
Cloud Security Architecture of eNlight

IT infrastructure security is one of the major areas of concern for most organizations today, given the volume of malicious activity taking place over the internet. bodHOST has designed its infrastructure and its cloud ecosystem in keeping with the latest trends in security. The cloud infrastructure at bodHOST, including the eNlight cloud, is designed to adhere to all the security measures required in today's world. bodHOST employs certified professionals to implement total security against data theft and information leakage, reducing risk and simplifying server security.

Security measures have been implemented at multiple layers, which are:

Physical Security

Physical access to data centre infrastructure is controlled throughout the facility and managed by professional security staff. Security systems such as video surveillance, biometric access control, and motion and entry detection cameras with alarms are installed throughout the premises. The security professionals ensure that only authorized personnel have access to the data centre facility; all visitors are required to provide identification, and only then are they allowed to visit the facility, escorted by a staff member.

Cloud Infrastructure Security

Enterprise storage devices with multiple security layers are used to store eNlight data. These layers are further strengthened by security best practices, including isolation of storage from the public network and thick provisioning of storage so that no storage is shared between customers. eNlight's hardware virtualization technology isolates cloud servers at the hypervisor layer for additional data security; this virtualization of physical resources keeps the guest and hypervisor layers separate. Customer instances have no access to raw disk devices but are instead presented with virtualized disks, and the chunks of storage used by a customer are reset as soon as they are detached from any VM.

Server Security

The isolation layer replicates cloud resources (processors, memory, storage, etc.) to match the execution requirements of the original server in eNlight. Servers and applications run on eNlight cloud "as is" without requiring modification or redesign, and without any disruption. eNlight's tightly integrated modules easily expand to ensure server, application, and data security across physical, virtual, and cloud servers, as well as virtual desktops.

Storage Security

bodHOST staff members are not allowed to see the content of files stored on eNlight VMs; they can only view the metadata. Storage servers are set up in a private network isolated from the public network, eliminating the threats and attacks that may arise from the internet. Traffic to and from the eNlight cloud stays within the corporate firewall without crossing the internet.

Network Isolation

eNlight Cloud uses network virtualization techniques to separate different networks on the same hardware, with resources partitioned accordingly, ensuring strong isolation and regulated sharing of network resources. Network isolation ensures that viruses cannot enter eNlight's network, and that malicious users and external software are unable to attack eNlight servers, since they lack the authentication credentials required to establish communication within eNlight's isolated network.

Network Security

[Figure: security architecture diagram]

Each client is provisioned in its own VLAN on an L3 switch, reducing network vulnerabilities and providing protection against traditional network security issues such as Distributed Denial of Service (DDoS) attacks, Man-in-the-Middle (MITM) attacks, IP spoofing, etc. Multi-level security is provided through the operating system (OS) of the host, the OS of the virtual instance (the guest OS), and the firewall.

IP Spoofing & Theft Protection

eNlight Cloud enforces IP-MAC binding policies to ensure "zero" IP thefts: each IP address is bound to the MAC address of the VM it has been provisioned on. Routers are set up with similar policies, so even if a MAC address is spoofed, the router still does not forward traffic for an unknown MAC address. The eNlight interface does not accept source IPs within the internal range. eNlight ensures that authentication measures are in place and are carried out over a secure (encrypted) channel.
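The two policies described above (IP-MAC binding on the VM side, rejection of internal-range source addresses on the Internet-facing side) can be expressed as a small forwarding decision. The following is an added illustration written for this page, not eNlight's own code: the binding table, the port names and the address ranges are constructed values, and binding each IP to a switch port as well as a MAC is an assumption about how the "unknown MAC" rule is enforced.

```python
import ipaddress
from dataclasses import dataclass

# Constructed provisioning table (hypothetical values): each public IP is bound to
# the MAC of the VM it was provisioned on and to the switch port that VM sits behind.
BINDINGS = {
    "203.0.113.10": ("52:54:00:aa:bb:01", "port7"),
    "203.0.113.11": ("52:54:00:aa:bb:02", "port8"),
}

# Constructed internal ranges; the Internet-facing interface must never see them as a source.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Frame:
    ingress: str   # "external" for the Internet uplink, otherwise a VM-facing switch port
    src_ip: str
    src_mac: str


def check_frame(frame, bindings=BINDINGS, internal=INTERNAL_RANGES):
    """Return (forward, reason) for one frame under the binding / anti-spoof policy."""
    try:
        ip = ipaddress.ip_address(frame.src_ip)
    except ValueError:
        return False, "malformed source address"

    if frame.ingress == "external":
        # Anti-spoofing on the Internet side: an internal address can never be a source here.
        if any(ip in net for net in internal):
            return False, "internal range used as source on external interface"
        return True, "ok"

    # VM side: the source IP must be provisioned, and the frame must carry the bound
    # MAC and arrive on the bound port, so neither IP theft nor MAC spoofing is forwarded.
    binding = bindings.get(frame.src_ip)
    if binding is None:
        return False, "source IP not provisioned"
    mac, port = binding
    if frame.src_mac.lower() != mac:
        return False, "source MAC does not match binding"
    if frame.ingress != port:
        return False, "bound MAC seen on unexpected port"
    return True, "ok"
```

A real deployment would log each drop with the reason string, since a burst of "source MAC does not match binding" or "internal range used as source" decisions is exactly the signal a NOC team watches for.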

Security against Internet threats

Various threats prevalent over the internet are handled through multiple protection mechanisms of eNlight cloud:

  • Firewall enabled on all servers
  • Router is connected with an IDS in parallel to continuously monitor traffic and block known threats such as application and network virus(es) and help detect / eliminate DDoS attacks
  • 24 x 7 NOC teams keep a close watch on aberrant network behavior

Copyright © bodHOST Ltd. All rights reserved.