|
|
|
|
|
|
by mbubb
4003 days ago
|
|
|
Not just 'some' of your servers. Looks like infrastructure is US based. https://www.fastmail.com/help/ourservice/security.html Physical location security
Our main servers are located at New York Internet (NYI) in New York City, USA. Their facility is a high security, video monitored location; with backup power, air conditioning, fire systems, 24x7x365 monitoring, and onsite technical support.
I am familiar with NYI - they are a good datacenter - but I do not think they are in any way more or less secure than the Equinixes, Internaps, Telxs, etc.The security of fastmail is really the security of end to end TLS with forward security. All good practices but industry standard, no? Do you encrypt traffic between servers? ie
http://www.forbes.com/sites/benkepes/2014/03/20/in-an-attemp... What differenitates Fastmail sec practices? |
|
|
"main" servers. Most services are mastered at NYI, with replicas at other sites (currently Amsterdam, soon LA as well). Soon some services will have the option of being mastered elsewhere. Maybe I should reword that help doc a little bit.
Our security is about as good as is practicable. It might not be the absolute best but I'd wager its better than most, especially when balanced with the usability and reliability guarantees we make. Obviously encasing your server in concrete and dropping it into the ocean is more secure, but that doesn't give you much of a service.
I don't think I can say NYI do better than every other datacentre, because I haven't used ever other datacentre, but they certainly seem to be far above most other players. It also helps that we've worked with them for years and know most of the key staff personally.
We don't currently encrypt traffic between our servers within the same datacentre. We own all our servers and network equipment, so there's no inter-server traffic leaving our own equipment. Of course its possible for some kind of network tap device to be installed but at that point the attacker already has physical access to our servers so we've already lost. This point was addressed in the first blog post alfiedotwtf linked to.
We do encrypt between datacentres, of course.
So to your final question, what differentiates us from other services, its hard to say exactly because I don't know which other services you're talking about. Our general approach is to use the best tools and techniques available, and to understand everything we use so we know what compromises we're making at what our attack surface looks like. Our ops staff know this stuff well, respond quickly (eg we patched Heartbleed before start-of-business in the US, when most of the mainstream media hadn't picked it up yet), we talk very openly about what we do and how we do it, and we offer a generous security bounty to anyone that finds an exploit.
If you think we could be doing more, let me know! I'm happy to be contacted directly (robn@fastmail.com or @robn on twitter) or you can open a support ticket or ping @fastmailfm.