We recognise that our infrastructure and information must be well managed, controlled and protected. To that end, We have a team that oversees FyfeWeb’s security program, which encompasses high-quality network security, application security, identity and access controls, change management and control, vulnerability management and third-party penetration testing, log/event management, vendor risk management, physical security, endpoint security, physical security, governance & compliance, and HR security, disaster recovery and a host of additional measures and controls.
Our infrastructure is protected via a number of mechanisms and controls, including firewalls, IDS/IPS and access control. We perform a variety of scans regularly to prevent issues from materialising or ensure that any exposed vulnerabilities are quickly found and patched, as well as penetration tests performed on a regular basis.
Customer data is securely stored and processed at FyfeWeb Data Centres around the UK. Access to information and systems is restricted to specific, named individuals based on “need to know” and zero trust principles and actively monitored and audited for compliance. We use encryption for all data in-transit, and customers can elect to encrypted their own data at rest, in addition to our disk-level encryption. Our Services are solely hosted, operated and managed in-house by FyfeWeb, and all data centres we use are independently audited to ISO 9001 & ISO 27001 and Tier III+ (3) Standards.
To ensure that we maintain the highest possible levels of information security, FyfeWeb internally conforms to ISO 27001 & ISO 9001 and has procured auditing solutions from reputable third party auditors, including those who audit our information security practices at least annually.
All data hosted by FyfeWeb is stored on encrypted disk volumes, including any backups we make. We believe this level of protection strikes the right balance between confidentiality and availability.
We provide DDoS protection on all of our services, for no additional charge. This uses the GTT Corero Smartwall platform, which has a large global filtering capacity. We don't redirect on-attack either, all traffic flowing into the network is filtered 24/7/365 and automatically inspected for attacks. This means that the time to mitigate an attack is under one second. Further to this, we have our own cross connects in our London Edge Data Centres and no GRE tunnels, which ensures consistent reliability and performance with zero overheads. For customer deployments that need additional protection, we can increase filtering sensitivity on a granular basis, as and when required.
Since the outset, we have worked with external and internal stakeholders alike to ensure our data centres points of presence feature a stringent and multi-layered security model. This should encompass granular levels of access control, to ensure access is granted on a "need to" or bona fide basis only and access is removed for anyone who does not require access to a specific level (or "layer"). A very limited number of people are on a pre-approved access list at any one time for data centre campuses, data centre buildings, plant rooms/facilities, data floors and individual racks. Any access authorisation or approval granted is ephemeral and is audited and set to automatically expire after a short period of time.
In addition to our multi-layered approach to physical security, our data centres are equipped with security-aware and trained personnel, video surveillance cameras (CCTV), automatic numberplate recognition (ANPR) systems, granular access control at all levels, biometrics, perimeter fencing and individual levels of access to the data floors and individual racks. Those that do have a bona fide reason to access our data centres, are subject to approval, review and access the data centres the only way possible; through security access corridors which implement anti-tailgating mechanisms, multi-factor access control using security badges, government issued identification checks, access clearance checks, biometrics and escorts by authorised personnel.
As a customer we ask that you ensure that you and your system administrators of the services conform to sound security practices and good cyber hygiene when maintaining access credentials to your services with us. This includes but is not limited to: strong account passwords, access control, RBAC, enforcement of permissions and restrictions etc. Where customers become aware of a compromise to any of their systems, services or account credentials, we ask that you notify our Security Operations Centre immediately by contacting our Abuse, Trust and Safety Team.
We know that data stored in our cloud, collected or created through your use of the service, submitted to your websites, sent to your email, or anything else hosted on-net with us, is free-form and could contain all kinds of information about our customers and other people, including data of the most confidential sort. Due to the nature of our business (hosting, cloud, email, communications, data centre services etc.) our systems process large amounts of potentially highly confidential data. For this reason, we treat all data belonging to our customers as "Client Confidential" which is the highest level of classification for customers within our data classification and handling system and has stringent access restrictions and limitations.
All data transfers inside our data centres are subject to encryption and all data transfers between our datacentres are transferred over encrypted tunnels and links. Where you are using a password to access our systems, we store that password in a non-reversible encryption scheme using current best practices.
Maintaining an up-to-date incident response plan is essential for all businesses. This is a key aspect of the work in our security and privacy management systems. Our incident response and management plan incorporates personnel from across our business, ensuring that resources are well managed and deployed where they are needed, when they are needed. Our Incident Response & Management Policy lists actions, escalations, mitigations, resolutions and notifications for any potential or actual incident which impact or erode the confidentiality, integrity or availability of internal or customer information. Following the successful remediation and resolution of an incident, the incident response team evaluates the lessons learned from the incident. When the incident raises critical issues, the incident commander may initiate a post-mortem analysis. During this process, the incident response team reviews the cause(s) of the incident and FyfeWeb's response and identifies key areas for improvement.
International regulations place significant emphasis on businesses knowing how they process data, who has access to data, and how security incidents will be managed. We have a team of security and compliance professionals who support internal and external customers in navigating their own regulatory compliance and risk management obligations. Our approach includes collaborating with customers to understand and address their specific needs and the like. As new auditing standards are created, our team works to determine what controls, processes and systems are needed to meet them, while facilitating and supporting independent audits and assessments by third parties. In certain situations or circumstances, we also allow customers to conduct audits to validate our security and compliance controls.
FyfeWeb has a "zero-trust" approach when it comes to networks and devices located on them. We enforce significant access controls based on information about a network, a device, its state, its associated user or company, location and more. This considers all networks, including internal and external, to be untrustworthy. This creates a concept of borderless compliance where we dynamically assert and enforce levels of access at the application layer. This enables FyfeWeb's security and compliance team to be as secure and effective during an emergency as they would be at any other time.
We employ a rigorous asset management and disposal system. We use a variety of asset tags and barcodes to closely track the location, status and more of all inventory assets used by the company, whether this be in our data centres, our office areas or otherwise used by our personnel, from acquisition and delivery, installation, usage, retirement and destruction. We have in place a strict chain of custody system which ensures that no equipment leaves a data centre, or anywhere else it is authorised to be, without the appropriate clearance or authorisation. Our strict disposal procedure is adhered to at all times and any anomalies or variations are investigated without delay and are addressed immediately.
When a data-bearing equipment (such as disk drives) is retired, authorised personnel verify it has been properly erased in compliance with the "DoD 5220.22-M" standard which requires:
- Pass 1: Overwrite all addressable locations with binary zeroes
- Pass 2: Overwrite all addressable locations with binary ones
- Pass 3: Overwrite all addressable locations with a random bit pattern
- Final Pass: Confirmation of data deletion and drive wipe
From this point, drives are either: (a) stored in our secure storage locations awaiting re-use, deployment or acquisition; or (b) they are destroyed using a range of secure destruction methods, ensuring that all data bearing equipment is destroyed to a point where no data can be recovered and we receive a certificate of destruction.
We mandate all connections to our servers use Transport Layer Security (TLS) and Secure Sockets Layer (SSL) encryption, for all connections including webmail, services, and IMAP/POP/SMTP email client access. This prevents eavesdropping, tampering, and message forgery on any communication between your computer or phone and our servers. Whenever you send a message to someone outside of the FyfeWeb Network we have to send it across the open internet. Since the outset, we have fully encrypted all connections between us and the receiving server whenever the other server supports it, preventing passive eavesdropping, tampering or forgery. Similarly, we have accepted encrypted connections for mail delivery to our servers since the outset, and we encourage all servers connecting to us to use it.
A Strict Transport Security header is sent with all of our webpages. This tells all modern browsers to only connect to us over an encrypted connection, even if you have a bookmark, click a link or type a URL to an insecure page at our site. Many unexpected forms of attack come from failing to close potential vulnerabilities, including database port access, SSH port access, and so forth. We use kernel-level firewalling to only allow connections to the services provided by each machine.