Last updated on May 25, 2018
Physical Security Measures
All the computing equipment which supports the Elium platform is stored in secure racks hosted in Data Centres located in Belgium.
Protection against illegal intrusion, theft or any other risk that impacts the availability and confidentiality of our hardware is guaranteed by security measures taken by the Data Centres, like presence of security guards, fences and external gates, secure/armoured doors, individual badge access to rooms and cages, outside and inside building CCTV with 1 week recording storage, intrusion detection system with external monitoring. The Data Centres have TIER 3+ facilities with all required security measures against natural or industrial disasters, such as fire detection, raised floors, ceiling wiring, a backup generator, HVAC.
Hardware Security Measures
In order to provide a high-availability solution, our architecture provides, when possible, redundancy at the hardware level.
Network and power lines are physically segregated for safety purposes.
For networking equipment and servers (physical and logical), we provide at least an N+1 redundancy, ensuring that the service can be taken over by the remaining ones in case of failure, or scheduled maintenance.
Network Security Measures
There are two individual and separate Internet access lines to the Data Centre. One is the active Internet access to the elium network, and the other is used in case of issue or attack on the former. In case of network attack, we are able to switch between the two Internet access lines.
We execute regular review of network configuration for accessing online services. Each time a main change is applied to the network configuration, we perform penetration testing and record the result.
Internet access is protected against illegal remote intrusions with the help of rules on network devices that restrict access only to authorised traffic. Only required "facing" service (see below) ports are open to Internet (HTTP, HTTPS, SMTP,...)
Software Security Measures
There are different groups of services used by Elium. Each group of services have different security measures.
These internal services are used to access Elium. They are directly connected to the Internet and impact mostly the availability, confidentiality and integrity of elium.
These services are set-up to be redundant and provide high availability.
These internal services are used to support Elium. They are not directly exposed to the Internet.
These external services are used to support Elium. We are not responsible for the management of these services and thus have no impact on their availability, confidentiality and integrity.
Access to Elium is encrypted using HTTPS connection (supporting TLS1.0/TLS1.1/TLS1.2 based on RSA with AES128/AES256/CHACHA20). Our aim is to provide a good balance between compatibility and security for Elium customers (We have an A+ rating on SSLlabs).
Elium provides an administrative management of access rights and roles for users or user's groups, and full traceability of user activity and attempted abuse.
Elium also allows the customer's administrators to enforce advanced security options to their instance:
- multiple complexity level of user passwords
- download threshold
- virtual firewall
In any case, all passwords in Elium are stored hashed with strong hashing function and salting.
System Operations Security
Management and maintenance of Elium services are supervised by a small team of qualified engineers that are responsible for the day-to-day tasks in the objective to always provide stability, availability and security to Elium.
Updates and Security Patches
We stay informed about any security risks or breaches requiring security patches for the software used by Elium services. In any case, we apply these patches as soon as possible.
Data Security Measures
Elium customer data security is a priority for us. We use a series of security measures to ensure availability, confidentiality and integrity of customer data.
Elium customer data are stored on a distributed system (Ceph). Each data are replicated on different disks on different servers.
In case of handling confidential data (like customer data) outside production infrastructure, they are encrypted using a strong and robust mechanism. All encryption keys are stored in a secure/protected area.
All data is stored redundantly in near real-time (with at least 3 copies) to different servers to ensure resilience against hardware failures.We perform incremental snapshots regularly and store them encrypted on a secure area.
Customer data are logically segregated. This means that the data of each customer can be stored in the same physical storage but in different logical databases/buckets.
We guarantee full restitution of content stored by customers in their Elium instance. Either for internal archiving purposes during the life of the project, or for re-injecting it into another platform (typically upon project termination).
We have no obligation to retain the data of the customer after any effective date of termination, and undertake to destroy all content after at least 30 days following the customer's request.