
Securing Data in the Cloud

Document version 1.991


2012-06-26

www.symanteccloud.com

Table of Contents
Scope of this document

Building a secure environment

Maintaining operational security

Physical infrastructure security

Data security

Business continuity, disaster recovery and service availability

Human Resources

Customer assurance

Scope of this document


This document is intended to give a broad overview of Symantec.cloud's security posture: our policies, processes
and practices. Some specific examples are given, but the absence of evidence for a specific control from this
document should not be interpreted as evidence of absence. Our policy is to restrict circulation of detailed
information about specific mechanisms, where disclosure could potentially lead to those of malicious intent
using that information to their advantage.
Note that this description applies to Symantec.cloud Web, Email, Instant Messaging, Endpoint and Backup
Services. It does NOT apply to Symantec.cloud archiving or policy based encryption products.

Building a secure environment


Security is considered from the earliest stage of software design. Security requirements are
included in Product Requirement Documents. Security is considered throughout the lifecycle from the business
process level through technical details of a design to implementation.

Microsoft Secure Development Lifecycle (SDL) processes, which are formally documented and mandated
by policy. Practices such as threat modelling and enumeration of the attack surface are used.

Detailed security testing during development. This includes testing to abuse cases as well as the more
traditional use cases; these specify what the system should not do, as well as what it should.

After code is released from development, the Quality Assurance group carry out their own independent
security testing.

Major enhancements and new systems or services are subject to a security review by an industry leading
independent third party, including code review, design analysis and black/white/greybox penetration testing
methods as appropriate.

Appropriate role-based security training is provided to all developers.

Some specific examples:


o Process rate limiting;
o Passwords are never stored in plaintext;
o Robust encryption is used (no weak ciphers);
o Insecure ciphers and protocols such as SSLv2 or SSH v1 are forbidden;
o Static analysis tools are used to check code for vulnerable design patterns, libraries and functions internal to the code;
o Multiple vulnerability scanners and test tools are used to automate checks for externally accessible vulnerabilities;
o All sessions on the ClientNet customer portal, used for service configuration and reporting, are encrypted with SSLv3;
o Strong passwords are enforced by technical mechanisms wherever possible;
o Web application session timeouts are implemented.

Maintaining operational security


Our operational processes emphasize security throughout a system's lifecycle, from the selection of Data
Centre facilities, network and system architecture through to the processes used to operate and maintain live
systems. The Symantec.cloud Operations Department, responsible for delivery, maintenance and support of
services, operates an Information Security Management System which is independently audited and certified
ISO 27001 compliant by KPMG.

Two-factor authentication is used for access to all Linux production systems.

All administrative activity is carried out over a segregated Management Network, which runs over encrypted
site-to-site IPSec VPNs. In addition, protocols such as RDP over SSL and SSH v2 are used to add an
additional layer of protection.

ClientNet implements granular, role-based access restrictions, configured and managed by each customer.

Network Operations Center (NOC) engineers and analysts are subject to background checks.

NOC engineers and analysts receive role-based security training, including mandatory annual Security
Awareness training.

Privileged activity on all Linux systems is associated with a named account and centrally logged; regular log
reviews are conducted. Permissions are granular, ensuring correct privileges for differing support tiers. No
direct root logins are permitted.

System access privileges are regularly reviewed, verifying that correct account management has been
applied to employees who have changed roles or left the organization.

Physical infrastructure security


Strong physical security protects all production systems. All production systems are located in highly secure
industry-leading Data Centre facilities, all of which use a combination of:

Multi-factor authentication (e.g. smartcard or biometric technologies) for access to our dedicated suites and
cages.

All site visitors must be on a pre-approved list held by the facility operator.

Multiple independent power and network connectivity feeds.

Comprehensive environmental monitoring for heat and humidity.

Centrally-monitored fire detection and suppression; intruder and movement sensors and alarms.

Our own independently operated CCTV monitoring system in addition to the facility operators' systems.

Data security
The fundamental focus of customers is security of their data. Logical controls over data include:

No routine access by developers to production systems.

Formal Change Control policy and procedures that strictly enforce criteria that must be met before changes
are made to production systems. Criteria include peer review, sign-off by system owners and a roll-back
plan. A formally constituted Change Approval Board meets weekly. Provision is made for emergency
changes to be made out-of-cycle, although stringent review processes are still enforced.

Regular Access Entitlement Reviews to ensure only authorized personnel have access to systems which
process customer data.

Regular log reviews to ensure no malicious or other unauthorized activity is occurring.

Carefully designed network architecture for secure traffic segregation.

Broken or obsolete media such as server hard drives from systems that have handled either customer data
or Symantec proprietary information are physically destroyed through secure channels.

Business continuity, disaster recovery and service availability


The Symantec.cloud services operate an ISO 27001 certified Technical Service Continuity Plan ensuring that all
the correct mechanisms for meeting availability SLAs are in place. In 2007 the global HQ (of what was then
MessageLabs) became inaccessible for two weeks after a historic, 1-in-400-year flooding event. Service
availability was maintained and all customer-facing services and support were available 24/7 as normal, thanks
to the Technical Service Continuity Plan.
Additionally, Symantec's dedicated global BCP department is responsible for business continuity planning and
operation of emergency plans of all Symantec facilities.
We have a presence in multiple geographically dispersed data centers through the U.S., EMEA and APJ. In
normal operation we run systems at 40% of capacity; this ensures that increases in service demand can always
be met and do not exhaust available capacity. A dedicated Capacity Planning Team monitors usage and
forecasts future demand.
Our systems are architected to ensure massive resilience. For instance if a single mail server fails, the load is
automatically taken up by other servers in a cluster. If an entire data center goes offline under disaster
circumstances, load is automatically balanced across other geographically diverse data centers belonging to the
same cluster.

Human Resources

The Human Resources department maintains an ISO 27001 certification covering its on-boarding and
terminations processes and related HR controls pertinent to .cloud.

The HR Department has also completed a Safe Harbor compliance program and is applying for Safe Harbor
self-certification registration.

The Legal Department operates mandatory annual CBL training that has covered subjects ranging from
handling confidential data, information security, privacy / data protection, etc. Successfully passing an exam
at the end is part of the mandatory requirement.

Customer assurance
Our customers demand high levels of assurance about our security standards. To meet this demand,
Symantec.cloud has:

ISO/IEC 27001 certification covering the entire Operations Department, which includes all production
infrastructure.
o ISO 27001 certification scope reads: The Symantec.cloud ISMS scope applies to the people, processes
and technology within Symantec.cloud Operations for the delivery of the Symantec.cloud Web, Email,
Instant Messaging, End Point and Back Up services. This is in accordance with the Statement of
Applicability v1.4.

All US Data Centers hold current SAS 70 Type II or the updated SSAE 16 accreditations. Data Centers
located on the European continent are ISO 27001 certified.

As a publicly traded US-based corporation, Symantec is subject to Sarbanes-Oxley audits as well as a wide
variety of other regulatory requirements, both internal and external.

A comprehensive Data Protection and Privacy Audit of Symantec.cloud has been conducted by a major
global audit firm as part of an annual cycle of ISAE3000 audits.

Symantec operates a number of independent internal groups to ensure strong governance and
management of information security and other risks, including Customer Assurance, an Information Security
Department, a Trade Compliance group and an independent Ethics and Compliance team, a Privacy and
Data Protection Team, Corporate Risk Assurance, and Legal.

Symantec 2012
All rights reserved
