Page 1: Security at a Glance - Private, Public, and Hybrid Cloud ... Security at a Glance > Intel Trusted Execution Technology (TXT): Virtustream xStream software supports Intel TXT, which

www.virtustream.com

Virtustream provides enterprise-class cloud solutions for private, virtual private, public and hybrid clouds — available as xStream™ cloud software, xStream private cloud appliances or as a Virtustream cloud service (IaaS – Infrastructure as a service). Virtustream’s cloud solutions use Virtustream® μVM™ technology, delivering enterprise security, compliance, advanced multi-tenant cloud efficiency and performance SLAs for all mission-critical and production applications—both legacy and web-scale. In the 2013 "Critical Capabilities for Public Cloud Infrastructure as a Service" published by Gartner, Virtustream received the highest rating on security (5 out of a possible 5) of the 15 leading cloud providers included in the report.

Virtustream’s cloud solutions are designed to meet the exacting requirements of complex enterprise, government, and service provider customers. xStream provides a wide range of innovative and unique features to help businesses automate and meet these requirements. In each area of security and compliance the Virtustream cloud solutions, both cloud IaaS services and xStream software, follow the core tenets of cloud security:

> Trust
> Visibility
> Control
> Compliance
> Defense in Depth

Trust

Trust is the cornerstone of any security strategy. This is critical for cloud-based systems, where clients depend on systems, operations and personnel provided by their IaaS provider. Myriad challenges and risks must be understood and mitigated. Distributed users, systems and software must be able to validate identity, track and log access to ensure the integrity of the environment. xStream employs industry-leading innovations and compensating controls such as Intel TXT, two factor authentication with One Time Password, and encryption throughout the system to enable secure cloud computing environments.

> Two-Factor Authentication: xStream utilizes strong two-factor authentication for users accessing its management portal, requiring a one-time password generated via a software-based token running on iOS, Android, BlackBerry or desktop operating systems or a dedicated hardware token.

> Encryption: High efficiency encryption technologies are deployed to protect the entire data lifecycle and are utilized throughout the Virtustream cloud environment to secure: data at rest including the entire virtual machine and its related data storage, transactional databases, data in archive, data in motion, and the authentication of the various components of the xStream cloud stack. We can also maintain encryption and policies as data is moved and replicated. We support a wide variety of integrated key management options from sole responsibility to any flavor of shared responsibility.

Security at a Glance


> Intel Trusted Execution Technology (TXT): Virtustream xStream software supports Intel TXT, which protects critical system integrity and software from emerging threats such as hypervisor attacks, BIOS and firmware attacks, malicious root kit installations, or other software exploits by monitoring host machines.

Visibility

Visibility into the state of your cloud computing environment is foundational to security. xStream ensures full visibility into the entire cloud stack—from the network layer up through the organization’s overall security and compliance posture, resource consumption, Disaster Recovery status, archive information, ticketing—all via an integrated management interface.

> Single Pane of Glass Management Console: xStream simplifies management and governance by centralizing all visibility, control and compliance aspects of xStream via an integrated management portal.

> Auditing: xStream logs relevant auditable events to ensure that everything that happens within the cloud is traceable. Details of what we do on your behalf are all logged. We can share that log feed directly with clients requiring raw logs.

> Alerting: xStream’s alerting engine allows administrators to set alerts and alarms on a wide variety of system, security, SLA, and consumption threshold events.

> Security Information and Event Management (SIEM): xStream’s SIEM module offers advanced log management, event correlation, alarms, alerts, reports and comprehensive security dashboards.

> Monitoring: Continuous Monitoring tracks changes to the system asset components and situational awareness data from monitored assets, and also enables port and protocol analysis using vulnerability analysis tools.

Control

With trust and visibility established, a healthy security plan puts controls in place to enforce enterprise policy. xStream offers several features to enact enterprise security controls, including role-based authorization, network controls and advanced multi-tenancy and cloud federation features.

> Role-Based Access: xStream management is protected by role-based access with controls capable of providing granular authorization, based on user-defined roles, enabling least privilege access.

> Virtual Firewall/IPS: xStream’s full-featured, VMsafe-certified virtual firewall/IPS technology can be enabled to provide protection within the customer's VLAN and supplements our perimeter firewalls and security controls with additional protection and granular access control.

> Multi-tenancy: xStream provides robust multi-tenancy controls that enable complete segregation of customer data and organizational units.

> Elastic Security Zones: xStream’s Elastic Security Zones feature provides advanced technology for enabling secure federated clouds utilizing TXT and Geographic/Location-based policy that is continuously enforced, and maintained during migration and provisioning events.

Compliance

A key requirement for enterprise, government, and service provider clients is to maintain compliance with a variety of laws, regulations, and mandates. Virtustream’s xStream Software is architected and developed to satisfy the highest security and compliance standards in a highly transparent manner.


The xStream governance, risk, and compliance (xGRC) module enables an enterprise to attain and maintain the following:

> Compliance Frameworks: We support 3rd party audits and can report on the following frameworks: SSAE16/SOC2, ISAE3402, PCI-DSS 2.0, FISMA, FedRAMP, CSA, ODCA, ISO 27001-2005, ISO 9001-2008, HIPAA/HITECH, NIST 800-37, NIST SP 800-53, DODI 8500.2 and other certifications and compliance frameworks when coupled with appropriate customer-provided operational and management controls.

> Continuous Audit: xStream’s SIEM and GRC tools analyze a massive amount of incoming security data to display an organization’s real-time security and compliance posture via an easy-to-use dashboard and an extensive suite of pre-built reports.

> Reporting: xStream enables the creation of the audit, compliance, C&A/A&A and continuous monitoring artifacts such as the System Security Plan (SSP), Security Assessment Report (SAR)/Security Test and Evaluation (ST&E) documents and other artifacts using built-in customizable templates. Our toolset supports NIST 800-37 specified implementation of multiple ‘Common Control’ profiles and supports full inheritance capability for audit results. Enterprises are able to create multiple Common Control profiles (CCPs) and import their data into the C&A/A&A packages for further customization.

Defense in Depth

Complex enterprise, service provider, and government IT environments need a strategic approach to delivering defense-in-depth. By designing architectures and software solutions that include multiple layers of defense, the risks of penetration and loss can be reduced. Through a separation of layers, similar types of data and applications can be ‘quarantined’ in areas relevant to their business use. Virtustream’s secure cloud environment is built around best practices using a defense-in-depth model with the following security methodologies and practices:

> Complete documentation sets of all security related practices are maintained and available
> Strong multi-factor authentication of all Virtustream system users and administrators
> Role based access controls (enabling least privilege operations and access management)
> Virtustream cloud solution is segregated into physical zones based on level of trust associated with intended purpose: Management, Public DMZ, Core, Cloud Platform, and Backup Zone
> Within our cloud design, all routers, switches, storage, and compute platforms are securely configured and audited
> We follow rigorous SDLC practices and scan our code and applications during development
> Secure system builds (OS, Applications, Databases and related architecture)
> Separation of resources (network traffic, data storage)
> Encryption of data at rest (archive encryption), in motion (IPSec/SSL), and in use (DB encryption)
> Optional Vulnerability Scanning & associated patch management
> System integrity attestation and Continuous System monitoring of machine system log data
> Compliance monitoring and management of environment assets
> All employees are security trained and tested yearly
> A wide variety of optional security services are available from Virtustream to operate in the customer environment
