Earlier, we shared 5 FAQ's about the Physical security of the iOffice Portal. Today, I'm listing 7 FAQs surrounding the topic: Host Security.
Host security refers to the layer between the physical hardware and the iOffice application.
1. Does iOffice co-mingle customer databases and co-locate customer applications with non-customer applications on physical servers?
The iOffice portal is an application shared by customers, however, databases are private for each and every customer. Your personal data is NOT associated with any other organizations data.
2. How does iOffice keep up on security vulnerabilities, and what is the policy for applying security patches?
Rackspace handles all patching and OS upgrades for software provided by it. Patch updates are thoroughly tested in Rackspace test environment prior to installation in iOffice environment to confirm that they will not adversely affect your system.
Rackspace typically deploys critical patches immediately, with limited testing. All other patches are tested and delayed for at least 7 business days to allow for assessment of impact. Notifications of standard patches are released to iOffice on a monthly basis with critical patch notifications performed within 7 business days.
Rackspace's process for implementation updates is as follows: As security fixes are released, Rackspace will proceed to test the updates internally to make sure that these will not cause complications on your system. Once the patches have been tested and approved a ticket will be generated to notify you of the updates ready to be applied to your servers. You will have 2 days from the time the ticket is created to respond with your request to not be updated or specific instructions concerning updates. If there are no further instructions from the customer, Rackspace will proceed to apply the released patches to your configuration by the end of the week. When servers are kicked in the managed segment, the schedule day and schedule time are randomized. This means that these servers will patch at different times. The default patching week is week 4 of the month. Starting the 4th Monday of the week, these servers will patch according to the setting on server.
3. How does iOffice monitor the integrity and availability of the hosts that run the Customer's application?
Availability is monitored in three ways:
- Rackspace internally monitors the application and infrastructure
- iOffice monitors the application's availability and performance
- iOffice uses multiple tools that monitors the availability and performance of the application externally from many different sources.
4. What is iOffice's policy on Customer password creation?
iOffice Portal allows length restrictions for the password to be defined for the application. Additionally when using SSO the password requirements are handled completely by the customers authentication systems.
5. How does iOffice handle synchronization of passwords?
We offer multiple types of SSO solutions allowing your existing authentication systems to hook into iOffice. We have advanced integrations with SAML (IDP and SP) and hash based authentication options.
6. Can iOffice explain account generation, maintenance and termination process, for both maintenance as well as user accounts?
Account generation, maintenance and deactivation is determined by policies set by you, the customer. In some instances where SSO, HR or Active Directory integrations are in place, account management can be determined by these systems as the record of authority. Manual account management is dictated by the customer.
7. Does iOffice support SAML based federated authentication (SSO)?
Yes, iOffice supports both SAML 2.0 and WS-Federation. It can be either SP or IDP initiated, meaning that you can authenticate to us from your internal portal or we can link to your authentication from our login page.
Those are the top questions we get asked about Host security for our portal application. In our next FAQ blog post we will answer the most frequently asked questions about Application Security.