Platform Security
Security today goes beyond simply encrypting the body of a message or an attachment. Social engineering, phishing and other email-based attacks seek to compromise a user's private information and have undermined trust in the public email system. Care must be taken to ensure the identities of both the sender and recipient to prevent information from being viewed or accessed without authorization. In today's fast-paced, global-access environment, organizations are asking for more. They want to control WHERE data resides, HOW it is displayed, WHO can view it or forward it on to others, and exercise control in ways never before contemplated. Sendside's technology allows organizations to do just that, and much more.

Sendside Networks takes security to another level by taking a comprehensive approach to data security – beyond what most web-based services or applications rely on today. In nearly all cases, our approach is far beyond what companies are able to design and implement themselves. Using the latest in active and passive firewall systems, intrusion detection systems, industry-standard transport encryption such as 256-Bit Secure Sockets Layer (SSL) technology and/or Transport Layer Security (TLS), authentication and password security policies, key management and proprietary security protocols, Sendside Networks delivers a world-class communication network designed to protect information in motion, and at rest.

Best Practices

Security is a multidimensional imperative that demands consideration at every level – not just the application level – which includes data management and storage, network infrastructure, and physical facilities. Sendside Networks adheres to the best practices and policies to offer world-class security at each of these levels. Plus, Sendside employs industry experts and partners to attempt to find exploits or vulnerabilities on a constant basis. This keeps us one step ahead so we can offer a level of commercial service unmatched in the marketplace today.

Protection at Every Level

Sendside Networks provides comprehensive protection at every level to prevent failures so information is secure, protected and always available. We employ cutting-edge safeguards at each of the following levels:

  • Network & Transport Level
  • Application Level
  • Data Storage Level
  • Facilities Level

Network & Transport Level Security

Sendside Networks utilizes multi-level security solutions and proven security practices to ensure an extremely high level of network security:
  • Software and hardware firewalls limit traffic to the minimum ports required for optimal network operation.
  • Messages, documents, content and applications are delivered using SSL or TLS to ensure a secure connection from a client application (mail client, web browser, etc.) to the Sendside Network.
  • Switches are leveraged in a multi-tiered network architecture to reduce data available to each host and increase throughput.
  • The internal network IP addressing uses RFC 1918 space, an established standard for a secure, private network.
  • Intrusion Detection System (IDS) sensors protect sensitive network segments and provide a real-time view of legitimate and illegitimate traffic.
  • Internal hosts are not reachable directly from outside the protected network.
  • Support access is abstracted through a specific DMZ host to limit points of entry/exit to data center assets and to add an additional layer of security.
  • Redundant equipment has been provisioned to ensure availability.
  • Blacklisting is in force to help combat Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks, and to deal with habitual problematic situations.
  • All networks are certified through on-going internal and third-party vulnerability assessment programs.
  • Central logging with utilities is employed to aid anomaly detection.

Application Level Security

Sitting atop the Sendside Network are core applications that allow individuals and organizations to interact and transact in a secure manner. Security from the application viewpoint is comprehensive and includes client use, geolocation (IP address), social networking, pattern analysis, authentication, challenge / response pairing and more. These methods and technologies ensure only the sender and the intended recipient(s) are able to view and/or manage communications or information flowing through the network.

In addition to providing a secure and robust application delivery architecture, Sendside takes an extra step by engaging third-party security companies to conduct ongoing vulnerability assessments. These assessments ensure that Sendside is proactively dealing with threats to application security instead of being reactive (status-quo).

Sendside Network's application security policy sets a new standard with additional protections and safeguards:

  • Unique Sendside Member IDs - The use of unique user IDs (instead of email addresses) prevents brute force login attacks using an email address as the login variable.
  • Client computer enrollment - Each client computer must 'enroll' with the Sendside application to provide two, single-factor authentications.
  • Challenge / Response – Even in the unlikely event that a member's login credentials are compromised, a correct response to a challenge question would be needed to successfully log in to the application and compromise member data.
  • Login monitoring – Sendside’s Login Sentinel tracks and monitors login attempts and can dynamically restrict access, temporarily suspend accounts or disable them altogether to prevent password guessing and brute-force attacks.
  • Encrypted session cookies – The use of encrypted session cookies ensures the member's identity and simplifies the end-user experience.
  • Most recently contacted (patent-pending) – Sendside builds a custom login page showing profile photos of people the member most recently contacted. This social networking component makes it virtually impossible to be misdirected to a bogus login page (phishing attack).
  • Password strength meter and policy – Sendside works closely with the member to help them select a password that would be impervious to a dictionary-style attack. Additionally, policy prevents users from reusing old passwords.
  • Password encryption – Passwords and challenge response values are encrypted on the system using Salted SHA Hashing Algorithm (SSHA) and Salted Message Digest 5 (SMD5).
  • Behavior-based pattern analysis (patent-pending) – Application and user behavior are continually monitored for malicious activity to ensure a quality experience for all members.
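
The SSHA and SMD5 names in the password bullet above match the LDAP-style stored format `{SCHEME}base64(digest || salt)`. The following added example (not Sendside's code; the encoding is assumed to be that LDAP convention, and `audit` is a hypothetical helper) parses and verifies such values and flags what a reviewer would want migrated:

```python
import base64
import hashlib
import hmac
import os

# scheme name -> (hash constructor, digest length in bytes)
SCHEMES = {"SSHA": (hashlib.sha1, 20), "SMD5": (hashlib.md5, 16)}


def encode(scheme: str, password: str, salt: bytes = None) -> str:
    """Build a stored value: digest = H(password || salt), then base64(digest || salt)."""
    hash_fn, _ = SCHEMES[scheme]
    salt = os.urandom(8) if salt is None else salt
    digest = hash_fn(password.encode() + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode())


def parse(stored: str):
    """Split a stored value into (scheme, digest, salt); reject malformed input."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("missing {SCHEME} prefix")
    scheme, _, b64 = stored[1:].partition("}")
    scheme = scheme.upper()
    if scheme not in SCHEMES:
        raise ValueError("unsupported scheme: " + scheme)
    raw = base64.b64decode(b64, validate=True)
    digest_len = SCHEMES[scheme][1]
    if len(raw) <= digest_len:
        raise ValueError("no salt after the digest")
    return scheme, raw[:digest_len], raw[digest_len:]


def verify(stored: str, password: str) -> bool:
    """Recompute the salted digest and compare in constant time."""
    scheme, digest, salt = parse(stored)
    candidate = SCHEMES[scheme][0](password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)


def audit(stored: str) -> list:
    """Defender's view of one stored value: what should be upgraded at next login."""
    scheme, _, salt = parse(stored)
    findings = [scheme + ": single unstretched hash pass; rehash with a slow KDF"]
    if scheme == "SMD5":
        findings.append("MD5 digest: retire this scheme first")
    if len(salt) < 8:
        findings.append("salt is only %d bytes" % len(salt))
    return findings
```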

Data Storage Level Security

Sendside Networks takes active steps to ensure that data residing on the network is encrypted and cannot be compromised by unauthorized access.

  • All data stored on the Sendside Network is encrypted using industry standard cryptography to provide another safeguard against unwanted or unauthorized access. Only users correctly authenticating from within a Sendside application are able to encrypt and decrypt information residing in the secure repository. Sendside and our administrators (even with physical access to the equipment) do not have the ability to view customer communication and information stored within the secure repository.
  • Encryption keys, for general content stored in the system, reside on different network resources and cannot be accessed by an individual within the organization. Sendside's key management policy ensures that confidential information remains confidential.
  • Password protected content provides individuals and organizations with another level of security for ultra-sensitive information. With password protected content, the password is not stored on the system so the information is impossible to decrypt.
  • Message Level Authentication (MLA), similar to password protected information, uses a challenge response value known only to the sender and recipient to encrypt and decrypt the data. The value provided by the recipient is hashed using a salted hashing algorithm and it is compared to the value provided by the sender. If they match, the key is used to decrypt the message and it is sent to the recipient. At no time is the key (response) ever stored on Sendside's system. It is important to note that if the sender or recipient cannot recall the response to the challenge correctly, similar to password protected messages and documents, there will be no way to recover the data.
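
The Message Level Authentication flow described above can be sketched as follows. This is an added example, not Sendside's implementation: the PBKDF2 work factor, the response normalisation, the field names and the stand-in stream cipher are all assumptions made so that it runs on the Python standard library alone.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor; the page names no KDF


def derive(response: str, salt: bytes, purpose: bytes) -> bytes:
    # Distinct purpose labels keep the stored verifier from doubling as the key.
    # Trimming and lower-casing the response is an assumed normalisation.
    secret = response.strip().lower().encode()
    return hashlib.pbkdf2_hmac("sha256", secret, salt + purpose, ITERATIONS)


def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher (HMAC-SHA256 in counter mode) so the sketch has no
    # dependencies; a production system would use an AEAD such as AES-GCM.
    out = bytearray()
    for i in range(0, len(data), 32):
        counter = (i // 32).to_bytes(8, "big")
        pad = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)


def seal(message: bytes, response: str) -> dict:
    """Sender side: returns the only fields the server keeps."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive(response, salt, b"key")  # used once, never stored
    return {
        "salt": salt,
        "nonce": nonce,
        "verifier": derive(response, salt, b"verify"),
        "ciphertext": xor_stream(key, nonce, message),
    }


def open_sealed(record: dict, response: str):
    """Recipient side: hash the supplied response, compare, then decrypt."""
    candidate = derive(response, record["salt"], b"verify")
    if not hmac.compare_digest(candidate, record["verifier"]):
        return None  # wrong response: no key is derived, nothing is released
    key = derive(response, record["salt"], b"key")
    return xor_stream(key, record["nonce"], record["ciphertext"])


# Constructed sample values
record = seal(b"Wire instructions attached", "Blue Heron")
```

Because the record holds only a salt, nonce, verifier and ciphertext, a forgotten response leaves nothing to recover the message from, which is the trade-off the bullet above points out.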

Facility Level Security

In addition to constantly evaluating and managing access to the Sendside Network at the network, application and data layers, it is critically important to maintain the strictest controls at the facilities level. This effort begins in our corporate offices and extends to our data centers. Visitors are required to register and be accompanied by a Sendside representative at all times while in a Sendside office. Unauthorized physical access is prevented by the use of a secure badge and key. Physical access to Sendside’s data centers is even more restrictive.

Following are several examples of the physical security measures we employ:

  • Authorized personnel must enter a gated environment with car trap and security guards to arrive at the building.
  • Authorized personnel must sign in at a guard station and present two-factor authentication, including biometric scanning and ID presentment to enter the data center floor.
  • Man traps control foot traffic coming into and going out of the data center floor to prevent “tag-alongs.” Access to Sendside’s equipment requires another key before physical access can be granted.
  • Cameras monitor all entrances and exits, the building perimeter, and loading dock areas.
  • The data center is completely anonymous, with bullet-resistant glass and exterior walls in addition to steel fencing around the perimeter.
  • Inert gas in the data center provides fire protection.

Uptime & Data Availability

An uninterruptible power source with N+1 generators is in place to ensure system uptime in the event of electrical outage. Network connectivity consists of three individual providers all using SONET based services. Multiple conduits provide extra protection against accidental line cutting. In addition, redundant storage arrays ensure very high uptime and availability of data, and all data is routinely archived based on an organization’s policies and requirements. Finally, the data center is also resistant to earthquakes measuring up to 7.5 on the Richter scale.

Discover Sendside in Action
Sendside’s Platform as a Service (PaaS) model offers small to mid-sized firms a hosted solution that can be up and running the same day. Larger organizations can use Sendside’s flexible configuration and APIs to integrate existing web services and other applications into the Sendside platform.

For a 30 minute demo to see Sendside in action, please contact us.