The security of the infrastructure and data

It is important for us to distinguish between the security of customer-hosted data and the security of the infrastructures that host this same data.

Customer Hosted Data Security: You are responsible for the security of your assets and application systems. We constantly support you to protect all your data.

Infrastructure security: we guarantee maximum protection through an information systems security policy, all GDPR compliant, to prevent your data from being violated or damaged.

Regulation and management of security aspects

1. Security management system

As a commitment, Shellrent has implemented a systems security policy that describes the set of measures on the matter and is promptly updated in the event of changes. The Shellrent Services are in turn governed by information security management systems.

2. Compliance and certification

To evaluate the performance of its systems and infrastructure, Shellrent strives to ensure that security audits are performed regularly.

There are various types of audit:

  • Technical audits: intrusion tests, vulnerability scans and code reviews, carried out by internal auditors
  • Audit of the activities carried out by third parties
  • Datacenter audits: carried out by external auditors, the nature and frequency of which depend on the service provider

When a security flaw is identified, the most appropriate way to resolve it is determined and the recovery plan is subsequently scheduled. All of these measures are subject to periodic verification to review their effectiveness.

3. Customer Audit

The customer can perform verifications (intrusion tests) on its Services hosted by Shellrent, as well as on the related management components. The conditions for carrying out the checks are managed on request.

As a data processor, Shellrent recommends that the customer perform these checks periodically.

4. Risk management

The customer must ensure that the security measures implemented by Shellrent are adequate for any risks related to the use of the infrastructure.

Shellrent applies a risk management method that is assessed in the event of major changes, also relating to the processing of personal data and sensitive information.

To ensure that each verification is carried out correctly, a treatment plan for the identified risks is put in place. Each measure is subject to periodic checks to review its effectiveness.

5. Change management

The customer is invited to ensure that the information entered is correct, so that Shellrent can notify it of any changes to the active Services. Where required, it is up to the customer to implement the necessary actions relating to the configuration of its services, in order to adapt to these changes.

Shellrent applies a formal change management procedure:

  • Roles and responsibilities are clearly defined
  • There are certain classification criteria to identify the steps to follow when making changes
  • Priorities are managed; an analysis of the risks relating to the changes is carried out
  • Before each release, software updates are regularly subject to a code review; intrusion tests may be performed (if applicable); the change is planned and scheduled with customers (if applicable)
  • In the event of a risk, a rollback operation is carried out
  • An ex post review of the various resources affected by the change is carried out

6. System and application development policy

Processes intended for Shellrent developers follow principles for a secure development process, “privacy by design” measures, as well as a code review policy (vulnerability detection, error handling, access and revenue management, storage and communications protection).

  • Code reviews are performed regularly
  • Systematic, code-independent proofreading prior to release
  • New features are verified before release by running tests in the validation environment (if applicable)
  • Separation of roles and responsibilities

7. Monitoring of services and infrastructures

All the services offered by Shellrent are monitored by a specific infrastructure, with the following objectives:

  • Identify production and security incidents
  • Monitor critical functions by forwarding alerts to the supervisory system
  • Notify managers and initiate the necessary procedures
  • Ensure the continuity of the service in carrying out automated operations
  • Ensure the integrity of monitored resources

8. Incident management

The customer is encouraged to make sure that the information entered is correct, so that Shellrent can notify it in the event of incidents; in addition, the customer is required to implement incident management processes for its own information system, including Shellrent as a potential source of alerts.

Shellrent has an incident management process designed to allow for the prediction, detection and resolution of this type of event, both in the management infrastructure of the Service and in the Service itself.

This process includes:

  • The treatment of security events
  • Communication with the customer

9. Vulnerability Management

The customer must make sure that the information entered is correct, so that Shellrent can warn it if vulnerabilities are detected in its information system.

Shellrent, as a hosting provider, undertakes, through its technical team, to guarantee technological monitoring of new vulnerabilities, identified through:

  • Public information sites
  • Alerts from the manufacturers and publishers of the solutions implemented
  • Observations reported by operations teams, third parties or customers
  • Internal and external vulnerability scans performed regularly
  • Technical audits, as well as code and configuration reviews

Upon detection of a vulnerability, dedicated teams perform an analysis to determine the impact on the systems and potential operational scenarios. Actions are immediately implemented to resolve this vulnerability and, if necessary, a corrective plan is defined.

All measures are subject to periodic review to verify their effectiveness.

10. Management of business continuity

The customer is responsible for the continuity of its information system and must ensure that the services made available by Shellrent, the options selected and the additional systems it implements enable it to achieve its objectives.

On the other hand, Shellrent, as a hosting provider, guarantees the operational continuity of the infrastructures (devices, applications and operational processes), adopting the following mechanisms:

  • The continuity of the datacenter
  • The management of servers and systems under direct responsibility
  • Technical support of the service
  • The redundancy of the devices and servers used for system administration

At the same time, other mechanisms, such as the backup of network configurations and devices, guarantee recovery in the event of an incident. Depending on the service, Shellrent will make available to the customer backup and restore functionality, which may be included in the base offering or provided as paid options.

11. Management of physical access by third parties

Shellrent, as Data Processor, never intervenes at its customers’ facilities, as they are themselves responsible for the security of their premises.

Shellrent regulates the circulation of occasional visitors and suppliers:

  • Each visit must be declared in advance
  • Visitors are the responsibility of an employee and are always accompanied

12. Staff awareness and training

Shellrent staff, as a hosting provider, is aware of the security and compliance rules for the processing of personal data:

  • Training sessions are organized on these issues, on the implementation of audits and on technical services for interested teams
  • Awareness is raised on the security of the information system during the integration of new employees
  • The staff is constantly updated through communications regarding security

13. Management of logical accesses to the Shellrent Srl information system

Shellrent enforces a logical access management policy for employees:

  • Authorizations are assigned and monitored by managers, according to the principle of least privilege and the gradual acquisition of trust
  • As far as possible, all permissions are based on roles rather than on individual rights
  • The management of the access and authorization rights assigned to a user or a system is based on a procedure for registration, modification and cancellation
  • All employees use named user accounts
  • Login sessions always have an appropriate expiration for each application
  • If the user forgets the password, only the Employee Manager and the Security Officer are authorized to reset it
  • The use of predefined, generic and anonymous accounts is prohibited where possible
  • A strict password policy has been implemented: the minimum length is 8 alphanumeric characters; saving passwords in unencrypted files, on paper or in web browsers is prohibited

Remote access to the Shellrent information system is via VPN and requires a password known only by the user.

14. Management of administrative access to production platforms

Shellrent, as a hosting provider, applies a policy for the management of the administrative access rights of the platforms:

  • The connection to the target system is made with a shared service account or with a personal account; the use of predefined accounts on systems is, where possible, prohibited
  • Authorizations are assigned and monitored by managers, according to the principle of least privilege and the gradual acquisition of trust
  • A regular review of rights and access is carried out in collaboration with the competent services

15. Access control for the Manager panel

The customer is responsible for the management and security of his means of authentication.

The customer manages Shellrent services through the Manager panel, which is accessible only through a named account and protected by username and password:

  • The password is chosen by the customer and must comply with the complexity criteria imposed by the interface
  • Passwords are stored on Shellrent servers in an encrypted and secure format
  • All the activities carried out by the customer in the Manager panel are recorded

16. Security of workstations and mobile devices

The customer must ensure the security of the workstations and mobile devices that allow the administration of the Service and systems.

Measures have been identified to ensure the security of workstations for Shellrent personnel:

  • Automatic update management
  • Antivirus installation and update, with regular scans
  • Install only applications included in a validated catalog
  • Hard drive encryption
  • Procedure for handling a potentially compromised workstation
  • Device standardization
  • Procedure for eliminating sessions and restoring employee workstations in the event of a termination of employment

17. Network security

The customer is solely responsible for encrypting the content to be communicated over the Shellrent network.

Shellrent protects all devices through the following measures:

  • Maintaining a configuration management inventory
  • Implementation of a hardening process, with guides describing the parameters to be changed to ensure a safe configuration
  • Limited access to administration functions
  • The logs are continuously collected and centralized by dedicated systems
  • The implementation of the configurations is automated and based on validated models

18. Business continuity management

A backup policy has been implemented on the servers and devices used by Shellrent to provide its services:

  • All the systems and data necessary for business continuity, the reconstruction of the information system, or the analysis following incidents, are stored
  • The frequencies, storage times and archiving methods of backups are defined according to the needs of each stored resource; the creation of backups is subject to monitoring and to the management of alerts and errors

19. Logging

The customer is solely responsible for the logging policy for their systems and applications.

Shellrent maintains centralized backup and archiving of the logs of the systems used to provide its services. Here is the list of the main logged activities:

  • Logs of backup servers hosting customer data
  • Logs of the servers that manage the customer infrastructure
  • Logs of servers that provide service to customers
  • Activities and events performed by the customer on his infrastructure through the Manager panel
  • Logs of the administrators’ machines

What is described on this page is purely for information purposes and therefore has no contractual value. For information on this, go to the Contracts page.
