Skytap Security and Compliance
Skytap Cloud delivers a secure, scalable cloud-computing platform for customers who develop, test, train, and demo applications across a wide variety of systems and architectures. To provide end-to-end security and privacy, Skytap builds and operates services in accordance with known security best practices, provides security features in those services, and provides comprehensive documentation. Skytap customers use these features and best practices to architect a secure environment for their applications.
The information provided below assists customers in understanding the security measures in place, and how Skytap uses independent auditors to validate those measures. This page contains the following information:
- > Physical security
- > Application security
- > Operational security
- > Penetration and vulnerability testing
- > Standards and validations
All Skytap Cloud infrastructure components are installed and managed in SSAE 16 Type II compliant data center facilities, operated by an industry-leading managed services provider. Some key aspects of physical security include:
- Access to data centers is limited to identified Skytap data center technicians
- Biometric scanning is used for controlled data center access
- Security cameras monitor all data center facilities at all times
- 24x7 on-site staff protects against unauthorized data center access
- Unmarked data center facilities maintain a low profile
- Physical security is audited by an independent firm
Skytap Cloud access security
Skytap Cloud employs industry-standard 256bit SSL (Secure Sockets Layer) to provide secure communications over the Internet. All Skytap Cloud operations, including accessing the Skytap Cloud web application; accessing Virtual Machine consoles using Skytap SmartClient or Remote Access; and uploading (or downloading) files to (or from) Skytap Cloud, are encrypted using HTTPS. Import and export of virtual machine images uses SFTP (Secure File Transfer Protocol), though FTP transfer is supported as well. Authentication and authorization to access Skytap Cloud is controlled at all points of user contact:
- Web Authentication
Skytap users can log in to the Skytap Cloud web application using their login name and password. Authentication data is transmitted over an encrypted SSL channel via HTTPS.
Skytap Cloud provides role-based access control for user account privileges (e.g. administrator accounts, standard user accounts). Customers assign roles to control the level of access provided to the users within their account. Customers can also customize password management policies (e.g., set minimum password length, set password expiry interval) to meet their own needs.
Customers can also leverage the Skytap Cloud OpenID integration and administer their user accounts through a third-party OpenID provider, such as Google or Yahoo.
- IP-Based Access Controls
Access to the Skytap Cloud web application can be further secured by setting policies that restrict login to predefined source IP addresses. With IP access policies defined, users must both authenticate successfully and originate from an authorized IP address. For example, IP access can be limited to a range of addresses allocated to a customer’s corporate network.
- Single-Use Token Authentication
Skytap Cloud provides an additional, optional access security mechanism that allows user logins only from machines that have been authorized for use in Skytap Cloud. When a user tries to log in to Skytap Cloud from an unauthorized machine, access is denied. This feature is implemented by providing a one-time validation code through a channel other than the browser, which results in a secure browser token.
- Authenticated Email
- All Skytap users are required to have a valid email address for notification purposes. The system ensures that users have a valid email address from the point of account creation through any changes that are made to the user’s profile.
Virtual data center security
- Internal network access controls
Each virtual network is isolated from all other virtual networks within Skytap Cloud. Users can enable automatic routing between networks within a single Configuration, or between networks within different Configurations in the customer’s own account. Networks within different customer accounts cannot be connected.
- Outbound internet access controls
Virtual machines access the Internet through a default gateway provided on each network. Internal private addresses are mapped to a public Skytap address using IP masquerading (NAT).
Skytap users have the ability to disable outbound access at any time.
- Inbound internet access controls: port forwarding
Networks within Skytap Cloud are generally not visible or accessible from the Internet, but customers can selectively allow inbound Internet access for specific network services (e.g., HTTP). Network rules in Skytap Cloud permit incoming packets from the Internet on specific ports to reach the virtual machine; all other ports remain blocked.
- Inbound internet access control: public IP addressing
Customers can also acquire a Public IP address from Skytap and attach the address to individual virtual machines. This allows customers to open all ports for both inbound and outbound Internet access without port mapping.
- Internal firewall with Port forwarding or public IP addressing
Customers can customize their network security posture by deploying and configuring their own virtual network appliances with port forwarding or attached Public IP addresses.
For example, a customer can provision a virtual firewall appliance with complex port forwarding and ACL rules on traffic destined to and from other virtual machines within the network.
- IPsec virtual private network (VPN)
Customers can connect their Skytap Cloud networks to external networks through IPsec based VPN tunnels.
For example, Skytap networks can be securely connected to a corporate network through a tunnel. With such a tunnel, all traffic to and from the customer’s virtual network in Skytap Cloud will flow through the secure tunnel to the customer’s in-house network where the traffic can be subject to internal IT network policies. Customers have full self-service control over the IPSec VPN parameters in Skytap Cloud, including the protocols, shared key, and network policies. Skytap Cloud provisions an independent IPSec VPN gateway for each customer.
Figure 2 below illustrates the architecture underlying the network virtualization and security capabilities of Skytap Cloud. Each virtual network created by a user is assigned a dedicated VLAN. Network traffic to and from virtual machines are restricted to only the virtual network(s) they are attached to through VLAN isolation at the physical and virtual hypervisor switch layers. Each Configuration (i.e., virtual data center) may contain one or more virtual networks. Network services for these networks (e.g., DNS, DHCP, port firewall, NAT, routes, etc.) are implemented in an independent virtual gateway appliance dedicated to that Configuration. Internet traffic to virtual machines is thus controlled by two levels of firewall devices—one at the Skytap data center network perimeter and another at the customer Configuration’s network perimeter. In addition, customers can deploy their own virtual network appliances within their virtual networks or configure firewall policies within their virtual machines. If a customer has configured the Skytap Cloud VPN feature, a dedicated VPN gateway is provisioned and connected to virtual networks as specified by the customer.
- The perimeter of the Skytap Cloud infrastructure is protected by redundant firewalls.
- Network and application-level penetration testing is regularly conducted by third parties and Skytap Operations. In the event that vulnerability is found, it is immediately remedied and validated.
- Comprehensive infrastructure monitoring detects and alerts traffic anomalies such as port scanning, and excessive connection rates, then flags the suspect VMs. The situation is evaluated and remedied in cooperation with the owner of the suspect VMs as appropriate. The Skytap Acceptable Use Policy (AUP) strictly prohibits users from running malware, viruses, and spambots; mounting Denial of Service (DOS) attacks; and hacking security mechanisms. See the full Skytap AUP for complete details.
- Infrastructure servers are locked down, to enable only services that are essential for operation.
- Access to infrastructure systems is restricted to a small staff. Industry-standard authentication, access control, logging mechanisms, and periodic audits are employed routinely.
- Skytap Operations follows a third party certified process for controlling all access and changes to production environments.
- Vendor/industry notices related to security vulnerabilities in the products that comprise the Skytap Cloud infrastructure are routinely reviewed, and relevant patches and updates are applied as they become available.
- Operational employees are trained on documented information security and privacy procedures.
- Access to customer confidential information is restricted to authorized personnel only, according to documented and audited processes.
- Access to customer data is prohibited except where explicitly authorized by customers for resolving support issues, and in accordance with documented and audited policy.
- Skytap maintains scheduled offsite backups of critical metadata. Restoration tests are performed routinely to ensure validity.
Skytap Cloud enables customers to create and manage “Configurations,” which are virtualized data centers. Configurations comprise multiple virtual machines, networks, and network services such as VPNs and shared drives. Users can create Configurations with the Skytap self-service web application, or programmatically using the Skytap REST-based API. Skytap Configurations reside on shared underlying physical infrastructure in our data centers, isolated from each other using operating system virtualization, networking isolation, storage isolation, i/o channel isolation, and load balancing. The Skytap Cloud secure architecture also isolates our underlying platform and data channels from customer resources.
By default, resources within customer Configurations are not accessible from the Internet. Users may explicitly enable inbound Internet traffic. Similarly, access to the Internet from within a Configuration can also be prevented. Customers have full control over the settings that manage Internet access.
Securing virtual data centers is one of the primary challenges in delivering a cloud service. Below we describe in more detail how Skytap Cloud accomplishes this.
Virtual machine security
All customer applications are executed in virtual machines hosted on VMware ESXi. Skytap actively monitors and maintains the hypervisor fleet to ensure each has the latest security patches and is operating within defined parameters. The hypervisor provides strong isolation of the processor, memory, network, and disk state between virtual machines. This prevents one virtual machine from inspecting the state, or even detecting the existence of, other virtual machines on the same hypervisor. The only communication channel between virtual machines is through customer created virtual networks that are private to the Configuration, and through customer managed private links between their Configurations. Customers are not permitted access to the hypervisor or physical server layers within Skytap; they can only manage virtual machines through controls exposed by Skytap Cloud.
Customers have full control of the Operating System and application software running in their virtual machines. Customers are responsible for configuring and maintaining Operating Systems and all application software to ensure security of their virtual machine environments. This includes password management, patch management, anti-virus and malware detection/prevention, and running firewalls to secure their virtual machines.
As mentioned, virtual machine networks are by default not exposed to the Internet. This is an important security feature of Skytap and differentiates Skytap Cloud from other cloud providers. Within Skytap, customers control if and when VMs are exposed via public IP addresses, or have mapped ports open to the public Internet. Skytap Cloud customers can also block outbound network traffic from VMs to the Internet. This is discussed in the next section.
Within Skytap Cloud, virtual machines are connected to one or more separate virtual networks. Each network in Skytap Cloud is assigned a unique Virtual Local Area Network (VLAN) as defined in IEEE 802.1Q. With this technology, each network packet sent by a virtual machine is tagged with the VLAN identifier, and intermediate physical and virtual switches ensure the packets reach only virtual machines on the same private subnet. This VLAN mechanism extends into virtual switches within hypervisors hosting virtual machines, ensuring that all customer network traffic flows on fully isolated virtual networks.
The assignment of VLAN tags and switch provisioning is managed within the Skytap platform, and is invisible to virtual machines and users. This prevents virtual machines from discovering or forging VLAN assignments, and makes it impossible to leak (or sniff) network traffic between customer private networks. Customers can enable traffic routing between their own private networks if desired, but it is disabled by default.
Skytap Cloud users can manage their own virtual network services including DNS and/or DHCP. Alternatively, Skytap can automatically provision independent DNS and DHCP service daemons for each Configuration.
Customers can leverage several mechanisms to manage access to their virtual machines and networks, from other Configurations, and on the Internet:
Securing customer data, at rest and in transit, are core requirements for any cloud.
Skytap Cloud maintains customer data—including VM disk images, asset files, and shared drive contents—in virtualized network-attached data stores and exposes it via independent network file-system mounts. This provides isolation between file data for different customers, and between all disk images: when a virtual machine is run, only the disk images for that particular machine are exposed through the mounted file system, and only during the time the VM is running.
Further, movement of data between the storage layer and the physical servers are on an isolated management network that is not accessible to customer environments. Also, as described above, VM disk images are transferred securely over the Internet to or from Skytap Cloud using HTTPS and Secure FTP protocols.
Finally, customers can use encryption within guest VM file systems to provide additional security.
In addition to the security mechanisms built into the Skytap Cloud platform, a number of additional defense and detection mechanisms are deployed by Skytap Operations:
Penetration and vulnerability testing
In conjunction with the ongoing information security programs, Skytap authorizes quarterly and annual third party information security audits of critical information assets, systems, and processes. Skytap has engaged nGuard, Inc., a leading provider of security assessment services. All security testing is performed by nGuard GIAC, ISC2, ISACA, IRCA, PCI QSA, and Security+ Certified security consultants and engineers.
nGuard is contracted to perform a suite of security tests including: external network recon, external network penetration testing, web application penetration and security testing, and internal vulnerability testing. Quarterly external perimeter rescan and penetration testing are also performed.
To perform internal penetration testing, security personal are given full access to a Skytap Configuration. Security tests attempt to both circumvent the isolation between Configurations and penetrate the Configuration from the Internet.
Any issues uncovered by the test are reviewed and remediated as soon as possible, and then becomes part of our internal test validation suite. Once any and all reported issues are remediated, Skytap uses the same third party for a retest.
In addition to leveraging a third party, Skytap internally performs regular security scans using free and commercial vulnerability assessment products.
Skytap has maintained the highest security rating in all third party assessments. To read the latest report, please contact your Skytap representative.
Standards and validations
Skytap has completed an examination in conformity with the Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, which was finalized by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) in January 2010. SSAE 16 effectively replaces SAS 70 as the authoritative guidance for reporting on service organizations. SSAE 16 was formally issued in August 2012 with an effective date of November 26, 2012.