Much like the Amazon or Azure clouds, the Rackspace Public Cloud is a public environment shared by many different users, and this raises pertinent questions about security. Rackspace has spent time engaging hundreds of customers on the issue, and a common theme has emerged: when customers talk about 'security in the cloud', it means different things to different people.

This article is presently in draft form. Please stand by.

SERVICE SPECIFIC SECURITY FOR CLOUD SERVERS™ & CLOUD FILES™
Rackspace Cloud Servers is a multi-tenant public cloud environment utilizing Xen-based hypervisors and a set of proprietary logistics and middleware nodes, offering both Linux and Microsoft Windows guest Operating System (OS) images. Customers may interact with their guest instances through the control panel or via the RESTful Application Programming Interface (API). Both methods enable customers to retain full control over their Cloud Server configuration. Rackspace implements controls for the physical security and environmental resilience of the underlying hardware, including network connectivity, and the management and maintenance of the shared infrastructure up to the hypervisor level. While Rackspace provides industry-leading levels of support around the underlying infrastructure, customers are considered the primary system administrators and are ultimately responsible for the configuration and maintenance of their Cloud Server instances, unless utilizing our Managed Cloud product as referenced previously.
As Cloud Servers are given pre-allocated physical storage resources upon creation, Rackspace is able to provide data persistence whether your Cloud Server is in an active state or shut down. Physical drive arrays are in a Redundant Array of Independent Disks (RAID) 10 configuration, providing a measure of data redundancy. Customers are able to snapshot Cloud Server images and upload them to their Cloud Files account. Rackspace recommends that customers perform regular snapshots of their Cloud Servers to provide for better availability of data and processing facilities. The snapshots can also be used to create new identical instances to provide scalability or further redundancy.

While Rackspace cannot guarantee that each of a customer's Cloud Servers is located on separate physical resources, the logistics algorithms underlying the creation of new customer Cloud Servers are designed to heavily favor the separation of an individual customer's machines. Rackspace does not support multi-data center or geographic redundancy of the Cloud Servers product at this time.

The Cloud Files environment automatically enforces the replication of hosted data. On initial upload, the Cloud Files environment replicates an incoming file across multiple separate zones in the data center. The zones are supplied with redundant utilities and connectivity. The infrastructure enabling the Cloud Files product is fully redundant, and the hash tables containing the location of uploaded files are distributed over all storage and proxy nodes. Like Cloud Servers, Cloud Files does not currently support multi-data center or geographic redundancy of data.
Our United Kingdom (LON 3 and LON 5), Hong Kong and Australian data centres are certified to the international standard for information security, ISO 27001. This certification also includes our internal International Global Security Services and Information Technology Infrastructure Services functions.
This standard provides a framework for managing a business’s security responsibilities and provides external assurance for customers as to the scope and scale of our secure environment via our Business Security Management System.
Since 2009 our system has provided the foundation for an integrated and sustainable security model working in tandem with our other security controls such as PCI-DSS. It is subject to on-going external assessment by our certification body, BSI with a full re-assessment every three years.
A copy of our certification can be viewed here, and our Commitment to Security Policy here.
Fanatical Support™ underpins who we are. To help formally recognise this, our UK management, delivery and support functions are certified to this internationally recognised standard.
This provides evidence of our commitment to the end-to-end delivery of customer service: from your very first contact with Rackspace right through to the completion of service requests – and everything in between! ISO 9001 also aligns neatly with our Fanatical Support Promise ensuring the quality principles of ISO 9001 are actively embraced in our day-to-day Fanatical Support to customers.
A copy of our certification can be viewed here: ISO 9001 certificate
Rackspace utilises this globally recognised standard for reporting on service organisation controls to demonstrate that selected Rackspace processes, procedures and controls have been formally evaluated and tested by an independent accounting and auditing company (service auditor) for our dedicated hosting customers, cloud servers & cloud files customers and all our data centres. The examination includes controls relating to security monitoring, change management, service delivery, support services, back-up, environmental controls, logical and physical access, providing a detailed description of our controls and the effectiveness of those controls.
Rackspace Hosting has completed an examination in conformity with the International Standard for Assurance Engagements (ISAE) No 3402 Type II Service Organization Control (SOC1 and SOC2) for the period from 1st October 2014 to 30th September 2015. This is repeated on an annual basis for each reporting period. Rackspace recognises the needs of our global customers and has worked with the service auditor to have the report issued with a joint opinion (SOC1 & SOC2) that satisfies the requirements of both the ISAE 3402 and the SSAE 16 (created by the AICPA (American Institute of Certified Public Accountants) for use in the US, mirroring ISAE 3402). The SOC2 report is available upon request to customers and prospects.
Due to the restricted distribution of the SOC2 report, Rackspace has obtained a SOC 3 report from our service auditors. The key difference between SOC 2 and SOC 3 reports is that the former contains a detailed description of the service auditor's tests and results of controls as well as the auditor's opinion on the description of the service organisation's system. A SOC 3 report provides only the auditor's report on whether the system achieved the trust services criteria. There is no description of tests and results or opinion on the description of the system.
To view Rackspace's SOC 3 Report, please click here.
Within the Cloud Servers product, newly created instances are configured with two network interfaces by default. The front, or public, facing interface is allocated a unique IP address that is used to route traffic from the instance to the Internet. A secondary interface is allocated and assigned an IP address that is not routable to the Internet and is used for communication between instances in the same data center and with other Rackspace services.

Customer segregation in Cloud Servers is enforced by the hypervisor. Hypervisor controls are in place to prevent MAC, ARP and IP spoofing on the public and private virtual interfaces of each Cloud Server. If a malicious user attempts to spoof IP or MAC addresses, those specific malformed packets are discarded. These rule sets prevent a given Cloud Server from sniffing the traffic of another, even one hosted on the same physical resources. Logical network security is the responsibility of the customer.
Segregation of physical resources such as memory, hard-drive space and CPU usage is also enforced by hypervisor controls. Each Cloud Server is allocated a volume when it is created, and each server is aware of only the storage assigned to it. The Cloud Servers hypervisors are accessible only to Rackspace, only via the private management network, and require appropriate administrative SSH keys.
When a customer deletes an instance, the instance is turned off and stored for as long as the instance has been in use, or 12 hours, whichever is shorter. After this interval, the instance is then scheduled for deletion from the system and the instance data is consequently rendered unrecoverable from the hypervisor’s disk. This retention period allows administrators to recover instances that were deleted by accident within a reasonable timeframe. After the retention period, latent data from previous Cloud Server instances cannot be read from new instances that are launched on the same hypervisor. For more details, see Data destruction – Cloud Servers and Cloud Files.
Managed Cloud instances provide Rackspace administrator access. The password for this account is rotated on a set schedule by Rackspace management systems. When a Rackspace administrator accesses this data, it is logged and the password for the account is rotated.
Cloud Servers that are part of a RackConnect configuration contain a RackConnect user that is built in to provide the RackConnect system access to manage network and software firewall settings, which are part of the RackConnect solution. This is an administrative account, but the credentials are not accessible by Rackspace administrators, only by the RackConnect automation system. Essentially, it is a system or service account. The password for this account is rotated on a set schedule by Rackspace management systems. Access and use of this account is logged, just as with the “rack” user for managed cloud instances.
Rackspace Cloud Files offers scalable, utility-billed file storage accessible via control panel, API and third-party applications. The Cloud Files environment automatically replicates uploaded customer data across multiple zones within a single data center, served by redundant power and networking utilities.

Cloud Files is an object storage solution, and does not implement encryption, virus detection, or compression on objects entering and/or exiting the system. Many of these functions are available through third-party tools such as swiftly, but they are ultimately the responsibility of the customer, not the Cloud Files system. Customers can monitor their data activity via logs that can be automatically delivered to their account.
Customer Segregation

Cloud Files enforces customer segregation via the environment's proxy and authentication systems. As a massive array of redundant storage, the actual location and management of data within the Cloud Files environment requires administrative activity by the proxy servers. A location and account for each file is maintained, and the appropriate tokens supplied by the authentication servers are required before the proxy will serve up any given file.
Rackspace encourages customers to make routine backups of their Cloud Servers environments. These backups can be done by making a copy of the current server image and placing it on Cloud Files. As these images could contain sensitive information, it is important for customers to ensure that only authorized personnel have access to the Cloud Files buckets containing the images.
Rackspace is responsible for the Cloud Server up through the hypervisor level. Customers have full administrative access to their cloud environments, and they are considered to be the system administrators responsible for the upkeep of the system, including maintaining compliance with their internal security or operational policies.

In general, Rackspace recommends that customers include a host-based firewall in their configuration, such as IPTables or the Windows Firewall. The firewall should be configured with a default deny policy, and only necessary ports should be enabled for access. Both the public and private network interfaces should be protected. In addition to firewalls, Rackspace recommends that customers maintain a regular patch policy so that the server operating system and applications are updated regularly with their respective security patches.
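As an added example (not code from the Rackspace article), the following POSIX shell script generates a default-deny iptables ruleset for a Cloud Server along the lines recommended above: SSH on the public interface only from an administrative range, the public web ports open, and a database port reachable only over the private interface. The interface names (eth0/eth1), the CIDRs and the port lists are assumptions.

```shell
#!/bin/sh
# Added example, not from the Rackspace article: generate an iptables-restore
# ruleset for a Cloud Server with a public interface and a private (ServiceNet)
# interface, applying the article's advice: default-deny INPUT policy, only the
# needed ports open, and both interfaces protected.
# Interface names, CIDRs and port lists below are assumptions/constructed values.
set -eu

PUB_IF="${PUB_IF:-eth0}"                       # assumed public interface
PRIV_IF="${PRIV_IF:-eth1}"                     # assumed private (ServiceNet) interface
ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.0/24}"     # constructed admin range (TEST-NET-3)
PRIVATE_CIDR="${PRIVATE_CIDR:-10.0.0.0/8}"     # assumed private network range
PUBLIC_TCP_PORTS="${PUBLIC_TCP_PORTS:-80 443}" # services exposed to the Internet
PRIVATE_TCP_PORTS="${PRIVATE_TCP_PORTS:-3306}" # services reachable only over the private net

# Emit a complete ruleset in iptables-save format. Policies are DROP for INPUT
# and FORWARD, so anything not explicitly allowed below is discarded.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $PUB_IF -p tcp --dport 22 -s $ADMIN_CIDR -j ACCEPT
EOF
    for p in $PUBLIC_TCP_PORTS; do
        echo "-A INPUT -i $PUB_IF -p tcp --dport $p -j ACCEPT"
    done
    # The private interface is reachable by other instances in the same data
    # centre, so private-side services are source-restricted as well.
    for p in $PRIVATE_TCP_PORTS; do
        echo "-A INPUT -i $PRIV_IF -s $PRIVATE_CIDR -p tcp --dport $p -j ACCEPT"
    done
    echo "COMMIT"
}

# Sanity check: every ACCEPT rule other than the conntrack rule must be bound
# to a specific interface, so nothing is opened on both by accident.
check_ruleset() {
    if gen_ruleset | grep -- '-j ACCEPT' | grep -v -- '-m conntrack' | grep -q -v -- ' -i '; then
        echo "unbound ACCEPT rule found" >&2
        return 1
    fi
    return 0
}

# Print the ruleset if it passes the check; apply with: iptables-restore < file
check_ruleset && gen_ruleset
```

Review the generated output before loading it with iptables-restore, and persist it with your distribution's usual mechanism so it survives a reboot.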
Rackspace Limited takes its environmental and workplace responsibilities seriously, from ensuring we provide a safe and healthy working environment for our employees through to our commitments to the wider world: legally and morally. Our joint policy attests to these commitments.
In support of this, our UK data centre and offices are certified to both the international environmental management standard, ISO 14001, which provides a framework for managing our environmental responsibilities, including energy and waste management, and BS OHS 18001 for our commitment to workplace wellbeing.
Both certifications are subject to on-going external assessment by our certification body, BSI (British Standards Institution), with a full re-assessment every three years.
Our ISO 14001 certificate number is EMS 581182 which you can view here and our BS OHS 18001 is numbered OHS 587454, available here.
The customer has a role in configuring their server and consuming the service: both cloud provider and cloud customer must accept responsibility for different aspects of the system, and both must implement a range of controls in order to properly secure the service. This document is intended as a shortened overview of the Rackspace Information Security (all sites) document.
Cloud providers like Rackspace have a responsibility for physical security of their data-centers and cloud infrastructure hosted within them. Rackspace has implemented many physical security measures to secure its data-centers.
Data security starts with assessment and identification of the unique risks a customer may face when hosting in a cloud environment. Rackspace implements controls to manage the risk of compromise on our internal networks, and via the hardware and hypervisor layers responsible for virtualization of your virtual machine instance. Rackspace also provides services and guidance on addressing risks identified by the customer. As the data owner and the primary system administrator of their cloud solution, the customer is ultimately responsible for data security issues. If in doubt, ask.
In any outsourced hosting solution these are key areas of concern. As a customer you require that only authorized users maintain access to your solution and that accountability is maintained. Rackspace utilizes OpenStack, which has appropriate safeguards in place to tightly restrict access to back-end infrastructure and is capable of tracking changes made to your account over time.

Rackspace can recommend services to assist customers in efforts to enforce account security and access controls on the hypervisor layer.
Rackspace maintains an internal security management system to ensure that it meets the requirements of applicable legal and regulatory obligations. It is the customer's responsibility to comply with relevant laws and regulations that impact their data hosted in the cloud. However, Rackspace can advise you on the best ways forward, specifically on the best industry-standard, recommended security practices. This is just part of the value that Rackspace can give your business.

This document mainly discusses the specific Cloud Servers™ and Cloud Files™ detail in this framework, as well as the small differences between Managed, RackConnect and traditional Cloud. It is intended as an at-a-glance summary of the relevant certifications and compliance in the Rackspace Cloud for customers planning to use the Rackspace OpenStack Public Cloud.

Please do note that this article is in draft format and may contain several inaccuracies at present. This information is sourced from the Rackspace official document 'Rackspace Information Security (all sites) Cloud FAQ.'
Cloud Servers instances themselves maintain no logical access to physical storage resources or disk sectors. Therefore, the data is rendered effectively unrecoverable from the instance after a server instance is deleted via control panel or API. Latent data from previous Cloud Server instances cannot be read from new instances that are launched on the same hypervisor. Deletion of data from the Cloud Files environment via control panel or API removes the file entry from the file table. As the files are stored on a distributed massive storage array with zero non-API or non-proxy-mediated network access, the files are therefore effectively undiscoverable and unrecoverable over a public connection. Requests for deletion of local files are stateful, and a success or fail result will be returned for every action. Where files have been distributed to the Akamai network by enabling CDN distribution, Cloud Files also supports edge purge functionality to clear the files from the CDN provider's edge distribution nodes. CDN edge purges are asynchronous, and purge assurance can be tracked via the automated success/failure email alerts. Customers are limited to a maximum number of CDN purges a day. Whole container purges are only available through a support ticket.
For those interested in PCI compliance, please see: https://community.rackspace.com/products/f/25/t/6132
Very helpful note Adam - is this still 'draft'? Can it be taken to be official Rackspace policy/description?