The 6 core competencies of our BIO FRIENDLY IT services
Privacy
What do we do?
Your Data Belongs to You!
Your data belongs to you! We offer you your "own" cloud - either on your own servers or strongly secured on our German servers. Your data stays only with you and will never end up in the hands of third party providers or large corporations. Our cloud solutions are open to our customers and the data is only accessible to our customers.
Compared to data protection, we are concerned with protecting your data, whether it is related to an individual or not. This term therefore also includes data that does not relate to a person (e.g. your design plans), both digital and analog. Here we want to minimize security risks and protect your data from manipulation, loss or unauthorized copying. So the issue here is not whether data may be collected and processed (that is a question of data protection), but what measures are necessary to protect your data. We ensure your data security in the context of data protection by implementing appropriate technical and organizational measures.
The legislation in the USA is completely different from ours. Since 9/11, US authorities have been able to access data on the basis of the Patriot Act or, since March 2018, with the CLOUD Act even if companies also store their data outside the USA. Therefore, European data protection regulations (DSGVO) do not help here. Thus, all communication is stored. Edward Snowden, among others, has revealed that this is happening on a large scale.
Third-party Connections
In principle, we strongly recommend being careful with your IT assets when connecting to third-party providers. Cloud connections are only in order if they are trustfully managed by a certified BIO FRIENDLY IT professional. This, of course, excludes services that connect your office to the public internet and telephone network so that you and your employees can make phone calls and do internet research. For your security, we check the connections to third-party providers for all your IT components. The optimal solution we recommend for you is that your software/website only connects to perform software updates and no data is transferred other than the version, operating system, or hardware used.
For security reasons, we generally refuse if your software/website stores data in a non-certified cloud, e.g. Microsoft Azure, OneDrive, Apple iCloud, or in the Amazon cloud. Possible culprits here are virus/malware scanners and website plugins that usually upload your data without being asked. To protect the privacy of your users (DSGVO), we strongly advise against loading parts of your website from third-party providers. Here, data protection is to be valued higher than speed; for example, the unfortunately common use of content delivery networks (CDN), Google fonts, or Javascript libraries just to make these parts load faster. Likewise, we reject tools such as Google Maps or Google Statistics. If we provide these features on our own web server, it remains the only "point of contact" for your users and you therefore retain control. Links to other websites, on the other hand, are not problematic if you point them out to the end user on your website.
If an indispensable piece of software has a backdoor that forwards data to unknown destinations, we recommend that you switch to an open-source alternative with viewable source code. If this is not possible, we can block these unwanted connections as well as possible here at your site through pro-active firewall management and monitoring as part of a so-called patch solution
.
Full Backups
We recommend that you have us set up your workstations, servers, and virtual machines to automatically perform daily cloning (mirroring). It is also important that we regularly perform necessary recovery tests for you to check the quality of the backups. This way we ensure that we can restore your data or devices immediately in case of failure. We recommend cloning all your devices every 24 hours. Your data should not be backed up locally, but in your private cloud, so that even in case of total loss (e.g. fire) your data can be restored. We set this up for you so that the data is stored in 256+bit encrypted form and transferred via a 256+bit encrypted VPN tunnel. At least once per quarter, we do a recovery test for all affected devices.
Instead of mirroring, we manually back up some of your devices with a single encrypted configuration file. After each update of such a device, we perform a manual backup. For example, the settings of your VoIP telephone exchanges or your firewalls can usually be backed up with just one file.
Incremental Backups
We would like to point out that mirroring described above is not always sufficient. For example, faulty, accidentally deleted/corrupted, or even malware-infected files may be mirrored as well. In that case, using such mirroring for recovery is nonsensical or even dangerous. In order to restore your data cleanly and completely, we also perform incremental backups. Here we store a history of revisions of all your files and folders over a desired time in a separate location. If data and folders have been accidentally deleted or infected, it is possible to restore such data and folders through the history. The backup and restore process is more complex in this case. Therefore, only the most important data should be backed up in this way.
Data Access in your Office
It is important that access to your active data on your work devices and servers in the office is protected. For each device, server, or virtual machine, we check that all your data on the device is encrypted and can only be unlocked with a password when booting. We recommend that you do not store your passwords anywhere or share them with other people. You should apply strict password policy guidelines in your company, e.g. with fixed number of digits, characters or capital letters. Your employees should always log in, and again after a short absence. We recommend that you secure the premises where your devices are located with a lock or other special access.
Generally, we recommend that you encrypt all your files on your devices to prevent data theft. For certain devices, encryption is not always necessary, e.g. if it is a firewall appliance, where encrypting against theft is more costly than simply renewing these files after a possible data loss, e.g. with new credentials. [Reference: Netgate: Whole disk encryption]
BIO 7-Level Data Access Concept in your Cloud (© Gaastra GmbH 2021)
To protect your data, we divide your system into several separate areas. The respective separations of our data access concept can be illustrated by comparing the seven areas in our data center to a hotel. Each level has its own access permissions, its own protections and is mostly inaccessible to the other levels:
- Level 1 - "Your city at the backbone" - Data Center: Only Level 1 employees have access here. Secured against fire, weather, power failures and network failure.
- Level 2 - "Your BIO Aparthotel in the city center" - Colocation Partner: In principle, only Level 2 has access here. Level 3 gets special physical access to its own floor level 3, but only under the escort of an employee of level 2. Also secured against fire, weather, power failures and network failure, especially against "Distributed Denial of Service"(DDoS) attacks.
- Level 3 - "Your premium BIO floor in the hotel" - Physical Server: Only Level 3, i.e. we, Gaastra GmbH, have the management access here via strongly secured VPN tunnels. Although employees of Level 2, theoretically, have the physical access, the floor Level 3 remains protected because these employees do not have appropriate VPN tunnels and passwords.
- Level 4 - "Your wing inside the floor" - Virtual Sub (Sub) Network: From level 4, everything is virtual and there is no physical access. We, Gaastra GmbH, have console access here via our management VPN tunnels. The customer can also get optional access via their own VPN tunnel.
- Level 5 - "Your Apartment" - Virtual Server: As with Level 4, there is only access for Gaastra GmbH and optionally for you, as a customer, again with its own protection. Unlike Level 4, Level 5 is a single server (rather than a network of several servers).
- Level 6 - "The home automation of your apartment" - The backend(s) of the platform: This area is used by the administrator to configure the platform. Here, we protect the access by IP address or VPN tunnel. In addition, the customer needs a "strong" password here. Here, there is only access to level 6 and level 7.
- Level 7 - "The Salon" - The front end(s) of the Platform: Access for end customers is secured via passwords with possible multi-factor authentication (MFA), where access authorization is verified by several independent characteristics (factors). In the case of a website, this access can also take place without authentication. In the case of a public server, we aim that only level 7 is accessible via the public Internet.
Why is this interesting for you?
We separate all connections to external providers at your site so that your data remains only with you. We protect you from possible data loss through a sophisticated data backup strategy. Likewise, we build step-by-step security concepts at your site to protect your data from unauthorized access. Our security concept is another core point that, together with the other core points, makes our system BIO FRIENDLY IT unique.
Health ⇄ Privacy: Wired connections (LAN) offer the best possible data security. If you use WLAN or Bluetooth, no reputable IT service provider can guarantee the protection of your personal data. When using WLAN, it is always possible to access your data from the outside. Hackers have many public tools available for attacks, for example: https://github.com/wifiphisher/wifiphisher
Open Source ⇄ Privacy: Caution is advised with data protection/data security for manufacturers of closed source software, because US and also Chinese companies are bound by the laws of their country without exception. Laws in these countries lead to the forwarding of customer data to their own state institutions, if the government or authorities require it. So-called "back doors", built into the respective software, could also allow arbitrary access to the purchased software in Europe. Closed-source products are therefore problematic for data protection reasons. As a positive side effect, it can be observed how companies are gradually understanding that data security is a value proposition for customers - especially in Europe.
Adding: Europe's Greens (EFA) demand: no proprietary software for public computers!"
[Reference: Time Online]
With macOS, there are specific policies to protect against privacy breaches. Through our knowledge, we can guarantee data security with privacy on Macs; however, this assumes that you do not use iCloud.
IT Security ⇄ Privacy: IT Security
and Data Privacy
not only go hand in hand, but are mutually dependent. With other IT service providers, these terms are sometimes combined by mistake
. Here, we separate all security aspects directly related to data
as data privacy
. Under the broader term IT security
, we are concerned with protecting the technical processing of information. Mainly, it is about the error-free functioning and reliability of your IT systems. Reference: Dr. Datenschutz
Independence ⇄ Privacy: More independence from third-party providers also means that less data falls out of its own protection. Nowadays it can easily happen that your data - without your consent - ends up on the servers of Microsoft or stored in China. Our goal is to protect your data as good as possible.
How do we do it? Our own BIO-certification
Third-party Connections
In principle, we strongly recommend being careful with your IT assets when connecting to third-party providers. Cloud connections are only in order if they are trustfully managed by a certified BIO-FRIENDLY IT professional. Services that connect their office and cloud to the public internet and phone network are excluded. We verify third-party connections on all IT equipment:
- BIO PT Cl 1 OK: The software/website connects only to perform software updates. No data other than the version, operating system or hardware used is transmitted.
- BIO PT Cl 2 FAIL CLD: The software/website stores data in an uncertified cloud, e.g. Microsoft Azure, OneDrive, Apple iCloud, or in the Amazon cloud. There is software in your system, such as virus/malware scanners, that upload your data to foreign or non-certified servers for matching.
- BIO PT Cl 3 FAIL CDN: The website uses a content delivery network (CDN) to make parts load faster from the website. Examples here are the Google Fonts, Maps or Statistics. If you want to protect your privacy, this cannot be tolerated. Links to other websites are umproblematic if end users are made aware of it.
- BIO PT Cl 4 FAIL BKD: The software has a backdoor to forward data to unknown destinations. We therefore always recommend open source software, where yes the source code can be viewed.
Through pro-active firewall management and monitoring, problems such as BIO PT Cl 2 FAIL CLD or BIO PT Cl 4 FAIL BKD can be partially prevented as part of a so-called patch solution
.
Full Backups
Daily cloning (mirroring) of workstations, servers and virtual machines with regular recovery tests should allow data or devices to be restored immediately in the event of hardware failure.
- BIO PM Cl 1 OK: A cloning of all devices is performed at least every 24 hours and stored in your private cloud. This is done in 256+ bit encrypted form over a 256+bit encrypted VPN tunnel. A recovery test for each type of device is performed at least once per quarter.
- BIO PM Cl 2 OK MAN: Some devices can be manually backed up with a single encrypted configuration file. After each update, such a manual backup is performed to another device that can be assigned to the code "BIO PC Cl 1 OK". This applies, for example, to the settings of a telephone switchboard, which can be backed up with one file
- BIO PM Cl 3 FAIL TRN: Same as Cl 1, but the transport is not sufficiently secured by a 256+bit encrypted VPN tunnel.
- BIO PM Cl 4 FAIL ENC: Same as Cl 1, but the storage medium is not sufficiently encrypted with 256+bit encryption or the password(key) of the encryption is known outside the circle of authorized access.
- BIO PM Cl 5 FAIL LOC: Same as Cl 1, but the destination of the backup matches the source location and thus is not secured in different locations.
- BIO PM Cl 6 FAIL TMG: Same as Cl 1 if cloning is not adhered to more than five times per month or the recovery test(s) are not completed in the last 6 months.
- BIO PM Cl 7 FAIL SAN: The storage medium is defective or full.
- BIO PM Cl 8 FAIL NA: There is no backup strategy.
Incremental Backups
Incremental backups store a history of revisions of all files and folders over a desired time. If data and folders have been accidentally deleted, it is possible to restore such data and folders through the history. The recovery process is more complex. Therefore, only the most important data should be backed up in this way.
BIO PI Cl 1 OK / BIO CI Cl 2 MAN / BIO PI Cl 3 FAIL TRN / BIO PI Cl 4 FAIL ENC / BIO PI Cl 5 FAIL LOC / BIO PI Cl 6 FAIL TMG / BIO PI Cl 7 FAIL SAN / BIO CI Cl 8 FAIL NA - as described above, then for incremental backups.
Data Access in your Office
It is important that access to your active data on your work devices and servers in the office is protected. For each device, server, or virtual machine we check:
- BIO PO Cl 1 OK: All data on the device is encrypted and can only be unlocked with a password at boot time. The user uses a password when logging in or when logging in again after a short absence. The password complies with the facility's password policy guidelines. It is not stored anywhere or shared with anyone else. The room where the device is located is secured with a lock or other special access.
- BIO PO Cl 2 OK PUB: All data on the device may be publicly accessible, therefore the criteria of "BIO PO CL 1 OK" need not be met, e.g. Macs for guests.
- BIO PO Cl 3 OK ENC: Certain data on the hard disk need not be encrypted, e.g. if it is an
appliance
for a firewall, where encrypting against theft is more costly than simply renewing this data. [Reference: Netgate: Whole disk encryption] - BIO PO Cl 4 FAIL ENC: The data on the hard disk is not (sufficiently) encrypted and can be read immediately in case of theft.
- BIO PO Cl 5 FAIL LEAK: The password is known to several people.
- BIO PO Cl 6 FAIL POL: The password does not meet operational guidelines, e.g. with the number of digits, characters or capital letters.
- BIO PO Cl 7 FAIL NLO: The user is not logged out, so another person can access the device.
- BIO PO Cl 8 FAIL PHY: Physical access to the device is not secured, e.g., the room has no access control.
BIO 7-Level Data Access Concept in your Cloud (© Gaastra GmbH 2021)
To protect your data, we divide your system into several separate areas. The respective separations of our data access concept can be illustrated by comparing the seven areas in our data center to a hotel. Each level has its own access permissions, its own protections and is mostly inaccessible to the other levels:
- Level 1 - "Your city at the backbone" - Data Center: Only Level 1 employees have access here. Secured against fire, weather, power failures and network failure.
- Level 2 - "Your BIO Aparthotel in the city center" - Colocation Partner: In principle, only Level 2 has access here. Level 3 gets special physical access to its own floor level 3, but only under the escort of an employee of level 2. Also secured against fire, weather, power failures and network failure, especially against "Distributed Denial of Service"(DDoS) attacks.
- Level 3 - "Your premium BIO floor in the hotel" - Physical Server: Only Level 3, i.e. we, Gaastra GmbH, have the management access here via strongly secured VPN tunnels. Although employees of Level 2, theoretically, have the physical access, the floor Level 3 remains protected because these employees do not have appropriate VPN tunnels and passwords.
- Level 4 - "Your wing inside the floor" - Virtual Sub (Sub) Network: From level 4, everything is virtual and there is no physical access. We, Gaastra GmbH, have console access here via our management VPN tunnels. The customer can also get optional access via their own VPN tunnel.
- Level 5 - "Your Apartment" - Virtual Server: As with Level 4, there is only access for Gaastra GmbH and optionally for you, as a customer, again with its own protection. Unlike Level 4, Level 5 is a single server (rather than a network of several servers).
- Level 6 - "The home automation of your apartment" - The backend(s) of the platform: This area is used by the administrator to configure the platform. Here, we protect the access by IP address or VPN tunnel. In addition, the customer needs a "strong" password here. Here, there is only access to level 6 and level 7.
- Level 7 - "The Salon" - The front end(s) of the Platform: Access for end customers is secured via passwords with possible multi-factor authentication (MFA), where access authorization is verified by several independent characteristics (factors). In the case of a website, this access can also take place without authentication. In the case of a public server, we aim that only level 7 is accessible via the public Internet.
To give you an overview of how good your data access concept is, we rate compliance on a scale from 0 to 100%. In your cloud, is data access divided into maximum levels among several people / institutions, each with limited access?
- BIO PC Cl 1 OK: In your case, the 7-level concept is fully complied with, or there are in some cases even stricter requirements: 100%
- BIO PC Cl 2 FAIL: No aspect of the 7-step concept is adhered to: 0%
.