Tupelo Cloud Security - Tupelo Technology Ltd

The Platform

The Tupelo Hosted Virtual Desktop, employs Windows 2016 (Windows 10 Experience) as the Remote Desktop Services platform.

The platform runs in our secure data centres operated by The Bunker at Sandwich Kent with the backup data centre at Newbury Berkshire.

When a user is authenticated by our SSL enabled web interface, a Citrix XenApp session is established presenting the user with a Windows desktop which appears to the user as if he was using a local PC, however the applications and the data are fully contained within the custody of the data centre.

There is no customer data transmitted to their local office PC’s which act as thin clients. The local machines require Internet Explorer, Citrix Receiver and local printer drivers. No other software is required on the local machine.

We recommend the use of thin clients, or thin client software from IGEL Technology. Thin clients provide access to the Remote Desktops and do not run Microsoft Windows Software. Thin clients act as an appliance only, supporting the VDU, Keyboard, Mouse and Network.

Security Model

A layered security system is employed to protect the Hosted Virtual Desktop and client data.

For any exploit to affect the user requires the malicious code to have to pass through all of the security layers. Tupelo have not in the last 4 years of operation received a Virus on the platform.

All communications to and from the data centre are encrypted using authenticated SSL certificates. No data is transferred in plain text. Not forgetting that Citrix does cause actual data to be moved from the data centre, only mouse and keyboard updates are transmitted.

The layers of security we employ are:-

Layer 1: Mimecast secure email gateway

The outer layer of our security system will scan all incoming emails and the attachments checking for known exploits, virus, phishing and ransom exploits. Emails containing malicious code will be deleted silently, whereas emails which fall into the spam category are quarantined and may be request by the users. White lists and black list can be maintained by the users.

Layer 2 : Web Browser lockdown

The web browser is protected from a malicious web sites by not allowing a web site to find or explore personal information related to the user, and will police the usage of Flash, Java and JavaScript. The browser, virtual machines and windows patches are updated weekly to block known exploits.

Layer 3: Intel Security Enterprise

This is the traditional Anti-virus layer, which is operated by Intel Security. This software in not the same as would be installed on PCs. we use the “Enterprise” editions which cause every file used to be checked on demand by a dedicated AV servers to ensure the platform processing is not loaded by the AV scanning process.

Layer 4: Desktop Lockdown

This is the fail-safe layer which blocks any software operation for being able to access the system files or registry. The lock down is the most critical aspect of our security. It is the lockdown which has provided us with a zero exploit and no downtime over the last 4 years. Applications are installed by us and are carefully monitored for vulnerability.

Vigilance

The security model is under constant review and is updated and improved in line with industry best practice. Our clients may become complacent because we have not experienced any virus or crypto locker since we started operations. This does not mean there is 100% certainty when it comes to security so we ask our clients to be always vigilant when browsing, opening attachments or following email hyperlinks.

Local Machines

We recommend the employment of Thin Client Technology in the local office. Our platform will operate with standard Windows 7, 8 and 10 if needed. In which case we would normally employ Microsoft Security Essentials, (MSE), or Kaspersky Antivirus on windows machines.

The local machines can be lightweight in processor and memory since they are not processing any user data. Tupelo have not in the last 4 years of operation received a Virus on the platform. or seen any downtime.

Network

We operate Dell SonicWall security firewalls at the local client site to provide Unified security to the local network, however there is no security risk locally since our platform is the custodian of the users data.

Business Continuity

Where clients have mission critical systems on-site we are able to stage backups to a local store before sending the data off site. The staging server can then be used to quickly reprovision any failed server on-demand. All of the current data is ready to run and users will hardly notice that a server failed. This reduces recovery times following a server failure from several days down to 15 minutes.

Disaster Recovery

Disaster recovery from loss of hardware by the Client’s staff or denial of access to the Client’s premises is assured, as users will be able to log on from home or other internet locations. Resilience to N+1 (i.e. capable of maintaining service after one failure) will be designed in throughout the network.

Cloud Backup

Several times a day (not less than two times) a shadow copy of all file data is accessible by users for the immediate retrieval of recent backups.
Full Backups are taken daily of all file and Email data Daily – 7 day rotation Weekly – 5 week rotation Monthly – 12 month rotation

Recovery Point Objective: 24 Hours
Recovery Time Objective: 24 Hours

LET’S WORK TOGETHER

We work as a single united team with market leading firms around the world and give our clients the highest quality advice possible.

MAKE ENQUIRY