SECURITY, DATA PROTECTION AND BACKUP POLICY
This Policy Document outlines the official security and data protection policy for CanTrust Hosting Cooperative. This document applies to all of our personnel and all of our different hosting offerings. It describes the measures CanTrust takes to protect the security and privacy of your data.
For information about your responsibilities as a customer, please refer to the CanTrust Acceptable Use Policy (AUP), to which you agreed when setting up your account with us.
Any digital security scheme is only as good as the physical security surrounding the equipment. CanTrust mitigates risks to physical server security by the following means:
- All web-sites are hosted on physical servers owned by CanTrust Hosting Co-operative. No customer data is hosted “in the cloud” or on equipment we did not purchase, provision, and install ourselves. No 3rd party organizations or their staff have access to your server space or the backups.
- Our production servers are hosted in professional co-location facilities featuring 24/7/365 physical security safeguards, locked server cabinets, closed circuit cameras and restricted access. Only authorized CanTrust staff members are able to access the servers and all physical access is logged by the co-location facilities.
- All our servers and infrastructure, including our backups, are hosted in Canada on our own equipment. Your data falls under the jurisdiction of Canadian law and Canadian privacy requirements and is never shared with 3rd parties.
CanTrust production server environments are run using a high level of server security. We run the extremely stable and secure Debian Linux operating system, and additionally we take extra measures to ensure server security (sometimes at the expense of convenience):
- Our servers run the latest versions of security-hardened Debian-Linux.
- We implement firewalls, enhanced permission settings and other security measures along with Intrusion Detection Systems (IDS) on all our servers. We run anti-virus scans on all our email servers and backup servers to ensure our users are protected.
- All servers in our fleet are updated monthly with the latest security updates and patches. We evaluate and install security updates daily, as they are released. It is our goal to test and roll out any critical security updates within 24 hours of release. This is our “0-day critical security patching policy”.
- We use the Xen Hypervisor for Virtual Machines, which operates at Ring-1 and is the most secure containerization available. We do not use Docker, LXC, or other Ring > 0 technology in shared customer environments.
- All user and website data is partitioned and permissioned so that no other customer accounts may access it. Your home directory holds all of your private information, including the HTML, CSS, and PHP files that are your website’s codebase, as well as server HTTP logs and any e-mails belonging to your domain. Only your account and the CanTrust super-user accounts have access to these files. CanTrust super-user accounts are only accessible by CanTrust network administrators.
- All SQL databases are secured with one SQL login per customer web site. Following security best practices we do not share database login credentials across clients or domains / sites.
- Backup files are stored off-server in secure administrative locations that cannot be accessed by customer servers. These include backups of your Home Directory and Database backups, and are the only other copies of your private information that are made. CanTrust network administrators are the only personnel with access to these backup files.
- Off-site and Off-line backup files are stored encrypted at rest, using industry standard 256-bit AES encryption. Off-line encrypted backup drives are rotated monthly and stored in fire-proof storage when not connected.
- All production servers run a dedicated firewall, allowing only those ports used for hosting and minimizing potential attack surfaces.
- All administrative services run on non-standard ports and with a secure transport (SSL). While reducing user convenience, this ensures we are not vulnerable to detection by 0-day exploits.
- All servers are regularly audited for security using automated security scanning tools.
If you have specific questions about part of our policy or procedures, please ask. Above all else, we are committed to your privacy and data security. We will be happy to discuss your organization’s requirements and work with you to meet them where possible.
Backing up is hard to do. We take care of that for you, to top-tier enterprise standards. Our advanced filesystem level backups provide daily, weekly, and monthly snapshots of your files, going back up to 1 year. This allows you to recover effectively from most problems including site code crashes, site compromises from hackers, and human error.
CanTrust backs up all customer data twice each day: once to an on-site backup copy located at the co-location facility, and a second independent nightly backup to an off-site backup computer (to protect against fire/flood/total loss of the colocation facility).
Each of these backups contains a copy of the most recent codebase files, and archived daily snapshots of the MySQL database for the website. Off-site backup data stored outside the colo is AES-256 encrypted at all times and is never stored offsite or on the cloud.
Backups are retained daily for 7 days, weekly for 4 weeks, and monthly for up to 12 months (space permitting). After 12 months all old backup files are automatically purged.
Finally, a complete archive of everything exists on two sets of off-line backup drives. Each month the online and the offline drive are swapped, and the offline drive is placed into a fire-proof safe, off-site from its twin. These backups are backups of last resort that cannot be corrupted by any digital means.
In order to restore from backups, an authorized technical contact should open a support ticket and CanTrust staff will assist with the recovery process (usually confirming which backup date to restore from and then restoring the files where desired).
DISASTER RELIEF PLAN
For disaster recovery in the event of complete failure of a server or total loss events at a colo, we enact our Disaster Recovery Plan. Everything is backed up both on-site and off-site. As well as providing redundant backups, this allows us to recover even in a total loss situation (fire/flood/natural disaster/ransomware attack, etc.).
Hardware Failure: In the case of a server physically failing, we have a spare server chassis powered off at each colo facility in the rack. CanTrust staff (in case of a local facility in Vancouver) or a NOC technician from the colo (in case of Ontario) will troubleshoot the server directly to confirm that it has failed. If the server will not boot, then we remove its drives, place them in the spare failover server, and power it up for immediate recovery with no reconfiguration needed. If for some reason that doesn’t work (perhaps both drives in the RAID failed at the same time), then the fallback plan is the same as for a total loss: the site can be restored from the onsite or offsite backup to the nearest working server. We anticipate 1-4 hours of downtime in the event of a hardware failure. Affected customers will be notified by e-mail.
Total Loss: In the case of total loss of one of the colocation facilities (fire/flood/etc.), the offsite backups allow us to recover to the previous night’s state at one of our other three colo facilities. All user data will be restored to a new webserver location, and DNS pointing to the websites will need to be changed, often by the customer directly. We anticipate less than 24 hours of downtime in the event of a total loss event. Affected customers will be notified by e-mail or telephone as soon as possible, to arrange DNS changes.