Infrastructure and network security

ACRONIS CLOUD DATA CENTERS: A PRIMER ON SECURITY, PRIVACY, AND COMPLIANCE www.acronis.com Copyright © 2003-2022 Acronis International GmbH.

Acronis hosts data and cloud products at trusted, geographically distributed data centers in the U.S., U.K., France, Germany, Japan, Singapore, Switzerland, and multiple other locations, as displayed on our website (https://www.acronis.com/data-centers/). Customers can choose the region or data center in which to store their data, making it possible to ensure compliance with regional requirements for data placement, as in the case of GDPR and other local privacy and data protection regulations.

When selecting our data center providers and data center locations, we thoroughly assess providers, taking into account the capabilities of the facility, the current evaluation of the threats (constructional, technical, environmental, political, etc.), and the relative attractiveness and business requirements for the specific region.

To confirm the reliability of data center providers and ensure their capability to maintain the security, availability, confidentiality and integrity of information, our data center providers are audited regularly by respected, independent organizations. The scope of such audits may include the following standards and requirements¹:

• ISO/IEC 27001, ISO/IEC 20000, ISO 9001, ISO 14001, etc.
• SSAE 18 and ISAE 3402
• Industry standards (PCI DSS, HIPAA)

¹ Exact list of certifications and standards may vary for specific data centers. Please request additional information from your account manager or support team.

Acronis demands that data centers employ the highest standards of physical security to restrict unauthorized physical access and protect the safety of customer data. Only authorized personnel have access to the data centers, based on strict access control measures and monitoring by surveillance cameras (CCTV). The level of protection from intruders exceeds anything that small to medium businesses can hope to implement alone.

The electrical power systems in these data centers are designed to provide an uninterrupted power supply to the entire infrastructure 24 hours a day, 7 days a week. The data centers are powered by at least two independent power sources. The use of automatic, uninterruptible power supplies protects against power surges in the case of switching power lines, and provides power support during the switchover to diesel generators.

High availability and redundant infrastructures are designed to minimize associated risks and eliminate single points of failure. Acronis follows the approach of need plus two (N+2) for greater redundancy across all hardware layers of its infrastructure. This ensures that if there is a failure in a hardware-layer component, it does not affect either the Acronis critical infrastructure or Acronis customers. This redundant infrastructure allows Acronis to fulfill most types of preventive and maintenance activities without service interruption.

Scheduled maintenance and changes to the infrastructure are carried out in accordance with the manufacturers’ specifications and internal documented change management procedures. Every piece of equipment is under warranty and all elements of the infrastructure are covered under each respective vendor’s SLA. A dedicated team manages all vendor maintenance contracts, which are subject to annual revision. The team follows a standardized maintenance approach designed to improve infrastructure availability and reduce operating and maintenance costs.

Acronis monitors all official repositories and bulletins for the latest information about new or existing vulnerabilities. Security and critical updates have the highest priority and are rapidly installed. Every update is fully tested before it is implemented.

Acronis employs skilled technology professionals and experts at every level of its infrastructure and actively collaborates with its third-party vendors to resolve issues. Acronis commissions security audits from third parties to verify that all components and configurations are free from security issues. Acronis performs daily scans of critical infrastructure and regularly checks the configuration of all network security components. Acronis reviews the security of new services and the architecture of network interaction with these services before integrating them into the company’s network.

The Acronis network is multilayered and zone based. The managed network equipment separates and isolates internal, external and customers’ environments, and provides routing and filtering of network protocols and packets.

Acronis provides real-time encryption for all data transferred. Acronis utilizes secure data transfer protocols (HTTPS, TLS, SSH, OpenVPN, etc.) with cryptographically strong encryption algorithms, and provides security of cryptographic key exchange (Diffie-Hellman, RSA) to protect the transmitted data and reduce the risks of unauthorized access to the transmitted data and compromised key information.

Acronis continuously monitors the security of its entire IT infrastructure to protect against advanced persistent threats and cyberattacks. Acronis controls and monitors its boundary, DMZ networks, VPN and remote connections, and internal flows. Acronis utilizes automated tools in conjunction with organizational controls to guard against human intervention.

To ensure network security and minimize the risks of external penetration, Acronis uses the most modern web application firewalls (WAF), which include instant protection against SQL injection, cross-site scripting, unauthorized resource access, remote file inclusion, and other open web application security (OWASP) threats.

https://dl.acronis.com/u/rc/White-Paper-Acronis-Cloud-Data-Centers-Privacy-and-Compliance-EN-US-2111012.pdf





