Security on the Bigstep Metal Cloud

We do big data and we’ve never lost a single byte. The Bigstep Metal Cloud has been purpose-built to provide the isolation and security of on-premises deployments, with the elasticity of the cloud. Clients benefit from dedicated networks and have full control over their cloud environments.

Purpose-Built for Critical Data

Dedicated Infrastructure

Every Compute Instance is a physically isolated, performance-optimized bare metal server. Security risks associated with multi-tenant virtualized environments are completely eliminated.

Root Access & Data Security

After provisioning, root access credentials can be changed, preventing anyone other than the client from accessing client systems. Security procedures such as Active Directory integration or patching can also be applied.

Layer 2 Broadcast Domains

Each client network is physically isolated and switch ports are physically dedicated to individual client accounts. Traffic cannot be intercepted or injected in any way into client controlled networks.

Dedicated Physical Network

You are in complete control of the network, at the physical level. There is no virtual switching involved and no multi-tenancy.

Private Data Encryption

All critical data is encrypted. Cleartext passwords are never stored in the database; only salted password hashes are stored, using a long salt.

RADIUS Authentication

All operations performed on switches are authenticated by RADIUS to prevent unauthorized access.

Communication Encryption

API and orchestration communications are encrypted, signed with timestamps, and secured against replay attacks, identity theft and request forgery.

WAN Traffic Isolation

Public connections also use isolated layer 2 broadcast domains and feature a dedicated gateway, so no interception or unauthorized traffic injection is possible within our network.

Dedicated Subnets

We automatically allocate dedicated public subnets to each client. Clients can also choose any private IP address range defined in RFC 1918 for use within their networks, and extend on-premises subnets into the cloud.

Storage Network

This is a key security area. SAN traffic is isolated in multiple ways:

Secure Routing

Storage traffic is routed only inside the subnet allocated to each instance, preventing access to/from any other device in the network. Corresponding switch ports are used as layer 3 gateways for the SAN traffic, to prevent traffic sniffing.

Traffic Filtering

Layer 3 ACLs are in place to filter traffic and allow only specific storage communication to flow to certain instances in the network. Therefore, each instance can communicate only with its designated storage, never with others.

Port Tagging

Our switches enforce advanced security measures on the storage traffic. This ensures that there is no way for one user to impersonate another.

Data Centers & Physical Security

The site is manned 24/7 by dedicated security teams. Physical security barriers around the perimeter of the site, 24/7 monitored CCTV and card-restricted multi-layer access points also guarantee that data is kept safe at all times.

24/7 on-site dedicated security teams

Multi-layer access control system with man-trap access restriction

24/7 live monitored CCTV

Certifications & Compliance

We are ISO 27001:2013 certified and in the process of becoming PCI DSS certified. We also work with our clients to achieve certifications or to pass internal audits if required.

Complex Security Setups: Firewall & VPN

Firewalls are very client-specific as enterprises have different security standards. For this reason, we deploy and connect to each client’s individual solution to create DMZs and isolated areas.

Typical DC Bridging Architecture

[Diagram: the Bigstep side (Cloud Instance Arrays, VPN Server Instance, Firewall, Bigstep LAN) connected across the WAN/The Internet to the client's on-premises side (Gateway Instance, Firewall, On-Premises Servers, on-premises LAN).]