Cesnet complies with the requirements of CSN EN ISO/IEC 27001:2014 and holds the relevant certificate. All working and safety procedures shall comply with this standard. All infrastructure managers have a working relationship with Cesnet and have been instructed under the GDPR Directive.
Hypervisors and all internal infrastructure are addressed in a separate network that is not accessible from outside the datacenter. Private addressing is used where available. Access for admins is restricted via ACLs on network devices. Virtual servers are located in several L2 networks. Machines of external organizations are placed in a separate network for security reasons. There are no restrictions on communication between virtual servers. Critical virtual servers are protected by a network IDS/IPS element that protects critical services from Internet security threats.
Virtual server management (VMware vCenter Server) is available over IPv6 only and is restricted to the enumerated network ranges of administrators and a central VPN service. Authentication is linked to the central OpenLDAP, which contains all employees of the organization. This solution handles the user life cycle automatically, so only a user with a valid employment relationship is able to sign in to the management console. The infrastructure itself does not retain any sensitive user data. In justified cases, external users may be allowed to administer virtual servers; their accounts must be guaranteed by an employee of the organization.
Our hardware is physically located in server rooms with restricted access protected by two-factor authentication. Entry is protected by an electronic ID card reader and biometric data reader.
Activities of users and administrators are logged within the service and a copy is sent to a central syslog server. Non-standard activities (such as bad username and password attempts) are immediately reported to administrators. Logs on the central syslog server are stored for 6 months and then automatically deleted. Statistical data on resource usage are kept for a year and are deleted after processing. See ISMS Directive.
The whole infrastructure, as well as all production virtual servers running here, is monitored by internal tools and by external monitoring from the central Nagios server. This solution ensures that the administrator is notified of a problem even in a fatal network outage inside the data center. Global oversight of the infrastructure is provided by a central Service Desk available 24/7. If necessary, Service Desk staff will report on the current situation and provide solutions to any troubles.
The virtualization infrastructure is distributed across two physical sites that can back each other up. Both locations are in the Czech Republic (Prague and Brno) and all HW is fully under our control. In case of maintenance, virtual machines can be migrated between sites. All virtual servers are backed up daily by Veeam Backup & Replication. The backups are primarily stored in our data center and are then copied to the separate storage infrastructure of DÚ Cesnet. Backups are available for 4 months. Backups leaving datacenters are encrypted. Backup consistency is checked automatically each month. The Veeam Backup & Replication tool allows a virtual server to be run directly from a remote backup if needed. The restore itself can then run in the background. This can significantly reduce recovery time (RTO) for critical systems.
With regular update cycles, we take advantage of two linked data centers. New versions are always tested in one, and after verification, the change is applied to the other data center. In the case of major interventions, we also use the possibility to pre-migrate critical virtual servers to the other location. Changes made are recorded in the operations log and, if required, reflected in working procedures.
Each virtual server must have an administrator/owner. A name, email and, where provided, a phone number are kept for quick contact in case of problems. Email is also used for automatic reporting of non-standard states. Personal data can only be accessed by infrastructure managers and is handled in full compliance with the Cesnet global GDPR Directive.