Security and Reliability
Our servers, which are hosted centrally between Johannesburg and Pretoria, are not in a direct flight path or low-lying area and is located close to a major power substation. In addition, a geotechnical audit has been done to ensure ground stability.
Our data centre uses 45 internal and external surveillance cameras, as well as 10 perimeter cameras, which are strategically placed and monitored around the clock to ensure that all servers remain off-limits to anyone without security clearance. High-voltage security fences and a 24/7 security presence help to deter any opportunistic crimes.
Customers, employees and contractors have varying levels of authorised access to different areas of our facility, controlled by high-tech biometric scanning systems, with 20 devices and pin-coded keypads.
The facility is custom-designed for low fire risk, with a Very Early Smoke Detection Apparatus (VESDA) installed to trigger alarms at even the slightest hint of smoke particles.
There are no flammable materials present in the ‘white space’ in the Data Centre and all cabling is fire-retardant.
An 11kV power supply from the municipal power utility energises a fault-tolerant, medium-voltage ring that powers two separate low-voltage 2MVA energy centres. These A- and B feeds power mission-critical infrastructure such as IT load, air conditioning, security systems and emergency lighting. They provide seamless electrical failover with their own emergency backup power systems in the event of a power failure.
We have on-site fuel storage sufficient to run our generators for 7 days’ continuously. Our UPS’s provide always-on power, with battery standby time of 30 minutes.
Our network is multi-homed with multiple uplinks per data centre via at least two Tier 1 upstream providers and peering partners. Should a network failure occur, traffic is automatically rerouted via alternate uplinks, significantly increasing our network resilience.
Connectivity is provided through diverse, redundant fibre routes connecting the facility to a 10Gbps fibre ring.
Network level security consists of three main components:
- DDoS mitigation
- VLAN reverse path forwarding protection
- Juniper firewall rules at the network edge and core
A DDoS detection and mitigation system is deployed in our data centre. DDoS attack traffic is diverted to a filter/scrubbing server that can distinguish between valid and malicious traffic. Malicious traffic is scrubbed off while valid traffic is re-injected into the network. The victim IP is not affected during the DDoS attack. DDoS detection and mitigation is fully automated and traffic diversion occurs automatically.
Small DDoS attacks are scrubbed locally in the data centre by the mitigation system. For larger attacks, traffic is diverted to an international DDoS mitigation provider which then sends the clear traffic on to South Africa.
VLAN Reverse path forwarding protection
Reverse path forwarding protection is enabled for all VLANs in our data centre. This policy ensures that only the subnets allocated to a VLAN can generate traffic for that VLAN. This helps to mitigate two kinds of malicious traffic:
- Source-spoofed traffic where a host is sending out traffic for subnets that do not belong to the VLAN.
- Inter-VLAN subnet spoofing, where a host in one VLAN uses IP addresses from another VLAN using source-spoofing.
Juniper firewall rules
Firewall rules on the data centre network edge and at the core are used to protect the network in a number of ways:
- Rate-limiting of certain protocols to protect the network infrastructure.
- Blocking of certain protocols and destination IP addresses to protect our operational systems.
- Restricting access to certain hosts and protocols to defined lists of source addresses.
- Blocking of abusive IP addresses and hosts.
All servers are monitored 24/7 for all critical services and hardware health. Our reactive system administrators react to monitoring alerts as they are identified and escalate issues to data centre staff or platform engineers.
All servers used are physical servers exclusively provisioned and managed by us.
Servers are designed to provide redundancy and reliability, including multi-core, multi-CPU systems, ECC (Error-Correcting Code) memory modules to detect and correct data corruption in real time and enterprise grade storage that includes hard disk and solid state drives.
All data is stored on dedicated, robust RAID storage arrays providing data redundancy and integrity.
Security response policy
All relevant security advisories are evaluated weekly. We make use of Debian Linux and trust their security response to all common vulnerabilities and exposures (CVE).
We are committed to updating all software to the latest stable versions within 7 days of their release, and within 24 hours for critical software updates.
Access to servers is limited by means of Linux firewall software. All servers make use of the same incoming firewall rules and we do not allow any deviation from the standard rulesets
All our servers are automatically backed up in the early hours of the morning. The backup includes all critical data required for disaster recovery.
Our servers run anti-virus which is updated as new virus definitions are released. Servers are scanned daily.
Payment Data Security
Credit/debit card purchases for our services are processed by the third-party vendor, Peach Payments. No credit/debit card information is submitted via our website or stored on any of our systems.
We have implemented an international security solution that provides comprehensive protection against website attacks and vulnerabilities. The solution includes the following components:
- Web Application Firewall (WAF):
A web application firewall (or WAF) filters, monitors and blocks web traffic to and from a web application. All web traffic to the website is routed through the WAF, which filters out malicious attacks and allows legitimate traffic through.
The WAF blocks all kinds of web attacks accurately and quickly with an industry-leading logic-based analysis detection technology, powered by Penta Security Systems. The enterprise level web application firewall protects your websites from unknown web attacks as well as known attacks with the highest precision.
- DDoS Protection:
The solution mitigates and blocks DDoS attacks which attempt to exhaust resources.
We have good incident response plans, procedures, and practices in place that means we respond to incidents or data breaches quickly and effectively.
While we care for the hosting infrastructure including the network and servers, it is our customers’ responsibility to keep their data and account secure.
- Use secure passwords and store them safely