Pantheon Systems Inc. maintains customer privacy and security as a primary tenet of our operation, striving for defense in depth over reactive solutions. Security encompasses three aspects of our systems: confidentiality (the ability to control access to your data), integrity (the ability to verify the content of your data), and availability (the ability to read and write data).
Pantheon is an all-in-one Drupal platform that gives Drupal developers everything they need to build, launch, and run solid websites. Customer support is available on-demand via a web-based ticketing system with 24/7 emergency incident response. Pantheon provides a fully managed and horizontally scalable production environment for running Drupal websites. Additionally, Pantheon provides development tools and a staging environment to assist ongoing maintenance of the site, including regular Drupal security updates.
Pantheon Systems is built on a cloud architecture. Building a next-generation platform is more than just using a cloud service like EC2 to deploy a traditional "cluster" architecture. Instead of viewing the cloud as merely an API that replaces the traditional server acquisition process, Pantheon uses an architecture more similar to what is used by Google App Engine or Heroku, optimized to run Drupal. With this architecture, there is no need to spin up separate VPSs, dedicated servers or clusters for each customer or site. We are able to deploy software fixes across our entire infrastructure. We can be nimble, efficient and responsive and keep our stack secure in the face of security challenges.
Pantheon’s primary datacenter is located in Chicago, Illinois and managed by Rackspace. Pantheon has chosen Rackspace as an infrastructure provider because of its best-of-class service, technology and reputation. As a Rackspace Cloud Marquee Customer and Tool Provider, Pantheon has 24x7 direct support access on any hardware issue.
Pantheon provides redundancy through our architecture, and maintains automated tools to facilitate recovery where redundancy is not feasible. For example, customer application processes can be redundant across servers in a single zone, while customer databases and files are restorable from backups. Pantheon’s internal services are designed to tolerate process and server-level failure. We maintain a minimal server footprint in multiple datacenters to facilitate restoration in the event of a datacenter-level failure. When possible, we use redundant providers for upstream services like DNS.
Many of the core parts of Pantheon are fully redundant and highly available with no single point of failure. These parts include the internal Pantheon API, the edge routing layer, DNS, and files directory storage. For sites with more than one "DROP," the PHP/nginx servers are also high availability. Pantheon can also enable database replication for enterprise customers.
Pantheon additionally provides access via standard tools for customers to maintain separate Disaster Recovery infrastructure.
Customer Content (database, uploaded files, code) Durability
Pantheon uses industry-standard practices for on-disk storage, including writing to multiple physical disks with hardware-level RAID. Despite these precautions, there is a chance of hardware failure that can lead to data loss or corruption. We encourage customers to make regular backups, either using Pantheon’s scheduled backups or other means, to mitigate the risk of data loss. Backups have over 99.99% durability and availability, are stored in multiple datacenters, and are encrypted at-rest. If you have specific data retention and durability needs, contact sales about High Availability options and recommendations.
Backups can be scheduled or triggered manually. Each backup, containing all site-related customer data, is shipped to Amazon S3 as a compressed archive. Read-only access is granted via signed, expiring URLs to site owners and Pantheon support staff. Backups are encrypted during transfer and encrypted at-rest with 256-bit Advanced Encryption Standard ciphers, with private keys and encrypted backup data stored on separate servers.
The backup and restoration process is tested regularly via continuous integration. Users have the ability to test restoration via the dashboard for any site for any manual or scheduled backup. Additionally, users have access to all backups and have the ability to restore from a backup to a new Drupal site, on Pantheon or elsewhere.
Our policy is to ensure that backups start within 2 hours of their scheduled or requested time. We monitor the time it takes to start backups, and will investigate and address instances where backups are not starting within this window.
We take measures to make sure backups are performed as quickly as possible, but the duration of backup and restore operations is largely a function of the size of the code, files, and database. While there is no hard limit on backup execution time, a smaller footprint will yield more successful backups and restorations, and we may notify users whose backups take an unreasonably long time.
Disaster Recovery (DR) refers to the processes related to preparing for recovery or continuation of technology infrastructure after a disaster.
Please refer to Pantheon's Disaster Recovery Procedures for more information about how Pantheon ensures that our customer data and websites are protected in a disaster situation.
Incident Response Procedures
Pantheon adheres to our motto "Transparency is Trust" in our operations and communications with our customers about incidents.
Pantheon strives to identify, consistently report and resolve any known or suspected security or privacy problems, incidents or breaches. Our incident response procedures require that identification, reporting, containment and notification of affected parties be completed within the mandatory timeframes required by applicable laws.
In resolving any disruption of service, it is Pantheon's procedure to first post details of any significant disruption of service to http://status.getpantheon.com. Status updates are automatically tweeted at https://twitter.com/pantheonstatus.
Pantheon’s procedure is to conduct a post-incident (post-mortem) review of events and actions taken regarding any security or privacy breach or issue. A public version will be posted on http://status.getpantheon.com, and detailed versions given to affected parties.
We employ the same technology that provides isolation for virtual machines: ‘cgroups’, a kernel-level facility for resource isolation covering memory, disk, CPU, and other server resources. This means that process- and memory-level isolation is effective for all customer processes, from PHP to MySQL. Pantheon’s distributed filesystem is accessed over encrypted channels using client-server authentication. Once mounted, customer account files are protected through standard Linux permission controls. System-level logs are isolated from customers on external logging systems, while customers' own logs are isolated with strict file permissions.
We monitor network, server and application resources at sub-minute intervals, and are acutely aware of performance and security issues if they arise. We have multiple engineers on call 24x7.
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS)
Intrusion Detection Systems and Intrusion Prevention Systems help detect and prevent attacks at various levels of the infrastructure, including the network, the platform, the server, and the application.
Pantheon operates primarily in a public cloud environment (Rackspace Cloud), and relies on our network infrastructure providers to manage network-level IDS/IPS protections against DDoS and other attacks. Rackspace is an industry leader managing tens of thousands of servers with an expert 24/7 Network Operations Center, competent at mitigating DDoS and other attacks.
At the platform layer, Pantheon has regular experience working with clients to mitigate site-specific DDoS attacks and has a variety of procedures in place to address different attack vectors at the server or application layer. We employ a centralized IPS to detect failed logins across multiple ingress points and prevent dictionary and brute-force attacks. The IPS runs for any service with user-chosen passwords, including the dashboard, SFTP, git, and Drush. Our logging infrastructure records the identity of blocked accounts for later investigation.
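As an added illustration of the centralized detection described above (example code, not Pantheon's own), the snippet below correlates failed logins for one account across several ingress points and records the identity of the account it blocks. The log format, the threshold and the sliding window are assumptions made for this example.

```python
"""Correlate authentication failures across ingress points (dashboard, SFTP,
git, Drush) and block an account once failures inside a sliding window reach
a threshold. Log format, threshold and window are constructed for this example."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed sliding window per account
THRESHOLD = 5                    # assumed failures before an account is blocked

# Constructed sample log: "<ISO time> <service> auth_fail user=<account> src=<ip>"
SAMPLE_LOG = """\
2013-06-01T12:00:01 dashboard auth_fail user=alice src=203.0.113.5
2013-06-01T12:00:07 sftp auth_fail user=alice src=203.0.113.5
2013-06-01T12:00:15 git auth_fail user=alice src=203.0.113.9
2013-06-01T12:00:20 dashboard auth_fail user=bob src=198.51.100.2
2013-06-01T12:00:31 drush auth_fail user=alice src=203.0.113.5
2013-06-01T12:00:45 sftp auth_fail user=alice src=203.0.113.12
2013-06-01T12:03:00 dashboard auth_fail user=bob src=198.51.100.2
2013-06-01T12:30:00 sftp auth_fail user=bob src=198.51.100.2
"""

def parse_line(line):
    """Split one constructed log line into (timestamp, service, event, user, src)."""
    ts, service, event, user_kv, src_kv = line.split()
    return (datetime.fromisoformat(ts), service, event,
            user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])

def detect_bruteforce(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {account: block_record} for every account whose failures, counted
    across all ingress points together, reach `threshold` within `window`."""
    recent = defaultdict(deque)   # account -> deque of (ts, service, src)
    blocked = {}
    for line in log_text.splitlines():
        ts, service, event, user, src = parse_line(line)
        if event != "auth_fail" or user in blocked:
            continue
        q = recent[user]
        q.append((ts, service, src))
        while q and ts - q[0][0] > window:   # evict failures older than the window
            q.popleft()
        if len(q) >= threshold:
            # The block record is what the logging side keeps for investigation.
            blocked[user] = {
                "blocked_at": ts.isoformat(),
                "failures": len(q),
                "ingress_points": sorted({s for _, s, _ in q}),
                "sources": sorted({ip for _, _, ip in q}),
            }
    return blocked

def max_failures_per_ingress(log_text):
    """For contrast: the highest failure count any single ingress point sees for
    one account. Counting per service alone would miss an attempt spread across them."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        _, service, event, user, _ = parse_line(line)
        if event == "auth_fail":
            counts[(user, service)] += 1
    return max(counts.values())
```

In the constructed sample, no single service sees more than two failures for alice, but the combined count across dashboard, SFTP, git and Drush reaches the threshold and the account is blocked with its ingress points and source addresses recorded.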
Our platform features a defense-in-depth design to contain the impact of potential first-line security breaches. For example, obtaining root privileges on one application host does not create a general platform compromise, nor would downloading the central API database provide access to user HTTPS certificates or payment details. Even a breach of a user’s own website would not allow the attacker to delete the most recent backups for a site. Services within the platform only have keys and certificates to access data on a “need to know” basis.
At the server layer, in addition to maintaining up-to-date security patches and firewall rulesets, Pantheon employs IPS to detect and prevent unauthorized host access. Security logs from the servers are centrally collected, processed and stored for 60 days. Additionally, Pantheon employs best practices around securing servers, including use of RSA key pairs in place of passwords, x.509 certificates for API and web-based administration tools, centralized tamper-evident security log collection, and user-specific accounts.
IDS/IPS at the application (Drupal, etc.) layer are only as good as the rules provided, and generally Drupal security updates mitigate attack vectors as fast as IDS/IPS/application-firewall ruleset updates do (and Pantheon provides integrated workflows for deploying security updates). Clients are able to implement application-level IDS/IPS, including blocking users by IP after failed login attempts.
Pantheon runs exclusively Linux-based server operating systems and therefore prevents the installation of malware using established vendor repositories for software, software package signature verification, cryptographic validation of Pantheon’s own platform code during deployment, and auditable change-management. It’s safer to whitelist what’s allowed to run than blacklist software that’s known to cause trouble. Pantheon also regularly rebuilds servers (the same way many providers only do after a known breach), ensuring even an undetected, one-time breach would not persist.
The platform runs user-published site software in containers with multiple layers of isolation. We run configurations that prevent direct execution, even within the containers, of files uploaded through the website. Customers are responsible for ensuring the software they publish via git (whether through the dashboard or via remote pushes) meets their own security standards.
Pantheon provides the ClamAV antivirus/anti-malware utility with up-to-date databases for the use of our customers. The ClamAV Drupal module can be installed in your application to verify that files uploaded to a site are not infected and prevent them from being saved if they are. This allows customers to reduce their chance of disseminating malware to vulnerable site visitors (even though such dissemination would not affect the site’s or Pantheon’s own security).
Drupal Application Security Support
Pantheon manages the security of our platform, and at the Drupal application layer, Pantheon helps developers keep their applications secure by providing:
- One-click Drupal security and core updates. Drupal's success and wide adoption stem from its being open source. Updates and security improvements are frequent, keeping Drupal far ahead of proprietary Content Management Systems. Pantheon makes it easy to update Drupal with one-click core and security updates. Our customer sites are more up to date and secure than if they were hosted elsewhere.
- Easy to add SSL certificates. More Pantheon sites use SSL for secure online transactions because Pantheon makes the process of installing and using SSL certs easy.
- Anti-Virus. Pantheon maintains the ClamAV utility on our infrastructure with up-to-date virus/malware databases. The ClamAV Drupal module can be installed in your application to use ClamAV to verify that files uploaded to a site are not infected with a virus or malware, and prevent infected files from being saved. This allows users to guarantee that their sites are not used for disseminating malware.
Pantheon is currently developing a formal incident response plan. Current forensics and evidence gathering include obtaining a snapshot of the server and quarantining the server until we are able to determine the source of the breach. Pantheon maintains close relationships with third-party security vendors for any additional analysis needs.
Software Patch Management
Pantheon Systems, not our infrastructure providers, manages and updates our packages. Our package management procedure includes hourly checks of each server against upstream security patches. Additionally, we are part of Fedora's 'Proven Testers' program, which gives us advance access to security patches.
Drupal Patch Management
Facilitating integration of Drupal’s upstream patches and updates for our customers results in improved security for our customers. We provide a one-click tool for deploying Drupal patches and security updates from our development environment.
Pantheon Systems firewall procedures include a preference for strong encryption and authentication over a short firewall whitelist. Pantheon Systems controls the firewalls, and allows users to enable BasicAuth for websites. SSL is used for all customer authentication and dashboard interactions.
We will work with customers of any size to mitigate DDoS attacks. Some Distributed Denial of Service attacks can only be mitigated at the upstream network level. We are a Rackspace Cloud Marquee Customer and Tool Provider, and have direct, 24x7 access to our provider to deal with issues such as a DDoS. For application-level and infrastructure-level DDoS attacks, our engineering and ops team will work with customers to address the issue.
Periodic Risk Assessment
Pantheon performs regular quarterly internal risk assessments, and leverages external risk-assessments as necessary. Known risks are catalogued by severity and added to a prioritized backlog.
Pantheon adheres to strict hiring criteria. All Pantheon employees and contractors sign NDA agreements. Pantheon supports employees interested in pursuing formal security certification and education.
Employee access and management
We operate on a “principle of least privilege” where employees are granted access only to the resources required in their work. Employees are limited in which servers they can log into and which commands they can run. Advanced Configuration Management allows us to manage user permissions across our entire infrastructure in minutes. Pantheon maintains a centralized log of all server access and command execution. Additionally, Pantheon employs ‘API Driven Infrastructure’ which allows employees to interact with servers via authenticated, encrypted, auditable APIs with no server access necessary. Where server access is required, SSH-key based authentication is used to access all servers.
Rackspace Physical Security
Rackspace has no contractual arrangement with Pantheon regarding its specific policies and procedures for the physical security of its infrastructure. Rackspace does, however, promise the following practices for its data centers (http://www.rackspace.com/whyrackspace/network/datacenters/): Access to every one of Rackspace’s data centers is granted through keycard protocols, biometric scanning protocols and round-the-clock interior and exterior surveillance monitoring. Only authorized data center personnel are granted access credentials to Rackspace data centers. No one else can enter the production area of the datacenter without prior clearance and an appropriate escort. Every Rackspace data center employee undergoes thorough background security checks before hiring.
Developer Team Management
Our development platform manages git, SFTP, MySQL and Drush access to a project’s codebase and database through a single password. Password authentication to Pantheon’s web application occurs over an SSL connection. Our platform passwords are stored as salted hashes, so compromising our database will not compromise passwords.
Pantheon adheres to the U.S. CAN-Spam Act of 2003. Specifically, Pantheon strives in all mass email communications to:
- Not use false or misleading header information.
- Not use deceptive subject lines.
- Identify the message as an ad.
- Tell recipients where Pantheon is located.
- Tell recipients how to opt out of receiving future email from Pantheon.
- Honor opt-out requests promptly.
- Monitor what others are doing on Pantheon’s behalf.
Pantheon adheres to the Telephone Consumer Protection Act (TCPA), the Telemarketing Sales Rule and the Junk Fax Prevention Act of 2005.
The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to enhance and make more consistent cardholder data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data. Pantheon’s Rackspace datacenter has been accredited under PCI DSS. That accreditation does not make your site PCI compliant. While Pantheon manages the security of our infrastructure and platform, PCI compliance for any given website depends on proper ecommerce implementation by our customers. Pantheon customers requiring PCI compliance should follow best practices such as using third-party credit card transaction services to store and process sensitive credit card information and properly using SSL with their Drupal sites. Please refer to https://www.pcisecuritystandards.org/index.shtml for more information.
SOC 2 Type II and SOC 3 and ISO 27001
Pantheon's underlying infrastructure provider - Rackspace - has received global security certifications and compliance verifications for Service Organization Controls SOC 2 Type II and SOC 3, in addition to complying with the ISO 27001 standard. Rackspace security attestations and certifications provide assurance of the security of the infrastructure and network layers of Pantheon.
Pantheon has physical infrastructure and customers in several jurisdictions. We strive to abide by all applicable laws in the jurisdictions where Pantheon operates. Specifically, we adhere to the laws of the state of California and federal law. Pantheon retains legal counsel for evaluating any request from law enforcement.
Pantheon complies with the requirements of the US-EU Safe Harbor Framework on data privacy. To learn more about the Safe Harbor program, and to view Pantheon’s certification, please visit http://www.export.gov/safeharbor/.
Please report security vulnerabilities to the Pantheon security team via email at firstname.lastname@example.org, or via a support ticket from your dashboard.