
Security & Compliance

Security at the core of everything

Our infrastructure and information must be well managed, controlled and protected. A dedicated team oversees a security programme that runs from the network edge to the data floor.

A dedicated team oversees FyfeWeb's security programme, spanning network security, application security, identity and access controls, change management, vulnerability management and third-party penetration testing, log and event management, vendor risk management, physical security, endpoint security, governance and compliance, HR security, disaster recovery and a host of additional measures and controls.

How we keep things secure

Security is built into how we run, not bolted on afterwards.

Encryption

We protect data and systems with a range of technologies, including encryption of all data in transit and at rest, and in use where required.

Security accreditations

We work from accredited data centres conforming to ISO 27001, 9001, 20000-1 and 22301, and align our own practices to match.

Vetting & background checks

Everyone who works for or with us is thoroughly vetted at the outset, with checks repeated at regular intervals throughout the relationship.

Auditing, logging & alerting

Comprehensive logging, monitoring and alerting runs across our entire estate, backed by regular internal and external audits.

Security Operations Centre

Our security team works around the clock to prevent, detect, analyse and respond to threats, events and incidents across our estate.

Stringent governance

Organisation-wide documentation, policies and procedures govern how we operate and define our response to different situations.

Technical security information

A closer look at the controls behind our platform and data centres.

Infrastructure security

Our infrastructure is protected by a number of mechanisms and controls, including firewalls, IDS/IPS and access control. We run regular scans to find and patch vulnerabilities quickly, alongside penetration tests performed on a regular basis. Access to information and systems is restricted to specific, named individuals on a need-to-know and zero-trust basis, and is actively monitored and audited. We encrypt all data in transit, and customers can elect to encrypt their own data at rest in addition to our disk-level encryption. Our services are hosted, operated and managed in-house by FyfeWeb, and every data centre we use is independently audited to ISO 9001, ISO 27001 and Tier III+ standards. All data we hold, including backups, is stored on encrypted disk volumes.

DDoS protection

We provide DDoS protection on all of our services at no additional charge, using the GTT Corero SmartWall platform and its large global filtering capacity. We do not redirect on attack: all traffic flowing into the network is filtered 24/7/365 and automatically inspected, so the time to mitigate an attack is under one second. Our own cross connects in our London edge data centres, with no GRE tunnels, keep performance consistent with zero overhead. For deployments that need extra protection, we can increase filtering sensitivity on a granular basis whenever required.

Physical (data centre) security

Our data centre points of presence use a stringent, multi-layered security model. Access is granted on a bona fide, need-to-know basis only, and removed as soon as it is no longer required. A very limited number of people are on a pre-approved access list at any one time for campuses, buildings, plant rooms, data floors and individual racks, and any authorisation granted is short-lived, audited and set to expire automatically. Our facilities are equipped with trained security personnel, CCTV, automatic numberplate recognition, biometrics, perimeter fencing and granular access control at every level. Anyone with a legitimate reason to enter does so through security corridors with anti-tailgating mechanisms, multi-factor access control, government-issued identification checks and escorts by authorised personnel.

Customer security

We ask that you and your system administrators follow sound security practices and good cyber hygiene: strong account passwords, access control, role-based access and the enforcement of permissions and restrictions. If you become aware of a compromise to any of your systems, services or credentials, please notify our Security Operations Centre immediately via our Abuse, Trust and Safety team. Because of the nature of our business, our systems process large amounts of potentially highly confidential data, so we treat all customer data as Client Confidential, the highest level in our data classification system, with stringent access restrictions. All data transfers inside our data centres are encrypted, and transfers between data centres run over encrypted tunnels and links. Where you use a password to access our systems, we store it using a non-reversible encryption scheme that follows current best practice.

Incident management & response

We maintain an up-to-date incident response plan as a key part of our security and privacy management systems. It draws on personnel from across the business so resources are deployed where and when they are needed, and it lists the actions, escalations, mitigations, resolutions and notifications for any incident that could affect the confidentiality, integrity or availability of internal or customer information. After an incident is resolved, the response team reviews the lessons learned, and for critical issues the incident commander may run a full post-mortem to identify improvements. We also have a team of security and compliance professionals who help internal and external customers navigate their own regulatory and risk obligations, and we support independent third-party audits and assessments.

Zero-trust

FyfeWeb takes a zero-trust approach to networks and the devices on them. We enforce access controls based on information about a network, a device, its state, its associated user or company, its location and more, treating all networks, internal and external, as untrustworthy. This creates a model of borderless compliance where access is asserted and enforced dynamically at the application layer, keeping our security and compliance team just as effective during an emergency as at any other time.

Asset inventory management & security

We use a rigorous asset management and disposal system, with asset tags and barcodes tracking the location and status of all inventory from acquisition and delivery through installation, use, retirement and destruction. A strict chain-of-custody system ensures no equipment leaves a data centre without the appropriate authorisation, and any anomaly is investigated immediately. When data-bearing equipment such as a disk drive is retired, authorised personnel verify it has been erased to the DoD 5220.22-M standard: pass one overwrites every addressable location with binary zeroes, pass two with binary ones, pass three with a random bit pattern, and a final pass confirms the wipe. Drives are then either held in secure storage for re-use or destroyed using secure methods, with a certificate of destruction issued.
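As an added example (not FyfeWeb's own tooling), the overwrite sequence described above applied to a regular file in Python: a zeroes pass, a ones pass, a random pass, then a verify pass that reads the media back. The random pattern is derived per chunk from a throwaway key so the verify pass can regenerate it; that derivation and the file-based target are assumptions of this example, not details from the page.

```python
import hashlib
import os
import secrets
import tempfile

CHUNK = 1 << 16  # bytes handled per write/read

def _random_pattern(key, chunk_index, length):
    # Deterministic per-chunk pattern (assumption of this example) so the
    # verify pass can recompute what the random pass wrote without storing it.
    return hashlib.shake_256(key + chunk_index.to_bytes(8, "big")).digest(length)

def _overwrite(fh, size, pattern):
    fh.seek(0)
    offset = 0
    while offset < size:
        n = min(CHUNK, size - offset)
        fh.write(pattern(offset // CHUNK, n))
        offset += n
    fh.flush()
    os.fsync(fh.fileno())  # force the pass onto the media before the next one

def _verify(fh, size, pattern):
    # Final pass: every byte read back must match the last pattern written.
    fh.seek(0)
    offset = 0
    while offset < size:
        n = min(CHUNK, size - offset)
        if fh.read(n) != pattern(offset // CHUNK, n):
            return False
        offset += n
    return True

def wipe_file(path):
    """Zeroes, ones, random, then verify. Note: software overwrite of a file is
    not sufficient for SSDs or remapped sectors; hence secure storage or
    physical destruction as the page describes."""
    size = os.path.getsize(path)
    key = secrets.token_bytes(32)
    passes = [
        ("zeroes", lambda i, n: b"\x00" * n),
        ("ones", lambda i, n: b"\xff" * n),
        ("random", lambda i, n: _random_pattern(key, i, n)),
    ]
    with open(path, "r+b") as fh:
        for _, pattern in passes:
            _overwrite(fh, size, pattern)
        verified = _verify(fh, size, passes[-1][1])
    return {"bytes": size, "passes": [p[0] for p in passes], "verified": verified}

def demo():
    # Constructed sample: a temporary file holding a recognisable marker.
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"CONFIDENTIAL customer record\n" * 5000)
        path = tmp.name
    try:
        report = wipe_file(path)
        with open(path, "rb") as fh:
            report["marker_remains"] = b"CONFIDENTIAL" in fh.read()
    finally:
        os.remove(path)
    return report
```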

Email security

We require all connections to our servers to use TLS and SSL encryption, including webmail and IMAP, POP and SMTP client access, which prevents eavesdropping, tampering and message forgery between your device and our servers. When you send a message to someone outside the FyfeWeb network it travels across the open internet, so we encrypt the connection to the receiving server whenever that server supports it. We have accepted encrypted connections for mail delivery since the outset, and we encourage every server connecting to us to use it.

Website & interface security

A Strict-Transport-Security header is sent with all of our web pages, telling modern browsers to only ever connect to us over an encrypted connection, even from a bookmark, link or typed URL. To close off common avenues of attack, such as exposed database or SSH ports, we use kernel-level firewalling to allow connections only to the services each machine is meant to provide.

Need to report a security concern? Contact our Abuse, Trust and Safety team. For our full set of policies, see the Legal & Trust Centre.

Security questions? Talk to us

Our security and compliance team is happy to help with audits, due diligence or any question about how we protect your data.
