Security is paramount across OrionVM’s business and its cloud platform. This page provides a high-level summary of the security controls in place.
Partners with further questions should contact their account manager. OrionVM staff are happy to assist and comply with your documentation requirements. Security and Privacy documentation packs are available upon request.
OrionVM’s cloud infrastructure, including servers and networking, resides in Tier 3 datacenters in Australia (Sydney, Melbourne), the United States (Santa Clara CA, Ashburn VI), and Canada (Toronto BC). These datacenters mandate stringent security measures, including full registration of parties prior to access, auditable entry logs, and compulsory security and safety training. Data centre operators inform OrionVM of each entry.
OrionVM also enforces additional security procedures. Only senior management and operations staff are registered for access to the data centers and to internal documentation about the location and configuration of hardware. Junior staff or those involved in training are accompanied by authorised staff at all times and are not permitted access to hardware.
All of OrionVM’s hardware racks and cages are physically locked and have multiple levels of access controls. All premises have CCTV recording. Access is only permitted from the street with keycards and visual identification by data centre staff. Access to the cages requires prior registration, keycard and biometric controls, transit through at least one mantrap, and a minimum of four locked doors.
OrionVM mandates that all employees use full drive encryption on their workstations and automatic security updates, and requires multiple redundant VPNs to gain access to core systems. Security training is mandatory.
Under no circumstances do we allow third-party access to any of our facilities.
OrionVM’s cloud architecture and associated services were developed with security in mind. OrionVM’s cloud uses the Xen hypervisor, which has a proven security track record. OrionVM is among fewer than twenty companies globally with access to the Xen project’s embargoed security mailing lists.
All networks are segregated for command and control, storage and customer traffic. These are air-gapped networks running on different switches. For example, storage runs on InfiniBand and customer traffic runs on a secure, encrypted Ethernet network. These networks are not connected to each other, which prevents customer traffic from leaking into internal networks and also secures our command and control channels.
All access to our internal network is performed over certificate-based VPNs with strict access controls and audit logs, and only tier 3 engineering staff have access to this network. All external communications are performed over TLS encrypted connections. Plain text passwords are never stored; OrionVM encrypts and salts all credentials.
OrionVM’s storage platform uses strict access control systems to ensure that each customer’s data is contained within their user account and cannot be mounted by any other user.
As an infrastructure provider, OrionVM allows partners to encrypt their instance storage if they require additional security.
As a company policy, OrionVM does not mount instance partitions in storage devices, even if compelled to by customers for support reasons.
When partners create Linux or FreeBSD instances, root accounts must be protected with a password or a customer SSH key before access is granted. Windows Server instances are provisioned to the point where an Administrative password is requested by the end-user. OrionVM is not privy to these passwords.
As an alternative, our administrative panel allows partners to import public SSH keys into instances using our internal context system upon provisioning.
Our platform segregates networks, customer accounts and instances. That said, unauthorized or illegal access by customers to networks, instances or customer accounts will not be tolerated and will result in account termination. This includes interfering with, or circumventing, security measures.