Security
CrownPeak’s process follows secure software development best practices, which include formal design reviews by our internal CrownPeak security team, threat modeling, completion of risk assessment, and static code analysis as well as recurring penetration testing by carefully selected experts. Our security risk assessment reviews begin during the design phase, and last through post-launch.
Security Monitoring (All Application Data Centers)
Across the AWS Networks, CrownPeak uses a host-based intrusion detection system with a separate monitor and notification server to monitor the network traffic. Signatures are automatically updated during the day. Notifications are send for Priority 1 triggers with manual verification on the firewall/sensor to determine if the alert is a false positive or not.
Back to top
Security Escalation Policy & Procedure
The CrownPeak security or application administrator determines if an attack has occurred or is occurring and may deny IP Addresses, disable user accounts, communication tunnels or databases to limit the extent of the attack. The administrator will then notify the CrownPeak support team. A support team member will then contact the customer representative and alert them of the attack and any reduced functionality implemented to limit the extent of the attack. Once the attack has been defended against or resolved, any disabling of functionality is enabled again to resume normal operations.
Back to top
Application Security for Supporting OS & Core Applications
With regard to data center core application and OS security, the CrownPeak Cloud CMS and associated infrastructure utilizes the IIS 7 Web server with a custom ISAPI module that provides security instead of IIS. This module provides for its own security policy with a “deny access unless otherwise authorized” policy. The authorization information is stored within the file system and database. The database used is Microsoft SQL Server 2008. Each account has its own separate database within MSSQL with an auto-generated password that is different for each database. Database access is only allowed from the specific IIS machine.
The application uses C# .Net DLL objects for networking and information processing, JavaScript client-side GUI controls, and VBScript classes for some of the core application logic. The template programming syntax will be switched to C# .Net, starting in Q2 2011. The VBScript classes are being refactored in C# .Net rapidly as part of the routine code update process.
For the content delivery, system installation is implemented using hardened, patched OS versions, and system patching using WSUS is configured to provide ongoing protection from exploits. All CrownPeak employees are trained on documented information security and privacy procedures. Consultation is provided on outfitting architecture against the customer’s standards or concerns for security. This can include architectural build out recommendations with multiple networks for application/database isolation, and geographic security designs (site to site vpn, etc.). These services can also include the addition and maintenance of colocation devices within the Rackspace managed hosted network such as SMTP firewalls, XML or Application firewalls, etc.
A customer's 3rd party vendors can be isolated into web directories upon request and password expiration policies are available. SFTP account info is sent to the customer in two emails or can be given over the phone. For Linux machines, SFTP is locked down so that console access cannot be obtained. CrownPeak can also provide further OS hardening against non-standard or 3rd party web service add-ons. An example is periodic audits of web directories to verify security of the file structure and web.config or to ensure .htaccess implementations are within secure bounds. SMTP relays are locked down to just the local IP.
For a more detailed set of CMS and OMM software related security functions, please contact us to review our Security Policies and Procedures document.
Back to top
Network Security
All CrownPeak applications are established as a multi-tenant environment with appropriate security precautions between customers. Alternate architecture implementations are possible but incur additional costs.
CrownPeak uses remote KVM via IP over VPNs for maintenance of the software. CrownPeak provides numerous secure protocol communications from the software applications to the remote hosting locations such as SSL and SFTP.
For CrownPeak's own Cloud CMS, the company uses Windows 2008 Data center Edition as the supporting operating system. All un-needed services are disabled. Patches are applied on a daily basis if relevant. All relevant OS patches and upgrades are applied on test machines, and then rolled out to production boxes. The security administrator monitors multiple security news groups and the SANS diary for any late breaking news concerning security flaws that may apply to CrownPeak.
Ossec is run on the servers which will alert CrownPeak IT staff on any changes to the OS. The firewalls run PF to control access to the servers.
Nagios, OpenNMS and cfengine are used to monitor hosts for integrity and availability. Users can create their own CMS Passwords with restrictions.
CrownPeak configures the SFTP access for secure transport in publishing. Crownpeak will manage the firewall beyond the initial set up by opening only the ports necessary for the customer's web facing applications (Port 80 or Port 443), and only to customer requested IP addresses. Any requests for 3rd party access need to be approved by the customer. A periodic report of rules can be sent to the customer for review with further requests being made to add or removed access. The RDP and SSH access is limited to CrownPeak only for management.
Back to top
