Security: Safeguarding Your Data

An information security program is only as good as the support it has from the organization. The entire Infrascale team (executives and staff) is committed to ensuring customer data is secured properly.

• Leadership commitment
  At Infrascale, the information security program whereby the primary champions for Information security reside within the executive leadership team. Information security is directly aligned to strategic goals and objectives.
• Information Security Organization and Management
  Infrascale has a dedicated security team who provides direct oversight and management for information security within Infrascale.
• Risk Management
  Infrascale adheres to a dedicated process for identifying, tracking, and resolving risks that can affect the confidentiality, integrity, and availability of customer data.
• Human Resource controls
  • Background validation and competency – All staff who interact with the customer platform are screened through background check processes.
  • Onboarding and offboarding – The Infrascale HR team controls onboarding and offboarding processes which are directly tied to the company-wide access control process. This ensures only specifically-identified Infrascale staff members have access to production systems.
  • Security Awareness Training – All staff members are required to take annual security awareness & action training.

Infrascale deploys technical security controls to ensure your data is kept secure and out of harms reach.

• Physical and environmental security
  The Infrastructure that hosts Infrascale products is deployed within facilities that utilize industry standard physical controls and maintain redundant power/cooling. All facilities have CCTV (closed-circuit television), physical isolation, and badged/biometric access that protect Infrascale infrastructure. Access to Infrastructure is limited to datacenter personnel and Infrascale authorized personnel.
• Environment isolation
  Customer environments are completely logically and physically isolated from other infrastructure. Access to production environments is restricted to limited Infrascale personnel only through two factor authentication.
• Access Control
  Strict Access Control rules, that leverage the concept of least privilege, are applied to customer environments and support tools. Only the requisite staff may access and provide support – and only then with the least number of privileges required. Access enablement and removal follow dedicated processes that includes multi-level approvals, automated expiration, and periodic auditing.
• Encryption
  Customer data is transmitted securely through TLS encryption and backup data in our cloud is stored with AES-256 encryption.
• Employee endpoint protection
  Infrascale staff accessing customer infrastructure may only do so through Infrascale-owned computing assets. These computing assets may only make secure connections to customer environments, as enforced by endpoint management software. Enforced controls include encryption, centralized malware detection, software updates/patching, and other related controls.
• Endpoint protection
  Malware and vulnerability detection agents are deployed to production servers.
• Network security
  Firewalls are deployed on the perimeter of customer environments. Customer data is isolated behind dedicated VLANS (virtual local area networks) and pass through secure firewalls.

The processes that surround the management of infrastructure are just as important as how data is technically protected. Thus, Infrascale has implemented the requisite operational processes to control risks from entering customer environments.

• Vulnerability management
  Infrascale maintains a dedicated vulnerability management process. Through this process, infrastructure is continually scanned for new vulnerabilities using specialized vulnerability analysis tools. Vulnerabilities are remediated promptly.
• Penetration testing
  Annual third-party penetration testing is conducted on the Infrascale customer infrastructure. Through this process a thorough analysis and report is produced for all aspects of customer infrastructure; plans are constructed and executed to address critical vulnerabilities – even those that may not be detected through automated tools.
• Media handling
  Secure erasure and disposal – All physical assets containing customer data have a life cycle. When an asset from a customer environment is recycled or deprecated, secure processes ensure customer data is removed safely from storage using industry standard wiping protocols.
• Change Management
  Changes can introduce risk to infrastructure. Infrascale provides a dedicated process for ensuring changes do not cause any unnecessary impact to customers and that the security resiliency of Infrascale infrastructure is maintained. The Infrascale Change Process includes multi-level approvals and a cross-functional change board consisting of: information security and compliance, engineering, product, operations, and customer support functions.
• Business continuity, disaster recovery and backups
  A dedicated business continuity process is maintained and regularly updated. Through it, Infrascale consistently monitors its own disaster recovery plans and validate that backup processes are sufficiently able to restore critical customer infrastructure. The security and compliance team conducts annual business continuity exercises and validate backups and restore processes quarterly.
• Logging and monitoring
  Customer infrastructure, operating systems, applications and supporting systems are logged and monitored. Automated alarms and ticketing are in place for identifying critical issues that might affect confidentiality, availability, or integrity of customer environments. Dedicated teams monitor these tickets 24×7.
• Secure engineering, product development and project management lifecycles
  Infrascale engineering and operations teams follow strong security practices when implementing new products, product updates, and new infrastructure architecture for customers. At the code development level, we apply OWASP (Open Web Application Security Project) principles in the product architecture and code development. Code development processes are integrated directly into automated vulnerability scanning tools where vulnerabilities are identified and rectified prior to implementation to customer environments. Through implementation of new products and new architecture, the security team is directly involved in the full lifecycle at all stages of development to ensure the Infrascale platform remains secure.
• Supplier relationship management
  Supporting a large customer platform requires many internal solutions. Infrascale prescribes and requires a dedicated process to validate the security and integrity of all suppliers and subprocesses required to deliver a world-class platform.