Channex Security Policy
The Channex Enterprise Connectivity Platform is designed to help Enterprises and Independent Software Vendors (ISVs) securely connect channels and deliver them to hotels, customers, and/or partners. Channex realizes that protecting our customers’ data, complying with proper security regulations, and mitigating any potential risk are essential to building trust and delivering a high level of service. Channex takes a risk-based approach to security, and this paper details the many different measures and technologies in place to protect our customers.
Our security implementation allows us to adhere to the following best practices, demonstrating our commitment to customer security and privacy:
- Abides by the ISO27001 security technical specifications
- Abides by the PCI DSS security technical specifications
- Abides by the EU Data Directive by entering into Model Clauses with applicable customers, partners, and suppliers
Defense in Depth
As you’ll see from any best-in-class SaaS provider, there is no single layer that protects customer data, but rather a well-architected solution that considers every layer from the physical security measures at the data center, all the way through the access privileges that determine what data an individual user can access. Channex, as a best-in-class connectivity provider, uses this approach to protect customer data.
Process & Policy
The first layer of defense is having a well-defined and comprehensive set of security processes and policies to ensure the security of our customers’ data and users. Channex’s ISMS employs a number of process and policy measures that instill security as a key priority at our most core layer: our people.
A formal change control process minimizes the risk associated with system changes. The process enables tracking of changes made to the systems and verifies that risks have been assessed, inter-dependencies are explored and necessary policies and procedures have been considered and applied before any change is authorised.
Channex employees authorised to access the Channex platform undergo periodic training to focus employee attention on compliance with corporate security policies. For example, Channex DevOps and Professional Services personnel who may handle sensitive customer data and information will regularly undergo security, auditing, access, and compliance training (e.g. for GDPR).
In addition to restricted personnel entering the production area, operational access is limited to only a restricted set of Channex operations employees. Access is controlled via a physically separate network that is isolated from the Channex corporate network that serves its general employee population, ensuring that only personnel authorised to access the data centre may do so. All Channex personnel with physical or operational access to production environments are subject to training and deep background checks, and all activities are logged for auditability.
All Channex data centres are certified to major InfoSec standards, including ISO 27001 and PCI DSS. These data centres also feature N+1 redundant HVAC and UPS. The physical security adheres to the best practices in the industry and includes:
- Keycard protocols, biometric scanning protocols, and around-the-clock interior and exterior surveillance
- Access limited to authorised datacenter personnel—no one can enter the production area without prior clearance and appropriate escort
- Every data centre employee undergoes thorough background security checks
Between the physical datacenter layer and the Channex Enterprise Connectivity Platform application layer is the infrastructure that supports our solution. Throughout the infrastructure, security is implemented in a comprehensive and coordinated fashion to enhance the safety and security of customer data.
All network access to the virtual hosts is protected by a multi-layered firewall operating in a deny-all mode. Internet access is only permitted on explicitly opened ports for only a subset of specified virtual hosts. For an additional layer of security, all database servers reside behind an additional firewall.
Channex platform servers are allocated to the respective security groups, characterised by specific security settings (TCP/IP level), supplemented by individual instance level stateful firewalls. Separate VLANs are used to split production, testing and development environments as well as to segregate end-user and administrative traffic.
Channex employs a three-tier security model:
Just like any SaaS offering, the Channex Enterprise Connectivity Platform utilises many well-coordinated technologies to deliver our service, yet there may be many capabilities that are not required. Consistent with industry best practices, Channex DevOps closely inspects the entire solution to identify unnecessary services and remove and/or disable these capabilities to reduce vulnerabilities to security threats.
No Root Access
All customer access to the Channex Enterprise Connectivity Platform is controlled through user interfaces (UI), APIs, and/or dedicated tools. Use of any of these methods of access requires a username and password with privileges appropriate for the requested access.
Customers do not have root or administrative access to any portion of the Enterprise Insights Platform technology stack and access is permitted only via the Enterprise Insights Platform application layer (UI or API).
Shutdown All Unnecessary Ports
As previously mentioned in the Firewalls section, any ports on any server and/or virtual host not required for the operation of the Channex Enterprise Connectivity Platform are disabled, eliminating additional opportunities for external intrusion.
Channex has rigorous policies and procedures in place to update all components of the Channex Enterprise Connectivity Platform, including operating systems, VM hypervisors, middleware, databases, etc. with their vendors’ security patches.
Here at Channex, we pride ourselves on the vigilance we employ to protect our customers’ data assets and we continually stress that a mature security organization requires coordinated dedication across technology, policy, procedures, and people. This dedication is underscored by the risk-based approach laid out in this document to demonstrate strength at every layer of security, minimising any potential vulnerability or weakness.
We want our customers to know their data is sufficiently protected by this approach and welcome the opportunity to discuss these practices and approaches further.