networksecurity

We Always Encrypt Data.

All information that we receive and transmit is fully encrypted. We are committed to using the most advanced encryption techniques to ensure that you are as protected as possible.


We Employ Strict Access Controls.

We employ significant controls to ensure your data remains secure. PBXDOM actively employs a policy of least provisioning where employees are only granted the minimum system access to perform their assigned job function. PBXDOM employees cannot decrypt encrypted account data.


We use only SSL (HTTPS protocol) for communication.

All communication to/from PBXDom to your side is completely encrypted and can not be accessed by any middle man.


We Employ Secure Data Centers.

PBXDOM stores its data in AWS . All of the data centers have achieved ISO/IEC 27001:2005 certification, PCI DSS Level 1 compliance, and SAS70 Type II compliance. Learn more about AWS.


Benefits of AWS Security


AWS Global Infrastructure Security

AWS operates the global cloud infrastructure that you use to provision a variety of basic computing resources such as
processing and storage. The AWS global infrastructure includes the facilities, network, hardware, and operational
software (e.g., host OS, virtualization software, etc.) that support the provisioning and use of these resources. The AWS
global infrastructure is designed and managed according to security best practices as well as a variety of security
compliance standards. As an AWS customer, you can be assured that you’re building web architectures on top of some
of the most secure computing infrastructure in the world.


AWS Compliance

Amazon Web Services Compliance enables customers to understand the robust controls in place at AWS to maintain
security and data protection in the cloud. As systems are built on top of AWS cloud infrastructure, compliance
responsibilities will be shared. By tying together governance-focused, audit-friendly service features with applicable
compliance or audit standards, AWS Compliance enablers build on traditional programs; helping customers to establish
and operate in an AWS security control environment. The IT infrastructure that AWS provides to its customers is
designed and managed in alignment with security best practices and a variety of IT security standards, including:
SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70)
SOC 2
SOC 3
FISMA, DIACAP, and FedRAMP
DOD CSM Levels 1-5
PCI DSS Level 1
ISO 9001 / ISO 27001
ITAR
FIPS 140-2
MTCS Level 3
In addition, the flexibility and control that the AWS platform provides allows customers to deploy solutions that meet
several industry-specific standards, including:
Criminal Justice Information Services (CJIS)
Cloud Security Alliance (CSA)
Family Educational Rights and Privacy Act (FERPA)
Health Insurance Portability and Accountability Act (HIPAA)
Motion Picture Association of America (MPAA)
AWS provides a wide range of information regarding its IT control environment to customers through white papers,
reports, certifications, accreditations, and other third-party attestations. More information is available in the Risk and
Compliance whitepaper available on the website: http://aws.amazon.com/compliance/.

Physical and Environmental Security

AWS’s data centers are state of the art, utilizing innovative architectural and engineering approaches. Amazon has many
years of experience in designing, constructing, and operating large-scale data centers. This experience has been applied
to the AWS platform and infrastructure. AWS data centers are housed in nondescript facilities. Physical access is strictly
controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance,
intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a
minimum of two times to access data center floors. All visitors and contractors are required to present identification and
are signed in and continually escorted by authorized staff.
AWS only provides data center access and information to employees and contractors who have a legitimate business
need for such privileges. When an employee no longer has a business need for these privileges, his or her access is
immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical access
to data centers by AWS employees is logged and audited routinely.

Fire Detection and Suppression

Automatic fire detection and suppression equipment has been installed to reduce risk. The fire detection system utilizes
smoke detection sensors in all data center environments, mechanical and electrical infrastructure spaces, chiller rooms
and generator equipment rooms. These areas are protected by either wet-pipe, double-interlocked pre-action, or
gaseous sprinkler systems.

Power

The data center electrical power systems are designed to be fully redundant and maintainable without impact to
operations, 24 hours a day, and seven days a week. Uninterruptible Power Supply (UPS) units provide back-up power in
the event of an electrical failure for critical and essential loads in the facility. Data centers use generators to provide
back-up power for the entire facility.

Climate and Temperature

Climate control is required to maintain a constant operating temperature for servers and other hardware, which
prevents overheating and reduces the possibility of service outages. Data centers are conditioned to maintain
atmospheric conditions at optimal levels. Personnel and systems monitor and control temperature and humidity at
appropriate levels.

Management

AWS monitors electrical, mechanical, and life support systems and equipment so that any issues are immediately
identified. Preventative maintenance is performed to maintain the continued operability of equipment.

Storage Device Decommissioning

When a storage device has reached the end of its useful life, AWS procedures include a decommissioning process that is
designed to prevent customer data from being exposed to unauthorized individuals. AWS uses the techniques detailed
in DoD 5220.22-M (“National Industrial Security Program Operating Manual “) or NIST 800-88 (“Guidelines for Media
Sanitization”) to destroy data as part of the decommissioning process. All decommissioned magnetic storage devices are
degaussed and physically destroyed in accordance with industry-standard practices.


Network Security


The AWS network has been architected to permit you to select the level of security and resiliency appropriate for your
workload. To enable you to build geographically dispersed, fault-tolerant web architectures with cloud resources, AWS
has implemented a world-class network infrastructure that is carefully monitored and managed.


Secure Network Architecture

Network devices, including firewall and other boundary devices, are in place to monitor and control communications at
the external boundary of the network and at key internal boundaries within the network. These boundary devices
employ rule sets, access control lists (ACL), and configurations to enforce the flow of information to specific information
system services.
ACLs, or traffic flow policies, are established on each managed interface, which manage and enforce the flow of traffic.
ACL policies are approved by Amazon Information Security. These policies are automatically pushed using AWS’s ACLManage
tool, to help ensure these managed interfaces enforce the most up-to-date ACLs.

Secure Access Points

AWS has strategically placed a limited number of access points to the cloud to allow for a more comprehensive
monitoring of inbound and outbound communications and network traffic. These customer access points are called API
endpoints, and they allow secure HTTP access (HTTPS), which allows you to establish a secure communication session
with your storage or compute instances within AWS. To support customers with FIPS cryptographic requirements, the
SSL-terminating load balancers in AWS GovCloud (US) are FIPS 140-2-compliant.
In addition, AWS has implemented network devices that are dedicated to managing interfacing communications with
Internet service providers (ISPs). AWS employs a redundant connection to more than one communication service at
each Internet-facing edge of the AWS network. These connections each have dedicated network devices.

Transmission Protection

You can connect to an AWS access point via HTTP or HTTPS using Secure Sockets Layer (SSL), a cryptographic protocol
that is designed to protect against eavesdropping, tampering, and message forgery.
For customers who require additional layers of network security, AWS offers the Amazon Virtual Private Cloud (VPC),
which provides a private subnet within the AWS cloud, and the ability to use an IPsec Virtual Private Network (VPN)
device to provide an encrypted tunnel between the Amazon VPC and your data center.

Amazon Corporate Segregation

Logically, the AWS Production network is segregated from the Amazon Corporate network by means of a complex set of
network security / segregation devices. AWS developers and administrators on the corporate network who need to
access AWS cloud components in order to maintain them must explicitly request access through the AWS ticketing
system. All requests are reviewed and approved by the applicable service owner.
Approved AWS personnel then connect to the AWS network through a bastion host that restricts access to network
devices and other cloud components, logging all activity for security review. Access to bastion hosts require SSH publickey
authentication for all user accounts on the host. For more information on AWS developer and administrator logical
access, see AWS Access below.

Fault-Tolerant Design

Amazon’s infrastructure has a high level of availability and provides you with the capability to deploy a resilient IT
architecture. AWS has designed its systems to tolerate system or hardware failures with minimal customer impact.
Data centers are built in clusters in various global regions. All data centers are online and serving customers; no data
center is “cold.” In case of failure, automated processes move customer data traffic away from the affected area. Core
applications are deployed in an N+1 configuration, so that in the event of a data center failure, there is sufficient
capacity to enable traffic to be load-balanced to the remaining sites.
AWS provides you with the flexibility to place instances and store data within multiple geographic regions as well as
across multiple availability zones within each region. Each availability zone is designed as an independent failure zone.
This means that availability zones are physically separated within a typical metropolitan region and are located in lower
risk flood plains (specific flood zone categorization varies by region). In addition to utilizing discrete uninterruptable
power supply (UPS) and onsite backup generators, they are each fed via different grids from independent utilities to
further reduce single points of failure. Availability zones are all redundantly connected to multiple tier-1 transit
providers.
You should architect your AWS usage to take advantage of multiple regions and availability zones. Distributing
applications across multiple availability zones provides the ability to remain resilient in the face of most failure
scenarios, including natural disasters or system failures. However, you should be aware of location-dependent privacy
and compliance requirements, such as the EU Data Privacy Directive. Data is not replicated between regions unless
proactively done so by the customer, thus allowing customers with these types of data placement and privacy
requirements the ability to establish compliant environments. It should be noted that all communications between
regions is across public Internet infrastructure; therefore, appropriate encryption methods should be used to protect
sensitive data.
As of this writing, there are eleven regions: US East (Northern Virginia), US West (Oregon), US West (Northern
California), AWS GovCloud (US), EU (Ireland), EU (Frankfurt), Asia Pacific (Singapore), Asia Pacific (Tokyo), Asia Pacific
(Sydney), South America (Sao Paulo), and China (Beijing).
AWS GovCloud (US) is an isolated AWS Region designed to allow US government agencies and customers to move
workloads into the cloud by helping them meet certain regulatory and compliance requirements. The AWS GovCloud
(US) framework allows US government agencies and their contractors to comply with U.S. International Traffic in Arms
Regulations (ITAR) regulations as well as the Federal Risk and Authorization Management Program (FedRAMP)
requirements. AWS GovCloud (US) has received an Agency Authorization to Operate (ATO) from the US Department of
Health and Human Services (HHS) utilizing a FedRAMP accredited Third Party Assessment Organization (3PAO) for
several AWS services.
The AWS GovCloud (US) Region provides the same fault-tolerant design as other regions, with two Availability Zones. In
addition, the AWS GovCloud (US) region is a mandatory AWS Virtual Private Cloud (VPC) service by default to create an
isolated portion of the AWS cloud and launch Amazon EC2 instances that have private (RFC 1918) addresses. More
information about GovCloud is available on the AWS website: http://aws.amazon.com/govcloud-us/


Network Monitoring and Protection

AWS utilizes a wide variety of automated monitoring systems to provide a high level of service performance and
availability. AWS monitoring tools are designed to detect unusual or unauthorized activities and conditions at ingress
and egress communication points. These tools monitor server and network usage, port scanning activities, application
usage, and unauthorized intrusion attempts. The tools have the ability to set custom performance metrics thresholds for
unusual activity.
Systems within AWS are extensively instrumented to monitor key operational metrics. Alarms are configured to
automatically notify operations and management personnel when early warning thresholds are crossed on key
operational metrics. An on-call schedule is used so personnel are always available to respond to operational issues. This
includes a pager system so alarms are quickly and reliably communicated to operations personnel.
Documentation is maintained to aid and inform operations personnel in handling incidents or issues. If the resolution of
an issue requires collaboration, a conferencing system is used which supports communication and logging capabilities.
Trained call leaders facilitate communication and progress during the handling of operational issues that require
collaboration. Post-mortems are convened after any significant operational issue, regardless of external impact, and
Cause of Error (COE) documents are drafted so the root cause is captured and preventative actions are taken in the
future. Implementation of the preventative measures is tracked during weekly operations meetings.

AWS security monitoring tools help identify several types of denial of service (DoS) attacks, including distributed,
flooding, and software/logic attacks. When DoS attacks are identified, the AWS incident response process is initiated. In
addition to the DoS prevention tools, redundant telecommunication providers at each region as well as additional
capacity protect against the possibility of DoS attacks.
The AWS network provides significant protection against traditional network security issues, and you can implement
further protection. The following are a few examples:
Distributed Denial Of Service (DDoS) Attacks. AWS API endpoints are hosted on large, Internet-scale, worldclass
infrastructure that benefits from the same engineering expertise that has built Amazon into the world’s
largest online retailer. Proprietary DDoS mitigation techniques are used. Additionally, AWS’s networks are multihomed
across a number of providers to achieve Internet access diversity.
Man in the Middle (MITM) Attacks. All of the AWS APIs are available via SSL-protected endpoints which
provide server authentication. Amazon EC2 AMIs automatically generate new SSH host certificates on first boot
and log them to the instance’s console. You can then use the secure APIs to call the console and access the host
certificates before logging into the instance for the first time. We encourage you to use SSL for all of your
interactions with AWS.
IP Spoofing. Amazon EC2 instances cannot send spoofed network traffic. The AWS-controlled, host-based
firewall infrastructure will not permit an instance to send traffic with a source IP or MAC address other than its
own.
Port Scanning. Unauthorized port scans by Amazon EC2 customers are a violation of the AWS Acceptable Use
Policy. Violations of the AWS Acceptable Use Policy are taken seriously, and every reported violation is
investigated. Customers can report suspected abuse via the contacts available on our website at:
http://aws.amazon.com/contact-us/report-abuse/.

When unauthorized port scanning is detected by AWS, it is
stopped and blocked. Port scans of Amazon EC2 instances are generally ineffective because, by default, all
inbound ports on Amazon EC2 instances are closed and are only opened by you. Your strict management of
security groups can further mitigate the threat of port scans. If you configure the security group to allow traffic
from any source to a specific port, then that specific port will be vulnerable to a port scan. In these cases, you
must use appropriate security measures to protect listening services that may be essential to their application
from being discovered by an unauthorized port scan. For example, a web server must clearly have port 80
(HTTP) open to the world, and the administrator of this server is responsible for the security of the HTTP server
software, such as Apache. You may request permission to conduct vulnerability scans as required to meet your
specific compliance requirements. These scans must be limited to your own instances and must not violate the
AWS Acceptable Use Policy. Advanced approval for these types of scans can be initiated by submitting a request
via the website at: https://aws-portal.amazon.com/gp/aws/html-formscontroller/contactus/AWSSecurityPenTestRequest

Packet sniffing by other tenants. It is not possible for a virtual instance running in promiscuous mode to receive
or “sniff” traffic that is intended for a different virtual instance. While you can place your interfaces into
promiscuous mode, the hypervisor will not deliver any traffic to them that is not addressed to them. Even two
virtual instances that are owned by the same customer located on the same physical host cannot listen to each
other’s traffic. Attacks such as ARP cache poisoning do not work within Amazon EC2 and Amazon VPC. While
Amazon EC2 does provide ample protection against one customer inadvertently or maliciously attempting to
view another’s data, as a standard practice you should encrypt sensitive traffic.

In addition to monitoring, regular vulnerability scans are performed on the host operating system, web application, and
databases in the AWS environment using a variety of tools. Also, AWS Security teams subscribe to newsfeeds for
applicable vendor flaws and proactively monitor vendors’ websites and other relevant outlets for new patches. AWS
customers also have the ability to report issues to AWS via the AWS Vulnerability Reporting website at:
http://aws.amazon.com/security/vulnerability-reporting/