
How To Use This Tool:

To find answers to common RFP and RFI questions, select a tag, or search for terms like "security", "performance", etc. You will find common questions and answers grouped together in one record. Follow the tag links to refine your search. Supporting downloads and documentation are available below.

Please login to obtain download access to additional supporting documentation. Registered users can also contribute to the database. You can request access by Contacting Us.

© Omegabit LLC, 2023


Data Architecture in Shared Hosting Environment

Q:

What type of data architecture is implemented?

How is data security managed in the shared environment? What controls are in place?

If the environment is shared, how are the data segregated from other shared environments?

Will our solution be hosted in a dedicated or shared environment?

For any hosted offerings, would the client use your product on a dedicated or shared environment? Is there an option to choose?


A:

Omegabit directly operates a private VMware-based cloud infrastructure that is purpose-built for secure Liferay operations. Omegabit directly owns and manages all computing layers, including edge routers and firewalls, servers, storage, and interconnecting equipment at each physical hosting location, and relies on Digital West and its facilities providers for secure physical plant operations, redundant power, cooling, redundant private cross-POP interconnects, and Internet connectivity.

All environments are provisioned within a firewall-protected private VLAN that is exclusive to each customer's specific purpose. Only public-facing services are exposed through the firewall. Customers may access and control only the applications and data located within their respective private cloud.

Common SAN storage is utilized at the abstracted VMware layer and is completely isolated from customer access. Encryption at rest is available.

All customer facing virtual machines, storage, access and network paths are exclusive to the use of that specific customer.

Omegabit uses industry-leading VMware-based storage and virtualization technology combined with enterprise-class servers, storage, and network infrastructure to provide Liferay-optimized host environments. All servers and virtual host environments are fully patched and protected against Meltdown/Spectre and similar virtualization exploits. Omegabit also operates 100% AMD chipset-based server infrastructure, which is inherently more secure.

For a comprehensive explanation of VMware-based infrastructure please see:

http://www.vmware.com/pdf/vi_architecture_wp.pdf

The proposed solution is based upon standard Liferay reference architecture optimized for the stated use case and cost efficiency. 

 

Omegabit is able to supply an always-on VPN connection that can support secure back-channel links to core infrastructure (e.g. system of record, SSO or directory services, e-commerce transaction processing) over a dedicated BOVPN link.

Omegabit is also able to support special security rules and configurations at the Firewall and Apache rules layers, which can be used to enforce specific client/destination restrictions (as a complement to Liferay logic).

Please see the supplied addendum "Third Party Privacy-Security Questionnaire" for a detailed explanation of Omegabit security features, controls, and options.

Data is segregated at the virtual machine disk image level. All control is limited exclusively to Omegabit authorized administrative personnel.

From the CLIENT perspective, all environments are dedicated to its sole purpose. We operate a secure, private cloud infrastructure that runs on top of large-scale enterprise-class servers and high-performance SAN storage, which are clustered and shared collectively across our tenant installations using VMware technology. This provides more flexibility, scalability, and performance-on-demand compared to dedicated physical hardware and is preferred for these reasons.

All resource reservations are guaranteed. Omegabit follows strict environment isolation, discrete configuration, and data management practices to ensure separation between hosted environments, and is PCI-I, HIPAA/FERPA, and FedRAMP compatible.

 

We are able to accommodate private dedicated host infrastructure but do recommend leveraging our secure, already redundant, and Liferay-optimized cloud infrastructure for the best balance of cost, performance, resilience and manageability.  

We build to suit and are happy to accommodate any special requirement in this regard. However, building a similarly capable dedicated infrastructure specific to Babson may have a substantial impact on cost.




Data Encryption

Q:

How is the primary data encrypted?

Do you employ cryptographic mechanisms to protect the confidentiality and integrity of information at rest or in storage?

Do you have a process in place to establish and manage cryptographic keys?


A:

Data encryption is supported as a special requirement in the runtime. All backup and archive storage is encrypted. Typically, it is most practical and efficient to consider satisfying any encryption requirements inside Liferay at the metadata storage level during the application design phase. However, Omegabit is able to accommodate bulk file-system level storage encryption in the runtime on a needs basis.

 

This is documented in Omegabit Internal Operations Wiki.




Data Purge, Purging & GDPR

Q:

What is the retention period of the data in the application? Can it be configured for a longer or shorter period?

How will data be returned or disposed of, and how will vendor confirm data has been disposed of properly and confidentiality of data protected?


A:

This is dependent on Kindred's specific implementation of the Liferay portal.  Liferay can be configured to expire content, and has indicated it is working to implement purging capabilities for GDPR compliance.  APIs are also available to actuate purging functions. 

Omegabit is able to advise on best practices relating to the design and implementation, and can also support maintenance and data pruning as an optional Professional Service.

 

All electronic data is returned/made available for retrieval by the Client until fully acquired and verified.

All data managed by Omegabit is assumed to be confidential in nature. All physical manifestations of Client data are destroyed and cataloged where applicable using PII and HIPAA compliant shredding methods.

Terms of data protection, retention, and destruction are enforced per SLA and Customer Compliance Policy Agreements.




Device Authentication

Q:

Do you uniquely identify and authenticate devices before establishing a connection?


A:

N/A; trust relationships are typically configured at the application layer and are specific to design and implementation of the customer portal. Digital signatures are typically employed for validation.




Disaster Recovery

Q:

Is there a plan for Incident Response?

Do you have a Disaster Recovery Document?

Do you have policy and procedures which document your business continuity (BC) and disaster recovery (DR)?

Do you have BC/DR plans that assure the continuity of service and products provided to meet client's RTO and/or RPO?

Are roles and responsibilities documented in the contingency plans?

Do you conduct business impact analysis at least annually?

Do you provide contingency training to your staffs according to assigned roles and responsibilities at least annually?

Have you conducted BC/DR tests/exercises on this system with all appropriate parties in the last 12 months and revise the plans to address changes and problems encountered during implementation and testing?

Is the system included in your organization's business continuity and disaster recovery (BC/DR) plan?


What type of business continuity and disaster recovery options are included as part of this solution? Is this part of the standard services?

How are the backup data stored?


A:

This is documented in Omegabit Internal Operations Wiki.

This is documented in Omegabit Disaster Recovery Handbook, Section 1.1 to 1.4 and Section 2.3

ref: Omegabit Disaster Recovery Plan TOC

Yes. Per agreed upon SLA. 

Yes. ref: Omegabit Disaster Recovery Plan TOC

Yes. ref: Omegabit Disaster Recovery Plan TOC

Yes. ref: Omegabit Disaster Recovery Plan TOC, Omegabit Operations Portal, and Training curriculums

Yes. The DR plan was recently exercised and updated in Q2 of 2017. A certified statement can be provided by executive management certifying this, provided the vetting proceeds to the next round.

ref: Omegabit Disaster Recovery Plan TOC

In the event that a high-availability portal configuration is required, redundant nodes of the HA configuration will be purposefully isolated to discrete server and backend infrastructure as a complement to that logical HA configuration, to the benefit of higher reliability and faster recovery under various logical/physical architecture failure scenarios.

Omegabit operates comprehensive SNMP and service-level monitoring of all configured hosts and services. Triggers are adjustable and set by default to detect failures as well as symptoms of imminent failure. Monitor alerts are responded to by live personnel, 24x7x365, and acted upon according to severity, per the terms of our SLA.

The core physical host infrastructure is inherently HA in terms of disk arrays, storage and network paths, physical servers, switching, etc. Omegabit operates a modern VMware-based infrastructure. In the case of most physical failures, services are designed to continue transparently with no observable interruption to operations. In the case of logical failures, the VM, JVM, and Liferay backend service configuration is proposed as an HA setup, to practical limits. If a higher level of resilience is required than is proposed, we are able to accommodate that as additional scope. Disaster Recovery (DR) is an inherent component of the regular day-to-day operations performed by Omegabit, as a core function of the hosting operations supplied to all tenants.

Omegabit offers multiple redundant layers of protection including but not limited to:

● Logical and physical redundancy at the VMWare, JVM, repository and other critical layers of the runtime environment stack

● Warm-spare redundant Liferay architecture (proposed)

● Server failover capability

● Rapid nearline backup recovery

● Comprehensive off-site DR for catastrophic failure

Backup snapshots of the entire VM stack are taken every 2 hours, and off-site archives of those backups are replicated continuously to a second physical location. Retention is 48 hours for the 2-hour snapshots, 30 days for daily snapshots, and 16 weeks for weekly snapshots. We can accommodate longer retention if necessary. Some of these retention policies affect RPO.

For PCI, you may want logs to be retained for up to 1 year; that can be accomplished through application design or by relying on our backups. We recommend using both strategies, depending on your reporting needs.

Backups should be considered for disaster recovery purposes only. Our retention policy is variable and based upon data volume. Depending upon the environment, rollbacks to the previous day, several days, or several weeks are available, but with only sporadic snapshots between those periods. Therefore, a specific point-in-time recovery may not be possible. We are typically able to restore backward up to several weeks, depending upon the total size of your store.
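To make the recovery-point consequences of the schedule above concrete, the following Python script is an added illustration written for this page (it is not Omegabit's tooling). It models the stated tiers (2-hour snapshots kept 48 hours, dailies kept 30 days, weeklies kept 16 weeks) as grandfather-father-son pruning over a constructed snapshot history and computes the worst-case data loss for any requested restore point, not just the three windows the text names. The reference time, the midnight and Monday-midnight anchors, and the 18-week history are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed reference time: Monday 2023-06-05 00:00, chosen so that daily
# and weekly anchors line up and the arithmetic below is reproducible.
NOW = datetime(2023, 6, 5, 0, 0)
SNAPSHOT_CADENCE = timedelta(hours=2)

# Retention tiers as stated on the page. A tier keeps a snapshot if it is no
# older than the window AND the anchor predicate selects it. The anchors
# (midnight for dailies, Monday midnight for weeklies) are assumptions.
TIERS = [
    ("2-hourly", timedelta(hours=48), lambda ts: True),
    ("daily", timedelta(days=30), lambda ts: ts.hour == 0),
    ("weekly", timedelta(weeks=16), lambda ts: ts.hour == 0 and ts.weekday() == 0),
]


def generate_snapshots(now, cadence=SNAPSHOT_CADENCE, horizon=timedelta(weeks=18)):
    """Constructed history: one snapshot every `cadence`, going back `horizon`."""
    snaps = []
    ts = now
    while now - ts <= horizon:
        snaps.append(ts)
        ts -= cadence
    return snaps


def retained(now, snapshots, tiers=TIERS):
    """Grandfather-father-son pruning: a snapshot survives if any tier keeps it."""
    return sorted(
        ts for ts in snapshots
        if any(now - ts <= window and keep(ts) for _, window, keep in tiers)
    )


def retention_summary(now, snapshots, tiers=TIERS):
    """Count surviving snapshots per tier, crediting each to the finest tier
    whose window still covers it."""
    counts = {label: 0 for label, _, _ in tiers}
    for ts in retained(now, snapshots, tiers):
        for label, window, _ in tiers:
            if now - ts <= window:
                counts[label] += 1
                break
    return counts


def restore_point(now, snapshots, target):
    """Latest surviving snapshot at or before `target`, or None when the
    target lies beyond the retention horizon (no restore point exists)."""
    candidates = [ts for ts in retained(now, snapshots) if ts <= target]
    return max(candidates) if candidates else None


def data_loss(now, snapshots, target):
    """Effective RPO for a restore to `target`: the gap between the desired
    point in time and the nearest surviving snapshot before it."""
    rp = restore_point(now, snapshots, target)
    return None if rp is None else target - rp


def data_loss_hours(now, snapshots, age_hours):
    """Convenience wrapper: data loss in hours for a restore point `age_hours` ago."""
    loss = data_loss(now, snapshots, now - timedelta(hours=age_hours))
    return None if loss is None else loss.total_seconds() / 3600


if __name__ == "__main__":
    snaps = generate_snapshots(NOW)
    print("snapshots taken:", len(snaps), "retained:", len(retained(NOW, snaps)))
    print("per tier:", retention_summary(NOW, snaps))
    for age_hours in (11, 253, 60 * 24, 20 * 7 * 24):
        print(f"restore to {age_hours}h ago -> data loss (hours):",
              data_loss_hours(NOW, snaps, age_hours))
```

Running it shows the shape of the policy: a restore target inside the 48-hour window loses at most 2 hours of data, inside 30 days at most a day, inside 16 weeks at most a week, and anything older has no restore point at all, which is the "specific point-in-time recovery may not be possible" caveat made concrete. Swapping in a different tier table is all that is needed to evaluate a longer retention arrangement against an RPO target.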

 

Omegabit can provide additional backup and archival services to meet specific requirements on a needs basis.  Please contact your sales representative for more information.

 

Omegabit features a comprehensive alternate-site DR recovery plan that includes regular off-site archives using Omegabit owned and managed equipment.  Backup to the public cloud (e.g. Amazon), is optional but requires special arrangement and may not be compatible with some PII/HIPAA requirements.  Specific features for disaster recovery vary by tier of service; please see the SOW for complete details on RTO/RPO times and obligations.

 




DOS - Denial of service

Q:

Do you have the ability to limit the effects of denial of service attacks? If yes, explain the methodology used.


A:

We operate active firewalls capable of thwarting common DoS attacks and are also able to work with upstream carrier providers on more widespread attacks. We are susceptible to the same limitations as any hosting provider. Clients can mitigate this in some cases by adding infrastructure in the form of regional site redundancy, clustering, round-robin DNS, third-party CDN services, and similar strategies. Liferay and Omegabit are expertly equipped to help evaluate and apply these strategies to the custom environment configuration, where adopted.




Event and Incident Response

Q:

Is there a plan for Incident Response?

Do you employ an automated mechanism to integrate audit review, analysis, and reporting process to support incident response, continuous monitoring, contingency planning, and audit?


A:

This is documented in Omegabit Disaster Recovery Handbook, Section 1.1 to 1.4 and Section 2.3. ref: Omegabit Disaster Recovery Plan TOC

We consider any intrusion to be a "Severity I" class event, which per our SLA requires a response time of <2hrs. In reality, our 24x7 operations staff will respond to any Severity I event the instant it is detected. I've attached a boiler-plate/generic copy of our SLA and am happy to produce a named/completed version for a given stack if of benefit (this one calls out "sticker" and a la carte pricing and is OK to share as-is).


In the event of any detected incident, including a known breach or ongoing security intrusion, performance degradation, major change in performance profile, etc., notice is provided to the customer as soon as practical, typically within minutes, provided we are not actively triaging and responding to the emergency. We consider the ownership of security-related issues to be a joint responsibility with the application sponsor, because in many cases the risk may be specific to the customer's implementation of the portal, and we must be in communication with the owner to permanently resolve the issue, if not to triage and block it temporarily. A 24hr point of contact with the customer is preferred for emergency incident notification, which can include email and telephone contact depending on severity and customer preference.

 

Yes, for specific audit log event analysis we use a combination of tools including but not limited to Splunk and Dynatrace SaaS; additional software subscription and fees apply for a dedicated implementation of reporting facilities for Client use and self-reporting.




Event Monitoring

Q:

Do you have event monitoring tools or security information and event management (SIEM) technologies that provide real time analysis of alerts and/or notifications generated by systems?


A:

Multiple options are available as a special feature enhancement to your host infrastructure. Please contact your Omegabit Sales representative for more information.




Facilities - Alternate Site

Q:

Are there alternate processing and/or storage sites that can sustain operational continuity in case of an outage of the primary site?

Do the alternate processing and/or storage sites provide information security measures equivalent to the primary site?

Are alternate processing and/or storage sites separate from their primary site so they are not susceptible to the same hazards?

Have you identified potential accessibility problems to the alternate processing and/or storage site in the event of an area-wide disruption or disaster and outlined explicit mitigation actions?

Do you ensure equipment and supplies required to resume operations are available at the alternate site or contracts are in place to support delivery to the site in time?


A:

Full SOC-2 compliance is available from all primary and alternate colocation facilities (additional "generic" certifications for PCI and HIPAA compliance are also available, but are not technically relevant to custom application hosting due to software control and design; that certification must be obtained specific to the Client's implementation). A formal report for our primary facility is included in the submission bundle. See also for secondary locations: http://www.coresite.com/data-centers/data-center-design/compliance and http://www.equinix.com/services/data-centers-colocation/standards-compliance/#/ (@ San Jose/SV1)

Yes

Yes

Yes

Yes




Fault Tolerance

Q:

Describe how system/application redundancy and data mirroring are performed and where.


A:

All layers of the infrastructure are fully redundant and fault tolerant, as is typical of any cloud infrastructure, including but not limited to: power, cooling, Internet connectivity, operational connectivity, physical servers, switches, network paths, virtualization containers, and virtual machines. Optionally, Clients may elect for a clustered and/or high-availability configuration, which can provide additional runtime failure protection, "hot" fault protection for SPOFs in the application software infrastructure, and the ability to perform rotating outages without impact to production operations.

 

Most failure scenarios are handled automatically and may be transparent, or may necessitate a restart of the affected service.

 

If a physical server fails, the vhost will automatically restart on another server and automatically rejoin service (minutes, typically).  




Firewall

Q:

Do you have/use a firewall?


A:

This is documented in Omegabit Internal Operations Wiki. Omegabit operates advanced active firewalls from Cisco and WatchGuard, which feature active intrusion detection and prevention, Layer 7 inspection, DLP, zero-day, and other live-updated countermeasures. These features are on by default where appropriate, and advanced features like DLP and zero-day protection may be enabled on request. Firewall configurations are tuned specifically for each customer. Private BOVPN tunnel links to Client infrastructure are also available.




Hosting Architecture Diagram - Infrastructure

Q:

Please provide the architecture diagrams for all layers of your solution:

● Business Layer

● Application Layer

● Integration Layer

● Data Layer

● Virtualization Layer

● Infrastructure Layer


A:

Omegabit provides an infrastructure that is typical of the Liferay Reference Architecture.  High Availability and Fault Tolerant features will vary by SLA.




Hosting Compliance - Omegabit

Q:

Is the proposed solution PCI and HIPAA compliant?

Is the hosting facility SAS 70 II compliant?

How often is this compliance audited? Please provide date and results from most recent audit.


A:

Omegabit facilities are SOC-2 audited and compliant (see attached certification statement). This addresses the standards and controls that are needed and typical of a HIPAA, FERPA, or PCI-I compliant implementation. Our NOC has also been PCI-I certified for other tenants that have elected for an independent audit. However, promising compliance with HIPAA, FERPA, or PCI typically requires that an independent audit be applied throughout the logical application layer, including your specific Liferay implementation. Our standard compliance is usually sufficient for these applications, but assumes that the application owner/sponsor (you) takes responsibility for the compliance that must occur at the OS and application layers, which you control. Omegabit hosts a number of healthcare-related sites that are customer self-certified as HIPAA compliant based on this rationale and their own security practices. (Caution: any provider that tells you that you get HIPAA compliance out-of-the-box is skirting the issue.)

Omegabit does and will advise on these best practices, and is happy to participate and support an ongoing standards audit for any of these levels of compliance by a third party entity.

Costs for actual HIPAA/FERPA or PCI-I type certification specific for a given Customer implementation typically run $40K-$65K/year to perform an annual audit and maintain the necessary standards and compliance procedures and documentation required to satisfy future audits.

Omegabit facilities are SOC-2 compliant; this is considered the modern and more scrupulous replacement for SAS 70 compliance in industry. The SOC-2 compliance audit is performed every 18-24 months.  




Hosting Monitoring and Alerting - Omegabit

Q:

What type of monitoring and alerting do you provide?


A:

Omegabit's primary support role is to ensure a stable and reliable environment, to monitor for signs of trouble and to provide assistance with issues like plugin deploys and configuration adjustments.

Omegabit monitors for and responds to outages 24x7x365 with a response time of 4hrs or less. The infrastructure is highly redundant to help protect against unplanned outages at the physical layer, and we will work with you to ensure a similarly stable logical configuration to the best of our abilities. We do not assume responsibility for outages due to customizations or modifications to the system; for example, if a custom plugin causes breakage to the portal, our recommendation will be to uninstall the plugin.

If a higher level of resilience is required, a clustered configuration is recommended instead. Contact your Omegabit representative for more information.

A robust pre-release testing strategy using an independent Liferay environment is always recommended prior to deploying customizations to production.

Email support is responded to 10am-6pm PST, except holidays, and non-critical support requests can take up to 48hrs, but are typically responded to on the same-day.

 




Hosting Pricing and Contract - Omegabit

Q:

What is your Pricing and Contract?

What is the minimum contract period? Are there any discounts for long-term contract? Is there an option to exit during the contract, and if so, what are the terms and conditions, penalties?


A:

Actual size and licensing costs may vary according to details of the implementation that will be refined with the cooperation of the implementation team and Omegabit project team during the design phase of the engagement, under the direction of the client.

Omegabit services are incremental (e.g. changes to RAM, CPU, bandwidth, etc.), and month-to-month.  Omegabit will honor fixed pricing and in some cases may be able to extend discounts for longer-term obligations, and is also able to support multi-year term commitments.  The proposed costs are framed as annual costs, but can be pro-rated.  Omegabit also supports monthly and annual pre-paid billing with rollover support for unused resources.


