CenturyLink Cloud is entrusted with hosting many sensitive, business-critical systems for clients that include some of the world’s largest corporations. This guide describes how CenturyLink Cloud manages security for its clients. It starts by reviewing CenturyLink’s “Shared Responsibility Model” for security. The guide then outlines CenturyLink Cloud security features, processes and best practices used to secure the cloud platform and its data and explains the role of customer and provider for managed services. It goes into detail on change and incident management, data and storage segregation, cage protection, personnel policies, access controls, network security, replication, and disaster recovery.
CenturyLink is entrusted with managing the information assets of some of the world’s largest corporations. This is not a responsibility we take lightly. Our commitment to security for our clients’ data and systems is central to almost everything we do in our business. This guide outlines how we approach securing client information assets hosted in a multitenant environment. While not exhaustive, this guide was created to answer the most frequent high-level questions that our clients have about CenturyLink’s security policies and procedures for its public cloud.
CenturyLink operates on a “Shared Responsibility Model” that delineates CenturyLink’s obligation to secure physical and virtual environments and the customers’ obligation to secure their applications and unique instances with tools that we and our
partners provide. The client’s security roles and responsibilities will vary based on service type. For instance, CenturyLink’s responsibilities will be different in a Platform-as-a-Service (PaaS) scenario versus Infrastructure-as-a-Service (IaaS).
Overall, CenturyLink takes a “defense in depth" approach to
securing customer environments, securing physical equipment,
cloud resources, and customer data. In addition, an extensive
permissions system, that extends to the group and individual
VM levels, ensures only authorized users can access and alter
systems. We’ve worked with leading IT auditing firms to ensure
our systems are ready to support most global organizations:
CenturyLink operates on a “Shared Responsibility” model for security. The shared responsibility model delineates CenturyLink’s obligation to secure the underlying infrastructure as well as the customers’ obligation to secure their own virtual servers, applications, and systems with tools that we and our partners provide. We commit to security roles and responsibilities that are within our ability to manage, while the client commits to security areas that are within the client’s control.
Figure 1 shows a simplified diagram of security responsibility sharing between CenturyLink and the client. At a high level, CenturyLink is responsible for security of the infrastructure, including the data center and network, and basic services of compute, storage, and network. The client is responsible for what it controls, such as the application software and data. The level of responsibility depends to some degree on the type of service in use.
Figure 1 - Basic shared security responsibilities for CenturyLink and client
Security responsibilities are different for clients who use CenturyLink Cloud’s Managed Services. CenturyLink is providing the managed operating systems or application, so we take on a greater role in securing the managed service. Specific security parameters vary depending on the service offering.
Table 1 – CenturyLink's responsibilities: Paas vs Iaas
Table 1 shows — CenturyLink’s security responsibilities are more extensive when the client uses the CenturyLink Cloud for Platform-as-a-Service (PaaS) versus Infrastructure-as-a-Service (IaaS). With IaaS, the client is undertaking a greater scope of IT activity on top of the cloud platform, so in that case the client has a greater share of security responsibility. With on-premise environments, the client assumes all responsibility.
In a PaaS scenario, the customer and the provider have a more balanced share in the areas of responsibility related to securing the customer’s critical information. The provider is responsible for things like the underlying operating system of that platform, its availability, and the software versions as well as configuring all that software sufficiently and securely. The customer is responsible for the applications they write, how the applications interact with data, and secure coding principles.
The client is also responsible for authentication and authorization of users.
For the customers hosted in a multi-tenant environment operating on an IaaS basis, CenturyLink focuses on the security of the infrastructure and underlying platform. Our goal is to enable the customer to secure critical data and remain compliant with various regulatory regimens, such as those that cover personally identifying information (PII). The customer is responsible for overall security controls around their data, managing access, securing virtual machines (VMs), and the operating systems on those VMs — including patching and configuring it securely. The customer is responsible for securing their data, encryption-at-rest where needed. To that end, we have partners who specialize in encryption-at-rest solutions, such our ecosystem partner Vormetric.
CenturyLink Cloud secures its platform through multiple sets
of tasks and work streams. These include Secure Architecture,
Change and Incident Management, Data Segregation, Physical
Protection, and Personnel Practices. Each work area is distinct, but
they overlap and form a defense-in-depth approach to security.
CenturyLink Cloud employs a thorough Secure Architecture Review process based on the SOC 2 Type 2 Audit Standard. SOC 2 Type 2 is designed to report on controls that are relevant to security, availability, processing integrity, confidentiality, or privacy. Based on the AICPA Guide, the SOC 2 Type 2 audit covers oversight of the organization, vendor management, internal corporate governance and risk management processes, and regulatory oversight — if applicable. We focus specifically on the areas of security and availability.
For CenturyLink, the core of our security model comes from the concept of isolation. A new CenturyLink Cloud customer is set up in an isolated environment on our platform.
By default, the new customer is in a secured, isolated Cloud environment with a “nothing open to the world” perspective. We ensure isolation in our multi-tenant environment by adhering to six internal principles:
CenturyLink uses work-based controls to isolate one customer from another as well as from the public network. We also take advantage of the capabilities of our virtualization platform to enforce isolation between customer environments at the hypervisor and storage layers. Other relevant isolation controls include:
CenturyLink has established change and incident management processes. The goals are to ensure that all changes to the production infrastructure are properly planned, tested, and approved. Change management processes are audited. Our incident management program is designed around a quick response to customer tickets and incidents, regular communication about status of incidents on our platform, and quick resolution to incidents.
Our Change Management Process is designed to provide an orderly method in which changes to the IT environment are requested and approved prior to installation or implementation. This covers any and all changes to the hardware, software or applications. This process also includes modifications, additions or changes to the LAN/WAN, network or server hardware and software, and any other environmental shutdowns (electrical).
The process is put into action for any change that might affect one or all of the environments CenturyLink Cloud relies on to conduct normal business operations. The purpose is to ensure that all elements are in place, all parties are notified in advance, and the schedule for implementation is coordinated with all other activities within the organization.It also includes any events that may alter the normal operating procedures. All changes require a technically qualified engineer other than the person implementing the change review and approve the change. Changes are recorded and tracked in a master change management calendar, and all changes that may impact customers are required to meet the notification timelines published in the SLA on our public website.
CenturyLink’s Incident Management program is designed around three principals: Quick response, frequent communications, and swift resolution. Our Ticket Prioritization Matrix explains the process in detail.
Given that incidents tend to vary, there is some flexibility built into the response though the CenturyLink Cloud team adheres to the following general steps when handling a security incident:
How data is segregated in a shared environment?
CenturyLink enforces data segregation in its environment using the VMWare hypervisor. We allocate customers’ data on VMWare’s Virtual Machine File System (VMFS), in virtual disk files (VMDK) files. VMWare enforces permission on the VMDK files so that the only file visible to the virtual machine is one to which the customer has directed the VMWare software to grant permission. CenturyLink’s automation enforces a policy wherein when a customer creates a new virtual machine, that virtual machine creates its own dedicated disks. They are not shared. The CenturyLink Cloud Control Portal does not have any ability to share or create a shared file between multiple VMs. We can have thousands of customers, each with VMs, on a shared data store. Each machine will only see the disk files that have been assigned to it, and the disk files can be seen by no other machine on the platform. While this also means that customers cannot grant shared access from different VMs to the same SAN, we believe this security model is in the best interest of our customers long term.
CenturyLink’s Cloud nodes are hosted in 13 data centers around the world. All of our data centers are governed by security standards for the protection of our cloud environment within those data centers. Those security standards include an isolated and protected cage that is dedicated to the CenturyLink Cloud equipment and is secured separate from the other customers in that given data center or facility. For instance, a CenturyLink Colocation customer cannot gain physical access to the CenturyLink Cloud’s cages. CenturyLink data center have security cameras, and 24/7 alarms at the physical data center layer. We maintain tight control over our lists of authorized users, who can access facilities, and who can authorize work in, or authorize vendors into our cage.
CenturyLink includes personnel policies and practices into its overall security program. The company emphasizes the reliability of the personnel we hire and who have access to the platform. We have rigorous screening and interview processes that make sure that we only hire highly qualified and trained candidates who are experts in the technical area for which they’re being hired. The hiring process includes industry standard background checks, looking for any issues that contradict our standards for employee conduct. These include criminal background checks.
Our onboarding process includes training in all of our security
policies and procedures as well as training in our Change and
Incident Management procedures.
Our onboarding also includes supervised training and knowledge transfer prior to individuals being given access to production systems. Ongoing training follows at regular intervals, including refresher courses on our security policies and procedures. They receive training on updates or changes, policies and procedures and ongoing technical training as the technology that we use changes over time. Policies are vigorously enforced through Human Resources.
CenturyLink Cloud’s network security starts with our commercial-grade, clustered, highly available firewall. With this, we can do stateful packet inspection. We have implemented intrusion prevention screens to block well-known web-based attacks. With our “isolated by default” model, each customer account is given their own VLAN. That VLAN by default has no connectivity to
anything other than through a standard VPN server, a default VPN
server that is provisioned for each account. This is the only way a customer can access its virtual machines by default.
We provide load balancing, either on a shared load balancer service or through a dedicated load balancer appliance if the customer needs more sophisticated configurations. Customers have the ability to open and assign public IPs to their virtual machines and specify open ports as needed for their business and use of the platform. VMs are isolated on the network. For instance, when a customer creates virtual machines in four different data centers, by default they are all isolated from each other. They can’t communicate with each other. The customer has the ability to create firewall rules that will allow those different VLANs to communicate with each other, if they choose. The customer can create powerful network isolation architectures that can include a DMZ if one is required.
Our recommended practice is that the client should never assign a public IP address or open a port unless they have a specific need to do so. They should never expose SSH or RDP protocols to the public network because these are common attack vectors. We allow them to do it, but we strongly recommend they do not take this course of action. If there is business reason that they need to have SSH or RDP exposed to the public network, then they should use our source IP limitation feature, which will restrict traffic to those ports from specifically authorized external IP addresses.
The CenturyLink Cloud platform is built for performance, reliability, and security. Our IaaS platform offers on-demand provisioning of high-performing virtual machines with any combination of operating system, storage, and memory. VMs can be extensively customized for myriad workloads and security/compliance requirements. Virtual servers rely on fully redundant enterprise-class hardware connected through private high-speed virtual LANs. The customer is able to deploy to data centers around the globe. Each security-audited data center contains “Nodes” that are engineered to include fully redundant enterprise-class hardware from front-end firewalls to storage.
CenturyLink’s Data Center Intrusion Prevention System (IPS) attack prevention feature screens incoming and outgoing traffic for potential
attacks. This protection is available data center-wide, and is enabled by default for all cloud customer instances. The IPS feature is a standard feature of our edge firewall product. The CenturyLink Cloud platform uses “screens” to look for specific and common attack traffic.
If a specific attack or event is detected, CenturyLink offers numerous, flexible remediation activities. They vary depending on the source, target, number of customers affected and type of exploit. CenturyLink Cloud resources will work closely with our customers to take appropriate steps to resolve these events in a timely manner. This includes, but is not limited to, isolating a specific Virtual Machine to blocking IP addresses of attack sources.
CenturyLink Cloud provides sophisticated Identity and Access Management features. These include granular Role-Based Security settings. Role-based access control (RBAC) is designed to make it possible for certain common customer roles, such as Account Administrator or DNS Manager, to have access to preset admin functions.
For example, a Billing Manager will only see billing information, not configuration settings for VMs. See our Role Permissions Matrix.
The CenturyLink Cloud Control Portal can be configured to do single-sign-on against the customer’s existing identity infrastructure using Security Assertion Markup Language (SAML) 2.0. SAML lets the customer leverage their existing identity management processes and tools and mechanisms. This allows the customer to implement whatever multi-factor authentication or enhanced authentication schemes that they need to control access to the Control Portal. For example, the CenturyLink portal can authenticate against Microsoft Active Directory Federation Services (ADFS), Oracle Identity Manager, Microsoft Forefront Identity Manager, and so forth. The Control Portal is used to manage the customer’s Cloud environment, create/modify/delete machines, change the firewall, connectivity, and so forth.
CenturyLink has a disaster recovery program known as Safehaven from Data Gardens. Safehaven for CenturyLink Cloud is a solution that offers protection for production workloads in a cost effective, low investment model. SafeHaven for CenturyLink Cloud protects both at the level of virtual IT infrastructure (VMs and data volumes) and at the level of active business processes. Customer benefits include:
Disaster Recovery is a complex topic area and that there are many protection strategies to achieve the desired results. We created this service offering in response to customer feedback as yet another option for our customers to protect their production IT environments.
We also recognize this solution is not a panacea for DR; rather it’s a solution oriented tool that may help you service certain production workloads in a cost effective, low investment model. And for those workloads that require a different protection technique we have the depth of resources to help you realize your goals.
In addition to the security features and services provided in CenturyLink Cloud, CenturyLink offers many others that go beyond the basic platform capabilities. Some of these services require consultation and customization by CenturyLink. In other cases, CenturyLink makes it possible for the customer to install and configure specialized security software or add third party security services to their accounts.
For example, the customer can have CenturyLink set up and manage Windows Server running IIS or Active Directory, RedHat Linux machines running Apache Tomcat, Cloudera, and so forth. With these managed services come certain built-in security features and various security options.
CenturyLink managed services are run on the same secure CenturyLink Cloud infrastructure that is used for all customer cloud instances. We also secure our managed Operating Systems with industry-standard (McAfee) anti-virus protection, regular virus and malware signature updates. Managed Operating Systems come with basic OS-level hardening, such as closed ports, to mitigate risk. Support is available for all critical and vendor-recommended patches, though the customer must request patching based on their specific corporate policies.
This includes keeping the system current with all patches and “hot fixes” to help prevent security compromises or operational reliability issues. CenturyLink ensures that only OS vendor-recommended patches are installed.
Managed Services are set up for uniform baseline security
using a “blueprint” that configures the OS and application with
CenturyLink’s standard security policies. We employ a shared
domain controller to authorize customer administrators. With this
approach, a customer administrator cannot access any managed
services product except their own. Only CenturyLink staff can
access multiple customer managed service instances.
CenturyLink’s Managed Security Service reduces the costs and complexities associated with comprehensive threat protection and Internet security by providing flexible, around-the-clock protection against known and unknown Internet threats.
Managed Security Service provides comprehensive threat protection, options for malware mitigation, Web filtering, spam filtering, access control, and VPN support. As a managed security service provider, we offer 24/7 monitoring, management, and support-including easy visibility into service information through an online self-service portal. Services include:
CenturyLink logs multiple streams of activities in its cloud datacenters. Selected logs are available to customers as needed. By default, CenturyLink does not do OS level logging. However, we do have optional services available to provide a complete logging solution based on LogLogic and Tibco based solutions.
With IaaS, the customer is responsible for data encryption. However, we offer guidance on best practices and enable customers to use many different encryption technologies and third party providers in their cloud instances, including Vormetric.
The Vormetric Data Security Platform offers an enterprise cloud security solution that can help you address compliance concerns that delay or minimize the migration of sensitive assets into private, public and hybrid clouds with its robust, comprehensive security capabilities. For instance, we recommend encrypting data at rest and encryption at the application level, not at the OS layer. This practice helps mitigate the risk of unauthorized data access by an entity that has attained access to the OS.
Anti-Virus is a customer security responsibility, though
CenturyLink is able to facilitate the use of many third party antivirus
tools. Nessus vulnerability scanning is also available.
CenturyLink’s Email Defense safeguards the customer’s business from unsolicited spam e-mail, viruses, worms before they can enter the network. This is a gateway-based managed security service that filters and cleans e-mail from the Internet before it reaches the customer’s network. The service can also block inappropriate content coming in and going out, and prevent e-mail malware from infiltrating the network.
CenturyLink's network security assessment services can help protect the customer’s business against all these threats. Table 2 summarizes the Security Service offerings. Our security experts will analyze and assess data vulnerabilities and then design and implement a portfolio of solutions to help build you a better data security system.
Secure IP Gateway, offered through CenturyLink IQ Networking Enhanced Port, diverts Internet traffic designed to meet customer-defined security policies. This is one of the most secure methods for connecting your on-premises infrastructure to our cloud, hosting and colocation services.
Secure IP Gateway provides a convenient and cost-effective solution that eliminates the need to maintain separate network ports and premises-based firewall services. Features include:
Table 2 – CenturyLink Security Services
Web Defense, powered by McAfee, is an easy-to-use business Internet security solution. By routing client web traffic through CenturyLink Web proxy server, the web security solution enables the client to conduct business on the Internet more safely and cost-effectively. Web Defense effectively blocks quickly evolving Web threats, including spyware, viruses, and phishing attacks. It also helps prevent access to inappropriate sites. Web Defense adds several necessary layers of protection by enabling administrators to enforce policies that prevent users from accessing popular Web mail sites and fraudulent phishing sites.
CenturyLink Web Security service features protection of the
customer network, including remote users.
It provides continuous updates to protect against the latest threats and reliable, around-the-clock service and support. The service includes a wide variety of threat activity and Internet usage reports. Benefits include:
CenturyLink Cloud is entrusted with hosting many sensitive, business-critical systems for clients that include some of the world’s largest corporations. This guide describes how CenturyLink Cloud manages security for its clients. It starts by reviewing CenturyLink’s “Shared Responsibility Model” for security.
The guide outlined the CenturyLink Cloud security features, processes and best practices used to secure the cloud platform and its data and explains the role of customer and provider for managed services.
It went into detail on change and incident management, data and storage segregation, cage protection, personnel policies, access controls, network security, compliance and audit frameworks, replication, and disaster recovery. Please note that this guide did not go into specifics about CenturyLink Cloud’s compliance programs. A subsequent guide will go into depth on this topic and will be available later this year (2015).
CenturyLink Cloud is the complete platform to easily manage your entire business application portfolio, from application development to business-critical workloads across public and private cloud infrastructure. CenturyLink Cloud offers high-performance, scalable, self-service virtual machines across our global network of data centers. Built-in automation, orchestration, and management tools provide a flexible, scalable, cost effective IT-ready and developer-friendly platform.
CenturyLink Business delivers innovative managed services for global businesses on virtual, dedicated and colocation platforms. It is a global leader in cloud infrastructure and hosted IT solutions for enterprise customers. Parent company CenturyLink, Inc. is the third largest telecommunications company in the United States, and empowers CenturyLink Business with its high-quality advanced fiber optic network. Headquartered in Monroe, LA, CenturyLink is an S&P 500 company and is included among the Fortune 500 list of America’s largest corporations.