of 1am (EST) Wednesday mornings. These windows typically last 10 minutes. A reminder notice is sent via an online alert 1 hour before to further minimize impacts. We maintain an online record of recent improvements that is accessible to customers in our advanced plans at http://public.near-time.net/wiki/category/news. Issue ResolutionWe offer phone and email support during regular business hours: 8:30 - 8:30 pm (EST). Response time is same business day. Advanced plans offer 7-days-week coverage with quicker response times and guaranteed priority issue queuing.
|