The European Union (EU) and Canada supervises the private sector’s use of personal data while the US has minimal regulation of their private sector. Canada’s privacy laws focuses on “individual autonomy through personal control of information” (Techvibes).The US focuses more on protection from the government while Europe tends to protect their dignity and public image (Identity Bureau Trulioo).
In addition to two federal laws in Canada that protect personal information, there are also provincial laws in Alberta, British Columbia and Quebec that are similar to PIPEDA (Personal Information Protection and Electronic Documents Act). These laws set out ground rules for how private sectors may collect, use, or disclose personal information in a commercial setting. Unlike the US, Canada’s strict privacy laws are recognized by the EU and privacy compliance is overseen by privacy commissioners and ombudsmen at both the federal and provincial levels (Techvibes).
So what does this mean for businesses in Canada?
In today's business market, service organizations are looking for a partner who can help them deploy IT infrastructure services and have the necessary controls and measures that comply with their local and corporate requirements. One of Canadian Web Hosting's core missions is to help businesses meet their SSAE 16 certification requirements (formerly the SAS70), which meets the new international service organizations standards for Type I and Type II reporting.
The Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) issues the SSAE 16 Type II (formerly SAS 70) to service organizations that typically offer outsourced services. An auditor's report details the ability for a service provider's ability to offer adequate controls and safeguards when they host or process data belonging to their customers.
The CSAE 3416 certification is issued under Canadian Institute of Chartered Accountants (CICA), Canadian Standard on Assurance Engagements (CSAE) 3416 to service organizations that typically offer outsourced services. An auditor's report details the ability for a service provider's ability to offer adequate controls and safeguards when they host or process data belonging to their customers.
Okay... then what does this mean for our customers?
Customers can now outsource web-hosting services including Dedicated Servers, virtual servers (VPS), CA Cloud Servers and/or Shared Hosting to a provider that already meets SSAE 16 requirements. In doing so, you can focus your company's time, money, and manpower on core functions that will drive additional revenue to your business. Here are some examples of Canadian Web Hosting's SSAE 16 compliance controls and physical security that our hosting environment supplements:
- Facilities and asset management
- Logical access and access control
- Network and information security
- Computer operations
- Backup and recovery
- Change and incident management
- Organizational and administrative controls
- Security policies, reporting, and monitoring
- Physical and logical security
Canadian Web Hosting is the industry leader in delivering 100% Canadian web hosting solutions for businesses requiring a SSAE 16 certification with their web hosting environment. When combined with our enterprise-grade web hosting hardware, and a securehosting environment that features many leading technologies including our Unified Security Services, Canadian Web Hosting will help you achieve compliance.
- SSL capability
- Enterprise-level, application level protection
- Hardware/Software firewall
- IP-Restricted FTP
- Managed backups with guaranteed retention
- Advanced 24/7monitoring
- Multi-level intrusion prevention (IPS/IDS)
- Anti-Spam, Anti-Malware, Anti-Virus
- Log Management
With an increase in online business trends, a company’s digital infrastructure should be beneficial to your business and not interfering with its growth. A strong framework is therefore essential to a business’ performance.
Learn the qualities of a good digital infrastructure:
1. Have options.
Your employees should have multiple ways of accessing business applications. With a soaring number of portable electronics being used, employees should have the ability to access their work applications on their phones, tablets, laptops, etc. This increases the rate of communication internally and with customers.
2. Have multi-media applications.
Business applications should be able to handle any type of communication, not just text-based. Think of videos, voice, and other data that could be easily passed between employees and with other businesses and clients.
3. Allow for collaboration.
Increase productivity by using applications that allow for collaboration in real time. Employees that can view and edit projects together save time and get better results.
Understand your current digital infrastructure:
1. Know what your current infrastructure can and cannot do.
Do you know what components you have and whether are necessary?
2. Employees need to know how to use it.
Your employees should have a clear understanding of how to use your digital infrastructure.
3. Think about your physical limitations.
The digital infrastructure needs to be able to handle the environment it is in, such as extreme weather conditions. And when problems arise and employees can’t physically get to work, they need to be able to access your digital infrastructure remotely. Customers also need to be able to get in touch for support.
How to improve your digital infrastructure:
1. Ask your employees and customers.
Find out what they think is missing. Employees and clients are the ones using your infrastructure and providing business.
2. Modify applications and come up with your own if necessary.
Find what’s right for your company and tweak it to make it perfect.
3. Virtualize it.
Use business applications that are accessible outside of your office. Store these systems on a remote server. Virtualizing also helps save you money by lowering support cost.
4. Be up to date.
Consult IT professionals and stay on top of your game. Don’t be spending money and time on developing applications that are soon out of date.
When searching for your business online and you see this -
Your website and business are in trouble. You’ve been hacked. What should you do?
Every day, malicious users, hackers and cybercriminals attempt to compromise thousands of websites. Hacks are often invisible to users, yet remain harmful to anyone viewing the page — including the site owner and/or business. Every day, we see customers who unbeknownst to them, have been hacked and their site has become infected with harmful code which in turn can record keystrokes on visitors’ computers, stealing login credentials for online banking or financial transactions.
You may ask yourself, isn’t it my web hosts job to protect my server? The answer is both yes and no. Your web host, like Canadian Web Hosting, has most likely implemented strong network security mechanisms and other security features that ensure your service works properly including hosting your website. However, where the most common misconception is that your web host does not control your server and your code for your website unless you are utilizing managed services. In an unmanaged environment, each customer is responsible for updating their applications, website code and implementing services to protect their business. We’ve seen some recent vulnerabilities with popular applications like WordPress that have severely impacted customer websites because they did not keep their applications up to date, even after receiving notifications that their code needs to be patched due to emergency vulnerabilities that have been identified. These attacks range from server configuration problems, SQL injections, Code injection, error templates and many more. It is also interesting to note that many customers fall into heavily targeted areas without even knowing that they are in a high risk geography. Trustwave recently release a graphic that shows the most common areas of attack based on country.
So, if you’ve been hacked what should you do? Here is where you ask yourself, do I want to handle it myself? Or get help? Here at Canadian Web Hosting we follow-up a very rigid methodology to quickly identify malware/hacks on customers site, and have built a rigorous process to eliminate the hack as soon as possible. Typically, we will look at the following steps:
1) Scanning your site
2) Quarantining the site
3) Validating backup files
4) Assessing the damage (hacked with spam or malware)
5) Identify the vulnerability
6) Clean and maintain the website
7) 24/7 Monitoring
Now, depending on your own expertise these steps range from basic to advance and may require a security professional to analyze the hack, remove it from your site/code and validate that your site is clean. In the next article, we will spend more time talking about each step and identifying some best practices to minimize any impact on your business and your customers. However, some simple steps can go a long ways in the event that an issue has occurred. Check your user accounts and make sure you have unique passwords that follow secure password principles, update your web applications and operating systems whenever a patch is released, and utilize low-cost 3rd party security providers that can monitor your site 24/7 and will notify you of any potential vulnerabilities or malware attacks on your site.
There are a few services like this available today like stopthehacker and Sucuri that offer basic month-to-month or yearly costs to monitor your site and your reputation and notify you in real time when an issue occurs. Recently, Canadian Web Hosting, the leading provider of web hosting and cloud-based Infrastructure as a Service (IaaS) solutions in Canada, partnered with Sucuri, the leader in malware prevention to deliver a cost-effective solution that is focused on malware detection and removal. The reasons for this are several but are focused on several key principles – 1) extremely effective at identifying issues, 2) low cost threshold, 3) continuous updates to their database and security threads and 4) use of security professionals who review your site code and implement fixes. This last point has been a key benefit for Canadian Web Hosting customers as it avoids common issues that we see with “automated” malware removal where the system just carves out the code without recognizing possible scenarios that will cause a site to crash or become unworkable.
Sucuri, works by actively scans all pages of customers’ websites for viruses and possible web malware threats to see if malicious users have injected harmful code into them. Additionally, Sucuri continually monitors potential new versions of malware and protects online businesses from any emerging threats. Because of potential complexities identified in the process list above, Canadian Web Hosting security experts take a very proactive approach work with our customers and will actively manage any malware notifications or possible attacks. In the event that an issue is identified, Canadian Web Hosting’s security teams take all necessary actions to rectify the situation including validation of clean backups and files, malware removal, and continuous communication with the customer. Here are some of the features of Sucuri:
Standard Malware Detection
Advanced Malware Detection with Artificial Intelligence
Server-side Scanning including .htaccess Hack Detection
Webpage Defacement Detection
Phishing Page Detection and many more
Blacklist and Reputation Monitoring
Server Side Scanning
Speed Monitoring & Up-time Monitoring
Working in combination with Canadian Web Hosting’s Secure IT platform, customers will benefit from using Canadian Web Hosting’s advanced Defense Network layer approach that both protects and monitor botnets, malware and a customer’s website's IP reputation to protect their users and networks from possible malware attacks. This includes malware prevention scanning that blocks inbound and outbound traffic by tracking malicious activities to their firewall gateways to enforce pre-determined security policies, as well as server side and website scanning that when combined are 85% more effective in preventing malware and malicious attacks when compared to traditional malware services.
Canadians know that we have much stricter online privacy laws than most of our counterparts around the world and with that said, as a company, Canadian Web Hosting, always follows and keeps track of stories that breach our Canadians laws. Why? Because Canadian people and Canadians businesses care very much about where their own data are stored which is right here on Canadian soil. Both of our data centres are located in Vancouver, BC, and Toronto, ON and as you can imagine, we pride ourselves in protecting our customers' data very seriously. Your online data.
Now, if you are the kind of user who enjoys apps and texting, you are probably familiar with WhatsApp Messenger, a cross-platform mobile messaging app which allows you to exchange messages without having to pay for SMS since the app uses your data plan instead of your texting plan. The app is readily available for iPhone, BlackBerry, Android, Windows Phone and Nokia.
A few days ago, the media reported that privacy commissioner Jennifer Stoddart said that the mobile chat app WhatsApp violated Canadian privacy law and needed to be updated to comply with all her concerns. The article states:
Investigators found messages were being transmitted unencrypted, which left them vulnerable to being intercepted by hackers, particularly on public WiFi hotspots. The company did begin encrypting messages in September in response to the privacy agencies. But Stoddart says WhatsApp still has work to do to resolve all its identified issues. She was unhappy that users were not getting adequate disclosure about how their status messages could be seen by people not on their contact list. The company says it will address the complaint in a new release expected in the fall.
If you're a heavy app user, you might want to think twice about the purpose of the apps that you are using and how one company is utilizing your personal contact information. We often blog about privacy and you can keep up by following our "privacy" tag. Recently, we wrote about data centre physical security, our deployment of SecureIT Botnet and Malware Prevention, and the roles of StopTheHacker and prevention.
If you're looking for additional information on this topic, you may email us at email@example.com, or call us at 1-877-871-7888. You may also contact us through social media on Twitter at @cawebhosting, through our Facebook Page or leave us a comment below.Kevin Liang
CTO / SEO Guru
In today's ever-growing regulatory compliance landscape, companies and organizations are continually looking for alternatives to reduce expensive in-house IT hosting but continually run into the problem of meeting corporate governance and compliance requirements. What’s more, these companies are seeking to use services from companies like Canadian Web Hosting who can provide assurances that a strong control environment is in place, complete with data centre and physical security best practices.
The focus of this article is to take a deeper look at an equally important aspect of web hosting and that is looking at the facility that the servers are actually hosted in and outlining integral best practices that allow you to meet your governance needs and ensure that the servers are hosted in an environment that provides limited access and ensures physical protection. Because of this, Canadian Web Hosting’s best practices for physical and data centre security, which are tested by an independent CPA firm for SSAE16 (formerly SAS70) audit compliance, are implemented throughout all areas of a data centre, rather than being segmented to cover only specific areas and include both data centre facilities located in Vancouver, BC and Toronto, ON.
Why is it important to look for the SSAE16 auditing standard? Since 1992, SSAE 16 and SAS70 have been, and will continue to be, one of the most effective and well-recognized compliance audits for testing and reporting on controls in place at data centres.
So, how does physical security actually benefit the end user? Let’s take a deeper look at what types of best practices and physical security features each of our data centres has. It is important to note that these processes are the same regardless of location.
Built and Constructed for Ensuring Physical Protection
The exterior perimeter walls, doors, and windows are constructed of materials that provide Underwriters Laboratories Inc. (UL) rated ballistic protection.
Protection of the Physical Grounds
The data centre has physical elements in place that serve as a physical protection barrier that protect the facility from intruders.
Bullet Resistant Glass
Certain areas within the data centre, such as the lobby area and other entrance mechanisms, are protected by bullet proof or bullet resistant glass.
Security Systems and 24x7 Backup Power
The data centre's security systems are functioning at all times, complete with uninterruptible power supply (UPS) for ensuring its continuous operation.
Cages, Cabinets and Vaults
The physical structures which house equipment must be properly installed with no loose or moving components, ultimately ensuring their overall strength and rigidity.
Each data centre has a man trap that allows for secure access to the data centre "floor".
Electronic Access Control Systems (ACS)
Access to all entry points into and within the data centre are protected by electronic access control mechanisms which allow only authorized individuals to enter the facility. Included within the framework of electronic access control should also be biometric safeguards, such as palm readers, iris recognition, and fingerprint readers.
Any individual requesting access to the data centre are enrolled in a structured and documented provisioning process for ensuring the integrity of the person entering the facility.
Any data centre personnel or clients utilizing the facility services must be immediately removed from systems that have allowed access to the facility itself. This includes all electronic access control mechanism along with removal of all systems, databases, Web portals, or any other type of sign-in mechanism that requires authentication and authorization activities.
All visitors must be properly identified with a current, valid form of identification and must be given a temporary facility badge allowing access to certain areas within the data centre. This process must also be documented in a ticketing system.
All exterior doors and sensitive areas within the facility must be hard wired with alarms.
Each Canadian data centre facility has a mixture of security cameras in place throughout all critical areas, both inside and out, of the data centre. This includes the following cameras: Fixed and pan, tilt, and zoom (PTZ) cameras.
"Threat Conditions Policy"
Each Canadian data centre location has a "threat conditions policy" in place whereby employees and customers are made aware of changes in the threat level.
Badge and Equipment Checks
Periodic checks are done on employees to verify badge access and equipment ownership.
Local Law Enforcement Agencies
Canadian Web Hosting Management has documented contact information for all local law enforcement officials in the case of an emergency.
A third-party contractor is utilized for shredding documents on-site, then removing them from the facility, all in a documented fashion, complete with sign-off each time shredding is done.
Data Centre Security Staff
These individuals must perform a host of duties on a daily basis, such as monitor intrusion security alarm systems; dispatch mobile security officers to emergencies; monitoring to prevent unauthorized access, such as tailgating; assist all individuals who have authorized access to enter the data centre; controlling access to the data centre by confirming identity; issue and retrieve access badges; respond to telephone and radio communications.
Additionally, they should also conduct the following activities:
Response and resolution to security alarms; assistance for cage lockouts and escorts; scheduled and unscheduled security inspections; enforcement of no food or drinks on the raised floor area; Enforcement of no unauthorized photography policy; fire and safety patrol inspections.
Physical Security Features
Specific to each location, Canadian Web Hosting also utilizes several additional security processes that enhance the above best practices. This includes, but is not limited to, the following:
• Access to sensitive areas within the data centre is controlled with an electromagnetic badge and/or biometric access system that is maintained, administered and controlled by physical security or operations personnel
• Visitors must be pre-scheduled seventy-two (72) hours in advance and present a valid photo ID or and be pre-authorized to gain admittance to data centre facilities
• To gain access to secured raised floor area, visitors (and documented employee) must sign in and be escorted by authorized data centre personnel
• Monitored through surveillance cameras, CCTV and regular patrols by security and operations personnel 24 hours per day, seven days per week
• Areas housing critical IT infrastructure are protected by a two-door access control system
• Management maintains documented security policies and procedures to guide employees’ activities for controlling and monitoring physical access to and within the facility
• Digital surveillance cameras monitor and record physical access to and within the facility
• Video backups of surveillance activity for a minimum of 30 days
• A dual challenged badge access system that requires an access card and personal identification number (PIN) is used to control access and movement within the facility. This system logs facility access and is available for review purposes.
• Biometric fingerprint scanning is used to control access to the data centre, telecom and power rooms
• Combination or key locks and biometric scanners must be used to access server/network equipment
If you're looking for additional information on this topic, you may email us at firstname.lastname@example.org, call us at 1-877-871-7888, or contact us through social media on Twitter at @cawebhosting or through our Facebook Page. You could also leave us a comment below.