DPoD Marketplace Architecture and Security White Paper
Executive Summary
Thales has produced industry leading products for over 20 years. These platforms include:
- Hardware Security Modules (HSMs) are hardened, tamper-resistant hardware devices that strengthen encryption practices by generating keys, encrypting and decrypting data, and creating and verifying digital signatures. Some HSMs are certified at various FIPS 140-2 Levels.
- Enterprise Key Management solutions manage and protect keys on behalf of a variety of applications including database TDE, KMIP clients, file encryption, tokenization and embedded encryption solutions.
In today’s market, there is a growing trend to consume solutions through an “as a Service” model (as opposed to traditional on premises or deploying hardware in remote data centers). “as a Service” model adoption is being done to increase operational efficiency while ensuring organizations maintain an effective security posture to meet audit and compliance requirements.
Thales Data Protection on Demand (DPoD) is a cloud based marketplace that provides a wide range of on-demand encryption and key management services. With Thales DPoD, security is made simpler, more cost effective, and easier to manage because there is no hardware to buy, deploy or maintain.
- The Thales Luna Cloud HSM service is a generic HSM key vault that can be used for a wide variety of use cases. By using Luna Cloud HSM as a service, you can manage a wide variety of complex use cases easily from the cloud. The Luna Cloud HSM service can be used as a root of trust for the CipherTrust Manager, and other appliances, applications and services. Luna Cloud HSM can also be used to secure many standard applications with our broad partner ecosystem integrations including over 400 applications such as PKI, IoT, blockchain and code signing.
- The Thales CipherTrust Data Security Platform as a Service (CDSPaaS) provides an integrated suite of data-centric security solutions that significantly reduces business risk and simplifies data security administration across on-premises and cloud environments. It is based on the CDSPaaS product portfolio and is intended to offer customers another option to deploy solutions for encryption and key management. The service enables rapid deployment of key management and data protection services without the need to manage hardware or fund large upfront investments.
This document discusses the measures Thales has taken to ensure the security, robustness, and availability of the Luna Cloud HSM and CDSPaaS Services, as well as outline the measures taken to provide a robust SLA for these services.
Key Takeaways
- DPoD marketplace uses a multi-tenant, and multi-tier architecture with full segregation of tenants.
- Backed by a 99.95% Service Level Agreement (SLA), the Luna Cloud HSM and CDSPaaS free customers from ongoing infrastructure maintenance on data security and compliance requirements focus monitoring, HA, Resilience, Backup, Performance.
- The architecture leverages HSM technology to ensure that only authenticated administrators have access to a tenant's key materials.
- The scalable nature of the services ensures high-availability and disaster recovery capabilities to guarantee 24x7 operations.
- All network traffic in and out of the services are encrypted.
- Thales applies multiple measures and best practices such as vulnerability and penetration tests to ensure robustness and adherence to industry security and privacy standards.
Introduction
Today’s security strategy includes coverage areas such as breach prevention, meta-data protection, compliance requirements, security audits, and understanding when and how to integrate industry best practices for end-to-end data protection, just to name a few. This list of focus areas is ever growing and is on the verge of out-pacing most enterprises’ abilities to staff enough individuals that have the necessary experience to create and sustain an effective end-to-end data protection strategy.
In the past, enterprises have preferred to manage every aspect of their data protection strategy in-house due to the sensitive nature of the data they have access to, but the trend of outsourcing this function to organizations that specialize in the subject matter expertise necessary to manage an end-to-end data protection solution is gaining momentum and acceptance. Outsourcing this critical business component allows enterprises to focus more on their core competencies, and less on developing and maintaining sufficient data protection strategies. Many enterprises are enjoying the benefits of trusting “as a Service” offerings as part of their standard IT environment.
“as a Service” offerings are often complemented by Managed Solution Service Providers (MSSP’s). Such organizations are equipped with the expertise to work closely with an enterprise to develop an ideal data protection solution that will address most of their business use cases. Among the numerous benefits to the enterprise are the ability to reduce data protection capital expenditures, minimize data protection strategy implementation times and eliminate the routine tasks associated with maintenance, and refocus security and IT teams to working on value-add projects that align with the enterprise’s core competencies. For any enterprise to invest in outsourcing their data protection strategy to an MSSP, it is imperative that they be confident in the fact they will be receiving comprehensive security paired with privacy solutions that can sufficiently protect their data—whether at rest, in motion, or in use—without the capital investment needed to manage critical security requirements.
The ability to move easily to and from cloud or managed services has resulted in a rapidly growing demand for hybrid solutions where customers can combine the benefits of outsourcing certain elements of security, while keeping others; such as control over Hardware Security Modules (HSMs) or Key Management. This new architecture has opened new security challenges. This white paper details the general architecture of the Thales DPoD, Luna Cloud HSM and CDSPaaS services powered by Thales, and the functional and operational security measures put in place by Thales to ensure the high availability, privacy, and protection of customer data.
DPoD Marketplace
The Thales DPoD Marketplace is a trusted, certified, global platform operated by Thales that provides a baseline set of functionalities to the services it hosts.
DPoD provides common set up functions for managing the onboarding of new accounts, billing and subscription management, audit logging, usage tracking reporting and identity and access management. Services are provisioned and purchased from the DPoD Marketplace or from one of our 3rd Party Marketplace Partners.
DPoD Multi-Tenant and Multi-Tier Structure
DPoD Marketplace operates in a multitenant mode where HSMs and key management services can be loaded and scaled across the infrastructure. There are several supporting services that provide scheduler and orchestrator capabilities ensuring that both Luna and CipherTrust Services are always available.
Access to the multi-tenant services is provided by credentials created by the individual customer (service owner) and they cannot be accessed by Thales or any other resources - only the customer can grant permission for anyone to access their services.
The Marketplace organizes tenants into sub-tenants in a multi-tier fashion. Tenants may also be associated with other external marketplaces at the same time. Access controls in DPoD do not inherit between tiers (such as a Managed Service Provider and its tenants) and are under the sole control of tenant administrators.
Data stored within the platform for tenant management is limited to the services which require it in a least privileged model.
The multi-tier marketplace design allows Managed Service Providers to make services available to their customers, allowing them to provide more value-added services (such as offering first line support or activity dashboards).
Within a tier there are Tenant Administrator accounts which can view all the services and users within that tier. A level below the Tenant Administrator is the Application Owner. Users are placed in logical groupings called subscriber groups and only have access to services within their subscriber group.
The parent of a tier can only see data, including aggregated metadata, which is useful for billing. Parent tiers do not have access to any confidential material such as secrets or keys.
The figure below illustrates the multi-tier and multi-tenant environment.
An Inside Look at Luna Cloud HSM
The Luna Cloud HSM service spans multiple environments. The Thales HSM and supporting software-based services, are designed from the ground up with security in mind. They are stored in trusted, audited data centers which have been strategically positioned globally to support proximity with customer data. They also employ a microservice architecture to enable a high degree of isolation and enable added security controls such as rapid patching, credential rotation, and repaving of the environment.
The microservices based, cloud native architecture allows Thales to adopt a completely cloud neutral approach and select the best of breed infrastructure for each operating environment.
Physical access is limited to authorized personnel on an approval basis.
Use and access to customer key material is performed using externally created and managed credentials. Thales has no access either physically or virtually to these customer credentials.
A connection to a Luna Cloud HSM Service instance goes from the client application to the HSM. There are two independent cryptographic tunnels protecting the information between the client and the HSM, including an outer HTTPS tunnel ending at the service boundary, and another established between the HSM and client. For further information, please see Service Client Communication Protection.
When a client is given access to a Luna Cloud HSM Service, the service is completely empty and contains no secrets. The client must take control by initializing the service and creating the Security Officer and Crypto Officer for the HSM. The Security Officer is in sole possession of the secrets required to authenticate and manage the Crypto Officer role from this point. Without those credentials, no one (including Thales) can access the keys.
Luna Cloud HSM Services
HSMs are secure cryptographic processing devices purpose-built for managing and protecting encryption keys. They are tamper-resistant and protected from physical or logical attempts to break into the device and gain access to the encryption keys. The HSMs used for Thales DPoD are FIPS 140-2 Level 3 certified. The algorithms offered by the pool, which runs under strict FIPS enforcing mode, are subject to the ongoing updates of the FIPS standard, such updates are applied as soon as possible following any changes by NIST.
Within each point of presence, the HSMs are operated in two distinct groups. One group operates in FIPS approved mode, and one which doesn't. Customers are encouraged to choose the group which is right for their needs. Our FIPS certificates may be viewed at the NIST CMVP validated modules page.
For the Luna Cloud HSM service instances, the service will generate initial private keys for tunnel establishment from clients to the boundary of the Luna Cloud HSM layer. These keys are used to enable a connection to the Luna Cloud HSM boundary only. The key is one factor in allowing a connection to be opened to the environment.
Once the client application establishes the tunnel to the service boundary, it will perform attestations that it is talking to a valid Thales HSM and establish a shared session key. All the secure communication between the client and HSM is protected by negotiated keys completely opaque to all other levels of the system.
HSM Supply Chain Security
The HSMs used for Thales DPoD are manufactured in a secure facility. During manufacturing, the devices generate their own identity (RSA 4096-bit key), which is signed by the manufacturing key; which is in turn signed by a Thales root. This PKI (Public Key Infrastructure) is used to identify genuine Thales HSMs.
Root Key Generation Ceremonies are performed for each Point of Presence under strict guidelines, following leading industry best practices, and using resources who have been qualified and trained to perform the processes. Segregation of Duties is maintained at all times under dual custody and strict oversight, ensuring that the chain of custody is supported throughout the ceremony and for the life of the root key pair and its associated assets.
Communication between HSM cards establishes an ephemeral tunnel and is authenticated using key material chaining to the device identity (Hardware Origin) key/certificate. A device cannot be a member of multiple domains and the device must be reset to factory conditions before it can join another domain.
Luna Cloud HSM Client Software
The Luna Cloud HSM client software is available for Linux and Windows operating systems. The client software supplies standard cryptographic APIs (PKCS#11, Java jCA/JCE, Microsoft CAPI/CNG, and OpenSSL) for applications to perform cryptographic operations in high-assurance hardware. The library establishes a TLS tunnel to the service endpoint and an underlying internal TLS tunnel established with the Luna Cloud HSM service. The Luna Cloud HSM service may be resident on multiple physical HSMs and may be migrated for load management, but only authenticated HSMs, which are part of the same service pool, may decrypt the data coming from the client. The transport key is derived independently for each Luna Cloud HSM. A successful TLS connection/authentication with an HSM allows the HSM to deliver a transport key (AES 256-bit) and associated metadata (including a nonce) to the client. The TLS cipher suites include both long-length RSA and Elliptic Curve options.
For further information please see the Luna Cloud HSM Service Documentation.
The figure below illustrates the secure connection to the Luna client.
An Inside Look at CipherTrust Data Security Platform as a Service
CDSPaaS is available within the Thales DPoD Marketplace. A DPoD Marketplace tenant is required to create a CDSPaaS.
The following figure illustrates the features available in the CDSPaaS.
.
Upon completion of registration for the service in DPoD Marketplace, CDSPaaS is enabled in the tenant and can be operated by the tenant administrator. The user interface is accessible through a web-based Management Console. In addition, tenants may also access functionality through our REST API. Every tenant has the ability to define administrative and role-based access controls based on their unique needs and has full access to all log information generated by their service. The CDSPaaS service registration process automatically generates a unique Luna Cloud HSM partition for the tenant to act as a transparent Root of Trust for their Service.
A dedicated DevOps team manages the backup, availability, and updates of CDSPaaS, allowing customers to focus on key management and the use cases needed in their organization. Like Luna Cloud HSM, CDSPaaS offers a 99.95\% Service Level Agreement (SLA) to provide customers with the assurance of availability. Failure to adhere to this performance standard will result in the allocation of credits to the tenants' next subscription. Should the tenant wish to remove keys from the service, keys can be exported so they can be consumed by other applications. The customer can then delete their service, which will remove the associated Luna Cloud HSM partition and access to any account information.
CDSPaaS auto scales capacity for a given tenant based on processing requests being made to the service. In addition, the service is architected to support disaster recovery (DR) to alternate locations. Data is replicated from primary to DR sites continuously, allowing service restoration to be accomplished with minimal downtime. Combined together, these features ensure customers will have the required processing capacity and availability expected from an Enterprise SaaS offering.
The following CDSPaaS services are currently available:
Note
In the future, CDSPaaS will offer additional functionality from the CipherTrust Data Security Platform, including CipherTrust Transparent Encryption (CTE), KMIP and other CDSP Connector offerings.
Enterprise Key Lifecycle Management
- Provides customers with the ability to generate symmetric and asymmetric encryption keys and centralized administrative and user controls for keys.
- Developer friendly REST APIs allows customers to remotely generate and manage keys.
- All activities are logged and accessible to the tenant, allowing information needed for audit and compliance to be more easily captured.
CipherTrust Cloud Key Management (CCKM)
- Leverage the value of BYOK and HYOK services with full lifecycle cloud encryption key management.
- Gain higher efficiency with centralized key management across hybrid, single- and multi-cloud environments, including key discovery, management of native cloud keys and automated key rotation.
- Comply with the most stringent data protection mandates with secure key origination.
- Amplify the benefits of native keys by using a robust multi-cloud platform with outstanding UI with built in reporting to meet compliance mandates.
- Respond to encryption key requests from cloud providers, supporting a variety of BYOK and HYOK offerings from the major public cloud and SaaS/PaaS vendors. For a current list of supported integrations see the CCKM Documentation.
Integration with Luna Cloud HSM
All software is provided within the service and no additional downloads are required. The service registration process automatically generates a unique Luna Cloud HSM partition for the tenant to act as a transparent Root of Trust for the CDSPaaS Service. Separation of tenants and their respective key hierarchy ensures:
- Sovereignty maintained in region with control of the key hierarchy based on the HSM partition (hosted in a private data center).
- Control of information (allowing customers greater independence of key ownership and the data protected by these keys).
- Ability to integrate with leading global CSP’s to ensure best of breed operations.
For further information please see the CDSPaaS Documentation.
Marketplace and Service Security Model
Thales DPoD utilizes a distributed architecture consisting of a hosted web application and private data center based HSM hosting. The solution architecture addresses the availability concern, considering the specificities of the Cloud Provider. Best practices for availability are continually enforced from the early stages of the system design. The Thales DPoD architecture has been designed and deployed with full redundancy, ensuring availability.
Compliance
Thales DPoD Marketplace and its services operate from data centers where all internal operations have been certified to the highest standards for data security, privacy controls, and operational reliability put in place by industry standards organizations.
Thales DPoD physical data centers have received Independent Service Auditor’s Report SOC2 Certification on Controls Relevant to Security and Availability. This is a Type 2 report - a report on management's description of the service organization's system and the suitability of the design and operating effectiveness of the controls, proving compliance with the defined five trust service principles: security, availability, processing integrity, confidentiality, and privacy.
Thales DPoD operations, and operations-related IT are fully compliant with the ISO 27001:2022 standard, having achieved independent ISO 27001 certification for their Information Security Management System and processes.
In addition DPoD achieved CSA Star Level 2 Third-Party Audit Certification further solidifying our commitment to transparency and trustworthiness in cloud services.
Certifications such as ISO 27001 and SOC2 are awarded retrospectively based on the successful assessment of the operation of a service over the preceding 12 months. As a result, it is not possible for new Thales DPoD data centers to have these certifications until 12 months of operation have been completed. For a complete list of Thales DPoD data centers see Data Centers.
As part of its most recent re-certification, CDSPaaS also achieved ISO certification and the DPoD SOC II report includes CDSPaaS in scope.
Data Privacy
For many years, the European Union (EU) has had a formalized system of privacy legislation, which is regarded as more rigorous than that found in other areas in the world. Thales hosts the DPoD environment within data centers located in Europe and North America, in countries recognized by the EU Commission as offering adequate levels of protection.
You can learn more about the Thales DPoD Privacy Policy in the support portal article.
Safeguarding Data - Data Recovery
Thales DPoD relies on snapshots to keep copies of storage volumes associated with the application instances. Snapshots are taken and deleted often. Database backups are managed using relational database backups and are taken daily. Application logs are kept online and securely stored for 12 months. Data is kept for a period related to relative compliance specific to the region where the data is being stored - generally 12 months.
In addition, a service wide restoration test is performed annually. For this test, a tape is recalled from off-site storage and the data is restored to a test environment.
Thales deploys a formal Disaster Recovery plan. The plan is maintained and tested annually. Any issues identified during the test are formally discussed and remediation plans are put in place. In addition, Thales has a formal Business Continuity plan, which is reviewed annually to determine if updates are required.
For CDSPaaS, tenant backups are initiated instantaneously as content is generated in the service (adding keys, users/etc.). This incremental backup approach ensures nothing is lost should a DR (Disaster Recovery) event occur.
Procedures to address minor processing errors and outages are documented.
Data Center Physical Security
Physical security underpins our Luna Cloud HSM service, so all data centers have 24-hour staffed security, including foot patrols and perimeter inspections with access controls following industry best practices. This may vary based upon the data center but can include proximity, biometric, key, PIN or a combination of any of those controls listed. The data centers are fully equipped with video surveillance throughout each facility and their perimeters with tracking of asset removal, ensuring that equipment and security of data held within that equipment is assured. The data centers also utilize state of the art technologies ensuring redundancies in connectivity, power, safety and security.
The following is a list of physical security features of the Thales DPoD data centers:
- Video surveillance cameras are spread throughout each facility.
- 24x7 staffed protection—no unsecured access to the data center.
- Multi-factor authentication is always used for entrance to the data center.
For CDSPaaS, the service is configured to run in Google data centers in Western Europe and the United States. All administration and development of the service is handled remotely. Therefore, physical security requirements are not applicable.
Network Resilience
The Cloud HSM private data center is provided with multi-vendor and neutral-network connections to major ISPs and is located near major Internet hubs so that Thales can retain the ability to select the most resilient network at any time. Network connections to the data centers are provided using secure links with high-capacity bandwidth over fiber connections to ensure minimum latency of authentication requests turn-around. All fiber-based connections enter the data center buildings via secure concrete vaults.
The internal network infrastructure of the PoP is built upon a high-speed fiber-based network to ensure high-capacity throughput. This infrastructure uses multiple connections through highly secured network firewalls and routers to deliver full redundancy, as well as optimal traffic delivery. The following is a list of network security features of Thales DPoD Service PoPs:
- Data centers are network carrier neutral.
- Multiple fiber channels at each data center.
- Use of multiple Internet Service Providers to ensure continuous and high-bandwidth Internet access.
Power Supply Redundancy
Power is delivered to the data centers using an underground utility power feed, which is then supplemented and backed up by on-site redundant (N+1) diesel generators with local diesel fuel storage. Power is delivered into the rooms via redundant (N+1) CPS/UPS systems to ensure ongoing supply, with power delivered to the PoP equipment racks using redundant power distribution units (PDUs).
Recovery Time Objectives
Recovery Time Objectives (RTO) are dependent on the type of disruption with most service component failures including physical hardware failures, loss of power and HA (High Availability) zone having an RTO of seconds. Should the loss of all primary, secondary and tertiary systems within a data center occur the auto failover to DR (Disaster Recovery) sites has an RTO of 15 minutes.
Data Center Locations
North America Region
Cyxtera Technologies, Inc.*
1400 Kifer RD
Sunnyvale, CA, 94086, USA
Rogers Communications
436 Hazeldean Rd
Kanata, ON, K2L1T9, CAN
Europe Region
Equinix*
Luttenbergweg 4
1101 EC Amsterdam, NL
InterXion
Hanauer Landstrasse 298
60134 Frankfurt am Main, GER
*Denotes primary data center
Threat Monitoring at Thales
Thales's company-wide mission statement extends to those individuals that work on and with Thales DPoD. The Thales DPoD’s control environment reflects the company’s philosophy concerning the importance of the robustness of such a fundamental information security service. As Thales’s core business is data protection, the company has several teams that constantly monitor Thales’s ecosystem to address new risks and vulnerabilities, as well as to identify ways of mitigating them. Monitoring logs exist to track activity in the key applications and firewalls and are reviewed weekly. Proper separation of duties is in place between individuals accessing the log and individuals reviewing the log.
Intrusion detection is deployed throughout the internal network to capture and report events to a security event management system for logging, alerts, and reports—thus delivering a high degree of network traffic auditability. A reputable third-party service provider scans the network externally and alerts of changes in the baseline configuration to increase audit levels. Additional levels of network traffic monitoring are conducted 24x7 across key points within the infrastructure and automated reports are delivered daily to the network administrator.
Within each PoP, a sophisticated network of routers and firewalls ensures network separation, integrity, and confidentiality of the data and access to that data. Within the network, internal firewalls segregate traffic between the application and database tiers to ensure confidentiality and integrity and deliver high availability.
Thales applications undergo regular application and network penetration testing by third parties, and Thales DPoD adheres to this practice. The assessment methodology will include structured review processes based on recognized “best-in-class” practices as defined by such methodologies as the ISECOM’s Open-Source Security Testing Methodology Manual (OSSTMM), the Open Web Application Security Project (OWASP), Web Application Security Consortium (WASC), and ISO 27001:2013 Information Security Standard.
A grey-box approach of the application security audit is adopted for the audit. The following figure shows some of the security attack vectors that are being tested. Any issues found are resolved as part of the regular development cycle.
Thales Internal Controls and Procedures for DPoD Marketplace and Cloud Services
This section describes the different procedures and controls taken by Thales to ensure the security and robustness of the service. The processes and procedures described below refer to measures implemented internally by Thales in its offices and development centers.
Security of Internal Networks and Information Technology
Thales utilizes Antivirus software within the Thales DPoD cloud environment and Antivirus software is utilized on workstations. Virus definitions are updated in real time as they are released, and monitoring is performed in real-time.
A third-party service provider scans the network externally and alerts the Thales Security Team regarding changes in the baseline configuration to increase audit levels. Additional levels of network traffic monitoring are conducted 24x7 across key points within the infrastructure and automated reports are delivered daily to the network administrator.
Monitoring logs exist to track activity in the key applications and firewalls. These logs are retained and reviewed as per audit policy. Proper separation of duties is in place between individuals accessing the log and individuals reviewing the log.
Logical Access
The following sections describe Thales's logical access policy with regard to Thales DPoD. Only Thales employees and contractors whose job responsibilities require logical access to the environment are provided access. For the production environment, this is limited to the following personnel:
- Personnel with administrative responsibilities for the Thales DPoD service.
- Personnel with responsibilities to maintain the network and systems.
- Personnel with responsibilities to deploy code.
Requests for Logical Access
Requests for access are submitted as a ticket in the Thales ticketing system. Requests are reviewed by the Thales DPoD Infrastructure Manager and approved by the Sr. Director of Infrastructure and Operations before access is granted.
Once a request is approved, access is provisioned by a member of the Technical Support team. Note that this process is strictly governing internal access to the system for administrative or operational reasons. This process is not intended to cover external users.
Requests include the following information:
- Specific list of devices where access is required.
- Level of access required.
- Business justification for access.
Revocation of Logical Access
Access grants are removed if one of the following events occur:
- An employee terminates their employment, which is managed through the Separations process. When employment is terminated, HR creates a formal notice provided to the employee’s manager. The employee’s manager creates a ticket within Thales’s internal ticketing system requesting that the employee’s access be revoked. Additionally, if the employee has access to a shared or administrator level account, a request is made to have the password changed on that account. The ticket is sent to and completed by a member of the Technical Support team.
- The job function of the employee changes and their new role no longer requires access. Changes in employee status are noted in a weekly report and reviewed to see if changes in logical access are warranted.
Review of Personnel with Logical Access to the Thales DPoD Environment
The Thales DPoD Infrastructure Manager maintains a listing of all personnel with access to the operational environment. The authorized access list is reviewed and signed off monthly by the Sr. Director of Infrastructure. If this manager determines that an individual no longer needs access, he/she requests that access be revoked by the Technical Support team.
Privileged Accounts Access
The credentials associated with privileged accounts (Administrator for Windows or root for Linux) are known by only two senior individuals:
- Thales DPoD Infrastructure Manager
- Client Services Engineer
In addition, a copy of the privileged account credentials is maintained in a sealed envelope in the company safe.
Logical Access Monitoring
Logical access to the Thales DPoD Infrastructure is monitored as follows:
- Use of Local Admin accounts, privileged accounts, as well as access to the Thales DPoD databases. These logs are reviewed weekly by the Sr. Director of Infrastructure, who does not maintain the prior mentioned levels of access being reviewed.
- Access to and actions taken through the operator console are monitored via the monthly operator console report.
Physical Access and Environmental Controls for Luna Cloud HSM
Scope
This procedure applies globally to all facilities that house Thales computing assets. This includes corporate data centers, third party data centers (including those used to host Thales DPoD), server rooms, and server closets. Each of these facilities is secured in accordance with this policy.
Physical Access
Access to Thales data centers/computer rooms is strictly limited to personnel who have a job requirement that necessitates physical access to the data center. The following criteria is used in determining who can be allowed unescorted physical access:
- Thales employees responsible for the facility itself including the electrical and mechanical systems supporting the facility.
- Thales employees directly responsible for the support and maintenance of computing and network equipment housed in the facility.
- Thales employees designated to provide local hands and eyes in support of server and network maintenance/troubleshooting.
A member of the local Corporate Information Services staff is designated by the Sr. Director of Global infrastructure to act as the local data center manager. This individual handles requests for data center access and ensures all personnel who are granted access meet the criteria above.
New Requests for Data Center Access
New requests for data center access are submitted as a help desk ticket and assigned to the appropriate data center manager. The ticket should include a justification indicating they meet the access criteria. Once the data center manager has verified that the requester meets the criteria, the data center manager emails a request to the Facilities Manager authorizing the Facilities Manager to grant access.
Termination of Data Center Access
Physical access to the data center is revoked from employees who leave the company, or whose job responsibilities change such that they no longer meet the access criteria. The data center manager is alerted of a termination through the Thales Separation process.
Physical Access Monitoring
Access logs are reviewed quarterly to ensure only authorized individuals access the data center. Attempts to gain unauthorized access are investigated to see if they warrant escalation to Thales Security personnel. Emails and documentation associated with such investigations are maintained. The access list is reviewed bi-annually to ensure personnel on the list should continue to have access.
Problem Management
When a potential security incident is detected, a defined incident management process is initiated by authorized personnel. Corrective actions are implemented in accordance with defined policies and procedures.
If customers and external users wish to inform Thales of possible security breaches and other incidents, they can do so by reporting vulnerabilities to Thales.
Risk Management
The main control objectives of this instruction are:
- to identify and assess information security risks.
- to build and share a good understanding of them at the management level.
- to establish, prioritize and conduct risk treatment plans.
- to involve stakeholders in risk management decisions and keep them informed of risk status.
- to maintain residual risks at acceptable levels.
Change Management
Thales maintains two separate change management policies for changes required to Thales DPoD. The first discusses changes to the IT environment while the second discusses changes in the software deployed as part of the service.
Engineering Group
The engineering group is responsible for design, development, testing and operation of the software deployed as part of the service in a devops model that includes in-service upgrades and incident response. Several info security and cryptography specialists are security specialists on the team. The security specialists are responsible for design issues related to the robustness of the system, for crypto-analysis based on specific engineering requirements, and for code-reviews where the robustness of the reviewed software is examined.
Thales engineering teams are working using a formal Application Development Lifecycle methodology. Thales DPoD is developed using the agile development methodology that ensures quick, yet reliable turnaround between requirements gathered until service delivery. The agile methodology enables Thales to react quickly to new risks and changes in the global threat analysis.
IT and Service Operations Change Management
Thales maintains a formally documented Change Management policy and procedure that outlines how changes to Thales cloud computing environments are controlled. The policy is reviewed and updated annually. All changes are tested and signed-off by the tester and/or applicable business owner. Evidence of testing and the requisite approvals are attached to the change request ticket.
Emergency changes follow the standard change management process on an expedited timeline. However, unlike normal changes, approvals for emergency changes may be obtained after the fact within a reasonable time.
Application Change Management
Thales’s process was developed to ensure changes to corporate applications and infrastructure are completely tested and approved prior to being implemented in the production environment. Based upon this commitment, the following change management process is being followed and practiced by all Corporate Information Services personnel.
All proposed changes to production environments/applications are subject to this policy. No changes may be made to production environments/applications without approval from the Change Management Approvers group.
All change requests are discussed, and decisions are made during the weekly change management meeting. Ad-hoc requests can be made for changes that must be completed within 24 hours. The requester must attach:
- Change management requests
- Evidence of testing
Requests submitted without any of these documents are not accepted. While all change management requests are managed by a Change Management Tracking application located on the corporate intranet, ad-hoc requests are communicated and approved using emails to the change management committee using a designated committee.
Ad-hoc requests are kept for archival purposes in the Change Management Tracking system as well.
Change Management Meeting
This meeting reviews current in-progress Change Management requests and requests submitted since the last Change Management meeting. This meeting occurs weekly and is attended by representatives of each of the core Information Solutions and Services (ISS) teams:
- ISS—Infrastructure
- ISS—Applications
- ISS—Security
- ISS—Help Desk
- Technical Support
Engineering Change Management
Thales maintains a formally documented development life-cycle policy and process. Thales DPoD is developed using the agile development methodology that ensures quick, yet reliable turnaround between requirements gathered until service delivery, and each release is accompanied by an approved Engineering Test Report (ETR).
All changes are developed and tested by the appropriate engineering teams in development sprints. All changes are tested and signed off by the QA (Quality Assurance) team leader and Thales DPoD product manager. Evidence of testing and the requisite approvals are documented in the engineering project tracking system.
System Software Change Management
To ensure service security and robustness, Thales engineering teams are working using a formal Application Development Lifecycle method. Thales DPoD is developed using the agile development method that ensures quick, yet reliable turnaround between requirements gathered until service delivery. The agile methodology enables Thales to react quickly to new risks and changes in the global threat analysis.
Requirements Definition
Product managers gather requirements as part of their day-to-day duties. In accordance with Thales’s development methodology, these requirements are turned into user-stories. The input for these user stories comes from analysis of the market, requirements from Thales prospects and customers as well as innovative ideas coming from Thales’s CTO Office or from the engineering teams.
As part of this step, threat modeling is carried out. The process considers the macro cyber-security environment and all known attacks. Changes to the current working assumptions are translated into user-stories and gain work priority during Sprint Planning.
Sprint Planning
Sprints are followed as the process of developing/coding to meet a specific requirement. Development sprints are scheduled periodically. The team, in consultation with product management and engineering leaders, evaluate the user-stories in the backlog and decide on the content of the specific sprint.
Sprint Testing
After all the different teams working on a specific sprint submit their developed code, sprint testing is shared responsibility within the engineer team and is carried out on a continual basis by the team. Following successful testing, code undergoes source code review, and walk-throughs are conducted using a structured approach. Throughout the testing phases, an emphasis is put on security related aspects. In addition to the above testing, unit testing is performed by each developer.
Implementation
Upon approval, developed code is released into the production Thales DPoD environment.
- Penetration testing: Penetration testing is done on a dedicated non-production system but runs in the same environment as the operational service.
- At the last stage, all data is backed up from the operational service, which allows Thales to rollback immediately in case of any unexpected challenges.
Thales Organizational Structure and Functions
Thales's unwavering commitment to data security, privacy, and availability is a top-down approach that encapsulates everyone—from executives to individual contributors and contractors. The following is the organizational structure, functions and roles of the group that runs and manages Thales DPoD and its associated services (Luna Cloud HSM and CDSPaaS):
- Corporate. Executives, senior operations staff, and company administrative support staff, such as legal, training, contracting, accounting, finance, and human resources.
- Service Operation/Technical Support. Staff that administer Thales DPoD providers and take care of the daily operations related to Thales DPoD. Thales Cloud Operations administer the entire Thales service offering.
- Engineering group. The group develops and maintains the entire Thales DPoD portfolio. Members of this group are in Thales offices in Austin, Texas, Belcamp, Maryland, Tewksbury, Massachusetts, Ottawa, Canada and Noida, India. These groups are responsible for service design, development, and quality assurance aspects. In addition, these groups are responsible for information security and cryptography design aspects as well as business continuity design issues.
- QA (Quality Assurance) department/group. Reporting to VP, Global Business Operations and in-line with Group Quality and Customer Satisfaction governance, the DIS (Digital Identity & Security) GBU's Quality and Customer Satisfaction department is responsible for showing quality guidelines and setting objectives for the BLs and Domains, in conjunction with the Quality Directors concerned.
Information security and availability aspects are handled by two different groups:
- The engineering group is responsible for designing software elements that protect critical data and for the secure development of all software elements.
- The service operations group handles the deployment aspects of information security and availability. In some cases, they are helped by information security and networking specialists from Thales's IT group.
Employees are subject to background checks as part of the initial hiring process and undergo performance reviews during employment. In addition, Thales has a formalized whistle blower hotline and policy.
Next Steps
We hope this overview provides you with a better understanding of the Thales DPoD Marketplace and our Cloud Services. We recommend the following resources for additional information.
Product Briefs:
Product Documentation:
- Data Protection on Demand Product Documentation
- Luna Cloud HSM Product Documentation
- CipherTrust Data Security Platform as a Service Product Documentation
About Thales
Thales is a global technology leader with more than 77,000 employees on five continents. The Group is investing in digital and “deep tech” innovations – Big Data, artificial intelligence, connectivity, cybersecurity and quantum technology – to build a future we can all trust.
In the markets of defense and security, aerospace and space, digital identity and security, and transport, Thales provides solutions, services and products to help its customers – companies, organizations and governments – to carry out their critical missions.