Infrastructure-level data protection

K2 Cloud architecture and security policy

For general information about K2 Cloud architecture, visit the starting page.

In addition, we have developed and implemented an information security policy for virtual networks in K2 Cloud and regularly check that the configuration of the virtual networks meets the established requirements.

To learn more about additional information security services offered by CROC Cloud, visit the Information security page.

Separation and isolation of resources

The underlying infrastructure of K2 Cloud is isolated from that of Customers, meaning that they use different components.

Resources in K2 Cloud are isolated at the network level, i.e. the K2 Cloud infrastructure operates in physically or logically isolated networks.

Access to K2 Cloud infrastructure components and traffic between them are controlled automatically using dynamic and host firewalls and access control lists on routers. The cloud infrastructure is isolated and cannot be directly accessed from the outside.

Virtual machines running on the same hypervisor are separated at the logical and network layers. In addition, to improve reliability, you can use placement groups to ensure that virtual machines from the same placement group are distributed across different hypervisors.

Using the IAM service, the company can flexibly customize user access privileges within the scope of its project.

Supported TLS versions

Our services support TLS versions 1.1 and 1.2. Because some of our users use TLS 1.0, we also continue to support it for our services.

If you need to prohibit TLS 1.0 in your infrastructure, for example for PCI DSS compliance, you can access cloud resources through a proxy server on which TLS 1.0 is disabled.
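One way to build such a proxy, shown as an added example that is not part of the K2 Cloud documentation: an nginx reverse proxy that refuses TLS 1.0 on both the client-facing and the cloud-facing leg. The host names cloud-proxy.internal.example and api.cloud.example and all file paths are placeholders.

```nginx
# Added example: HTTPS reverse proxy with TLS 1.0 disabled on both legs.
# cloud-proxy.internal.example, api.cloud.example and every file path
# below are placeholders, not real K2 Cloud values.
server {
    listen 443 ssl;
    server_name cloud-proxy.internal.example;

    ssl_certificate     /etc/nginx/tls/cloud-proxy.crt;
    ssl_certificate_key /etc/nginx/tls/cloud-proxy.key;

    # Client-facing leg.
    # Weak:      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  (still accepts TLS 1.0)
    # Corrected: only TLS 1.2 handshakes from internal clients are accepted.
    ssl_protocols TLSv1.2;

    location / {
        proxy_pass https://api.cloud.example;

        # Cloud-facing leg. This is configured separately from ssl_protocols;
        # restricting only the listener leaves the upstream connection free
        # to negotiate an older version.
        proxy_ssl_protocols TLSv1.2;

        # Send SNI and verify the cloud endpoint's certificate so the
        # proxy does not silently talk to an impostor.
        proxy_ssl_server_name on;
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    }
}
```

After `nginx -t` and a reload, a handshake forced to TLS 1.0 against the proxy should fail while a TLS 1.2 handshake succeeds.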

Virtual machine security

Virtual machine security is ensured at several layers:

  1. Operating system configuration management.

    Changing configuration in K2 Cloud is a managed and regulated process that includes mandatory validation of changes in a test environment before they are deployed in production. The OS configurations are defined as code and stored in the repository.

  2. Protection assurance at the infrastructure layer.

    Edge (bastion) hosts are used for network segmentation when accessing K2 Cloud infrastructure. Log services record any K2 Cloud administrator actions on each host. K2 Cloud security specialists regularly analyze the logs.

  3. SSH key authentication by default.

    Using SSH keys provides higher security and easier access to instances in many situations. The public key is stored in K2 Cloud, while the user keeps the private key on their local computer. This authentication method reduces the risk that the credentials of employees having access to the production environment will be stolen.

  4. Vulnerability management.

    All the packages installed in the production environment are regularly checked for vulnerabilities and upgraded to the latest version. The inner and outer perimeters periodically undergo penetration testing and vulnerability scanning.

Data encryption

Cryptographic protection methods are used in the following K2 Cloud services.

VPNaaS (Virtual Private Network as a Service)

The cloud VPN service supports two types of IPsec VPN connections:

  • ipsec.1 for tunnel mode;

  • ipsec.legacy for transport mode.

By default, a high-availability VPN connection is created. Two tunnels are created and terminated in different Availability Zones to ensure high availability. If one of the tunnels fails, all traffic is automatically redirected through the second tunnel to make cloud resources available.

In K2 Cloud, you can set tunnel options for a VPN connection. In the case of a high-availability VPN, you can specify tunnel options independently for each tunnel. For details about VPNaaS, see the service documentation.

SSH

If an instance is created from a K2 Cloud image, it can only be accessed with an SSH key. The keys can be generated in the web interface or through the API; a 2048-bit key and the SHA256 hashing algorithm are used for encryption.

In addition, the user can import the public key and use it to authenticate S3 (object storage) on a virtual machine. An index page with an enabled SSL certificate can be used in K2 Cloud object storage.

Time synchronization

The entire infrastructure, including the K2 Cloud security tools, uses a unified time, which is continuously synchronized with the master time service.

Physical access control

K2 Integration has developed and adopted a procedure to manage and control access to information resources, including those in K2 Cloud. An effective access management and control process guarantees that only authorized staff can access the machine rooms and security zones, server, network and information resources, and only within the scope required to fulfil their responsibilities.

All rights are granted to the staff in accordance with the least privilege principle. The addition and removal of users and their privileges are logged. User identification and authentication procedures are regulated and controlled.

The rights to access premises and security zones and server, network and information resources are approved and authorized by the company’s management.

We strictly control the use of privileged utilities – they are only available to authorized personnel, and their use is regularly audited.