At OrionVM, security is paramount across all levels of our platform stack.
Our entire cloud infrastructure, including servers and networking, reside in Tier 3 datacenters in Sydney, Australia and San Francisco, California, United States. These datacenters require stringent security measures, including full registration of parties prior to access.
We also enforce our own security procedures. Only senior management and operations staff are registered for access to the data centers and internal documentation about the location and configuration of hardware. We perform police background checks on all employees, and mandate a clean criminal record before employment. We’ve also informed datacenter security to contact us for confirmation before giving access to anyone claiming to be an OrionVM employee.
All our racks are locked, and have strict access controls. All premises have CCTV recording, including the datacenters and our corporate offices. Both are protected with biometric scanners and at least two locked doors. We also mandate all employees use full drive encryption on their workstations, use automatic security updates and are routinely audited.
Under no circumstances do we allow third party access to any of our facilities.
Our architecture was developed from the ground up with security in mind. We use the Xen hypervisor with a proven security track record.
We operate segregated networks for command and control, storage and customer traffic. These are air-gapped networks running on different switches. For example, storage runs on InfiniBand and customer traffic runs on a secure, encrypted Ethernet network. These are not connected to prevent customer traffic from leaking into internal networks and also to secure our command and control channels.
All access to our internal network is performed over a certificate based VPN with strict access controls, and only tier 3 engineering staff have access to this network. All external communications are performed over SSL encrypted connections. Plain text passwords are never stored; OrionVM encrypts and salts all credentials.
We have strict access control systems to ensure that all customer data is contained within their user account and isn’t able to be mounted by any other user.
As an infrastructure provider, we allow partners to encrypt their instance storage if they require.
As a company policy, we do not mount instance partitions in storage devices. This means we cannot perform certain management services for customers, but we believe this is the only acceptable position.
When partners create Linux instances, root accounts must be protected with a password before in-band access with SSH can be gained. Windows Server instances are provisioned with temporary, high entropy pseudo-random passwords which Windows requires changing upon first successful login. In both these cases, we are either never privy or cannot know the passwords used by partners or customers.
As an alternative, our administrative panel allows partners to import public SSH keys into instances using our internal context system upon provisioning. This ensures customers never have to submit passwords to us.
Our platform segregates networks, customer accounts and instances. That said, customers attempting unauthorized or illegal access to networks, instances or customer accounts will not be tolerated and will result in account termination. This includes interfering with, or circumventing, security measures.