Philosophy
Our approach to securing your company's data starts with the belief that it's only a matter of time before someone attempts to break in and steal it. Furthermore, we believe the large public cloud providers suffer from a fundamental architectural flaw - master admin accounts. Code Spaces, a cloud solution provider utilizing Amazon's Cloud platform, went out of business due to a hacker gaining access to their Amazon account and deleting almost all of their customers' data. As stated in their public apology to their customers: "In summary, most of our data, backups, machine configurations and offsite backups were either partially or completely deleted."
​
At briteVAULT, we take a multi-layered, segregated and siloed approach to data distribution, authorization, and access. The following sections detail the various aspects of the security of our platform.
Security
Site Segregation
No admin account exists at briteVAULT that can access and manipulate data in more than one data center. In fact, our data centers are completely siloed from each other - admin accounts with access to one data center are not valid in another data center. Data centers are connected via private lines but we still firewall them from each other and only allow encrypted traffic. No traffic traverses data centers that is unencrypted. Replication traffic that is allowed to traverse between data centers is not accessible via the admin accounts - these accounts can only tell the replication process to start or stop. The only ports open between data centers are encryption-specific ports.
Data segregation
In the same way that we segregate and silo our data centers from each other, we also segregate and silo our customers from each other. All customer machines exist in their own dedicated network space and do not have access to any other customer environment. Customer backups reside in dedicated, encrypted volumes that other customers cannot access. Strict firewall rules prohibit customer cross-traffic communication. Dedicated IP addresses further ensure healthy segmentation.
Additionally, customers who maintain Microsoft Active Directory domains within the briteVAULT cloud have no domain trust or relationship with any briteVAULT domain or customer domain. Some cloud providers create a parent or 'Forest Root' domain and then maintain their customers as Child Domains of the root. Or alternatively they establish trust relationships between the provider's domain and the customer's domain. We consider this a security risk not worth entertaining as simple administration errors could result in exposing one customer's data to another - or worse.
Access Control
Physical access into each data center is a multi-authentication, multi-location procedure. 24x7 video surveillance documents and records any individual who attempts to gain access. Magnetic card readers, 'man traps', and bio-metric scanning executed at different locations during the entry procedure ensures only authorized administrators have physical access.
Digital access mirrors the rigors of granted physical access: multiple, secure encryption channels requiring disparate, unique credentials is only part of the picture. Dual-factor authentication is also required of any administrator to successfully transverse the multiple layers of firewalls before the admin can begin work.
Accountability
All data centers that briteVAULT operates from are carrier-neutral, SSAE 16 SOC 2 Type 2 audited facilities. All employees that briteVAULT employs must undergo a thorough criminal and financial background check. briteVAULT and all its customers authorize mutual non-disclosure agreements so as to help ensure the protection of their intellectual property as well as briteVAULT's intellectual property.