- Using our solution at home, how does it prevent opening personal/corporate files or personal emails of other users?
- Personal files/emails should never be allowed into any corporate environment. Personal email and or file are defined as an email account(s) or file(s) (inclusive of sharing services such as drop box, google drive, etc.) that are not used for corporate business, not authorized by corporate policy or are of a personal nature. The commonality of today's connected world makes this particularly challenging for businesses. We approach this from two vectors of security management; mitigation and transference. First let's refer to mitigation: while it is impossible to prevent a user from accessing their personal email, the Connected Workspace Environment ensures that any and all files on the virtual desktop itself are scanned for malware (inclusive of ransomware, viruses, etc.). Virus definitions are updated and automatically applied if necessary every two hours, and email threat protection is applied to all Star2Star Managed Office 365 accounts. The second vector of management, transference, is the support of recommendation to the Channel Partner or Customer to ensure that they have a then current privacy policy. This transference of risk allows both our channel partners to add value and enables their/our customers to ensure that they are providing clear direction of expectations to their employees on how to operate within the constraints of their individual policies.
- What alerts/proactive measures do we have in place for responding to data breaches?
- Data breaches are defined as directed attacks attempting to deny access to a customer's given set of data. We have proprietary policies, procedures, and processes in place that alert us upon access attempts to unauthorized files. Additionally, we do not allow access to the platform outside of a Citrix Workspace connection for any third party; no tunnelling, direct connection, etc. is allowed in the multi-tenant workspace. All of these solutions are in place to ensure that all connections route through a single fabric ensuring that the platform is monitored for any potential anomalies that represent a threat, allowing us to respond in kind to mitigate said threat.
- Is our corporate data encrypted?
- Corporate data is not encrypted during access due to the significant impact upon useability and performance to the end user computing experience. We do offer this service if necessary in our single tenant workspace upon request. Backup data (based on backup policies) is encrypted and inaccessible to anyone outside of Star2Star. This is a critical component of our mean time to recover from any security incident and is documented in our incident response procedures.
- What additional security technologies (email security, ransomware/malware, endpoint monitoring) can a partner incorporate into this offering?
- A channel partner can implement a third party email security solution should they so desire. Ransomware, malware, and/or endpoint monitoring additions can only be implemented in a single-tenant environment on a per customer basis and at the discretion of Star2Star. It is our desire as a business to provide transparency to our partners and/or customers. However, in order to protect our business from a legal point of view we have to maintain control of certain aspects of the system, but we are willing to make exceptions with the understanding that a legal addenda transferring the responsibility of risk would be required.
- With a hybrid deployment, am I more exposed to security risks?
- A hybrid deployment is a deployment model that includes some resources and their associated workloads being maintained locally and some workloads and their associated resources being maintained in Connected Workspace. This deployment model is not currently released but is targeted for this calendar year. This solution does not incur additional security risks; baseline policies are required and the solution is implemented in single tenant environments only. Further analysis will be conducted to determine the full impact of potential security risks at a later date.
- If I get ransomware, what is the remediation process?
- All files in Connected Workspace storage, should they become compromised, will be isolated in order to remove the threat of further corruption. A restoration to known safe media will be performed in an isolation environment. All VDAs will be shut down and forced to restart from Gold Image. Isolation environment will be migrated after file remediation is completed in isolation environment. Based on standard data size of 1 terabyte, Mean Time To Recover is estimated at 4 hours from a severe attack. We work diligently to remediate these attacks from ever entering our network and that is our first line of defense.
- If I get ransomware, are there ways for our data to be recovered?
- Yes. The data is recoverable via our backup solutions in Azure Cloud.
- What cloud specific technologies do we use to improve our resilience against security breaches or attacks (prior to breach)?
- There are multiple technologies in play to improve our resilience, some in the cloud, some on the servers and desktops themselves. A cloud service provider security planning and optimization solution is very complex to describe. For example we ship all logs, audit security logs in windows, and execute remediation practices based on both software and experience. Based on our Information Security Policies for this product suite, we choose not to divulge the specific solutions that are used in order to reduce attack vectors from malicious content.
- What isolation is there in a multi-tenant environment?
- VDAs are isolated as well as email, file, and user data (using advanced permission modeling and automation).
- Do we comply with any security standards?
- We endeavor to comply with NIST and ISO27001.
- What are you using for malware, virus, exploits, and ransomware protection?
- In order to minimize our risk footprint we do not divulge the specific tools that we use.
- Are your virus definitions updated regularly?
- Definitions are updated every two hours.
- If you have any attack, what is the remediation and restore process, and is there an SLA for this?
- See question 6.
- Is there a risk of a virus traversing from the local client device into the DaaS environment?
- No known exploits are known within ICA. We do not allow local files from the end users’ desktop to be moved into the environment in order to minimize the footprint. One of the advantages of Connected Workspace is that your data should only exist in one place, which reduces your risk footprint and allows you to transfer that risk to Star2Star.
- Do you have a recommendation for the local machines virus protection, or can we use our current offering, and would your recommendation have any added benefit to the customer?
- We do not provide recommendations for the local computer. Each environment is different with different needs. We rely on the expertise of our Channel partners to support the local computer.
- Can we set up VPN into other services through DaaS?
- Upon request we will analyze this solution scope. However, we only allow this within a single-tenant environment in order to minimize security risk should a third party be compromised representing a point of ingress to our network.
