30(a) Security Policy: Summary of the security policy for the proposed registry
| gTLD | Full Legal Name | E-mail suffix |
|---|---|---|
| .cloud | Top Level Domain Holdings Limited | gmail.com |
SUMMARY OF SECURITY POLICY
Registry services are outsourced to Minds + Machines & their subcontracted partners, PCH (DNS, DNSSEC), NCC (data escrow) & Tucows (Secondary Failover Site). The registry is built to meet the security & stability requirements as defined in the ICANN new gTLD Applicant Guidebook. It is a secure, stable, scalable registry with high availability, dependability, & the flexibility needed to meet new gTLD requirements.
Appropriate security features will be documented & embedded within the registry services. Data confidentiality, integrity, & availability is the goal of the security policy. This response provides an explanation of how the security controls & mechanisms that will be put in place are relevant & how independent auditors will validate those controls. In the following discussion, all features mentioned in the present tense currently exist; those in the future tense will be implemented prior to operations.
Registry operations will be run in accordance with the ISO27001 framework. ISO27001 specifies a high level of requirements & best practices for managing internal company & external customer information. It incorporates periodic risk assessments appropriate to all threat scenarios. The policy covers the infrastructure, data centers, & services including SRS⁄EPP, Whois, & DNS.
Once the registry is operational, ISO27001 certification will be pursued. We are committed to providing the highest level of data security. A formal program to maintain the certification will be established, providing the registry with a current & sustainable security policy that is able to handle emerging security threats.
A layered security model will be employed. This approach increases the cost & difficulty of penetration for an attacker. Layering creates multiple points of resistance to intruders, ensures high availability, & decreases the likelihood that attackers will pursue attacks against our organization.
The computing environment is comprised of networks, operating systems, applications, & databases. Customer data is the basic underlying component of the business that we strive to protect; therefore, we focus on providing multiple layers of resistance to unauthorized access to that data.
There will be four basic security functions that will work in a complementary manner to secure each layer of our computing environment: examination, detection, prevention, & encryption.
Examination identifies vulnerabilities in all computing layers before they become compromised. Automated examination appliances will be employed at the network layer, operating in-line with the network, discovering all assets in the network & then identifying vulnerabilities in each asset.
Using the monitoring tools described in Q 42, each layer of the operating system is monitored, providing detailed information about each host by discovering user accounts, fingerprinting software, & OSes. Vulnerabilities will be scanned for & thus identified by using a pre-defined, regularly-updated rules set. Examination at the OS level provides more in-depth information about a host than network-level examinations, & will be deployed with the use of agents on each host.
In addition to network & OS layer examination, applications & databases are also examined, focusing on vulnerabilities of a software application or database environment.
These products, fully described in Q 32, are written for our software packages & database. Examination products focused on software packages & databases provide the most granular level of security in a layered security model.
Detection products search for pre-existing problems in a computing environment. In-line detection & intrusion prevention products will be employed at the firewall layer, allowing attack signatures to be used to detect intrusions before they enter our network.
Information will also be kept secure by using prevention products described in the response to Q 32 & Q 42. These tools filter entry into a specific network, & include virtual private networks (VPNs), access control for routers & switches, & advanced stateful firewalls using policies to evaluate network traffic.
Firewalls at the network & host layer will use network addresses, port numbers, host names, & services to evaluate whether traffic is allowed into a specific network. Network-based firewalls are the first line in guarding against intrusion. Since this is a multi-site architecture, firewalls have been implemented at the edge to increase intra-site security while protecting against intrusion from the internal network & the external Internet.
Encryption products for data security both in transmission & storage will be employed. Encryption tools transform readable data into an unreadable form that can only be restored by decryption. VPN tools, further described in Q 32 (see: Firewall Specifications), focus on creating a secured transmission medium that prevents interception & deciphering of data. Other encryption products focus on securing stored data, both in databases & applications.
Encryption tools allow for secured remote management of critical system resources; allowing establishment of a connection through a secured tunnel to firewalls, servers, & other critical systems.
Regular security audits by an accredited independent third party are commissioned to formally test & evaluate vulnerabilities & controls within the operations environment. Biannual internal security reviews are performed. The reviews emulate the evaluation performed in a security audit, but also provide detailed reviews of processes, procedures, & systems performance metrics. The documentation that results from internal reviews & external audits is securely archived, & these records can be made available to third parties with management approval.
Systems supporting the registry are protected by the state-of-the-art tools described in Q 32 & Q 42, & are maintained in a secure manner. Network access is managed & logged. Access to systems, networks, peripheral devices, power, or other data center services is restricted. At data centers, keycard protocols & round-the-clock interior & exterior surveillance are used to monitor access. Only authorized personnel are granted access to data centers. No one else may enter the production area without prior clearance & an appropriate escort. Every data center employee undergoes background security checks before being hired. Physical access is provided only to personnel who are pre-authorized to perform maintenance. Devices requiring service or maintenance will have parts available to swap in as replacements.
All employees will be screened prior to hire & must agree to the System Access & Usage Policy as part of their contract. Security Awareness training will be provided. A security policy acknowledgement form must be completed & signed by new employees to acknowledge acceptance. Usage-policy statements outlining usersʹ roles & responsibilities will be maintained. Acceptance of Information Security policies & procedures is required from contracted companies & individuals.
At the primary & secondary facilities, access privileges begin with HR. Once the HR team has a signed offer letter & start date, they begin the process to procure equipment, assign seating, create system accounts & grant access. The security team is required to approve all system access requests, whether a new hire or existing hire. Based on the job role, the security team has built access profiles so that all Operations & NOC staff tasked with creating accounts implement the appropriate levels of access.
External access is treated identically. If the profile calls for external access, the employee must be provided with a VPN client & encryption certificate from the Operations team that uniquely identifies the user & provides a second level of authentication. This ensures that external access authentication is two-factor & cannot be shared. External access follows the same profiling hierarchy & is simply an extension, i.e. if an internal employee does not have access to databases, they will continue to NOT have access to databases externally.
The only direct access to the network for Internet traffic is application traffic to & from pre-determined IP Addresses used in combination with recognized protocols on defined port numbers. Security at the network & protocol levels is controlled by the Internet routers & firewalls & is restricted by Access Control Lists.
Network access requires multiple layers of authentication. The system will identify who is connected & where they are, thereby assuring that users will have access to the network resources they need for their defined jobs while business systems & processes are protected from compromise.
For remote access to the system, specific points of entry for special access required by system or network administrators & the security team will be provided by a VPN requiring a client profile, a pre-shared key, & a unique username⁄password validated against authentication databases.
System, Firewall, Network & other configurations will be updated at scheduled maintenance. The configuration changes are stored in a revision control system for review by security & network personnel, who must approve the changes prior to implementation.
A variety of physical security systems are used to ensure that unauthorized personnel have no access to sensitive equipment or data.
All servers containing sensitive data are physically secured. Only a controlled list of people can obtain access. All internal networks are isolated from public access, & external Internet links are firewall-protected to prevent intrusion.
Physical precautions inside the server rooms include 24⁄7 video cameras to alert security personnel in case of intrusion. Alarms are fitted to all doors that access the data centers. Trained Data Center security staff are present at all times. Appropriate personnel will be contacted when necessary to help contain the situation as per the incident escalation procedure.
Access to the server room is controlled via a two-factor authentication system. All access to the server room is logged & archived. Lost or stolen access cards are immediately deactivated. Closed circuit TV is in place at all sites.
CAPACITY TO WITHSTAND ATTACKS
Operational security practices are employed to safeguard the registry infrastructure. Network & server resources are over-provisioned to ensure they can handle large attacks without performance degradation. IP transit link sizes are also over-provisioned, ensuring that capable routing & switching hardware is employed & that servers are sufficiently powerful to serve large query loads.
Hardware firewalls & Deep Packet Inspection (DPI) systems are used to ensure that only required UDP & TCP ports are exposed to the Internet. DPI systems check packet structure & DNS protocol validity on the wire to ensure that correctly-constructed DNS packets are answered by the name servers, reducing the burden on individual name servers by pre-filtering invalid traffic. Strict physical & administrative access policies are enforced.
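The DNS pre-filtering described above, as an added example that is not part of the original application or of PCH's equipment: a minimal wire-format validator applying the structural checks a DPI pre-filter would run before a query reaches a name server. The 512-byte cap, the IN-only class rule and the rejection of compression pointers in the question name are this example's own assumptions, and every sample datagram is constructed inline.

```python
import struct
# Policy parameters of this hypothetical pre-filter (assumptions, not PCH's configuration).
MAX_QUERY_LEN = 512      # plain-UDP query datagrams larger than this are dropped
ALLOWED_QCLASSES = {1}   # only class IN is expected at a TLD name server
OPT_TYPE = 41            # EDNS0 OPT pseudo-RR, the only additional record accepted

def build_query(qname, qtype=1, txid=0x1234, flags=0x0100, edns=False):
    """Construct a DNS query in wire format (used only to build the constructed samples)."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    body = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    body += struct.pack("!HH", qtype, 1)
    if edns:  # OPT RR: root name, type 41, UDP payload size as class, ttl 0, empty rdata
        body += b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, 0)
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, int(edns)) + body

def _parse_name(pkt, off):
    """Walk an uncompressed name starting at off; return the offset just past it."""
    total = 0
    while True:
        if off >= len(pkt):
            raise ValueError("name runs past end of packet")
        ln = pkt[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0:  # compression pointer or reserved label type: not valid in a query name
            raise ValueError("compression pointer or reserved label type in question name")
        total += 1 + ln
        if total + 1 > 255:  # +1 for the terminating zero octet
            raise ValueError("name longer than 255 octets")
        off += 1 + ln

def validate_dns_query(pkt):
    """Return (True, 'ok') for a structurally valid standard query, else (False, reason)."""
    if len(pkt) < 12:
        return False, "shorter than DNS header"
    if len(pkt) > MAX_QUERY_LEN:
        return False, "query larger than %d bytes" % MAX_QUERY_LEN
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x8000:
        return False, "QR bit set: response sent to a query port"
    if (flags >> 11) & 0xF != 0:
        return False, "non-standard opcode"
    if qd != 1 or an != 0 or ns != 0 or ar > 1:
        return False, "unexpected section counts"
    try:
        off = _parse_name(pkt, 12)
    except ValueError as err:
        return False, str(err)
    if off + 4 > len(pkt):
        return False, "question truncated"
    _qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    off += 4
    if qclass not in ALLOWED_QCLASSES:
        return False, "unexpected query class"
    if ar == 1:  # only an EDNS0 OPT pseudo-record is accepted in the additional section
        if off + 11 > len(pkt) or pkt[off] != 0:
            return False, "malformed additional section"
        rtype, _udp_size, _ttl, rdlen = struct.unpack("!HHIH", pkt[off + 1:off + 11])
        if rtype != OPT_TYPE:
            return False, "additional record is not OPT"
        off += 11 + rdlen
        if off > len(pkt):
            return False, "OPT rdata runs past end of packet"
    if off != len(pkt):
        return False, "trailing bytes after question"
    return True, "ok"

# Constructed sample datagrams: two well-formed queries and four a pre-filter should drop.
SAMPLES = {
    "valid_a": build_query("www.example.cloud", 1),
    "valid_edns": build_query("example.cloud", 28, edns=True),
    "truncated": build_query("www.example.cloud")[:20],
    "long_name": build_query(".".join(["x" * 63] * 4)),
    "response": build_query("example.cloud", flags=0x8180),
    "trailing": build_query("example.cloud") + b"\x00" * 4,
}
def filter_batch(packets):
    """Map each sample name to whether the pre-filter would pass it on to the name server."""
    return {name: validate_dns_query(pkt)[0] for name, pkt in packets.items()}
```

Only the two well-formed samples reach the name server; the other four are rejected with a reason string that a monitoring pipeline can count per source.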
RESOLUTION PROVISIONING AND DNS SERVICES
The anycast DNS network provided by PCH is designed to provide ample network resources to withstand extreme load situations such as DDoS attack. For overburdened Internet connections the placement of name servers in key exchange points allows DNS responses to reach the servers via an alternative provider. In the event a given site has both Internet connections overburdened, the geographical diversity & number of locations means that there will be another DNS server available.
The PCH anycast network has more than 70 locations across the globe. The .CLOUD TLD will be available at all times, & registrants will be able to count on resolution services.
Integrity between the registry & name servers in the PCH anycast cloud is ensured via TSIG-signed IXFRs or AXFRs, ensuring the DNS provider is receiving the zones from a valid source.
The PCH DDoS mitigation approach involves knowing what attack profiles to watch for, having the technology capability & capacity to identify & deflect attacks while allowing legitimate traffic to reach its destination, & possessing the skills & experience to address issues appropriately. See Q 35 for a complete description of the DDoS mitigation approach.
Support engineers follow established standard operating procedures consistent with the ISO27001 framework. These procedures will be continually reviewed & updated. Responsibilities & escalation amongst response teams will be clearly defined. Measures to test contingency plans for short-term, medium-term, & long-term network or service outages will be employed. These periodic tests will ensure the viability of the procedures, escalation model, & accountability.
THIRD PARTY AUDITS
Regular security audits performed by an accredited third party will be commissioned. Audits involve formally testing & evaluating vulnerabilities & controls within the operations environment. Internal security reviews will also be performed. These reviews involve the evaluation performed in a security audit in addition to detailed review of processes, procedures, & systems performance metrics. The resulting detailed documentation from each internal review & external audit will be securely archived. These records & documents can be made available, with management approval, for third parties when necessary.
Information Security Certification or Assessment
The .CLOUD registry will undergo annual information security assessments once it is operational. Minds + Machines undergoes annual assessments as well. Tucows, our secondary facility provider, undergoes yearly to bi-yearly IT audits. Tucows has gone through SOX audit & compliance & is PCI certified. Attached as Q 30a Security-Attestation to Compliance is the PCI certification questionnaire. While its purpose & intent are to protect the cardholder environment, it is very exhaustive & has been extended across all systems where possible.
Multi-factor authentication, user identification, passwords & IP range checking will be required for all restricted services including but not limited to access to the Registry database, servers, zone files, & DNS services.
Secure File Transfer Protocols will be used for all file transfers between the Registry & registrars (RFC2228, RFC2577, or similar equivalent).
System maintenance will be performed via SSH, VPN or similarly secured connections.
Each system will operate only a very restricted set of basic services appropriate to its role, covering DNS, contact information, FTP, SCP & WWW services. Systems are firewall-protected in hardware, & IP filtering rule sets are in place to reject inappropriate packets.
DNS servers run a limited set of applications & system services. Frequent checks take place on all DNS servers to ensure that data integrity is maintained.
IP-restricted services have each IP address specified individually. Network address ranges will not be used, as this adds the risk that a host could masquerade as a spare IP address on an internal network.
Packet sniffers, designed to check all traffic passing through a network interface, will be in place to catch suspicious traffic. These actively scan for incorrect or illegal packets, & alert the security team. They also give further indications of the source of an attack, which are used for profiling & preventing similar attacks in the future.
Network security practices will be verified by a security audit process which involves scanning all TCP & UDP ports on servers operated by the registry.
Security tests will be periodically performed on the servers & the corresponding report is reviewed on a regular basis. Tests attempt to take advantage of specific security flaws using a variety of attack methods, & the results are reported & archived. Known attacks include:
* Buffer overflow exploit
* Missing format string exploit
* Packet fragmentation attack
* Data flooding (SMURF ping, etc.)
* DNS⁄IP spoofing
* FTP spoofing
* Dictionary passwords
* Replay attack
* SQL injection
Tests will be updated as new vulnerabilities, security flaws, or techniques are discovered. These updates are based on industry best practices.
Backups are performed through a secure network. Encryption for the backup of all sensitive data is employed. Data is sent to secure locations where it is stored, maintained & recovered for later use. Please see the response to Q 37 for a complete review of the backup security & measures taken to ensure integrity & security of the registry data.
AUDITING & REPORTING
Security reviews are run regularly. In order to maintain ISO27001 certification, there will be an annual external third party security audit performed. Security audits & reviews test all systems for configuration issues and security holes, & compliance with both internal processes & ISO27001 standards. Results of audits form the basis of security reports, which detail any recommendations for system alterations & the timeline for remediation. All security breaches will be recorded, documented, & reported to management.
ROBUST PERIODIC SECURITY MONITORING
Comprehensive monitoring ensures stability & security of critical systems & services. Industry-standard monitoring & alerting practices will be used & will ensure remediation when an impacting event is detected.
See the response to Q 42 for a complete description on security monitoring.
Network access control lists, network & system activities, VPN access, EPP system access logs, & any other form of logging are backed up & stored securely locally & off-site at the secondary data center. Access to backup information is restricted by policy. Archives are encrypted & password-protected on a limited-access server & are retained for a minimum period of one year.
Minds + Machines’ security capabilities are consistent with the requirements of the data centers & with the overall business approach & planned size of the registry. The CTO & ISO will be responsible for enforcing the Registry Security Policy & ensuring that the registry technical system complies with ISO27001 standards.
COMMITMENTS MADE REGARDING SECURITY MEASURES
Security levels are appropriate for the nature of the use & level of trust associated with the .CLOUD TLD. Registrants can expect a registry environment with the same or better security levels & functionality as current gTLDs provide. The Registry Policies define commitments made to registrants, specifically regarding privacy & protection of personal data.
ADEQUATE RESOURCING IN THE PLANNED COSTS
The planned costs detailed in the financial section show that our registry operations, including security, are provided by Minds + Machines in exchange for a fee. The secure NOC, Firewall & VPN hardware, & staffing for compliance, enforcement, & further security development are all considered in the cost discussion noted in the response to Q 47.
The Information Security Officer (ISO) is responsible for identifying, developing, implementing & maintaining processes across the organization to reduce risks to information & information technology. The ISO also responds to incidents, establishes appropriate standards & controls, & directs the establishment & implementation of policies & procedures. The ISO is responsible for information-related compliance & ensures security policies are kept up-to-date & followed by staff.
Each member of the technical team is tasked with ensuring the registry remains secure. They also ensure the integrity of updates between registry systems & nameservers.