We provides customers with role-based access to their cloud environments through authentication and authorization permissions set explicitly per resource type. Users access the Control Portal with a username and password, or by Single Sign On through SAML. All actions performed by users through the Control Portal — such as provisioning servers, adding public IP addresses and powering-on a server — are logged and auditable. These logs are never deleted, and customers can view access logs on an entity by entity basis.
CenturyLink Cloud establishes a robust digital perimeter around your cloud environment. All environments reside within private networks created or extended by an Active Directory Domain. Access to customer servers can only be done via a certificate-based VPN connection unless specific public ports have been explicitly opened up by the customer. Customers can extend to two-factor authentication via LDAP (Microsoft Active Directory or OpenLDAP on Linux) for additional security where needed.
Customer environments on the CenturyLink Cloud are protected by a series of redundant Juniper SRX firewalls employing Unified Thread Management (UTM) technology. Each customer service runs on its own private VLAN, and each virtual machine is isolated with zone-based firewalls. Customers can also use secure connections such as Persistent\User VPN, Direct Connection, or MPLS.
Datacenter Intrusion Detection System (IDS) and Intrusion Detection and Protection System (IDP) attack detection and prevention features screen incoming traffic for potential attacks. This protection is available data center-wide, and is implicitly enabled. In unique cases, customers may request deep content inspection policies and enable IPSEC at the OS level to encrypt all network traffic. We also provide customers with Microsoft Forefront for additional identity and access protection. Read this KB article for more details on CenturyLink Cloud and IDS & IDP.
In addition to real-time monitoring and NOC support, we perform Nessus vulnerability scans upon request. Then, we work with the customer to remediate any identified vulnerabilities. To make sure that cloud servers are regularly protected with the latest operating system patches, CenturyLink Cloud offers customers an auto-patch service that keeps customer machines up-to-date with vendor updates.
Each CenturyLink Cloud data center is housed within private, caged enclosures. Entry to the data center premises requires an electronic proximity key card. Data center facilities are staffed 24x7x365 and monitored by cameras. An electronic proximity card control portal, biometric scan, and onsite data center personnel provide additional security inside the facility. Only CenturyLink authorized staff are allowed access to the private cage enclosure and they access physical hosts via two factor VPN authentication (SSH or RDP Access with Local administrator/root account and password required). All access is logged in both the control panel and the ticketing system.