Security and compliance

Security is a critical, integral component of ThinkAgile CP. Our security approach helps our customers alleviate the burden of worrying about security so that they can focus on creating and consuming applications that drive business strategy.

Micro-segmentation

Traditional purpose-built networks offer perimeter-based protection, but they cannot guard against threats that may exist within the network. ThinkAgile CP delivers highly granular security controls using micro-segmentation on a per-application basis. Each micro-segment is completely isolated from all other micro-segments, which provides a zoned defense on a per-application basis.

With the ability to set up micro-segments within minutes, ThinkAgile CP combines ease of use with high levels of control, limiting any effects of application exploits to an application’s micro-segment.

Distributed firewalls

ThinkAgile CP employs distributed firewalls for added security. As the name suggests, distributed firewalls are deployed across the platform on all compute nodes. With distributed authorization, rather than a single, traditional firewall, network traffic is no longer evaluated only at one point on the network but is evaluated or authorized at every network endpoint.

Application security profiles

Application security profiles are defined via a combination of micro-segmentation and distributed firewalls. While firewall security policies allow or block traffic on a given micro-segment (or VNET), application security profiles layer “allow-but-scan” rules on top of firewall policy, which invoke scanning of authorized applications for threats, such as viruses, malware, spyware, and DDoS attacks.

SaaS-based management

The ThinkAgile CP platform is managed by a single, secure SaaS portal, the ThinkAgile CP Cloud Controller. ThinkAgile CP separates the management services from on-premises infrastructure to deliver increased business agility with greater flexibility and speed of service provisioning. Unlike other management systems, the Cloud Controller maximizes security by leveraging an inbound-only approach. This way, you are not required to open any inbound firewall ports, only outbound ports. All communication is initiated from the on-premises infrastructure in your datacenter to the SaaS portal by using SSL and TLS encryption. Upon authentication, the SaaS portal communicates back with the on-premises infrastructure. Importantly, the SaaS portal does not hold any sensitive customer data, which protects on-premises infrastructure and data.

Multi-tenancy

The ThinkAgile CP platform simultaneously offers both logical and physical multi-tenancy. Multi-tenant partitions are created by using virtual datacenters. Virtual datacenters use authentication, authorization, and role-based access control to create the logical partition between tenants on the shared platform. For physical multi-tenancy, ThinkAgile CP uses migration zones, compute categories and compute tags, which apportion physical partitions for true isolation of individual tenants.

For more information about migration zones and compute tags, see the following topics:

Secure control plane

The control plane uses industry-standard, secure, and encrypted communication between the ThinkAgile CP Cloud Controller and the infrastructure (storage, compute, and network). This secure method provides confidentiality, integrity, and authentication through encrypted channels. Control plane encryption protects against man-in-the-middle and other attacks that could compromise network security.

Data-at-rest encryption

To enable businesses to safeguard their data to meet their organizational security and compliance requirements, ThinkAgile CP encrypts all data residing in the storage pool by default. All data residing in the storage pool is automatically encrypted prior to persisting to storage and is decrypted prior to retrieval. Encryption, decryption, and key management are transparent to users. Additionally, customers seeking to achieve NIST FIPS 140-2 Level 2 compliance have the option of using a KMIP-compliant key management service to manage encryption keys.

Government standards compliance

ThinkAgile CP automatically secures each customer’s platform to the highest standards. The ThinkAgile CP powered by Red Hat is accredited and validated to meet government compliance standards, including:

  • Common Criteria (CC)
  • FIPS 140-2
  • Secure Technical Implementation Guidelines (STIG)
  • USGv6 (DOD IPv6)
  • USGv6 Tested Product List
  • TAA

Additionally, ThinkAgile CP is compliant with HIPAA-specific policies, procedures, and safeguards to protect client data and PHI, in accordance with HIPAA guidelines.

Two-factor authentication

ThinkAgile CP uses two-factor authentication (2FA) security measures to prevent unauthorized access to user accounts in the ThinkAgile CP Cloud Controller. Requiring more than one factor during the authentication process increases assurance that user access is authorized. Two-factor authentication requires the following steps before allowing access to user accounts:

  1. Enter user name and password to log in to the account.

  2. Validate the login by entering a security code received via mobile phone or e-mail.

For more information about logging in to the ThinkAgile CP Cloud Controller, see the following topic:

Log in to the ThinkAgile CP Cloud Controller