Our security is based on the following principles:
- Design security in at every level from the bottom up using a multi layered defense approach
- Evolve with the changing technology and user experience
- Ensure that there are no single points of failure
Sosius believes true system security must be built in from the ground up. In our efforts to protect and preserve the integrity of customer data at all times, we focus on the physical, network, and user levels of our service, and take measures to formulate an impenetrable "ring of security" around each. We continually improve the technological aspects of the network along with the procedural. In our fast-paced technological world, constant evolution is critical to anticipate, react, and stay ahead of security issues, in order to provide the most secure and reliable web application possible.
The network is constantly monitors for intrusions, denial-of-service (DOS) attacks, and other attacks. Between the network and customer data there are three layers of security protection: firewalls, load balancing, and Sosius application servers. The firewall places strict limits on ports and protocols. An additional intrusion detection system behind the firewall provides supplementary intrusion detection above that provided by the hosting facility. The Sosius application server layer runs Windows 2003 using IIS as the Web server. IIS is configured in the minimal configuration required to run our application layer. Microsoft security patches are routinely evaluated, tested, and applied. Application servers are configured to process only HTTP or HTTPS requests. Other Internet protocols are disabled. Customer data is stored only on back-end databases and file servers. The database and file servers have no direct connection to the Internet. Only when data is requested by an authenticated user does it pass through the Sosius application server to service the user request.
For customers requiring encrypted transmissions, Sosius offers an option for 256-bit Secure Socket Layer (SSL) encryption for its sites. SSL technology encrypts the information so unauthorized parties cannot read it during transmission. When the intended recipient receives the information, SSL software on the recipient's machine decrypts it, authenticates that it came from the correct server, and verifies that it has not been tampered with either before or during transmission. SSL makes use of a digital certificate that verifies the identity of the Internet transaction and allows encryption. The use of SSL between a user and the Sosius servers ensures that information exchanged has not been intercepted by unauthorized third parties.
Once access to the workspaces root has been established the user will still need permissions to perform certain actions like viewing, editing, and downloading documents and other items. Our permissions system is flexible enough to handle different access levels for different roles and groups yet easy to use for all users. Permissions are set by the administrator for certain actions and by the workspaces’ coordinator for others. For example, the coordinator of a workspace may invite in another member who can read, add, or manage within that particular workspace. Permissions may be set for individual members, roles or groups, and may be changed by the workspaces’ coordinator or item owners. This permissions system also applies to workspace management. For example, if a person has been given permission by the coordinator to manage a workspaces’ folder, then that user can set permissions as to the level of access others will have to that folder. If a department decides that they want to share their information only within their group, as owners of their folder, they can set "no access" permissions for other users.
Patches and Updates
All servers have been hardened at the operating system and directory levels. Non-essential ports and services have been disabled. Microsoft security patches are routinely evaluated, tested, and applied by the Sosius site operations team. We actively monitor the bug tracking sites and subscribe to all of the common email notification lists. Sosius stays abreast of the latest security developments in the industry and conducts periodic security audits of its systems.
Recovery and Backup
Regular Data Backups and Restore
Sosius’ data backup measures ensure that your previously stored and backed up information will be available to you in the event you inadvertently delete or overwrite critical data. All of our customer data is backed up using industry standard best practices. We perform a full backup each day with twice daily incremental backups of modified files. The backup are archived to a secure offsite facility.
Disaster Recovery Plan
Our hosting facility has been designed to withstand many foreseeable catastrophic failures such as power outages, contractor mishaps, fire, flood, and theft. The site has power that is supplied on separate feeds originating on different sides of the building. It also has full UPS and diesel generator capabilities in case of a power outage. In the unlikely event of a catastrophic site failure, Sosius has a comprehensive recovery plan in place. Additional hosting equipment at a separate location is capable of performing all hosting functions in the case of such an emergency. This site would provide sufficient capacity for customers until such time as Sosius can be restored at its original location or at a replacement hardened hosting facilities.
We provide an industry-leading service level that result’s in less than five minutes of total downtime per month. The measured uptime for Sosius this year exceeds 99.9%. This is exclusive of scheduled maintenance which includes hardware and network maintenance as well as software updates. Hardware maintenance is typically performed in windows between 8:00 pm and 12:00 am GMT so as to avoid inconveniencing our customers and we schedule software maintenance for Sunday to ensure the least possible customer disruption.