ServerSuit Security

Your online and mobile safety is our shared responsibility. Learn more about what we do to protect you, then see what you can do to protect your personal information and help shield yourself from account activity you didn't authorize. ServerSuit team perfectly understands what proper security protection means for our clients. In this section we are providing key information about security protection we provide as well as various servers authentication options available for our clients and risk each option involves.

What are ServerSuit security standards and compliance level?

ServerSuit software resides on a set of dedicated servers at OVH data center, in Canada.

The Data Center Provider has received ISO/IEC 27001 certification, SOC 1 Type II and SOC 2 Type II certifications, and maintains high security Data Centers with 24/7 surveillance, redundant power supplies and UPS backup systems among other measures.

More details can be found on provider’s website: https://www.ovh.com/us/about-us/certifications.xml

What client data is stored by ServerSuit

ServerSuit stores SYSTEM account credentials when uses Full Trusted Mode (with or without tokens), custom scripts and templates, your account information (e-mail, address, etc).

We also log and store the following:

  1. login and logout time
  2. duration of each session
  3. time when connect to your servers and disconnect from them.
  4. activity (e.g. scripts executed, software installed, time of backup initiated, configuration changed, etc). Every time an operation is performed from your account we record it and send you e-mail with the summary. This is also part of our effort to prevent unauthorised access and activities.

We do not store:

  1. credit card information
  2. information about other accounts on your servers

How client data is protected?

For better security and data protection ServerSuit Service is going to utilize three -tier approach

  1. "SYSTEM" account credentials are auto generated and never shown to anyone.
  2. All the information pertained to access to managed servers will be encrypted
  3. Encrypted information will be split between several data storage.

Here is a bit more details about particular implementation.

ServerSuit data storage is spread among multiple nodes (Node Servers).
Access to each NS is available only via firewall protected API that limits set of IP addresses from which the servers can be accessed.
The key for reading encrypted data can be obtained only from the one of WAS (Web Application Servers).

After credentials are decoded a SSH connection is created between an NS and a managed server, and scripts that needs to be executed are transferred directly to the managed server.
Once transfer is finished the client is launched using “SYSTEM” account.

While script is running on the client's server, callback is performed periodically to provide information about scripts execution status to a WAS. Callback data contains temporary 256-bit encrypted key identifying the server and executed script as well as process information.   On WAS data is decoded and the execution status on the dashboard is updated. Once it happens the key is destroyed.

Connectivity Protection

All the connections to the managed servers is conducted via SSH, which provides high level of protection.
Callback work via HTTPS which uses a valid 256 bit SSL.

Servers Authentication Options

  1. Full trusted mode.
    This mode assumes that all the credentials of “SYSTEM” account required to access managed server(s) are stored by ServerSuit (details on what we do to protect stored credentials are provided in the section Data and Password Protection). The major advantage of this option is that it enables batch task execution (a task or tasks that can be set up once and then automatically executed against all the servers selected without a need to provide credentials for each server for each session). It will also allow enabling real time monitoring options. Thus, this option provides a significant productivity improvement compared with other options.
    Full trusted mode is the default authentication option. We realize that, for various reasons, some of our clients may find this option is too risky. Continue reading for other available settings.

  2. Full trusted mode with a session token.
    This option will insure that passwords for "SYSTEM" accounts are consisting of two parts: password body (auto generated) and a token (one for all managed servers). Thus the real passwords for servers accounts will be build out of password body and the token. User name/password bodies are stored in our system (like in option #1), while the token needs to be remembered/stored outside of ServerSuit. This option will require a user to enter the token after logging to ServerSuit dashboard and before any connection with managed servers can be made. The token can persist while user is being logged to ServerSuit dashboard, or a user can choose and option that will mandate entering the token before any operation against any managed server. After logging out, managed server’s connections will be dropped, thus this option will allow batch task execution, but will not allow real time monitoring.

  3. Untrusted mode.
    This option will disable storing of password servers credentials within ServerSuit system. User will have to come up with credentials (both user name and password) during registration. Further user will have to enter the password for each server for each session. In order to execute batch tasks, a user will have to connect to each server manually providing credentials. After user logs out of ServerSuit dashboard, all the servers will be disconnected.

To get notified about new Linux server management publications as well as ServerSuit product updates, please provide your e-mail(we will never share your information to anyone).