CellarStone Security

Overview
CellarStone Inc. (herein referred to as CellarStone in this document) is committed to ensuring the confidentiality, integrity, and availability of our customers’ information, which is vital to their business operations and therefore to our success. We use a multi-layered approach to protect that key information, constantly monitoring and improving our applications, systems, and processes to meet the changing demands and challenges of security. CellarStone will implement procedures and controls at all levels to protect the confidentiality and integrity of information stored and processed on its systems and ensure that information is available only to authorized persons as and when required. This document details CellarStone policies to ensure the protection of its information assets, and to allow the use, access, and disclosure of such information in accordance with appropriate standards, laws, and regulations. 

Security

  • 24×7 monitoring by guard force and cameras
  • Data center space is physically isolated and accessible only by specified administrators
  • Fully-managed, hardened, stateful inspection firewall technology
  • Fully-managed Intrusion Detection System (IDS)
  • Security, visibility, and carrier-class threat management and remediation, using Virtual Cloud Networks to compare real-time network traffic and immediately flag anomalies such as:
    • Distributed Denial of Service (DDoS) attacks, worms, or botnets
    • Network issues such as traffic and routing instability, equipment failures, or misconfigurations
  • 24x7x365 Virtual Firewall, IPsec VPN, and IDS support and maintenance
  • 24/7 incident response teams ready to detect and respond to events.

Key Security Features

Security is a shared responsibility: part ours, part yours. That’s why we’ve developed best practices for securing CellarStone.

  • Customer isolation: Allow customers to deploy their application and data assets in an environment that provides full isolation.
  • Data encryption: Protect customer data at-rest and in-transit in a way that allows customers to meet their security and compliance requirements with respect to cryptographic algorithms and key management.
  • Security controls: Offer customers effective and easy-to-use application, platform, and network security solutions that allow them to protect their workloads, have a secure application delivery using a global edge network, constrain access to their services, and segregate operational responsibilities to reduce the risk associated with malicious and accidental user actions.
  • Visibility: Offer customers comprehensive log data and security analytics that they can use to audit and monitor actions on their resources, allowing them to meet their audit requirements and reduce security and operational risk.
  • Secure hybrid cloud: Enable customers to use their existing security assets, such as user accounts and policies, as well as third-party security solutions when accessing their cloud resources and securing their data and application assets in the cloud.
  • High availability: Offer fault-independent data centers that enable high-availability, scale-out architectures and are resilient against network attacks, ensuring constant uptime in the face of disasters and security attacks.
  • Verifiably secure infrastructure: Follow rigorous processes and use effective security controls in all phases of cloud service development and operation. Demonstrate adherence to strict security standards through third-party audits, certifications, and attestations. Help customers demonstrate compliance readiness to internal security and compliance teams, their customers, auditors, and regulators. 

Power and Environment
  • Redundant UPS and generator backups for all systems.
  • HVAC (heating, ventilation, and air conditioning) systems arranged in an N2 redundancy configuration.
  • Automated controls that provide the appropriate levels of airflow, temperature, and humidity. 

Fire Detection and Suppression
  • Multi-zoned, dry pipe, water-based fire suppression systems.
  • Monitors to sample the air and provide alarms prior to pressurization.
  • Dual-alarm activation necessary for water pressurization.
  • Water discharge specific to fire alarm location. 

Flood Control and Earthquake
  • All facilities built above sea level with no basement areas.
  • Moisture barriers on exterior walls.
  • Dedicated pump rooms for drainage/evacuation systems.
  • Moisture detection systems.
  • Location-specific seismic compliance.
  • All facilities meet or exceed requirements for local seismic building codes. 

Network Protection
  • Perimeter virtual firewalls and virtual routers block unused protocols.
  • Internal firewalls segregate traffic between the application and database tiers.
  • A third-party service provider continuously scans the network externally and alerts on changes to the baseline configuration.

Disaster Recovery
The CellarStone Incent service performs real-time replication to disk within the data center for business continuity purposes, and stores data offsite at a secure facility for disaster recovery purposes. Data is transmitted across encrypted links. Disaster recovery functionality is exercised regularly to verify projected recovery times and the integrity of customer data.

Backups
All data is backed up at each data center, on a rotating schedule of incremental and full backups. The backups are then replicated over secure links to a secure archive.

Internal Testing Assessments
CellarStone tests all code for security vulnerabilities before release, and regularly scans our network and systems for vulnerabilities.
  • Web application vulnerability assessments
  • Network vulnerability assessments
  • Selected penetration testing and code reviews
  • Security control framework review and testing 

Login IP Ranges
Login IP Ranges limit unauthorized access by requiring users to log in to CellarStone from designated IP addresses — typically your corporate network or VPN. By using Login IP Ranges, admins can define a range of permitted IP addresses to control access to CellarStone. Anyone who tries to log in to CellarStone from outside the designated IP addresses will not be granted access.
 
Educate Users About Phishing
CellarStone highly recommends phishing education for all CellarStone users. Most cyber-attacks use malware (malicious software) to infect a computer with code designed to steal passwords or data, or to disrupt an entire computer or network. Fortunately, you don’t need to be a security expert to help stop malware.

Some simple recommendations you can make to your CellarStone users:
Teach users not to be fooled by phishing, and not to click links or open attachments in suspicious emails. One of the most effective cyber-attack techniques is tricking someone into clicking a link or opening an attachment that installs malware. These are called phishing emails because they bait you into opening the message and acting on it. A phishing email may say something intriguing or useful, or appear to be a legitimate message from a real company (package delivery, payroll, IRS, social networking, etc.).

Instruct users never to open emails from unknown sources. Hackers want people to click on their link so that they can infect the user’s computer. Similarly, teach users that an email from an unknown source should be evaluated on who sent it and whether the message makes sense; if not, it may be malicious. The sender's address should always be verified, and any link can be hovered over to reveal the URL it actually points to. For example, if a link claims to be from CellarStone, hovering over it should show a URL ending in ".cellarstone.com".
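The hover check above comes down to one question: what host does the link really point to? The Python example below is added here and is not CellarStone's code. It contrasts the glance a user might take (does "cellarstone.com" appear anywhere in the link?) with a check on the parsed host name; the trusted domain cellarstone.com comes from the text above, and the sample links are constructed for the demonstration.

```python
from urllib.parse import urlparse

# Domain the page says legitimate CellarStone links end in.
TRUSTED_DOMAIN = "cellarstone.com"


def glance_check(link: str) -> bool:
    """The quick glance: does the trusted name appear anywhere in the link text?
    This looks at the whole string (path, query, userinfo), not at the host."""
    return TRUSTED_DOMAIN in link.lower()


def link_is_trusted(link: str, trusted_domain: str = TRUSTED_DOMAIN) -> bool:
    """Return True only if the link's actual host is the trusted domain or one of
    its subdomains, and the scheme is https."""
    try:
        parsed = urlparse(link.strip())
    except ValueError:  # e.g. malformed IPv6 brackets in the authority part
        return False
    if parsed.scheme != "https":
        return False
    # .hostname drops userinfo ('name@...'), port and brackets and lowercases the host,
    # so 'https://cellarstone.com@example.net/' is judged by its real host, example.net.
    host = parsed.hostname
    if not host:
        return False
    host = host.rstrip(".")  # a trailing dot names the same DNS host
    return host == trusted_domain or host.endswith("." + trusted_domain)


def classify(links):
    """Return (link, glance_verdict, host_verdict) for each link."""
    return [(link, glance_check(link), link_is_trusted(link)) for link in links]


# Constructed sample links (not taken from any real message).
SAMPLE_LINKS = [
    "https://app.cellarstone.com/login",            # genuine subdomain
    "https://cellarstone.com",                      # apex domain
    "https://app.cellarstone.com./login",           # trailing dot, same host
    "http://app.cellarstone.com/login",             # right host, but not https
    "app.cellarstone.com/login",                    # no scheme: the parser sees no host
    "https://cellarstone.com.example.net/login",    # trusted name used as a subdomain of another domain
    "https://example.net/?next=.cellarstone.com",   # trusted name only in the query string
    "https://cellarstone.com@example.net/",         # trusted name only in the userinfo part
]

if __name__ == "__main__":
    for link, glance, host_ok in classify(SAMPLE_LINKS):
        print(f"{'TRUST' if host_ok else 'block':5}  glance={'yes' if glance else 'no':3}  {link}")
```

The last three sample links all pass the glance but fail the host check, which is why training should say "the host part of the URL ends in .cellarstone.com", not "the link contains cellarstone.com".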

If you or any of your users are unsure about whether a CellarStone email is legitimate, forward the email to .

Report Issues
System failures, suspected breach, or general incident

If you are experiencing a system failure, suspect some type of technical incident or breach, or have a general issue, please contact us at .

Suspicious Emails
If you believe you may have received a fake email, forward the entire email – including the header information – to us at:  , then delete it from your mailbox.

Security Incidents/Breach
If you find or suspect a security incident, please report this to us at: .

Administrators – Protect Your Company by Implementing IP Restrictions
A great tool for protecting your applications is restricting login to those IP addresses that you specifically approve. To restrict IP addresses, click Setup > Users > User Information, and enter the appropriate address in the IP address field. When enabled, the specified user can only log into the CellarStone Incent application using the specified IP address.
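The two controls above, the org-wide Login IP Ranges and the per-user IP address in User Information, are both allowlist checks on the address a login arrives from. The Python example below is added here and is not CellarStone's code. The ranges, the pinned user and the proxy address are constructed from documentation address space (RFC 5737 and RFC 3849); the X-Forwarded-For handling assumes a deployment with a load balancer in front of the application; and the order in which the two controls combine (the per-user pin is checked first and the user must still be inside the org-wide ranges) is an assumption, since the text does not say. It also covers two cases the text does not mention: IPv4 clients arriving over a dual-stack IPv6 socket, and forwarded-address headers from untrusted peers.

```python
import ipaddress
from typing import Optional, Tuple, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed policy. Addresses are documentation ranges (RFC 5737 / RFC 3849), not real networks.
ORG_LOGIN_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),     # hypothetical corporate office
    ipaddress.ip_network("198.51.100.0/28"),  # hypothetical VPN egress pool
    ipaddress.ip_network("2001:db8:1::/48"),  # hypothetical IPv6 office range
]

# Per-user pin, as in the User Information setting described above: this user may log in
# only from this one address (and, in this example, must still be inside the org ranges).
USER_IP_RESTRICTIONS = {
    "alice": ipaddress.ip_address("192.0.2.10"),
}

# Hypothetical load balancer whose X-Forwarded-For header we are willing to believe.
TRUSTED_PROXIES = [ipaddress.ip_network("198.51.100.250/32")]


def parse_client_ip(raw: str) -> Optional[IPAddress]:
    """Parse an address string. IPv4-mapped IPv6 (::ffff:a.b.c.d), which is how an IPv4
    client appears on a dual-stack socket, is collapsed to IPv4 so the same client
    matches the same rule whichever socket family it arrived on."""
    try:
        addr = ipaddress.ip_address(raw.strip())
    except ValueError:
        return None
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def effective_client_ip(peer: str, forwarded_for: Optional[str]) -> Optional[IPAddress]:
    """Choose the address the policy is evaluated against. X-Forwarded-For is client-supplied
    text, so it is honoured only when the TCP peer is a trusted proxy, and then only its
    last entry, which is the one the trusted proxy itself appended."""
    peer_addr = parse_client_ip(peer)
    if peer_addr is None:
        return None
    if forwarded_for and any(peer_addr in net for net in TRUSTED_PROXIES):
        return parse_client_ip(forwarded_for.split(",")[-1])
    return peer_addr


def login_allowed(username: str, client_ip: Optional[IPAddress]) -> Tuple[bool, str]:
    """Apply the per-user pin first, then the org-wide Login IP Ranges. The reason string
    is for the audit log, not for the error message shown to the user."""
    if client_ip is None:
        return False, "client address could not be parsed"
    pinned = USER_IP_RESTRICTIONS.get(username)
    if pinned is not None and client_ip != pinned:
        return False, f"user is restricted to {pinned}"
    if not any(client_ip in net for net in ORG_LOGIN_RANGES):
        return False, "address is outside the Login IP Ranges"
    return True, "allowed"


if __name__ == "__main__":
    # Constructed login attempts: (username, TCP peer address, X-Forwarded-For header or None)
    attempts = [
        ("bob", "192.0.2.77", None),
        ("bob", "203.0.113.5", None),
        ("bob", "203.0.113.5", "192.0.2.77"),                   # header from an untrusted peer: ignored
        ("bob", "198.51.100.250", "203.0.113.5, 192.0.2.77"),   # via the trusted proxy
        ("bob", "::ffff:192.0.2.77", None),                     # IPv4 client on a dual-stack socket
        ("alice", "192.0.2.10", None),
        ("alice", "192.0.2.11", None),
        ("bob", "not-an-ip", None),
    ]
    for user, peer, xff in attempts:
        ok, why = login_allowed(user, effective_client_ip(peer, xff))
        print(f"{'ALLOW' if ok else 'DENY ':5} {user:6} peer={peer:18} xff={xff!r:30} {why}")
```

Whatever enforces the allowlist must see the real source address: if the check runs behind a proxy that rewrites the connection, evaluate the address the proxy records rather than the proxy's own, and never a forwarded header sent by an arbitrary client.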

To notify CellarStone about your primary administrative/security contact, contact CellarStone Support.

Secure Employee Systems
One of your goals should be to keep email fraud, malware, and phishing attempts from reaching your users. To help do this, secure all computers used by your employees as follows:

  • Update all users to the latest supported browser version.
  • Deploy email filtering technology. Make sure you whitelist CellarStone Incent IP addresses.
  • Install and maintain virus and malware protection software on all user machines and keep all applications and definitions up to date. 

Decrease Session Timeout Thresholds
Users sometimes leave their computers unattended or they don't log off. You can protect your applications against unauthorized access by automatically closing sessions when there is no session activity for a period of time. 
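The idle timeout described above, as an added Python example (not CellarStone's implementation; the timeout values are constructed). It goes one step beyond the text by also enforcing an absolute session lifetime, so that a session cannot be kept alive indefinitely by steady activity, and it takes an injectable clock so the expiry rules can be exercised without waiting.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed policy values; CellarStone's actual defaults are not stated on this page.
IDLE_TIMEOUT_SECONDS = 15 * 60           # close a session after 15 minutes without activity
ABSOLUTE_LIFETIME_SECONDS = 8 * 60 * 60  # require a fresh login after 8 hours regardless of activity


@dataclass
class Session:
    user: str
    created_at: float
    last_activity: float


class SessionStore:
    """In-memory session table with idle and absolute expiry."""

    def __init__(self, idle_timeout: float = IDLE_TIMEOUT_SECONDS,
                 absolute_lifetime: float = ABSOLUTE_LIFETIME_SECONDS,
                 clock: Callable[[], float] = time.time) -> None:
        self.idle_timeout = idle_timeout
        self.absolute_lifetime = absolute_lifetime
        self.clock = clock
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str) -> str:
        """Open a session and return its unguessable identifier."""
        now = self.clock()
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, now, now)
        return sid

    def _expired(self, s: Session, now: float) -> bool:
        return (now - s.last_activity > self.idle_timeout
                or now - s.created_at > self.absolute_lifetime)

    def validate(self, sid: str) -> Optional[str]:
        """Return the session's user if it is still live and record the activity;
        an expired or unknown session is closed and None is returned."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        if self._expired(s, now):
            del self._sessions[sid]
            return None
        s.last_activity = now
        return s.user

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    def sweep(self) -> int:
        """Close sessions that expired without being touched again; returns how many."""
        now = self.clock()
        stale = [sid for sid, s in self._sessions.items() if self._expired(s, now)]
        for sid in stale:
            del self._sessions[sid]
        return len(stale)

    def active_count(self) -> int:
        return len(self._sessions)


class FakeClock:
    """Controllable clock for exercising the expiry rules."""

    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo_timeline() -> List[Optional[str]]:
    """Walk two sessions through the rules (15-minute idle, 1-hour absolute) and return the verdicts."""
    clock = FakeClock(1_000.0)
    store = SessionStore(idle_timeout=900, absolute_lifetime=3600, clock=clock)
    verdicts: List[Optional[str]] = []
    sid = store.create("alice")
    clock.advance(800); verdicts.append(store.validate(sid))  # 800 s idle: still live
    clock.advance(800); verdicts.append(store.validate(sid))  # idle timer was refreshed: still live
    clock.advance(901); verdicts.append(store.validate(sid))  # idle limit passed: closed
    sid = store.create("bob")
    for _ in range(8):  # steady activity every 500 s keeps the idle timer fresh...
        clock.advance(500); verdicts.append(store.validate(sid))  # ...until the absolute lifetime ends it
    return verdicts


if __name__ == "__main__":
    print(demo_timeline())
```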

Read Privacy Policies
Yes, they can be long and complex, but they tell you how the site maintains accuracy, access, security, and control of the personal information it collects; how it uses the information, and whether it provides information to third parties.

