Introduction:
Zenith Infotech Ltd. uses industry-leading security engineering practices and processes in building its SAAZ OnDemand Platform. This document provides an overview of the security engineering practices that have been incorporated into the SAAZ OnDemand Platform.

Zenith Infotech Ltd. is a leading developer that has provided a complete managed services infrastructure for over 4 years. Our development team originally designed software for banks and commercial applications. During this time our products have undergone intense scrutiny from all types of security experts, both within and outside of Zenith Infotech Ltd. We applied this experience and these security practices when we built the SAAZ OnDemand Platform. Our software is used by governments, financial institutions, and other security-conscious organizations. We apply industry best practices when making decisions about security; this includes techniques used in engineering and QA, as well as the way that we've implemented our organization and our processes. Where appropriate industry standards exist, we use them to inform our decisions.

Data Center:
Our data center is hosted at Hurricane Electric's state-of-the-art facility in Fremont, CA. Hurricane Electric is rated as one of the top ten data centers in the world, with amenities including 24/7 onsite staff, HVAC environmental systems with up-flow air conditioning units, conditioned uninterruptible power and back-up generators to prevent energy surges or loss of power, a high-tech security system with digital video surveillance custom designed to monitor every entrance, exit, and hallway, and a high-security card key system that monitors and limits access to certain areas within the facility. We have three dedicated OC-3 connections providing Internet connectivity to our server farm.

Only a select few individuals have administrative access to our SQL Server databases. All other access is at the application level. Information sent to our databases is first processed by a forwarding server and then imported into the database. Our databases are not directly accessible from the Internet.

Firewall:
We use state-of-the-art firewalls and only allow incoming traffic on ports 80 and 443. Our firewalls are multi-threat security systems which enable secure communications and deliver the best security and performance.

Communication:
The SAAZ Platform operates entirely over secured 128-bit encrypted connections. Our agents send only asset data and performance data to our data center. Confidential information such as users' passwords does not leave the user's machine. The agents send this information over outbound port 443 (SSL). There is no threat of a virus spreading or of a hack over the Internet due to this outbound connection. Client-side firewall configurations are not needed with our platform, as it operates entirely over outbound connections to our data center. This allows the agents to work in any network configuration without introducing vulnerability to inbound port scans or network attacks.

Agents:
The Desktop and Server Agents are responsible for collecting asset data and performance data. The agents themselves run using the local system account. The Desktop Agent sends a keep-alive request to the data center every 30 minutes over port 443. The Server Agent sends a keep-alive request to the data center every two minutes over port 443. Only the Registration ID, which is a unique 128-bit code, is sent over port 443. There is no information in the keep-alive packet that identifies the machine or that would enable a hacker to identify the machine.

Encryption:
Zenith Infotech Ltd. protects against third-party attacks by encrypting all data sent from the agents to the data center. All information is first compressed at the client side using a compression key, then encrypted and sent over a secured 128-bit encrypted tunnel. Once the information reaches the data center, it is first decrypted and then uncompressed using a compression key. The information is then imported into a database which is not directly accessible from the Internet.

Remote Management Console:
The Remote Management Console allows the Managed Service Provider (MSP) to securely connect to and take remote control of the client machine. Two methods of remote control are supported. The first is an ISL Lite connection that operates over port 443 and is 128-bit encrypted. The second is an RDP connection for server machines. This connection is also 128-bit encrypted and uses a Secure Shell 2 (SSH2) tunnel over port 443. Both methods of remote control access use client-to-client encryption. The MSP's machine initiates the connection and generates the encryption key. The connection is routed through our data center, which acts as a pass-through tunnel, and the connection is then made to the client's PC and is decrypted.