The 6 core competencies of our BIO FRIENDLY IT services

IT Security

What do we do?

We offer our customers only the very highest level of Internet security. On this topic we recommend open-source solutions and Unix-based operating systems. We describe all parts of BIO FRIENDLY IT security here; data security is described separately on another page. If your company is one of those subject to compliance requirements, you know well that IT security is not your only concern: rather, it is meeting the numerous compliance requirements that apply to your business.

4D Network Protection (© Gaastra GmbH 2021)

We help you to identify, isolate and secure your data traffic as well as possible. Our ambition is to close possible entry gates and backdoors for malware as far as possible at your end. We analyze your traffic, which flows in three directions: inbound, outbound and within your network. We always identify the source and destination of the traffic. The type of traffic is defined by protocol and ports. We distinguish the following device classes at your site: workstations (by operating system), servers, mobile devices, smart home devices and network appliances such as firewalls, routers and switches.

We secure all your devices from each other by placing each device class in its own separate subnet. If your subnets are not sufficiently separated, an infected Windows machine, for example, can cripple an important server with ransomware. That is why we separate your subnets to prevent exactly that. For your incoming traffic, only the absolutely necessary ports/protocols are allowed for each subnet. For your outgoing traffic and for server subnets, we allow only minimal protocols to specific target devices.

If your server has full access to the Internet, we recommend that you additionally secure the back-end of your platform with its own access path, either via its own VPN tunnel or via its own list of permitted IP addresses. In addition, we provide sufficient protection against hostile logins and DDoS attacks here. We help you to detect attacks of this kind as well as possible and redirect them automatically.

Scheduled Software Updates

To ensure maximum security at your end, we consider updates for all your IT components essential. This includes end-user software, server software, plug-ins, firmware, drivers, operating system and BIOS updates. Where possible, we recommend enabling automatic updates at your end to keep your components up to date. If automatic updates are not enabled on your end for stability reasons, we recommend that you perform these updates manually within a week, after checking them. The source of your updates should always be marked as Current. If you only have a source that is no longer updated, we can unfortunately no longer guarantee optimal security here. In this case, we recommend that you replace this component.

Reliability

It can never be excluded that networks fail, hardware components fail or software errors occur. Therefore, as a precaution, we suggest a recovery plan optimized for you for each component. For Internet connectivity in your office, we recommend that you have two or more competing provider lines permanently available, preferably with different technologies, e.g. fiber and DSL. Critical servers in your office, such as firewalls, telephone systems, switches and CRM/financial servers, should have a synchronized hot-standby server as a backup, which automatically takes over the work of the failed server within a few seconds.

As an alternative to the "hot standby server", we offer to equip the cloud hardware with many internal redundancies. This reduces your IT footprint but still provides sufficient resilience. For example, we configure your servers with two transformers, so that if the power or the transformer itself fails, another transformer is available. With a daily backup within the server, RAID-6 protected disks can take over if the main solid-state "disks" fail. We also always recommend dual 10Gb fiber connections to the Internet backbone via separate switches in the data center.

Unnecessary Software

Every piece of software, every library and every plug-in adds a security risk. Therefore, we recommend, as already described under the topic "IT footprint", using only software that is really necessary. We only inventory the software that is required for your operation, and we strongly advise you to remove everything else.

Why is this interesting for you?

Your benefits are that we help you to optimize your security through network protection, software updates, resilience of your hardware and software as well as by limiting it to necessary software. This all runs hand in hand with the other core points of our BIO FRIENDLY IT.

Health ⇄ IT Security: WLAN always carries potential security gaps compared to wired connections (LAN), because radio signals can be intercepted and manipulated. WLAN access can consequently never be completely secured outside buildings. WLAN, if used at all, should therefore always be placed in its own quarantine network, separated from the closed wired LAN.
[Reference: https://www.purevpn.com/blog/wifi-hacking-scty/]

Open Source ⇄ IT Security: Using open-source software can increase data security for larger companies for the following reasons:

  • Well-written source code
  • Network automation interfaces
  • Security and compliance automation
  • Seamless integration with our Cloud 4.0

The global open-source community helps detect and close security vulnerabilities faster.

IT Security ⇄ IT Footprint: Through optimal network protection, well-planned software updates and thoughtful resilience, we expect your employees and IT infrastructure to be less stressed overall. Fewer hacker attacks and fewer hardware and software recoveries also mean less power consumption.

Less software and hardware also has security benefits: every redundant component removed, and every simplification of your IT infrastructure, is one security risk fewer.

IT Security ⇄ Privacy: IT security and data privacy not only go hand in hand but are mutually dependent. Other IT service providers sometimes conflate the two terms by mistake. Here, we treat all security aspects directly related to data as data privacy. Under the broader term IT security, we are concerned with protecting the technical processing of information; mainly, this is about the error-free functioning and reliability of your IT systems. Reference: Dr. Datenschutz

Independence ⇄ IT Security: Greater independence from third-party vendors and investors allows us to design your IT security as we see fit; we are not limited to preset solutions. Fewer partnerships with third-party vendors also mean less potential for security breaches.

How do we do it? Our own BIO-certification

4D Network Protection (© Gaastra GmbH 2021)

Every type of traffic should be identified, isolated and secured as well as possible. Our aim is to create segregated subnetworks and to close all entry gates and backdoors as far as possible. We do this based on the following distinctions. Data traffic can flow in three directions: inbound, outbound and within the network. We always identify the source and destination of the traffic. The type of traffic is defined by protocol and ports. All devices on the network are treated as participants, and we distinguish the following device classes: computers (by operating system), servers, mobile devices, smart home devices and network appliances such as firewalls, routers and switches.

  • BIO SN SUB Cl 1 OK: All devices of the same device class are secured from the other classes in their own separate subnet.
  • BIO SN SUB Cl 2 FAIL: Subnets are not sufficiently separated, e.g. an infected Windows machine is on the same network as a server and could therefore cripple this server with ransomware.
  • BIO SN INC Cl 1 OK: Incoming traffic: for each subnet only the absolutely necessary ports/protocols are allowed, e.g. for a web server only SSL over port 443, and for management only port 22/SSH from a VPN tunnel subnet.
  • BIO SN INC Cl 2 FAIL: Unnecessary ports/protocols are open, with very extensive risks.
  • BIO SN OUT Cl 1 OK: For outbound traffic and for server subnets, only minimal protocols are allowed to specific target devices, e.g. only SSL to the relevant update servers for software updates. All other possible backdoors are blocked.
  • BIO SN OUT Cl 2 FAIL: The server has full access to the Internet.
  • BIO INC443 BACK Cl 1 OK: Even if incoming SSL traffic is allowed from the whole Internet, we additionally secure the back-end of a platform with its own access path, either via its own VPN tunnel or via its own list of allowed IP addresses.
  • BIO INC443 BACK Cl 2 FAIL: The back-end is accessible from anywhere.
  • BIO INC443 DDOS Cl 1 OK: There is sufficient protection against hostile logins and DDoS attacks. These are detected and automatically redirected to protect the server.
  • BIO INC443 DDOS Cl 2 FAIL: Attacks of this type are not adequately identified and redirected.
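As an added example (not Gaastra's own configuration), the following nftables ruleset shows how the BIO SN SUB, BIO SN INC, BIO SN OUT and BIO INC443 BACK "Cl 1 OK" criteria above can be enforced on a Linux firewall that routes between the device-class subnets. The subnet ranges, the web-server address, the admin allow list and the update-server addresses are assumptions (RFC 1918 and RFC 5737 documentation addresses).

```nft
#!/usr/sbin/nft -f
# Added example, not Gaastra's configuration. Enforces the BIO SN SUB/INC/OUT and
# BIO INC443 BACK "Cl 1 OK" criteria on a Linux firewall routing between subnets.
# All addresses below are assumed values for illustration.

flush ruleset

define INTERNAL   = 10.10.0.0/16          # aggregate of all site subnets
define WS_NET     = 10.10.1.0/24          # workstations
define SRV_NET    = 10.10.2.0/24          # servers
define VPN_NET    = 10.10.9.0/24          # VPN tunnel subnet for administration
define WEBSRV     = 10.10.2.10            # public web server inside SRV_NET
define ADMIN_IPS  = { 198.51.100.7, 198.51.100.8 }   # assumed back-end allow list
define UPDATE_SRV = { 203.0.113.10, 203.0.113.11 }   # assumed update mirrors

table inet bio_4d {
    chain forward {
        # BIO SN SUB Cl 1: default deny between subnets; only listed flows pass
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # BIO SN INC Cl 1: web server reachable from anywhere, but only HTTPS (TCP 443)
        ip daddr $WEBSRV tcp dport 443 ct state new accept

        # BIO INC443 BACK Cl 1: back-end/admin port (assumed 8443) only from the VPN
        # subnet or from allow-listed addresses, never from the whole Internet
        ip saddr $VPN_NET   ip daddr $WEBSRV tcp dport 8443 ct state new accept
        ip saddr $ADMIN_IPS ip daddr $WEBSRV tcp dport 8443 ct state new accept

        # BIO SN INC Cl 1: SSH management of servers only from the VPN subnet
        ip saddr $VPN_NET ip daddr $SRV_NET tcp dport 22 ct state new accept

        # BIO SN OUT Cl 1: servers reach the Internet only for HTTPS updates
        ip saddr $SRV_NET ip daddr $UPDATE_SRV tcp dport 443 ct state new accept

        # Workstations: web and DNS to the Internet only; nothing into other subnets
        ip saddr $WS_NET ip daddr != $INTERNAL tcp dport { 80, 443 } ct state new accept
        ip saddr $WS_NET ip daddr != $INTERNAL udp dport 53 accept

        # Everything else (workstation -> server, IoT -> anything, server -> Internet)
        # falls through to the drop policy; log it so blocked flows stay visible
        limit rate 10/second log prefix "bio4d-drop " counter
    }
}
```

Load it with `nft -f <file>` and verify the result with `nft list ruleset`; any flow not listed above, including a workstation reaching a server on port 445, lands on the drop policy and appears in the log.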

Scheduled Software Updates

Software updates can create a conflict between stability and security. Newer, updated software usually closes more security gaps, but at the cost of reduced stability. This matters most in the case of critical security vulnerabilities. To ensure maximum security, we consider up-to-date updates for all IT components to be indispensable. This applies to end-user software, server software, plug-ins, firmware, drivers, operating system and BIOS updates. The following applies to all components:

  • BIO SU AUTO Cl 1 OK: Automatic updates are enabled. This is the only way to keep the component up to date at all times.
  • BIO SU AUTO Cl 2 WEEK OK: Automatic updates are possible but not enabled for stability reasons. Nevertheless, after checks, these updates are performed manually within a week.
  • BIO SU AUTO Cl 3 FAIL: Automatic updates are not enabled and will not be performed.
  • BIO SU MAN Cl 1 OK: New updates are checked for monthly and then, after optional verification, installed within a week.
  • BIO SU MAN Cl 2 HALT OK: No updates take place for certain components while they are not in use. However, an update must be performed before the next use.
  • BIO SU MAN Cl 3 FAIL: Manual updates for a specific component are not performed, even though it is in use.
  • BIO SU SOURCE Cl 1 OK: The source of the updates is up to date and marked as the current "Stable Branch".
  • BIO SU SOURCE Cl 2 FAIL: An "Old Stable Branch" is used, or the source is no longer updated because it has reached "End Of Life" status.

Reliability

In case of network, hardware or software damage, we propose an optimized recovery plan for each server and work device. It can never be ruled out that networks fail, hardware components break or software errors occur. That is why it is important to take precautions.

  • BIO SC WAN Cl 1 OK: For Internet connectivity, two or more competing provider lines are permanently available, preferably with different technologies, e.g. fiber optics and DSL.
  • BIO SC WAN Cl 2 FAIL: In the office, either only one line or several lines from the same provider are available.
  • BIO SC CRIT Cl 1 OK: Critical servers such as firewalls, phone systems, switches and CRM/financial servers have a hot standby server that handles regular data synchronization and outage checks automatically and takes over within a few seconds.
  • BIO SC CRIT Cl 2 HW OK: Even without hot standby, the server remains particularly well protected by redundancies in the power supply, SSDs, hard drives and network connectivity.
  • BIO SC CRIT Cl 3 FAIL: A defect leads to downtime. Waiting times must be accepted until replacement hardware is delivered. The devices must be reconnected and the software reinstalled.
  • BIO SC NON-CRIT Cl 1 OK: To compensate for the failure of non-critical hardware, a clone (replication) backup is recommended. In some cases, it is useful to keep a configuration file for quick recovery. With a hardware replacement plan, new hardware can be procured quickly.
  • BIO SC NON-CRIT Cl 2 FAIL: A lot of time is lost when restoring data without a backup or hardware replacement plan.

Unnecessary Software

Every piece of software, every library and every plug-in adds a security risk. That is why we recommend, as already described under the topic "IT footprint", using only software that is really necessary. We only inventory necessary software.

  • BIO SSW Cl 1 OK: The software is required for your operation.
  • BIO SSW Cl 2 FAIL: The software is unnecessary and should be removed urgently.