Technical and Organizational Security Measures
IntelePeer provides a cloud-based Communications Platform as a Service environment for a wide range of customer and business needs. Recognizing the importance of information security, we have invested considerable time and effort into ensuring our platform’s security.
This document summarizes various technical and organizational security measures we have implemented to protect our customers’ data from malicious or accidental destruction, alteration, loss, unauthorized access or disclosure.
Physical Access Control
IntelePeer’s production environment is built on industry-leading application, networking, and voice switching platforms with geographically distributed and redundant Tier IV data centers. Those data centers are designed to host mission-critical servers and computer systems, with fully redundant subsystems (cooling, power, network links, storage, etc.) and compartmentalized security zones controlled by biometric access control methods. Our Tier IV data centers comply with various security standards, including ISO 9001:2008, ISO 27001, ISO 14001, ISO 50001, PCI-DSS, FISMA-NIST SP 800-53, GLBA, Monetary Authority of Singapore Act (MAS), HIPAA, SSAE 16, ISAE 3402, SOC 2, and SOC 3, and guarantee protection of physical infrastructure and facilities.
IntelePeer stores all production data in physically secure data centers, including local storage, Amazon, and Google facilities. IntelePeer’s cloud storage vendors, Google Cloud Datastore and Amazon Simple Storage Service (S3/Glacier), are compliant with ISO/IEC 27001:2013, ISO/IEC 27017:2015, ISO/IEC 27018:2014, SOC 2, and SOC 3. In addition, Google Cloud Datastore complies with NIST 800-171.
IntelePeer’s data center facilities are secured 24/7 by guards, interior and exterior video surveillance, alarm systems, security gates, and doors equipped with access card readers or locks. Visitors on a time-sensitive authorized list are provided with escort-controlled access.
System Access Control
IntelePeer data processing systems are designed to ensure that only authorized staff, with a need to know, have access to sensitive customer data.
Only a limited number of authorized personnel have access to the data processing environment via a Virtual Private Network (VPN) endpoint defining specific access scope based on the assigned functional role. Access scope is enforced on multiple levels including VLAN-based isolation at the data link layer. The authentication mechanism employed is based on login/password credentials and, where possible, multi-factor authentication. Our password policy mandates that passwords to access the data processing environment follow composition, minimum length, reuse, and expiration rules.
The granting or modification of access rights follows an established workflow with a mandatory approval from line management. Workflow tools, supported in most of our data processing environments, provide accountability through audit logs that allow us to trace all account actions to the particular user taking action on the account. The time, date, and type of action are recorded for all privileged account actions.
Data Access and Personnel Security
Only properly authorized personnel are allowed to access and manage customer data. Team-wide security roles covering critical tools and applications are applied.
IntelePeer’s onboarding process mandates that domain credentials for each employee are requested by the hiring manager, in a formal, accountable manner. Employment termination, or re-assignment, triggers either revocation or revision of issued credentials.
IntelePeer ensures that personnel are notified of Information Security requirements, as well as personal and corporate consequences of engaging in improper activities. All employees complete annual Information Security training and a Code of Conduct training covering business ethics and professional standards.
IntelePeer supports HTTPS and SMPP over TLSv1.2 as main protocols for authentication and encrypted communication. IntelePeer holds a public 2048-bit encryption certificate covering *.IntelePeer.com for authentication purposes.
IntelePeer supports secure SIP signaling over TLS for protection of the multimedia communication control plane in both inbound and outbound directions. Security, if any, of PSTN-terminated/originated SIP control channel is determined by the individual carrier and cannot be guaranteed by IntelePeer. Media plane encryption via SRTP and SRTCP is supported by IntelePeer, as are IPsec tunnels and secure direct connections.
Network Security and Segmentation
IntelePeer’s data processing environment is separated from the outside world and from the internal development/staging/test environment with firewalls, access control lists, and/or individual user login/password credentials. Fine-grained segmentation inside production, development, and test environments is achieved with the help of private VLANs.
IntelePeer’s data processing environment consists of Linux servers, each protected by a host-based netfilter-type firewall. Applications are grouped by types/categories with little or no platform sharing between applications of different types.
IntelePeer employs a multi-fold vulnerability management strategy which includes proactive updates of 3rd-party applications, code scans to ensure that licensing requirements are met and that potential security risks are identified and mitigated, and external vulnerability scans and penetration tests performed quarterly. IntelePeer keeps up to date with patches/upgrades and updates 3rd-party applications for its Atmosphere CPaaS platform promptly as new versions are released. Identified vulnerabilities are assessed on an individual basis. Emergency patching for threats of imminent danger to systems or data occurs within 24 hours.
IntelePeer’s development process is built on the principle of segregation of duties and employs mandatory reviews and approvals. Each change to a production environment is submitted by Development or Engineering, tested by Quality Assurance, and reviewed by Operations before deployment.
Formal Change Management meetings are held weekly to ensure change activities are properly coordinated and communicated. Non-emergency scheduled maintenance activities are planned and customers are notified at least 30 days in advance. Emergency maintenance activities are reviewed and approved on an as-needed basis.
Web applications and APIs provided by IntelePeer go through a rigid internal and external assessment process.
IntelePeer’s business continuity planning incorporates procedures to sustain critical functions, backup and recover data, and protect company assets.
Single points of failure are eliminated for critical services with a multi-node and multi-channel network design and a load-balancing strategy.
IntelePeer follows a Data Backup Policy which mandates regular backups of the configuration and account data required for continuous service operation, the use of off-site storage, and data restoration tests.
Customer connections include multi-switch and geographic data center redundancy.
Media Protection and End-user Security
IntelePeer recognizes a potential internal attack surface originating from compromised end-user machines used by IntelePeer employees, and to mitigate this threat implements a set of security measures including virus/malware protection with automated updates, centralized domain-based authentication, and secure data erasure upon laptop decommissioning.
IntelePeer utilizes data encryption, both in transit and at rest, for all customer data, except for a few instances where the data is short-lived and secure in our private IP address space.
IntelePeer retains audit logs to track provisioning and configuration changes.
Report a Security Vulnerability
If you believe that you have found an IntelePeer security vulnerability, please contact us at firstname.lastname@example.org for further investigation.