SECURITY, DATA PROTECTION AND BACKUP POLICY
This Policy Document outlines the official security and data protection policy for CanTrust Hosting Cooperative. This document applies to all of our personnel and all of our different hosting offerings. It describes the measures CanTrust takes to protect the security and privacy of your data.
For information about your responsibilities as a customer, please refer to the CanTrust Acceptable Use Policy (AUP), to which you agreed when setting up your account with us.
Any digital security scheme is only as good as the physical security surrounding the equipment. CanTrust mitigates risks to physical server security by the following means:
- All web-sites are hosted on physical servers owned by CanTrust Hosting Co-operative. No customer data is hosted “in the cloud” or on equipment we did not purchase, provision, and install ourselves. No 3rd party organizations or their staff have access to your server space nor the backups.
- Production servers are hosted in professional co-location facilities featuring 24/7/365 physical security safeguards, locked server cabinets, closed circuit cameras and restricted access. Only authorized CanTrust staff members are able to access the servers and all physical access is logged by the co-location facilities.
- All our servers and infrastructure including our colocation facilities are Canadian owned and operated. Because of this, your data falls entirely under the jurisdiction of Canadian law and Canadian privacy requirements. You data is therefore not subject to disclosure under the US Government’s 2001 Patriot Act or the much more restrictive 2013 CLOUD Act.
CanTrust production server environments are run using a high level of server security. We run the extremely stable and secure Debian Linux operating system, and additionally we take extra measures to ensure server security (sometimes at the expense of convenience):
- Our servers run the latest versions of security-hardened Debian-Linux.
We implement firewalls, enhanced permission settings and other security measures along with Intrusion Detection Systems (IDS) on all our servers. We run anti-virus scans on all our email servers and backup servers to ensure our users are protected.
- All servers in our fleet are updated monthly with the latest security updates and patches. We evaluate and install security updates daily, as they are released. It is our goal to test and roll out any critical security updates within 24 hours of release. This is our “0-day critical security patching policy”.
- On shared hosting plans, all user home directory content is partitioned and permissioned so that no other customer accounts may access it. Your home directory holds all of your private information, including the HTML, CSS, and PHP files that are your website’s codebase, as well as server HTTP logs and any e-mails belonging to your domain. Only your account and the CanTrust super-user accounts have access to these files. Cantrust super-user accounts are only accessible by CanTrust network administrators.
- All SQL databases are secured with one SQL login per customer web site. Following security best practices we do not share database login credentials across clients or domains / sites.
- On-site backup files are stored in secure administrative locations that cannot be accessed by customer servers. These include backups of your Home Directory and Database backups, and are the only other copies of your private information that are made. CanTrust network administrators are the only personnel with access to these backup files.
- Off-site and Off-line backup files are stored encrypted at rest, using industry standard 256-bit AES encryption.
- All servers run a dedicated firewall, allowing only those ports used for hosting and minimizing potential attack surfaces.
- All administrative services run on non-standard ports and with a secure transport (SSL). While reducing user convenience, this ensures we are not vulnerable to detection by 0-day exploits (such as the OpenSSH remote root vulnerability of 2002).
- All servers are regularly audited for security using automated security scanning tools.
If you have specific questions about part of our policy or procedures, please ask. Above all else, we are committed to your privacy and data security. We will be happy to discuss your organization’s requirements and work with you to meet them where possible.
CanTrust backs up all customer data at least twice each day: Once to an on-site backup copy located at the co-location facility, and a second independent nightly backup to an off-site backup computer (to protect against fire/flood/total loss of the colocation facility).
Each of these backups contains a copy of the most recent codebase files, and archived daily snapshots of the MySQL database for the website. Off-site backup data stored outside the colo is AES-256 encrypted at all times and is never stored offsite or on the cloud.
Backups are retained daily for 7 days, weekly for 4 weeks, and monthly for up to 12 months (space permitting). After 12 months all old backup files are automatically purged.
Finally, a complete archive of everything exists on two sets of off-line backup drives. Twice a year these off-line backups are connected and updated and these serve as a backup of last resort that cannot be corrupted by any means.
In order to restore from backups, customers should open a support ticket and CanTrust staff will assist with the recovery process (usually confirming which backup date to restore from and then restoring the files where desired).
DISASTER RELIEF PLAN
For disaster recovery in the event of complete failure of a server or total loss events at a colo, we enact our Disaster Recovery Plan. Everything is backed up both on-site and off-site. As well as providing redundant backups, this allows us to recover even in a total loss situation (fire/flood/natural disaster etc).
Hardware Failure: In the case of a server physically failing, we have a spare server chassis powered off at each colo facility in the rack. CanTrust staff (in case of a local facility in Vancouver) or a NOC technician from the colo (in case of Ontario) will troubleshoot the server directly to confirm that it has failed. If the server will not boot then we remove its drives, place them in the spare failover server, and power it up for immediate recovery with no reconfiguration needed. If for some reason that doesn’t work (perhaps both drives in the RAID failed at the same time) then the fallback plan is the same as for the total loss, the site can be restored from the onsite or offsite backup to the nearest working server. We anticipate 1-4 hours of downtime in the event of a hardware failure. Affected customers will be notified by e-mail.
Total Loss: In the case of total loss for one of the colocation facilities (fire/flood/etc) then the offsite backups allow us to recover to the previous night’s state at one of our other three colo facilities. All user data will be restored to a new webserver location, and DNS pointing to the websites will need to be changed, often by the customer directly. We anticipate less than 24 hours downtime in the event of a total loss event. Affected customers will be notified by e-mail or telephone as soon as possible, to arrange DNS changes.