Security & Compliance


We recognise that our infrastructure and information must be well managed, controlled and protected. To that end, we have a team that oversees Stormnet's security program, which encompasses high-quality network security, application security, identity and access controls, change management and control, vulnerability management and third-party penetration testing, log/event management, vendor risk management, physical security, endpoint security, governance & compliance, HR security, disaster recovery and a host of additional measures and controls.

Security Features

Comprehensive Security Measures

Our multi-layered security approach ensures your data and systems remain protected at all times.

Encryption

Data and systems are protected using a variety of technologies and methodologies. One of the ways we secure systems and data is through encryption. We encrypt all data when in transit and when at rest. In some instances, we can encrypt in use.

Security Accreditations

Security is integral to our operation. We are compliant with and accredited to UK Government Cyber Essentials Standards, and use accredited data centres which conform to ISO 27001, ISO 9001, ISO 20000-1, ISO 22301:2019 and more.

Vetting & Background Checks

Anyone working for or with us in any capacity is required to undergo thorough vetting and background checks at the outset of their relationship with us. We also undertake these checks at regular intervals throughout the duration of our relationship.

Auditing, Logging & Alerting

Our security team has implemented comprehensive logging, monitoring and alerting for the entirety of our estate. We also conduct regular internal and external audits.

Security Operations Centre

Our security team work around the clock to manage, monitor, prevent, detect, analyse, and respond to anomalies, threats, events & incidents across our estate.

Stringent Governance

We maintain org-wide documentation, policies and procedures which govern how we operate, outline best practice and our response to different situations.

Security FAQ

Frequently Asked Questions

Learn more about our comprehensive security measures and how we protect your infrastructure.

Our infrastructure is protected via a number of mechanisms and controls, including firewalls, IDS/IPS and access control. We regularly perform a variety of scans to prevent issues from materialising or to ensure that any exposed vulnerabilities are quickly found and patched, and we also perform penetration tests on a regular basis. Customer data is securely stored and processed at Stormnet Hosting Data Centres around the UK. Access to information and systems is restricted to specific, named individuals based on "need to know" and zero trust principles, and is actively monitored and audited for compliance. We use encryption for all data in transit, and customers can elect to encrypt their own data at rest, in addition to our disk-level encryption. Our Services are solely hosted, operated and managed in-house by Stormnet Hosting, and all data centres we use are independently audited to ISO 9001 & ISO 27001 and Tier III+ (3) Standards. To ensure that we maintain the highest possible levels of information security, Stormnet internally conforms to ISO 27001 & ISO 9001 and has procured auditing solutions from reputable third-party auditors, including those who audit our information security practices at least annually. All data hosted by Stormnet Hosting is stored on encrypted disk volumes, including any backups we make. We believe this level of protection strikes the right balance between confidentiality and availability.

We provide DDoS protection on all of our services, for no additional charge. This uses the GTT Corero Smartwall platform, which has a large global filtering capacity. We don't redirect on-attack either: all traffic flowing into the network is filtered 24/7/365 and automatically inspected for attacks. This means that the time to mitigate an attack is under one second. Further to this, we have our own cross connects in our London Edge Data Centres and no GRE tunnels, which ensures consistent reliability and performance with zero overheads. For customer deployments that need additional protection, we can increase filtering sensitivity on a granular basis, as and when required.

Since the outset, we have worked with external and internal stakeholders alike to ensure our data centre points of presence feature a stringent and multi-layered security model. This should encompass granular levels of access control, to ensure access is granted on a "need to" or bona fide basis only and access is removed for anyone who does not require access to a specific level (or "layer"). A very limited number of people are on a pre-approved access list at any one time for data centre campuses, data centre buildings, plant rooms/facilities, data floors and individual racks. Any access authorisation or approval granted is ephemeral, is audited and is set to automatically expire after a short period of time. In addition to our multi-layered approach to physical security, our data centres are equipped with security-aware and trained personnel, video surveillance cameras (CCTV), automatic number plate recognition (ANPR) systems, granular access control at all levels, biometrics, perimeter fencing and individual levels of access to the data floors and individual racks. Those who do have a bona fide reason to access our data centres are subject to approval and review, and access the data centres the only way possible: through security access corridors which implement anti-tailgating mechanisms, multi-factor access control using security badges, government-issued identification checks, access clearance checks, biometrics and escorts by authorised personnel.

Our Security Operations Centre (SOC) operates 24/7/365 to monitor, detect, and respond to security incidents. We maintain a comprehensive incident response plan that includes detailed procedures for identifying, containing, eradicating, and recovering from security incidents. Our team uses advanced security information and event management (SIEM) systems to correlate and analyze security events across our infrastructure. We follow a structured incident response process that includes immediate threat containment, thorough investigation, and detailed post-incident analysis. All security incidents are documented, tracked, and reviewed to improve our security posture. We also maintain communication protocols to ensure timely notification to affected customers when necessary, in compliance with regulatory requirements.

We implement a comprehensive zero-trust security model across our infrastructure, following the principle of "never trust, always verify." This approach requires strict identity verification for every person and device trying to access resources on our network, regardless of whether they are sitting within or outside the network perimeter. Our zero-trust implementation includes:

- Multi-factor authentication (MFA) for all access attempts
- Micro-segmentation of network resources
- Least-privilege access controls
- Continuous monitoring and validation of security posture
- Real-time access policy enforcement
- End-to-end encryption for all data in transit

We maintain a comprehensive inventory of all physical and virtual assets across our infrastructure. Our asset management system provides real-time visibility into all hardware, software, and network components, enabling us to track, monitor, and secure every asset effectively. Our asset security measures include:

- Regular automated asset discovery and classification
- Continuous vulnerability scanning and risk assessment
- Automated patch management and updates
- Hardware and software lifecycle management
- Asset access control and monitoring
- Regular security compliance checks

Our email security infrastructure employs multiple layers of protection to safeguard against various email-based threats. We utilize advanced threat protection systems that include:

- Advanced spam filtering and phishing detection
- Real-time link and attachment scanning
- Domain-based Message Authentication, Reporting and Conformance (DMARC)
- Sender Policy Framework (SPF) and DKIM implementation
- Zero-day threat protection
- Data loss prevention (DLP) controls
- Encrypted email options for sensitive communications

We implement robust security measures to protect all web interfaces and applications. Our web security framework includes:

- Web Application Firewall (WAF) protection
- Regular security assessments and penetration testing
- SSL/TLS encryption with perfect forward secrecy
- Protection against common web vulnerabilities (OWASP Top 10)
- Rate limiting and DDoS protection
- Content Security Policy (CSP) implementation
- Regular security updates and patch management
- Secure session management and authentication controls