ServiceGrid Article - Security Policy
To run the Cisco ServiceGrid application in a highly available and secure network environment, the following security mechanisms are applied in ServiceGrid:
- Authentication - Verifies the identity of the process in an end-to-end connection.
- Authorization - Grants the rights or permissions to access system resources or data. It is usually seen in conjunction with authentication: an already authenticated user is authorized for defined activities.
- Encryption - A security mechanism that provides confidentiality: data are encrypted with a mathematical algorithm before they are sent and decrypted before they are forwarded for further processing.
- Integrity - Ensures that the transmitted data have not been modified or destroyed in an unauthorized manner, and that any such modification or alteration is detected.
- Non-repudiation - Ensures that a transferred message has been sent and received by the parties claiming to have sent and received it. Non-repudiation guarantees that the sender of a message cannot deny having sent it, and that the recipient cannot deny having received it.
The following defines the scope of Cisco ServiceGrid's Security Policy:
- Defense of the hosted application and data against external attacks.
- Availability of functions and data.
- Secure communication of data between service customers, service providers and Cisco ServiceGrid.
- Access through Web functions.
Concept and Implementation
The concept and implementation of Cisco ServiceGrid Security Policy are provided in the following:
- Security policy implementations on the ServiceGrid platform such as the hardware, middleware, and software architecture
- Security policy implementations in the data center environment
- Security policy implementations in the connectivity methods (transaction based access and interactive access)
- Security policy implementations in the ServiceGrid test platform
- Security policy implementations in the ServiceGrid development environment
- Security policy implementations in the Cisco office
ServiceGrid Platform with Defense Measures
To protect the Cisco ServiceGrid platform against external attacks and to prevent intrusion by attackers, the network is segmented into “zones” bordered by “perimeters”.
The complete network layout for the Cisco ServiceGrid application is based on the following structure:
- (External) Internet Zone
- ServiceGrid Outer Security Perimeter
- ServiceGrid DMZ : Frontend Services
- ServiceGrid Middle Security Perimeter
- ServiceGrid Business Logic Area
- ServiceGrid Inner Security Perimeter
- ServiceGrid Data Zone
NOTE: A detailed network plan or list of the infrastructure (services and communications) is confidential and cannot be part of this document. The Technical Operations team maintains the appropriate information.
The Cisco ServiceGrid connections, processes, applications and databases run in the following four zones:
- DMZ (demilitarized zone)
- Business Logic Area
- Data Zone
The Internet is the publicly used area and common infrastructure. This area is the so-called “Red zone”, as no specific security mechanism is installed there to protect and secure the information passing through it.
All necessary frontend processes of ServiceGrid run within the DMZ to communicate with service customers and service providers. This area is also called the “Yellow zone”: the DMZ is separated from the Internet by the “outer security perimeter”, which ensures that only traffic permitted to reach the frontend servers passes. The frontend processes are typically web services (HTTPS), mail services (SMTP), or file services (SFTP).
Business Logic Area
All processes located in the Business Logic Area implement the business logic for the frontend services. This is mainly the Application Server.
Data Zone
The Data Zone runs the middleware (in part the Java Message Service (JMS) server, and the content and customer data in databases) and has to be treated as a highly secure and highly confidential area. This area is also called the “Green zone”, as the “middle security perimeter” ensures that only the processes in the Business Logic Area have access to the application server and its data.
The borders between the different zones are built up by following perimeters:
- Outer Security Perimeter - This perimeter ensures that only traffic intended for the frontend processes reaches the DMZ. This security gateway is a dedicated firewall.
- Middle Security Perimeter - This perimeter separates the DMZ (frontend processes) from the Business Logic Area and ensures that only data traffic from the frontend processes is passed to the application server for further processing, and vice versa. This security gateway is a dedicated firewall.
- Inner Security Perimeter - This perimeter separates the DMZ (frontend processes) and the Business Logic Area from the Data Zone (middleware) and ensures that only data traffic from the frontend processes or the application server, respectively, is passed to the Data Zone for further processing, and vice versa. This security gateway is a dedicated firewall.
The firewalls for the different security perimeters are logical views of one physical firewall cluster. All parameters and settings are defined by the ServiceGrid team in collaboration with internal and external security experts. Only those IP addresses and ports that are absolutely necessary to reach the appropriate services are opened; all other addresses and ports are blocked. This guarantees a secure and reliable area in which to run the application on this platform.
Defense against Denial of Service (DoS) Attacks:
ServiceGrid uses several measures to protect its systems from DoS attacks:
- All ServiceGrid systems placed in the Outer Security Perimeter and all systems that forward network traffic use a hardened GNU/Linux TCP/IP stack. This hardening mitigates some packet flood attacks (for example SYN floods).
- To mitigate HTTPS-focused DoS attacks, ServiceGrid uses a two-tier load-balancing setup: IP LVS (ldirectord) forwards requests to two separate load balancers running nginx, which uses non-blocking I/O and performs extremely well. This HTTPS front end is also not vulnerable to Slowloris-type attacks. Apache Tomcat application servers are used as backend servers.
- All connections are monitored and grouped by network, which makes it possible to block traffic from a particular network after serious suspicion of a DoS attack.
All data are stored in a relational database in the Data Zone. The connection to the database management system (DBMS) is established only with a valid user/password combination. Access is restricted to authorized users.
Database structure and company data
The data in the database are organized by company account. Each record in a table containing company-specific private data refers to the company (account) and can only be viewed by an authorized user who is a member of the company account.
Connections to ServiceGrid are encrypted and require authentication:
| Access Method | Authentication | Encryption |
|---|---|---|
| Online through Web (Browser) | Authentication through Login and Password | HTTPS (SSL) |
| Transaction-based through SMTP | Authentication through Mail account | Recommended |
| Transaction-based through HTTPS POST | Authentication through Login, Password | HTTPS (SSL) |
| Transaction-based through HTTPS SOAP | Authentication through Login, Password | HTTPS (SSL) |
| Transaction-based through SFTP | Authentication through Login, Password | SFTP (SSH) |
Transaction Based B2B Data Exchange
ServiceGrid provides six standard communication types for transaction-based communication as used with ServiceGrid connectors:
- HTTPS SOAP
- HTTPS POST
Depending on the communication type used as transport protocol, different security options are possible. In all cases, the Internet Protocol is used as the network protocol. In terms of security, two options can be applied:
Internet through SSL
The public Internet provides a simple and commonly used standard to connect and exchange data using TCP/IP. The communication partners are authenticated and the transferred data are encrypted using Secure Sockets Layer (SSL). SSL is the underlying mechanism of HTTPS and of SMTP (through TLS).
Connect over the Internet through IPsec
As an alternative to plain transport over the Internet, ServiceGrid offers an IPsec connection. IPsec provides a secure and encrypted communication channel between service customers or service providers and the ServiceGrid application.
Types of Users
Access to the ServiceGrid application and to the system layers is restricted to dedicated groups of users.
- System Administrator: Any person with access to servers of the ServiceGrid main platform on operating system level.
- Application Root Administrator: Any person with administrative access to all company accounts within the ServiceGrid platform.
- Application Developers: The application developers provide updates and new releases of the ServiceGrid application. Application developers are also responsible for 3rd level support in case of incidents or system malfunctions. Therefore, application developers need limited access on operating system level.
- Application Administrator: Any person with administrative access to certain company accounts within the ServiceGrid platform.
- End User: Any person who uses the ServiceGrid application through a browser for their daily job (for example, creating calls) without performing any administrative tasks.
Persons involved in the administration and operation of the ServiceGrid main platform are defined as ServiceGrid Technicians. Roles include:
- System Administrators with root access to the servers.
- Application Developers with limited system administration access to the servers.
- Application Administrators with superuser access to the application (members of the ServiceGrid root account).
- The (first) Application Administrator of a ServiceGrid customer.
Each modification of user access rights on the platform (OS level and application administration), which is subject to internal controls, needs the approval of the system owner. Segregation of duties must be ensured:
- The user’s manager requests permission
- The delivery manager grants the permission
- An administrator (OS or application) implements the permission
Access to the System Layers
System Access for system administration tasks is allowed for ServiceGrid Technicians only.
System Access is allowed only from
- fixed known IP addresses of the technical operations team,
- the monitoring and web cluster for receiving monitoring data
From these IP addresses, access to the DMZ is allowed using the SSH service.
Access to the ServiceGrid Application
The interactive access to data and functions is implemented through HTTPS sessions. A login process is required to start the session. There is no other interactive access possible. The ServiceGrid application is accessible through the following URLs and provides the services mentioned here:
| URL | Service |
|---|---|
| https://sdcall-portal.solvedirect.com | ServiceGrid Web Application |
| https://sdcall.solvedirect.com | Legacy ServiceGrid Web Application |
| https://mobile.solvedirect.com | Mobile version of the ServiceGrid Web Application |
| https://ws.solvedirect.com | WebServices (SOAP) and HTTPS POST |
| VIE2 Platform | |
| https://vie2-portal.solvedirect.com | ServiceGrid Web Application |
| https://vie2.solvedirect.com | Legacy ServiceGrid Web Application |
| https://vie2-mobile.solvedirect.com | Mobile version of the ServiceGrid Web Application |
| https://vie2-ws.solvedirect.com | WebServices (SOAP) and HTTPS POST |
| SJC1 Platform | |
| https://sjc1.portal.solvedirect.com | ServiceGrid Web Application |
| https://sjc1.solvedirect.com | Legacy ServiceGrid Web Application |
| https://sjc1-mobile.solvedirect.com | Mobile version of the ServiceGrid Web Application |
| https://sjc1-ws.solvedirect.com | WebServices (SOAP) and HTTPS POST |
Application Administrator Login
For application administrators, the following measure is implemented additionally:
- The first login date and the last login date are stored in the ServiceGrid application database and can be displayed as part of the user’s basic data.
Application Login Procedure
Access to the ServiceGrid platform through Portal is only possible for authorized users. An authorized user is defined through a user record in the ServiceGrid database:
- Each user has access only to the company ("account") data of the company, where the user is a member.
- Creation of new user records or disabling of users is managed and controlled by the company’s administrator only.
- Membership and permissions (login, password) of users are managed and controlled by the company’s administrator only.
The login process requires the user to enter a login name and password. When the application is not used for a certain period of time (30 minutes), the session is automatically closed and the user has to log in again. Passwords are stored in the ServiceGrid database as salted SHA-256 hashes.
Application administrators can define IP ranges to restrict access to the ServiceGrid application to defined networks for their company. If a user who is a member of an organization with restricted access tries to log in, the destination IP address is checked and the login is refused if the IP address does not match an allowed range.
Password Policy for Customers
The password policy is controlled and managed by the company’s administrator only. The password policy contains rules for the format, content and validity period of passwords as follows:
- Minimum password length
- Maximum password length
- Maximum number of wrong password attempts
- Password history length
- Minimum password change interval in hours
- Password duration in days
- Must use capitals
- Must use digits
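The rules above, as an added example of how an application could enforce them on a password change (this is not ServiceGrid's own code; the policy values, function names and the sample password history are assumed for illustration):

```python
# Added example, not ServiceGrid code: enforces the password rules listed above.
import hashlib

# Policy values are constructed for this example, not ServiceGrid defaults.
POLICY = {
    "min_length": 10,
    "max_length": 64,
    "max_wrong_attempts": 5,
    "history_length": 4,
    "min_change_interval_hours": 24,
    "password_duration_days": 90,
    "must_use_capitals": True,
    "must_use_digits": True,
}

def hash_password(password, salt):
    """Salted SHA-256 hash, the storage form the policy describes."""
    return hashlib.sha256(salt + password.encode()).hexdigest()

def check_new_password(new_pw, history, hours_since_change, policy=POLICY):
    """Return the list of violated rules; an empty list means the change is allowed.
    history: (salt, hexdigest) pairs of previous passwords, newest first."""
    errors = []
    if len(new_pw) < policy["min_length"]:
        errors.append("too short")
    if len(new_pw) > policy["max_length"]:
        errors.append("too long")
    if policy["must_use_capitals"] and not any(c.isupper() for c in new_pw):
        errors.append("needs a capital letter")
    if policy["must_use_digits"] and not any(c.isdigit() for c in new_pw):
        errors.append("needs a digit")
    # Password history: reject reuse of the last N passwords (each has its own salt).
    for salt, digest in history[:policy["history_length"]]:
        if hash_password(new_pw, salt) == digest:
            errors.append("reused recent password")
            break
    # Minimum change interval: stops cycling through the history in one sitting.
    if hours_since_change < policy["min_change_interval_hours"]:
        errors.append("changed too recently")
    return errors

def password_expired(days_since_change, policy=POLICY):
    """Password duration: True once the password is older than allowed."""
    return days_since_change > policy["password_duration_days"]

def account_locked(wrong_attempts, policy=POLICY):
    """Maximum wrong attempts: the account is locked after too many failures."""
    return wrong_attempts >= policy["max_wrong_attempts"]
```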
Encryption using HTTPS (SSL)
HTTPS must be used when
- accessing the platform as an interactive user,
- using SOAP as a transport protocol, or
- using HTTP POST as a transport protocol.
In these cases, no other (weaker) encryption method is possible.
Tunneling through IPsec
As an alternative to direct transport over the Internet using SSL/TLS, ServiceGrid offers an IPsec connection. IPsec provides a secure and encrypted communication channel between service customers or service providers and the ServiceGrid application.
Environment - Data Centers
The ServiceGrid platform is installed and operated out of data centers implementing a secure environment.
- ServiceGrid has a colocation contract with the data center operator covering the provision of rack space and Internet connectivity.
- The ServiceGrid platform itself is operated by the ServiceGrid technical operations team.
The ServiceGrid platform's infrastructure (servers and local network components) is installed in locked rack cabinets inside the data centers. The cabinets can only be unlocked by the ServiceGrid operations team.
The following security measures are provided by the data center operator:
- Personal access control, authorization mandatory
- Video surveillance
- Visitors escorted
- Fire extinguishing system
The security measures are part of the contracts between Cisco and the data center operator.
Environment - Office
The scope of this section covers all employees and their computers, as well as the technical infrastructure of ServiceGrid, where these are involved in the administration, maintenance or development of the ServiceGrid platforms or the ServiceGrid application.
Software development and technical operation activities are carried out in the Cisco office, Vienna, providing a secure environment.
Dedicated firewalls are installed to protect the ServiceGrid lab network from the Internet. All parameter settings are defined by Cisco Security in collaboration with external security experts. Only those IP addresses and ports that are absolutely necessary to reach the appropriate services are opened; all other addresses and ports are blocked.
Personal Access control
Access to the Cisco office follows a two stage access procedure:
- Access to the building is possible only via a reception desk or a badge.
- Access to the Cisco office within the building is only provided for authorized persons or guests and protected via the Cisco reception desk or a personal badge.
- Servers are installed in a dedicated locked lab environment. Access is restricted to authorized persons.
- Guests are always escorted.
Computer Malware Prevention
If malware is introduced to the Company IT network, data loss, corruption, or misuse of company computing resources or information may occur. All technically and economically justifiable actions need to be taken to prevent the introduction of malware to the company IT network. The standard operating procedures are defined in the Cisco internal security policies.
All staff members of Cisco have signed a Non-Disclosure Agreement with their contract.