Security

The purpose of this document to provide introduction of security framework that willensure the protection of the Data/Information, inside iMEGH’s Datacenters, from unauthorized access, Data Loss and Damage during contract with the customer.

iMEGH Private Limited is certified as compliant with ISO/IEC 27001:2022, ISO/9001:2015 which is globally recognized as the premier information security management system (ISMS) standard.

We’re committed to the security of our customer’s data and provide multiple layersof protection for the personal and financial information you trust to iMEGH

SSH keys are a pair of cryptographic keys that can be used to authenticate to an SSH server as an alternative to password-based logins. A private and public key pair are created prior to authentication.

The private key is kept secret and secure by the user, while the publickey can be shared with anyone

To configure the SSH key authentication, you must place the user’s public key on the server in a special directory. When the user connects to the server, the server will ask for proof that the client has the associated private key.

The SSH client will use the private key torespond in a way that proves ownership of the private key. The server will then let the clientconnect without a password

With SSH, any kind of authentication, including password authentication, is completely encrypted. However, when password-based logins are allowed, malicious users can repeatedly attempt to access the server. With modern computing power, it is possible togain entry to a server by automating these attempts and trying combination after combination until the right password is found.

Setting up SSH key authentication allows you to disable password-based authentication. SSH keys generally have many more bits of data than a password, meaning that there are significantly more possible combinations that an attacker would have to run through. Many SSH key algorithms are considered uncrackable by modern computing hardware simply because they would require too much time to run through possible matches.

A firewall is a piece of software that controls what services are exposed to the network. At iMEGH we use SDN based Firewall, this means blocking or restricting access to everyport except for those that should be publicly available.

On a typical server, a number services may be running by default. These can be categorized into the following groups:

Public services that can be accessed by anyone on the internet, often anonymously. Agood example of this is a web server that might allow access to your site

Private services that should only be accessed by a select group of authorized accounts or fromcertain locations. An example of this may be a database control panel.

Internal services that should be accessible only from within the server itself, without exposingthe service to the outside world. For example,this may be a database that only accepts localconnections.

Firewalls can ensure that access to your software is restricted according to thecategories above. Public services can be left open and available to everyone and private services can be restricted based on different criteria.Internal services can be made completely inaccessible to the outside world. For ports that are not being used, access is blocked entirely in most configurations.

Firewalls are an essential part of any server configuration. Even if your services themselves implement security features or are restricted to the interfaces you’d like them torun on, a firewall serves as an extra layer of protection.

A properly configured firewall will restrict access to everything except the specific services you need to remain open. Exposing only a few pieces of software reduces the attack surface of your server, limiting the components that are vulnerable to exploitation.

Private networks are networks that are only available to certain servers or users. For example, iMEGH’s private networks enable isolated communication between servers in the same account or team within the same region.

A properly configured firewall will restrict access to everything except the specific services you need to remain open. Exposing only a few pieces of software reduces the attack surface of your server, limiting the components that are vulnerable to exploitation.

A VPN, or virtual private network, is a way to create secure connections between remote computers and present the connection as if it were a local private network. This provides a way to configure your services as if they were on a private network and connect remote servers over secure connections.

Utilizing private instead of public networking for internal communication is almost always preferable given the choice between the two.However, since other users within the data center are able to access the same network.

You still must implement additionalmeasures to secure communication between your servers.

Using a VPN is, effectively, a way to map out a private network that only your serverscan see. Communication will be fully private and secure. Other applications can be configuredto pass their traffic over the virtual interface that the VPN software exposes.

This way, only services that are meantto be consumable by clients on the public internet need to be exposedon the public network

Publickey infrastructure, orPKI, refers toa system thatis designedtocreate, manage,and validate certificates for identifying individuals and encrypting communication. SSL or TLScertificates can be used to authenticate different entities to one another.After authentication, they can also be used to establish encrypted communication.

Establishing a certificate authority and managing certificates for your servers allows each entity within your infrastructure to validate the other members identity and encrypt their traffic. This can prevent man-in-the-middle attacks where an attacker imitates a server in your infrastructure to intercept traffic.

Each server can be configured to trust a centralized certificate authority. Afterwards,any certificate that the authority signs can be implicitly trusted. If the applications and protocols you are using to communicate support TLS/SSL encryption, this is a way of encrypting your system without the overhead of a VPN tunnel (which also often uses SSL internally).

Similar to the above service-level auditing, if you are serious about ensuring a secure system, it is very useful to be able to perform file-level audits of your system. This can be doneperiodically by the administrator or as part of an automated processes in an IDS.

These strategies are some of the only ways to be absolutely sure that your filesystemhas not been altered by some user or process. For many reasons, intruders often wish to remain hidden so thatthey can continue toexploitthe server for an extendedperiod oftime.They might replace binaries with compromised versions. Doing an audit of the filesystem willtell you if any of the files have been altered, allowing you to be confident in the integrity of your server environment.

Isolating execution environments refers to any method in which individual components are run within their own dedicated space.

This can mean separating out your discrete application components to their own servers or may refer to configuring your services to operate in chroot environments or containers. The level of isolation depends heavily on your application’s requirements and therealities of your infrastructure.

Up until now, we have discussed some technology that you can implement to improveyour security. However, a big portion of security is analyzing your systems, understanding theavailable attack surfaces, and locking down the components as best as you can.

Service auditing is a process of discovering what services are running on the servers inyour infrastructure. Often, the default operating system is configured to run certain services at boot. Installing additional software can sometimes pull in dependencies that are also auto-started.

Service auditing is a way of knowing what services are running on your system, whichports they are using for communication, and what protocols are accepted. This information can help you configure your firewall settings.