Data Center Security
All main WebsiteAlive services are hosted by and located within Amazon Web Services (AWS), a leading cloud computing provider.
AWS is certified under the following standards:
SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70 Type II), SOC 2, FISMA, DIACAP, FedRAMP, PCI DSS Level 1, ISO 27001, ITAR, FIPS 140-2.
- Only approved technical personnel have clearance to connect to the network, and only through a bastion host that restricts access to network devices and other cloud components and logs all activity for security review.
- Both the WebsiteAlive and AWS incident management teams follow industry-standard diagnostic procedures and provide 24x7x365 coverage to detect incidents and to manage their impact and resolution.
- All network devices, including firewalls, are monitored and control connections at the external boundary of the network and at key internal boundaries within the network.
- Proprietary DDoS mitigation techniques are used. Additionally, AWS’s networks are multi-homed across a number of providers to achieve Internet access diversity.
- WebsiteAlive manages services through the Amazon web console using personal, restricted-access login credentials.
- A strict process for decommissioning storage devices is in place to prevent customer data from being exposed to unauthorized individuals. It is based on DoD 5220.22-M “National Industrial Security Program Operating Manual” and NIST 800-88 “Guidelines for Media Sanitization”.
Server and Network Security
- All AWS services are deployed behind a network firewall that routes all deployment into isolated private networks.
- Servers have access to the Internet only via Network Address Translation (NAT).
- Remote access to the servers is granted only via Virtual Private Network (VPN) with personal (not shared) login information.
- User authentication and authorization on servers is handled by Microsoft Active Directory.
- Operating System software security updates are installed on a weekly basis. The most critical updates are installed within one business day.
- All server resources are monitored by two separate monitoring systems.
- Remote access to the servers is logged continually.
- The WebsiteAlive IT team is available 24/7 to handle issues and receives urgent requests via phone/SMS.
- All sensitive information in WebsiteAlive is accessible only over HTTPS (industry-standard 128-bit encryption, with certificates issued by DigiCert High Assurance CA-3).
- All web services are located behind an application firewall.
- A commercial external service runs both network- and application-level vulnerability scans of the web services on a daily basis.
- Enterprise-level antivirus with central management is installed on all WebsiteAlive servers.
- A central logging system stores software errors in real time for review.
- Sensitive web content is encrypted with industry standard algorithms across web, database, and cache instances.