Data Security
Strategic Benefits Advisors, Inc. (SBAI) takes security associated with client data extremely seriously and has developed and implemented world-class technology and processes to ensure unsurpassed protection. We have installed technology that prevents the downloading of any data to laptops, workstations or any other device. Our goal is to lead the industry in the protection of sensitive information.
SBAI’s network infrastructure consists of three major components – the data center, headquarters, and the remote users. The components work together to ensure maximum security as well as usability for the users of the SBAI network. Every user has a laptop running Windows XP Professional and most users travel between multiple locations.
HEADQUARTERS
Headquarters for SBAI consists of a single, dedicated T-1 connection to the data center protected by a SonicWall TZ170W firewall. This device provides basic NAT functionality as well as stateful packet inspection, deep packet inspection, anti-spyware functionality, anti-virus functionality, and intrusion protection services. Wireless services are also provided by the firewall using 128-bit WEP encryption and a strong WEP key. No users have access to the management console for the local SonicWall. All unsolicited inbound traffic to the office is blocked by the SonicWall.
Headquarters generally consists of numerous users onsite. All users connect to the network secured at the data center via a Netgear 10/100 ethernet switch or the wireless services provided by the SonicWall firewall. All networking equipment at headquarters is secured in a separate room, using restricted card access, within the SBAI facility and none is shared with other tenants in the building.
Each workstation is kept up-to-date on Windows Critical Updates via a management agent. All workstations are additionally protected by an antivirus agent on each machine, TrendMicro Client/Server/Messaging Suite, which is managed from a central server.
A persistent site-to-site IPSEC VPN tunnel using the AES encryption algorithm is maintained by the SonicWalls to the data center for access to servers and data contained within. No company/client information, cached email, or other sensitive information is stored on any laptops/workstations. In addition, the network is configured to completely prevent any downloading of any information from the data center to any laptop or workstation. No SBAI computer outside of the data center can ever have any client data stored on it.
Users access all data through a terminal services session to the terminal server, which will be explained in further detail in the data center section. Direct mapping of drives to the servers is not permitted and all data must be accessed through the terminal services session.
REMOTE USERS
Remote users consist of any users that normally work outside of the headquarters office or any users that work outside of the office on occasion, such as from home or from a client site. Remote users must establish an IPSEC VPN connection using the 3DES encryption algorithm to the data center using the SonicWall VPN client. Establishing this connection requires the VPN settings for the connection, the pre-shared key, and finally a valid user account with VPN permissions. VPN user authentication is handled via RADIUS authentication to allow for a single source of user account information.
Once a user has successfully established a VPN connection, the user then has the ability to establish a terminal services session to the terminal server as discussed above in the headquarters section.
In addition to VPN/Terminal Services connectivity, remote users also have the option to access email via an encrypted SSL Outlook Web Access webmail session. This requires that the user has been granted the right to use Outlook Web Access and can successfully authenticate to the server using their Windows credentials.
DATA CENTER
The data center is a world-class facility featuring state-of-the-art layered physical security including: single point of entry, coded key cards, biometric fingerprint and iris scanners, onsite security force 24x7x365, and comprehensive surveillance camera coverage. The SBAI servers are located within the main facility of the data center in a locked cabinet to which only SBAI’s representative has access.
The hosting environment is temperature-controlled and provides backed up, redundant power sources. The environment also features redundant internet connections. Each server features redundant power supplies, redundant network connections, and redundant disk storage.
The SBAI network segment at the data center is protected by a SonicWall Pro2040 firewall which provides NAT, stateful packet inspection, deep packet inspection, and VPN services. This device is the endpoint for the Headquarters VPN connection as well as the endpoint for all Remote User VPN connections. Only VPN connections, inbound e-mail, and webmail requests are allowed to pass through the firewall unsolicited. The SBAI equipment is located on a dedicated VPN with no other client access.
Each of the three servers used by SBAI is a dedicated Windows-based server with no other client access. The system is set up as a Windows Active Directory domain with all servers and user workstations as members. All users use domain accounts and no users are granted access above “standard user.”
An EMC Clarion SAN device with RAID-5 redundancy is used as primary storage for all user data and all e-mail. Exchange 2007 provides secure email and stores all mail in the information store located on the SAN. While calendar and contacts sharing is allowed between users on an opt-in basis, all e-mail boxes are accessible only to the owning user.
Each user has a dedicated folder on the SAN which is accessible only from the terminal server for all data. This is the only permitted storage location for user data. NTFS permissions are used to ensure that each user has access only to his or her directory and no user is permitted access to any other user’s directory.
Backups of user data and e-mail are performed on the SAN and do not leave the equipment dedicated to SBAI usage. Offsite backup of data to a secure secondary facility is performed weekly.
User accounts are managed via Active Directory. Password policies are enforced and require users to adhere to Windows password complexity guidelines as well as a minimum length of 7 characters. Thirty-day password changes are also enforced.
SBAI representatives monitor all servers, including firewall logs, event logs, performance data, and other vital metrics.
All servers are kept up to date on critical Windows vulnerabilities via automatic and monitored patching mechanisms.
Additional Security Measures
All of SBAI’s stringent security technology is completely supported by security policies and procedures that are detailed in our employee manual. Employees are trained on all security procedures on their first day of employment and receive scheduled refresher training on an ongoing basis. Employees are clear that deviation from our stated security policies is grounds for immediate termination. We perform thorough background checks on all new employees.
Physical security at headquarters starts with card reader access and monitored security systems and continues with strict policies of keeping all client files securely locked in cabinets at all times when not in use. As stated above, no electronic client data is ever stored at headquarters or any other location other than the secured data center.
Audited Security
Recently, a Fortune 100 client sent in their security audit team to thoroughly assess all areas of data security at SBAI. The exhaustive process spanned two complete days and covered hundreds of audit points. In the end, SBAI scored higher than any of the client’s facilities worldwide.