Implementation
BACKGROUND
Information networks and systems play a crucial role at the global level. Due to the transactional nature of operations, a serious disruption of these elements, whether deliberate or not, and regardless of where it occurs, can affect different actors in a country's economy. Cybersecurity is global, because it is fought against a common enemy. Despite the fact that each region of the world and each country has its own regulation and technological development model, cybersecurity needs are practically shared in many of them.
Attacks inflicted in cyberspace have a number of characteristics that have contributed to their proliferation. Cyber-attacks can be carried out at low cost and are difficult to trace, and therefore it is not possible to determine their authorship. Given this reality, specifically in Latin America, most of the States have a capacity to respond to cyber-attacks, but the truth is that only a few have designed a Cybersecurity Strategy.
Developing in step with an increasingly globalized business environment, the communications industry has contributed to increasing productivity and interconnecting communities around the world, in virtually every branch of industry. Much of this success is due to the development of standards by organizations such as ITU-T.
While existing standards facilitate the efficiency of existing networks and systems and pave the way for future ones, the increased use of open protocols and interfaces, the variety of new players, the impressive diversity of applications and platforms, and implementations that are not always efficiently tested have increased the potential for malicious use of networks.
This raises the question of how an open communications infrastructure can be supported without exposing its information to security problems. The answer lies in the efforts of standardization groups to combat security threats in all areas of telecommunications infrastructure, ranging from details in protocol specifications and applications to network management. IFX Networks relies on the various recommendations developed by ITU-T and ISO to ensure the reliability and quality of its telecommunications infrastructure and related services and applications.
In line with United Nations General Assembly resolutions 55/63 and 56/121 on the "Fight against the Use of Information Technology for Criminal Purposes", with the work carried out by the Inter-American Committee against Terrorism (CICTE) as reflected in the Comprehensive Inter-American Strategy to Combat Threats to Cyber Security, and with the cybersecurity strategy documents of each country where IFX Networks operates, as a company we define the following strategies for network security:
- General definitions.
For a better understanding of the approaches that IFX NETWORKS makes in this document, it must be interpreted according to the following general considerations.
1.1. Internet access: Physical access that includes all the functionalities and national and/or international connections necessary to allow a user to establish communication with an Internet node, the latter being understood as a TIER-1 point or a national access point (NAP).
1.2. Switched access: A form of Internet access in which the connection between the user's terminal and the access equipment of the operator providing Internet access is made through dial-up over a telephone line of the TPBC network.
1.3. Broadband: The transmission capacity whose bandwidth is sufficient to allow, in a combined manner, the provision of voice, data and video, either wired or wireless.
1.4. Narrowband: Wired or wireless transmission capacity with an effective data transmission speed lower than that established in the definition of broadband.
1.5. Quality of Service (QoS): The overall effect of the performance of a service that determines the degree of satisfaction of a user with the service.
1.6. Data rate: In digital systems, it corresponds to the amount of information that can be transmitted in time through a communication channel, expressed in bits per second (bps) and its multiples.
1.7. Authentication: Process intended to allow the system to ensure the identification of a party.
1.8. Authorization: Process of attributing rights or granting permissions to perform certain activities and their relationship with certain processes, entities, legal entities or natural persons.
1.9. Cyberspace: The physical and virtual environment composed of computers, computer systems, computer programs (software), telecommunications networks, data and information that is used for interaction between users.
1.10. Cybersecurity: The set of tools, policies, security concepts, security safeguards, guidelines, risk management methods, actions, training, best practices, insurance and technologies that can be used to protect organizational and user assets in the cyber environment. Cybersecurity ensures that the security properties of assets and users are achieved and maintained against the corresponding security risks in the cyberenvironment.
1.11. Data confidentiality: Preventing unauthorized disclosure of data.
1.12. Availability: Access by an authorized entity to information and computer systems, when required by this entity.
1.13. Entity: Natural or legal person, organization, element belonging to a piece of equipment or a computer program.
1.14. Critical Infrastructure: The set of computers, computer systems, telecommunications networks, data and information, whose destruction or interference may weaken or impact the security of the economy, public health, or the combination thereof, in a Nation.
1.15. Data Integrity: Property or characteristic of maintaining the accuracy and completeness of information.
1.16. Interception: The acquisition, visualization, capture or copy of content, data or part of the content of a communication transmitted by wire, electronic, optical, magnetic or other means, carried out during transmission, using electronic, mechanical, optical or electromagnetic means.
1.17. Interference: The action of blocking, hiding, preventing or interrupting the confidentiality, integrity of computer programs, computer systems, data or information, by means of the transmission, damage, deletion, destruction, alteration or suppression of data, computer programs or data traffic.
1.18. Interruption: The event caused by a computer program, telecommunications network or computer system that interferes with or destroys a computer program, telecommunications network, data and information contained therein.
1.19. Non-repudiation: Service that aims to ensure the availability of evidence that can be presented to third parties and used to prove that a certain event or action has taken place, with the purpose of preventing a person or entity from denying having performed a data processing action, by providing proof of such actions in the network.
1.20. Pharming: The action of modifying the Domain Name System (DNS) server, changing the correct IP address for another, in such a way as to make the user enter a different IP in the belief that he/she is accessing a personal, commercial or trusted site.
1.21. Phishing: The act of sending an e-mail whose purpose is to deceive the user by directing him/her to a false web page and by this means, obtain private information that will be used for unauthorized or illicit purposes such as identity and password theft.
1.22. Malicious Software (Malware): A computer program that is inserted into a computer or computer system without authorization, with the purpose of compromising the confidentiality and integrity of the computer system, the telecommunications network, data and data traffic. This type of program comes in the form of viruses, worms, electronic Trojans and others, which can be distributed via email, web site, shareware or freeware.
1.23. Vulnerability: Any weakness that could be exploited to breach a system or the information it contains.
1.4. Guarantee of network security and service integrity, to avoid interception, interruption, and interference of the service.
IFX continuously monitors each of the services it provides, so that it can identify in a timely manner any event or anomaly in the network, using equipment placed at strategic points of the network that monitors, among other things:
- Status of network equipment
- Logs of activities performed on the equipment
- Monitoring of traffic behavior in different sectors of the network such as interconnection points, peering, and node concatenation.
- Firewall control reports specifying and detailing traffic through critical network points, attack signatures, vulnerability analysis in mission critical devices and servers, as required.
- Backups of network devices and backups, protected under minimum public exposure structures.
- Security Assessment Committees, where vulnerabilities and critical network points are detailed and exposed and tools are established to cover the detected flaws.
1.5. Security models, according to the characteristics and needs of the network, which contribute to improve the security of access networks, in accordance with the security frameworks defined by the ITU.
IFX NETWORKS COLOMBIA, in the exercise of its activity as a telecommunications service provider, and in compliance with the orders of the surveillance and control authorities of the activity, has implemented the models listed below, for the purpose of protecting the networks and end users, under the terms established by the regulations in force:
1.5.1. Authentication
In accordance with ITU standards X.805 and X.811, authentication consists of proving the veracity of the identity claimed by an entity. In this context, entities are considered to be not only individuals but also mechanisms, services and applications. Authentication is also intended to ensure that an entity is not attempting to usurp an identity or to issue an unauthorized response to a previous communication.
The messaging and collaboration services offered by IFX to its customers have authentication systems based on LDAP architecture, which in addition to being robust and reliable, allows the use of password encryption, so that the credentials are only known by the end user, thus ensuring an additional level of confidentiality of information.
Additionally, in its suite of messaging and collaboration products, IFX allows the configuration of digital signature controls, so that the customer can guarantee to its recipients the authenticity of the origin of the mail, avoiding identity theft or the issuance of an unauthorized response to a previous communication.
For our shared and dedicated web hosting services, IFX applies the security model at domain level, understanding domain as the security scope that encapsulates the services of each client. Under this model, once authenticated, the subscriber has full access to their information, including the databases of which they are the owner, and with this control they can create users with specific privileges within their security domain, whose responsibility falls directly on the client who owns the domain.
In dedicated hosting services, IFX delivers total control of the hardware systems, base operating system and software to the customer, so that the administration of the authentication services is under total responsibility of the customer.
1.5.2. Access Control
The security dimension of access control protects against unauthorized use of network resources. Access control ensures that only authorized persons and devices can access network elements, stored information, information flows, services and applications. Access control is defined in clause 6.3/X.810 and ITU-T X.812. Although it is related to authentication, it is outside the scope of authentication.
- a) Physical Security. IFX Networks has several years of experience in designing, building and operating medium and large scale data centers in all of our direct points of presence in the United States and Latin America. This experience has been applied to our platform and infrastructure.
IFX Networks data centers are located in facilities with physically protected perimeters including surveillance systems with 7 x 24 x 365 coverage. For our data centers located in Tier III facilities we have strict security measures with perimeter control. Physical access is strictly controlled both at the perimeter and at points of entry to the building by security professionals using video systems, intrusion detection systems and other electronic means.
Authorized staff members must meet at least two-factor authentication to physically access a data center. All visitors and contractors must present identification and fingerprint, after which they are accompanied at all times by an authorized staff member.
IFX Networks only provides access to data centers to employees who have a legitimate business need for the privilege, and their access is immediately revoked when that need ends, even if they remain employees of IFX Networks. All physical and electronic access by employees to IFX Networks data centers is routinely logged and audited.
- b) Logical access security. Logical access security to IFX Networks' various hosting platforms is provided at multiple levels: operating system, virtual instances, applications and firewall. Each of these items builds on the capabilities of the others. The goal is to ensure that the data contained within the various IFX Networks Hosting platforms cannot be intercepted by unauthorized systems or users and that the various IFX Networks service instances provide the highest possible security without sacrificing the flexibility in configuration and functionality that customers demand.
- Operating System Level Security: IFX Networks System Administrators with a business need related to Hosting services must provide credentials to gain access with basic privileges to the different systems. This access process is carried out in a centralized security environment through LDAP authentication, and using SSH and Kerberos protocols depending on the operating system being accessed.
This access security control, at the operating system level, allows the construction of systems that are designed and configured to protect the management plane of the hosting platforms. Once connected to this initial level of security, authorized administrators can use commands to escalate privileges to a second level of authentication. Such accesses are routinely logged and audited. When the respective business need no longer exists, privileges and access to this security level are revoked.
- Virtual instances: virtual instances, also known as virtual servers, are completely controlled by the customer, who has full administrative access to the instance and to the additional accounts, services and applications running on it. IFX Networks system administrators do not have access to customer virtual instances, and cannot authenticate to gain access to them at the operating system level. Therefore, customers must employ an authentication-based elevation of privilege mechanism to access the virtual instance's operating system.
- Firewall: IFX Networks provides a firewall solution for the different Shared Hosting platforms, such as web hosting, messaging and collaboration systems. This firewall is configured in deny mode by default for incoming traffic, and it is the customer who must explicitly specify the ports and protocol for which traffic should be allowed as long as it is directly related to the contracted service. The customer must also specify the IP address, set of IP addresses or source networks allowed for their service.
For dedicated hosting services, including virtual instances, the firewall service is optional for the customer. If the customer does not acquire it, any incident related to an unauthorized intrusion into the customer's system from the Internet is the customer's responsibility.
Administrative access via SSH or RDP for IFX Networks System Administrators is only allowed through VPN connections, thus achieving an adequate level of encapsulation of information and access credentials.
1.5.3. Audit logs for mail and hosting
In its messaging and collaboration services, IFX Networks maintains a log of emails sent and received at the SMTP service level. The retention period of this log is established by IFX Networks and communicated to the customer during the service offer process, prior to contracting. As part of the value-added messaging and collaboration product portfolio, IFX Networks offers optional mail backup and auditing services.
For shared web hosting services, IFX Networks maintains a log of access and content manipulation activities. The retention period of this log is established by IFX Networks and communicated to the customer during the service offer process, prior to contracting.
Since the customer has full control of the administration of the Dedicated Hosting services, including virtualized services, it is the customer's responsibility to keep the logs and carry out the work related to non-repudiation services.
1.5.4. Principle of data confidentiality
IFX Hosted Services offers a scalable, high-availability platform, and allows users to manage a wide range of products. Ensuring the privacy and confidentiality of customer systems and data is of paramount importance to IFX.
The ITU-T X.805 standard makes an explicit distinction between privacy and confidentiality of data, the former having to do with protecting the association of users' identities and activities, while the latter refers to protection against unauthorized access to data content.
1.5.5. Privacy
IFX internal policies that refer to data privacy in accordance with the provisions of the ITU X.805 standard ensure that the information provided by users at the time of registration to any of our systems is not disclosed to third parties without the prior authorization of the customer.
- a) Data confidentiality. To guarantee the confidentiality of data, methods such as encryption, access control lists and file access permissions are usually used.
Web access to the mail services offered to our customers is done through secure sites using SSL certificates issued by entities recognized worldwide. Additionally, we offer our clients messaging and collaboration systems whose access through their traditional email clients is done through the RPC protocol over HTTPS, thus guaranteeing the confidentiality of their information.
As part of our products, the client has the option of acquiring mail encryption services in which it is guaranteed that only previously authorized recipients can access the information contained in the messages sent by our users.
For our shared and dedicated web hosting services, we apply security policies based on access control lists, which guarantee that access to information and its manipulation can only be performed by a valid user with privileges previously authorized by the client. All control panels offered to customers for the administration of their hosting services are protected with SSL certificates.
1.5.6. Principle of data integrity
As referenced in the ITU X.800 and X.815 recommendations, the principle of data integrity is the property that data has not been altered in an unauthorized manner. In addition, data integrity ensures that the information is protected against the following unauthorized operations: modification, deletion, creation, and copying of data.
All IFX Networks shared hosting services use a common security framework that protects the integrity of customer information through the use of ACLs and profiles with different levels of access, which ensures that the information can only be manipulated by its owner user, and according to the privileges previously established for the contracted service.
IFX Networks performs regular updates on all its shared hosting systems in order to prevent intentional manipulation of information that can be performed by an external agent exploiting vulnerabilities at the operating system level, database engines, or mail software.
On the other hand, IFX Networks has antivirus software for those systems, both mail and web hosting, which may be the target of computer virus attacks, which can affect the integrity of customer information.
Dedicated Hosting customers, including those of virtualized services, are responsible for ensuring the integrity of the information stored on such systems, as IFX Networks has no control over them at the logical level.
1.5.7. Principle of availability
Availability, as a dimension of security, described in the ITU X.805 recommendation, ensures that a network outage does not prevent authorized access to network elements, stored information, information flows, services and applications. This category includes solutions for disaster recovery and network restoration.
IFX Networks guarantees the levels of availability previously agreed with the customer during the contracting process through an infrastructure designed and implemented for each of the services offered at the Hosting level.
All IFX Data Centers at regional level have redundancy systems in power supply systems. For our TIER III Data Centers, we have n+1 redundancy schemes for power supply, temperature control and humidification systems, which allow us to provide high availability for shared hosting services hosted in these facilities.
Depending on the level of criticality of each system, and as previously stipulated in the service level agreements, the different hosting platforms have server farms that provide high availability in the event of a failure at the operating system, hardware or even service level.
The storage equipment implemented by IFX Networks for mission critical systems in its various shared hosting platforms has redundant processing options in case of failure of one of its controllers. Likewise, all our storage systems are implemented using RAID technologies to minimize the impact on availability caused by physical failures at the disk level.
In case of an eventuality that affects the availability of services and that exceeds the scope of the systems and methods of high availability described above, IFX Networks has backup systems that guarantee the possibility of information recovery in case of an IT contingency for all its shared hosting services.
These backup systems, together with the methods and procedures established by the team of system administrators of IFX Networks, make it possible to restore the provision of services in case of a computer disaster, within the times established in the levels of availability offered to our customers.
1.6. Measures in relation to the networks and services provided, with regard to ensuring the principles (confidentiality, integrity and availability) and security services (authentication, authorization and non-repudiation) of the information, required to ensure the inviolability of communications, the information that is processed through them and the personal data of subscribers and/or users, with regard to the networks and/or services provided by such operators.
The activities, actions and methods are detailed in the previous sections: they comprise the whole set of authentication parameters, protection and encryption services aimed at the development and assurance of each of the network components. Likewise, the diagnostic, control and monitoring services make it possible to permanently visualize changes in the network structure.
Similarly, IFX NETWORKS has staff dedicated exclusively to network management. This staff administers and permanently visualizes the behavior of the network and each of the services offered, allowing a quick visualization of threats or problems that threaten the stability of the services offered and the network backbone.
1.7. Measures in relation to the interception, violation or repudiation of network communications.
Access controls to Backbone and CPE equipment (equipment located at subscribers' premises), in addition to the event detection and monitoring systems for the entire network Backbone, access network and Customer-Side, which allow visualization of actions executed and/or denied to users and third parties linked to side-to-side communications.
1.8. Formal processes for the treatment of information security incidents, which are part of the provider's security management, when the violation comes from a third party, and the network and/or telecommunications service provider is aware of said violation, in addition to the report of the necessary measures to stop the behavior, as well as the report to the competent authorities of the alleged violation.
Forensic analysis is a regular procedure, applied in a situation of imminent disaster. IFX has equipment capable of recovering post-disaster information, in such a way that it can obtain detailed information about origin, type of action taken, indirect impact, potential impact in the medium, long and immediate term, fast-recovery mechanisms and information tracking, storage structures and databases in HD mode. For these purposes, it has traffic sensors and traffic observation mechanisms (origin-destination-service) configured on access interfaces, UP-LINKS, NAPs and other points of interaction and integration of multi-operator and multi-access public networks.
1.9. Mechanisms to ensure the confidentiality, integrity and availability of subscriber and/or user data, which will be used for the prevention and control of fraud in telecommunications and for compliance with regulatory obligations that so require.
Taking into account the trends in telecommunications and the globalization of information, it is necessary that government agencies constantly regulate, through legal tools, the exchange of user information between telecommunications service providers in order to ensure the confidentiality of their information and thus avoid misuse and mishandling of such information.
TERMS AND CONDITIONS
Unless otherwise noted, the information presented on this Web site is the property of IFX Corporation, and is protected by IFX Corporation's proprietary rights, Copyright © 2001 by IFX Corporation ("IFX"). All rights reserved.
Acceptance of Terms and Conditions
By accessing this site, you acknowledge that you have read the terms and conditions described below and agree to be bound by them. If you do not agree to these terms and conditions, you should exit this site now.
Intellectual Property
IFX hereby authorizes you to view, copy, print and distribute material from this web site, provided that such material is used solely for informational or non-commercial purposes. Use of the information for other purposes is not authorized. In consideration of this authorization, you agree that any copies you make of these documents shall retain all copyright and other proprietary notices that they may contain. IFX Networks and the IFX logo are registered trademarks or service marks of IFX Corporation. You may not use these marks, or any other IFX marks, without the prior written permission of IFX Corporation.
Nothing contained herein shall be construed as conferring by implication, estoppel or otherwise any license or right under any patent or trademark of IFX or any third party. Except as expressly provided above, nothing contained herein shall be construed as conferring any right or license under any copyright of IFX.
Warranty
Documents published by IFX on the World Wide Web Server are provided "AS IS" AND WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. In no event shall IFX be liable for any special, punitive, exemplary, incidental, indirect or consequential damages, including, but not limited to, damages resulting from use OR RELIANCE ON THE INFORMATION PROVIDED, loss of goods or revenue or costs of replacement goods, even if IFX has been advised in advance of such damages.
Every commercially reasonable effort will be made to ensure the accuracy of the information presented. However, IFX assumes no responsibility for the accuracy of the information. Product information is subject to change without notice. Changes, if any, will be incorporated into new editions of these publications. IFX may make improvements and/or changes in the products and/or the programs described in these publications at any time without notice. Mention of products or services not owned by IFX is for information purposes only and constitutes neither an endorsement nor a recommendation.
Links
While this Web site may contain links to third-party sites, IFX is not responsible for the content of any linked sites. IFX provides these links as a convenience to you and does not endorse the companies or the contents of any linked sites.
Posting of Information
You are prohibited from posting or transmitting any unlawful, threatening, obscene, libelous or otherwise offensive material.
Submissions
Any material, information or ideas submitted to or posted on this Web site will be considered non-confidential and non-proprietary. IFX may share or otherwise use the material submitted for any purpose IFX deems appropriate. If the information submitted is of a personal nature, you agree that IFX may transmit such personal data across international borders for such business purposes as IFX deems appropriate.
Jurisdiction and Choice of Law
This agreement and all claims or disputes relating to this Web site shall be governed by the laws of the State of Florida. Any legal action relating to these Terms and Conditions or this Web site must be brought within one (1) year after the claim or cause of action arises, which must be brought in the State of Florida.
All product and brand names are trademarks or registered trademarks of their respective owners.
Products and services may vary from country to country. Contact your local IFX representative for specific information.
IFX PRIVACY STATEMENT
We at IFX have long recognized that the people with whom we do business value their privacy. However, to conduct global business in this growing electronic economy, the collection of personal information is generally necessary and desirable. IFX is committed to balancing the benefits of electronic commerce with the rights of individuals to prevent the misuse of their personal information.
Collection of Domain Information
IFX also collects domain information as part of its analysis of the use of this site. This data allows us to learn more about the types of customers who visit our site, how often they visit, and which parts of the site they visit most frequently. IFX uses this information to improve its Web-based offerings. This information is collected automatically and does not require any action on your part.
Cookies
Some pages on this site use "cookies," which are small files that the Web site places on your hard drive for identification purposes. These files will be used the next time you visit for registration and personalization purposes. It should be noted that cookies cannot read data off your hard drive. Your Web browser can be set to notify you when you are receiving a cookie, giving you the option to accept it or not. If you do not accept cookies, some pages may lose functionality and you may not be able to access specific information on this site.
By using this site, you signify your agreement to the IFX Privacy Policy. We reserve the right, at our sole discretion, to change, modify, add or remove portions of this policy at any time. Your use of www.ifx2.dev.radar.cl following changes to these terms will signify your acceptance of those changes.
Forward-Looking Statements
The information on this Web site contains statements to be interpreted in accordance with the Private Securities Litigation Reform Act of 1995, including statements regarding IFX Corporation's (IFX) business development projects, IFX's efforts to create strategic alliances and new products, as well as the growth of IFX's customer base and users of IFX's services. These statements reflect IFX's current views regarding future events and financial performance. Such statements are subject to certain risks and uncertainties that could result in material changes in events and results. Potential risks include IFX's limited operating experience in the Internet network area, IFX's ability to attract significant additional financial investment and the possibility of continuing to incur losses and negative operating cash flow, as well as risks associated with international expansion, particularly in Latin America. Additional risk factors that could affect IFX's financial performance are detailed in reports and documents regularly filed with and submitted to the U.S. Securities and Exchange Commission.