Operations and Security

The Assessment Architecture (64 Bit)

Command & Control

Communication from the virtual appliance to the RISC Networks Data Center is performed using 256-bit SSL encryption. The command and control interface that exists allows us to instruct each remote appliance with a set of predefined commands. The command and control interface is not remote access to the appliance, but rather a controlled, monitored, and logged interface that enables us to deliver the more comprehensive analytics engagements possible anywhere in the world.

We do not support engagements that utilize web filtering or proxy servers. The virtual appliance requires “proxy-free” access to the Internet via SSL (TCP port 443). If needed, the customer may limit access to the following URLs, which are assigned to our websites in our global data centers:

 

  • US / North and South America – orchestration.riscnetworks.com ( 34.192.184.110, 34.192.195.90 )

  • US / North and South America – dataup.riscnetworks.com ( 34.192.12.37, 34.192.197.132 )

  • US / North and South America – initial.riscnetworks.com ( 34.192.43.78, 34.192.198.28)

  • US / North and South America – app1.riscnetworks.com (34.192.198.73 )

  • US / North and South America – Backup & Growth (34.192.99.153, 34.192.185.36)

 

If requested by the customer, a RISC Networks Service Delivery Manager, who will be identified to the customer as such, can provide remote diagnostic support for virtual appliances. This access is only performed at the request of the client. No service delivery personnel, other than senior managers, have the ability to perform these diagnostics and they are only performed at the request of the customer.

 

Analytics log updates and communications

Communication is critical for a successful engagement. RISC Networks provides a secure online portal for customers and partners to communicate. All communication input into the portal is archived in the North American Data Center in the United States. For this reason, no personal data should be put into the log as that data will leave the respective theatre.  Information that is sensitive should not be placed into the log file. Credentials such as SNMP Strings, Windows Passwords or CUCM and VMware logins should only be placed in the local appliance through the web interface.

If RISC Networks personnel review Analytics data, whether as part of an engagement or at the request of a customer or partner, this data must necessarily travel to the United States. This review is optional. 

 

Data handling and security

All data is uploaded from the virtual appliance to the RISC Networks NAC using 256-bit SSL encryption. Before being uploaded the raw data is encrypted using a 2048-bit asymmetric public key.   Data uploads will occur on regular intervals in order to limit the upload size

Sensitive credentials, such as windows passwords, SNMP strings, VMware login information, Cisco CallManager credentials or any other secure credential entered into the appliance during the bootstrap process are never uploaded. These credentials stay in the virtual appliance and are used by the local processes on the appliance. RISC Networks delivery engineers never know or have access to the credentials used to bootstrap the appliance.

Once the secure, encrypted data upload is complete, the encrypted raw data is stored in a secure repository that is not directly accessible from the internet. RISC Networks provides full auditing for every access of this data on request. Customers may request a complete audit trail of anyone who accesses their raw data, their final reports for download, and deletion of raw data and final reports.

The encrypted raw data is accessed by RISC Networks’ UCEL reporting engines and is decrypted, stored in transient database instances and accessed for report generation. Final reports are placed into storage and accessible only through the RISC Networks secure web portal for download by customers and partners.

HealthCheck, CloudScape 1.0 and Solution Mapper

Raw customer data is held in RISC Networks NAC for a period of 90 days after the engagement has ended. After 90 days, the data is deleted and the storage device that data was stored on returns to the pool of data storage available for other RISC Networks engagements. When a storage device has reached the end of its useful life, procedures include a decommissioning process that is designed to ensure customer data are not exposed to unauthorized individuals. RISC Networks storage device are decommissioned using the techniques detailed in DoD 5220.22-M (“National Industrial Security Program Operating Manual “) or NIST 800-88 (“Guidelines for Media Sanitization”) to destroy data as part of the decommissioning process. If a hardware device is unable to be decommissioned using these procedures the device will be degaussed or physically destroyed in accordance with industry-standard practices

CloudScape 2.0

Raw customer data for CloudScape 2.0 engagments is held in RISC Networks’ NOC for a period of up to 35 days past the subscription end date. After the CloudScape 2.0 subscription expires, the data is deleted and the storage device that data was stored on returns to the pool of data storage available for other RISC Networks’ engagements. When a storage device has reached the end of its useful life, procedures include a decommissioning process that is designed to ensure customer data are not exposed to unauthorized individuals. RISC Networks storage device are decommissioned using the techniques detailed in DoD 5220.22-M (“National Industrial Security Program Operating Manual “) or NIST 800-88 (“Guidelines for Media Sanitization”) to destroy data as part of the decommissioning process. If a hardware device is unable to be decommissioned using these procedures the device will be degaussed or physically destroyed in accordance with industry-standard practices.

Data confidentiality and compliance

Privacy and security of Customer’s information, including personal data, are a primary concern for RISC Networks. RISC Networks’ data centers adhere to strict regulatory compliance standards such as:

  • PCI DSS Level 1
  • SAS 70
  • ISO 27001

At the end of any engagement, RISC Networks anonymizes data for aggregation reporting. RISC Networks does not collect personal user data such as:

  • User logins or passwords
  • Data Files (office documents, text files, etc)
  • Email Files
  • Database Files

  • Any files containing user information
  • Application payload information

To the extent that any particular engagement requires the processing of personal data in the EU and their subsequent transfer outside of the EU, RISC Networks, will, as a data processor, upon request, enter into the EU Standard Contractual Clauses for the transfer of personal data to third countries. In addition, RISC Networks is classified as a “Data Processor” under EU privacy laws and shall act only on instructions from its Customer and will have adequate technical and organizational security measures in relation to the processing of any personal data.

Data anonymization and aggregation

In order to continually improve the RISC Networks experience for customers around the world, RISC Networks will anonymize customer inventory and performance data and aggregate them in a data warehouse at the completion of every engagement. This data warehouse is then used to build models that provide valuable insight for customers as they attempt to determine their relative performance from the overall IT population.

Data Resource Sample: Statistics show you are likely having back-up failures right now. Why?

Network failures pie

Are you one of the 57% with back up failures? Find out before it’s too late.

Data based on 3467 Servers from 117 assessments

 

RISC Networks archived data consists of inventory information (without IP addresses, serial numbers, or hostnames), and performance metrics. Any identifiable characteristics are stripped and only performance metrics and or anonymous asset information is kept.

Customers can request that their data not be aggregated by emailing help@riscnetworks.com within 10 days of the completion of the engagement. These requests will be positively acknowledged but must be made after the engagement has completed.