Details of
Janus Group Security System
The Janus Group has taken extensive
measures to ensure maximum security and data integrity of the sensitive
or confidential information that resides on our server. Our server is on
a Windows 2003 platform and uses Microsoft's web server software.
Through the close integration of Internet Information Server and Windows
2003, Janus Group is able to provide the highest level of security for our
clients.
Microsoft Windows 2003 Server offers the
most robust security model of any server operating system on the market
today. It is the only server operating system that provides U.S.
Government C2-level security at the desktop and server level.
"C2-level" security is a designation in a computer security
system developed by the U.S. Department of Defense, the final
specifications of which has been in effect for over 10 years.
Standard Security
Criteria
Trusted Computer Standards Evaluation
Criteria (TCSEC), or the "Orange Book", lays out the
requirements for security at various levels according to parameters such
as the ability of a system to be audited, to control access, and to
authenticate users. The Orange Book applies to stand-alone machines and
operating systems. More than 20 subsequent books in this Rainbow Series
have interpreted tile criteria for other system components. The Red Book
interprets the criteria for network components, the Lavender Book for
databases.
Security categories are D (minimal protection) B (mandatory protection),
C (discretionary protection-the highest level of security that a
non-governmental institution can reach.), and A (verified protection).
C2, or controlled access protection, is the lowest that offers viable
security. For C2 certification, a system must:
- Have good documentation at both the
user and administration level and have documentation on security
testing
- Authenticate all users as unique
individuals
- Not allow objects to he reused or
recovered once deleted
- Let systems administrators audit all
security events and the actions of individual users
- Protect all objects and processes from
all others
The National Computer Security Center (NCSC) developed the criteria for
military computer systems, and systems used for many federal government
projects must also have C2 certification. But today, the broader
computer industry is using the Orange Book criteria.
Windows 2003 Server is a
C2-level Secure Operating System.
On the Windows 2003 server, Janus Group's
clients are protected by:
- File level access control. This allows
the owner of a resource (such as a tile) to control access to the
resource
- Extensive auditing, allowing Janus
Group's system administrators to audit security-related events and
the actions of individual users.
- Protection against object reuse so
that data stored in memory for one process is not accessible to
other processes. This protection also extends to the disk, monitor,
keyboard, mouse, and any other device.
- User identification and authentication
requiring each user to uniquely identify him/herself. The system
uses this unique identification to track and audit the activities of
the user.
- The ability to identify and
authenticate legitimate users (for example, subscribers) in order to
provide them with access to information, content, and services,
while denying service to impersonators.
- Security system with a fine-grained
access control that will allow legitimate users access to resources,
while protecting sensitive resources from hackers and unauthorized
users.
- Ensure that Janus Group's clients can
set up private and tamperproof communications channels over the
Internet for commerce and sensitive business-to-business
transactions using SSI (secure sockets layer).
Windows 2003-based
Internet Server Security
Building on a solid foundation, Janus
Group's web server is the fully integrated Microsoft Internet
Information Server (IES). IES operates as a service of Windows 2003 Server
and inherits the strong security provided by the Windows 2003 platform. It
has the depth and breadth of security features required by the most
demanding Internet site.
IIS security is fully integrated with Windows 2003 security. This gives it
a number of advantages including the ability to:
- Take full advantage of the strong,
secure underpinnings of the US Government C2 and ITSEC FC2-rated
Windows 2003 security.
- Eliminate possibilities for security
weaknesses and holes by not adding additional redundant security
layers. This sets the Windows 2003 Internet server apart from other
operating systems and Web servers that have multiple security layers
and thereby increases their complexity and possibility for security
holes.
- Better performance by eliminating
unnecessary overheads of additional security and access control
layers.
Janus Group utilizes Microsoft's feature of access control by
permissions on Internet Information Server services to provide even more
security for your information.
Windows 2003 provides a secure file system (NTFS) that allows
administrators to restrict access and sex fine-grain permissions (read,
write, or execute) on individual files and directories. This gives the
administrator a great deal of flexibility and control on who can access
which resources. Internet Information Server allows our administrator to
set read-only or execute-only permissions on the virtual directories For
every request, IIS examines the URL and type of request and ensures that
the permissions set on the virtual directory or virtual root are honored
This will ensure that users cannot read files with execute-only
permission or execute tiles with read-only permissions
Internet Server Fault
Tolerance, Backup, and UPS
Janus Group's fault tolerant system
duplicates all data to a separate hard disk on our server as the data is
being written on the main hard disk. This protects all data on the
server from a hard disk failure. If one hard drive fails, Janus Group
will be back on-line within minutes with no data loss. Janus Group also
uses frequent backups to protect the integrity of the data stored on our
system. In the unlikely event of a complete power outage Janus Group's
server is protected by a uninterrupted power supply that protects our
server from power surges and power outages.
Confidential and
Tamperproof Communication
Secure Sockets Layer (SSL)3 is an
industry-standard protocol that allows clients and servers to Set LIP I
secure communications channel This secure communications channel
encrypts and fingerprints the data, ensuring message privacy end
integrity. Further, it also allows servers and clients to mutually
authenticate each other. Internet Information Server supports industry
standard SSL 3 with client authentication and is fully interoperable
with products from other vendors. IIS uses very strong and secure
128-bit encryption for the North American version and 40-bit encryption
for the international version (to comply with the U.S. Government
restriction on Crypto export).
Secure Electronic
Commerce
Janus Group is able to provide secure
private communication sessions for our clients and site visitors by
using VeriSign's Server Digital IDs. Digital certificates such as
VeriSign are considered the standard for server authentication Over
16,000 commercial sites are using VeriSign Server Digital IDs to create
secure communication channels with customers.
Janus Group uses digital certificates to
give its customers the assurance that the personal information they
submit in an insurance claim credit card transaction, or a Human
Resource form cannot be read by anyone else.
This is possible because exchange on information between the client and
the server is performed using SSL. Secure Socket Layer negotiates and
employs the essential functions of mutual authentication, and data
integrity for secure transactions. When a connection is established
between a client and a secure server, the client software automatically
verifies the server by checking the validity of the server's Digital ID.
The key pair associated with the server's Digital ID is then used to
encrypt and verify a session key that is passed between the client and
server. This session key is then used to encrypt the session. A
different session key is used for each client-server connection, and the
session key automatically expires in 24 hours. Even if a session key is
intercepted and decrypted (highly unlikely), it cannot be used to
eavesdrop on subsequent sessions.
Top of Section
|