Privacy and Security Policy

1. Privacy Statement

We do not sell or rent personal information. phData infrastructure has security measures in place to help protect against the loss, misuse, or alteration of information under our control. These measures include encryption of data using the Secure Socket Layer (SSL) system and encryption at rest.

2. Network Access

Introduction

phData requires secure network access to the customer’s Hadoop infrastructure. phData has three approaches that satisfy this requirement:
  • phData Cleanroom
  • Customer Client VPN
  • Customer Laptop
The least scalable and most expensive solution is the customer laptop.

phData Cleanroom

phData requires the setup of a cleanroom specific to the customer’s environment. The cleanroom is a secure, scalable and trusted access service that gives phData operations staff access to customer Hadoop resources. Cleanrooms are not shared across customers. phData will work with the customer network operations team to set up the required secure connectivity. phData will publish the location of audit and session data of all operations activity for both security and training.

VPN Connectivity

phData cleanroom setup requires establishing a site-to-site IPsec VPN between the customer’s network and the phData cleanroom. phData follows industry-standard RFCs for IKE and IPsec encryption and can accommodate multiple different settings for each based on customer security requirements. Below are the required details from the customer’s network operations team.

Network Detail and Example
  • Customer internal IP range assigned to phData cleanroom. The range does not have to be large, but must be at least a /29. Example: 10.222.222.0/29
  • Customer’s VPN router internet address. Example: 23.23.23.23
  • If customers use BGP to set up routes, then a BGP ASN (optional). Example: 65500
  • Customer’s network device type. Example: Cisco, Juniper, Palo Alto, etc.

Firewall rules necessary to allow IPsec connection:
  • Inbound rules (Internet in): phData Gateway to Customer Gateway – ESP, UDP 500
  • Outbound rules (To Internet): Customer Gateway to phData Gateway – ESP, UDP 500

* If using NAT traversal, then UDP 4500 must be allowed.

With the above details, phData will set up a VPN connection and present the customer’s network operations team with configuration details for finishing the VPN setup. In addition, the cleanroom network defined above will need the following ports and network ACLs established.

Network Requirement
  • Cleanroom network needs routes and access to the Hadoop and Active Directory hosts.
  • Cleanroom needs the following ports open: 22, 80, 443, and all ports listed here.
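A pre-flight check for the VPN details and firewall rules listed above, as an added example that is not phData's own tooling: it validates the customer-supplied values and builds the rule list, including UDP 4500 when NAT traversal is in use. The function names are hypothetical, the phData gateway address 203.0.113.10 is a constructed placeholder, and treating "internal" as non-public address space is an assumption.

```python
import ipaddress


def validate_vpn_details(cleanroom_cidr, router_ip, bgp_asn=None):
    """Return a list of problems in the customer-supplied VPN details."""
    problems = []
    try:
        net = ipaddress.ip_network(cleanroom_cidr, strict=True)
        if net.prefixlen > 29:
            problems.append(f"{net} is smaller than the required /29")
        if not net.is_private:
            # Assumption: "internal" means non-public address space.
            problems.append(f"{net} is not internal address space")
    except ValueError as exc:
        # Also catches notation slips such as a backslash instead of "/".
        problems.append(f"cleanroom range: {exc}")
    try:
        if not ipaddress.ip_address(router_ip).is_global:
            problems.append(f"{router_ip} is not an internet-routable address")
    except ValueError as exc:
        problems.append(f"router address: {exc}")
    if bgp_asn is not None and not 1 <= int(bgp_asn) <= 4294967294:
        problems.append(f"{bgp_asn} is not a usable BGP ASN")
    return problems


def ipsec_firewall_rules(phdata_gw, customer_gw, nat_traversal=False):
    """Build (direction, source, destination, protocol, port) rule tuples."""
    services = [("esp", None), ("udp", 500)]  # ESP payload and IKE
    if nat_traversal:
        services.append(("udp", 4500))  # IPsec NAT traversal
    rules = []
    for proto, port in services:
        rules.append(("inbound", phdata_gw, customer_gw, proto, port))
        rules.append(("outbound", customer_gw, phdata_gw, proto, port))
    return rules


if __name__ == "__main__":
    # Sample values: the page's examples plus a constructed phData gateway.
    for issue in validate_vpn_details("10.222.222.0/29", "23.23.23.23", 65500):
        print("PROBLEM:", issue)
    for rule in ipsec_firewall_rules("203.0.113.10", "23.23.23.23", True):
        print(rule)
```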

Security Details

phData cleanroom strives for the highest standards of security and adheres to the following security practices:
  • Not connected to Internet
  • Encrypted data disk
  • Two-factor authentication of phData staff and role-based access control
  • Hosts are patched and updated automatically every month and critical security patches applied immediately
  • All session commands are logged and screenshots will be made accessible
  • All network traffic is encrypted
  • Staff will use secure randomly chosen passwords unique to each cleanroom
  • Centrally managed anti-virus
  • Centrally managed Data Loss Prevention (DLP)

Customer Client VPN

Customer provides client VPN software and credentials that can be installed on a local Virtual Machine (VM) for each named customer contact. phData’s employee laptops will serve as the VM host and have the following properties:
  • Encrypted data disk
  • Centrally managed anti-virus
  • Centrally managed Data Loss Prevention (DLP)

Customer Laptop

Customer provides a laptop to access the customer network with client VPN access. This approach is the least scalable and has an additional fee.
