Security

Identification, Authentication, and Authorization


Virtustream believes proper identification, authentication, and authorization are critical to preserving the integrity of Virtustream cloud services for our customers.

Identification

Virtustream requires unique intrusion detection systems (IDS) to confirm the identification of users accessing our cloud services. Roles are then assigned to verified users based on needed access only, ensuring that the identity of a user appropriately matches their corresponding authorization.

Authentication

When using the xStream portal, our customers are authenticated via a user-selected PIN and a token generating a one-time password. This provides a high degree of confidence that access to the Virtustream management console is restricted to only authorized users whose identity has been verified. Virtustream supports software tokens on diverse platforms including iOS, Android, and desktop systems, and Virtustream’s management portal console is secured with HTTPS.

In addition to authentication for our customers, Virtustream privileged users must also use two-factor authentication to gain access to the Virtustream management zone. Our authentication process adheres to associated PCI DSS password requirements.

Authorization

Access to Virtustream cloud services is controlled through a combination of user roles and IP-address-based firewall rules, guaranteeing integrity for our customers. We leverage Role-based Access Control (RBAC) to restrict access based on the roles of individual users, in addition to blocking unauthorized access. Virtustream’s RBAC is aligned with the need-to-know and least privilege principles.

RBAC provides a way to give different types of users access only to the resources they need to perform their work. Default roles include Read Only, Resource Creator, System Administrator, Tenant Administrator, and User. Each role contains a set of default permissions. Only a few steps are required to create new roles to customize permissions that align with an organization’s inner workings. For auditing purposes, all privileged users are monitored and logged 24x7x365.

Additionally, the Virtustream xStream Cloud Management self-service portal lets customers designate specific source IP addresses that can access the enterprise-cloud portal. This effectively limits the IP addresses from which users can log into their xStream portal, further increasing security and reducing the chance of unauthorized access to the cloud.