1 | © 2019 ZINFI Technologies Inc. All Rights Reserved. ZINFI Confidential & Proprietary Document - Shared under NDA.
www.zinfi.com
Contents
Section 1: Introduction
Section 2: Core Security Layers
2.1 Hardware Infrastructure
2.1.1 Security of Physical Premises
2.1.2 Secure Boot Stack and Machine Identity
2.2 Secure Service Deployment
2.2.1 Service Identity, Integrity and Isolation
2.2.2 Inter-Service Access Management
2.2.3 Encryption of Inter-Service Communication
2.2.4 Access Management of End User Data
2.3 Secure Data Storage
2.3.1 Encryption at Rest
2.3.2 Data Center Security
2.3.3 Third-Party Tools to Secure the Data Center
2.3.4 Cryptographic Key Management
2.3.5 Deletion of Data
2.4 Secure Internet Communication
2.4.1 Network Security
2.4.2 Denial of Service (DoS) Protection
2.4.3 User Authentication
2.5 Operational Security
2.5.1 Safe Software Development
2.5.2 Keeping Employee Devices and Credentials Safe
2.5.3 Reducing Insider Risk
2.5.4 Intrusion Detection
Section 3: Conclusion
Section 1: Introduction
This document provides an overview of how security is designed into ZINFI’s Unified Channel Management
(UCM) technical infrastructure. This global-scale infrastructure is designed to provide security through the
entire information processing lifecycle at ZINFI. The infrastructure provides secure deployment of services,
secure storage of data with end user privacy safeguards, secure communications between services, secure
and private communication with customers over the Internet, and safe operation by administrators.
The security of the infrastructure is designed in progressive layers starting from the physical security of data
centers, continuing to the security of the hardware and software that underlie the infrastructure, and finally,
the technical constraints and processes in place to support operational security.
ZINFI invests heavily in securing its infrastructure, with hundreds of engineers dedicated to security and
privacy distributed across the organization, including many who are recognized industry authorities.
Operational Security
• Intrusion Detection
• Reducing Insider Risk
• Safe Employee Devices & Credentials
• Safe Software Development
Internet Communication
• Network Security
• DoS Protection
• User Authentication
Storage Services
• Encryption
• Deletion
• User
User Identity
• Authentication
• Login Abuse Protection
Service Deployment
• Access Management of End User Data
• Encryption of Inter-Service Communication
• Inter-Service Access Management
• Service Identity, Integrity, Isolation
Hardware Infrastructure
• Secure Boot Stack and Machine Identity
• Security of Physical Premises
Figure 1.0
Figure 2.0
ZINFI has authored automated systems to ensure servers run up-to-date versions of their software stacks
(including security patches), to detect and diagnose hardware and software problems, and to remove machines
from service if necessary.
Figure 3.0
ZINFI’s source code is stored in a central repository where current and previous versions are auditable. The
infrastructure can be configured such that it requires that a service be built from a reviewed specification and
tested source code. These requirements limit the ability of an insider or adversary to make malicious
modifications to source code and provide a forensic trail from a service back to its source.
Figure 4.0
Figure 5.0
Figure 6.0
Figure 7.0
Performing encryption at system layers allows the system to isolate itself from potential threats at the lower
levels of storage. That said, the infrastructure also implements additional layers of protection. We enable
hardware encryption support in our hard drives and SSDs and meticulously track each drive through its lifecycle.
Figure 8.0
RescueLayer®: Boots failed servers into a RAM-disk recovery kernel with the failed server’s regular IP addresses,
giving them full access to private and public networks, NAS and backend service network servers, a wide range of
tools and disk recovery utilities, on-board file systems, and locally attached storage.
Network IDS/IPS Protection: Through partnerships with leading hardware and software vendors, a complete
array of intrusion protection and assessment options is available at both the network and host level.
Nessus® Vulnerability Assessment and Reporting: The world leader in active scanners, featuring high-speed
discovery, configuration auditing, asset profiling, sensitive data discovery and vulnerability analysis of security
posture.
IPsec solves an important problem (see Fig. 9.0) that arises when embedded systems are connected to the
Internet. Since the Internet Protocol has no data security built in, both application and user data are sent in clear
text. This enables a third party to inspect or even modify data from the embedded system as it traverses the
Internet. For example, passwords are sent in the open and can be seen and used to compromise a system.
Figure 9.0
IPsec is designed for both IPv4 and IPv6 operation and is optimized for deployment in embedded systems.
Integrating an Embedded Web Server in a dedicated device presents special requirements on the server in
terms of memory consumption, performance, security and functional requirements. The Secure Embedded Web
Server is a versatile, configurable, high-performance HTTP server (Fig. 10.0) that has low ROM and RAM
footprint. It is specifically designed for operating in an embedded environment.
Figure 7.0
The HTTPS protocol was developed to address the inadequate security features of the HTTP protocol. HTTPS
introduces Secure Sockets Layer (SSL) functionality in the communication between the web server and the
browser. This eliminates the risk of most security breaches, and it has now become the de facto standard for
secure web communication.
The Secure Embedded Web Server has built-in support for SSL, which is configurable and can be removed to achieve a
minimum footprint. Features of Secure Embedded Web Server include:
After our backbone delivers an external connection to one of our data centers, it passes through several layers of
hardware and software load-balancing. These load balancers report information about incoming traffic to a
central DoS service running on the infrastructure. When the central DoS service detects that a DoS attack is
taking place, it can configure the load balancers to drop or throttle traffic associated with the attack.
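The feedback loop described above, sketched as an added example (not ZINFI's code): several load balancers report per-prefix request counts, and a central service decides on drop or throttle rules from the summed view. Balancer names, the documentation-range prefixes, the counts and both thresholds are constructed assumptions; the point shown is that a source spread evenly across balancers stays under every local counter and is only caught centrally.

```python
from collections import defaultdict

# Constructed sample: one reporting interval from three load balancers.
# Each report maps a source prefix to the requests that balancer saw.
REPORTS = {
    "lb-1": {"198.51.100.0/24": 400, "203.0.113.0/24": 30},
    "lb-2": {"198.51.100.0/24": 450, "192.0.2.0/24": 25},
    "lb-3": {"198.51.100.0/24": 380, "203.0.113.0/24": 40, "192.0.2.0/24": 610},
}

# Assumed thresholds: requests per interval, summed over all balancers.
THROTTLE_AT = 500
DROP_AT = 1000


def aggregate(reports):
    """Sum per-prefix counts across every reporting load balancer."""
    totals = defaultdict(int)
    for lb_counts in reports.values():
        for prefix, count in lb_counts.items():
            totals[prefix] += count
    return dict(totals)


def decide(reports, throttle_at=THROTTLE_AT, drop_at=DROP_AT):
    """Return {prefix: action} for prefixes whose global rate is abusive."""
    actions = {}
    for prefix, total in aggregate(reports).items():
        if total >= drop_at:
            actions[prefix] = "drop"
        elif total >= throttle_at:
            actions[prefix] = "throttle"
    return actions


def push_rules(reports, actions):
    """Rule set sent back to each balancer; every one gets the global view."""
    return {lb: dict(actions) for lb in reports}


def locally_visible(reports, throttle_at=THROTTLE_AT):
    """Prefixes a balancer would flag using only its own counters."""
    return {p for counts in reports.values()
            for p, c in counts.items() if c >= throttle_at}


if __name__ == "__main__":
    print("central decision:", decide(REPORTS))
    print("visible locally: ", locally_visible(REPORTS))
```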
We now turn to describing how we operate the infrastructure securely: We create infrastructure software
securely, we protect our employees’ machines and credentials, and we defend against threats to the
infrastructure from both insiders and external actors.
The sheer scale of our infrastructure enables ZINFI to simply absorb many DoS attacks. As a final check, we use
manual security reviews that range from quick triages for less risky features to in-depth design and
implementation reviews for the riskiest features. These reviews are conducted by a team that includes experts in
web security, cryptography and operating system security. The reviews can also result in new security library
features that can then be applied to other future products.
We also make a large investment in monitoring the client devices that our employees use to operate our
infrastructure. We ensure that the operating system images for these client devices are up to date with security
patches and we control the applications that can be installed. In addition, we have systems for scanning user-
installed apps, downloads, browser extensions and content browsed from the web.
This includes requiring two-party approvals for some actions and introducing limited APIs that allow debugging
without exposing sensitive information. ZINFI employee access to end user information can be logged through
low-level infrastructure hooks. ZINFI’s security team actively monitors access patterns and investigates unusual
events.
Section 3: Conclusion
We invest heavily in securing our infrastructure. We have many hundreds of engineers dedicated to security and
privacy distributed across ZINFI.
As we have seen, the security in the infrastructure is designed in layers starting from the physical components
and data center, moving on to hardware provenance, and then on to secure boot, secure inter-service
communication, secured data at rest, protected access to services from the Internet and, finally, the
technologies, people and processes we deploy for operational security.