SRFax is an internet fax service provider designed with high availability and dependability.
The service enables customers to completely rid themselves of all traditional telephony infrastructure including fax boards, telephone circuits, long distance carriers, and fax machines in order to send or receive faxes.
From its inception in 2004, SRFax decided that safeguarding the confidentiality and integrity its customers’ data/information would take top priority. SRFax understood it would need to meet the strictest demands of its customers’ security policies and requirements especially within the financial, trade, legal and medical sectors of business in order to accomplish this.
NOTE: The SRFax network is designed to store client data dependant on their location. Hence, Canadian clients will have their data located within Canada and US clients will have their data located in the USA. A no time does any data reside outside of these borders depending on your location.
Data Center Environment
SRFax is hosted within the TelIPhone / Navigata Data Center in Vancouver, British Columbia. This data facility is responsible for powering many demanding hosted services and telecommunication needs of numerous prominent companies through Canada.
The data center utilizes an array of security measures to control, monitor, and record access. Security cards are required to enter the building and a unique five digit PIN to enter the data center. Video surveillance cameras are installed throughout the facility to provide continuous monitoring.
- 24 x 7 x 365 security
- All doors, including cages, are secured with key access readers
- Colocation and critical areas have windowless exteriors
- CCTV digital camera coverage of the entire center, including cages, with detailed surveillance and audit logs
- CCTV integrated with access control and alarm system
Redundant Power and Cooling
The data center provides a minimum N+1 redundancy for every power system to maximize uptime availability. The center features two main power feeds distributed through electrical rooms to provide balanced power throughout the facility. Uninterruptible power supply (UPS) systems have been deployed, backed by a diesel generator. HVAC units maintain a consistent operating temperature and provide redundant cooling.
The data center is protected by dual zone, dual interlock, dry pipe pre-action fire suppression systems to safeguard our servers in the event of a fire. Multiple Layers of Network Redundancy Network uptime is of paramount importance to ensure superior Service Level agreements (SLAs), hence multiple layers of redundancy have been implemented to the network and data center architecture.
Carrier Grade Networking Systems
The SRFax network, which includes in excess of 500 lines, makes every attempt to provide for system redundancy and does not allow for any single points of failure.
SRFax has multiple carriers, each with duplicate networks that interconnect in the event of failure. The data center is also home to all of the carriers used by SRFax so interconnects are local to the data center facility.
Some of the carriers used by SRFax are:
- Navigata Westel
Authorized Personnel and Screening
Only authorized and essential SRFax personnel are permitted access to the data center facilities and systems used to support the SRFax network. Additionally, all access must be scheduled in advance both with the appropriate SRFax management/officer responsible for data center support as well as the data center itself.
All SRFax personnel are subjected to criminal background checks prior to employment and are performed at unspecified intervals at the discretion of SRFax management.
Data Access by Personnel
SRFax support staff has access to all call detail records of transmissions, but no access to the physical fax documents sent or received. Clients must login to their account and specifically grant access to support staff in order for the staff member to gain visual access to the fax documents.
The SRFax network provides significant protection against common security threats such as DoS (Denial of Service) and other brute-force attack mechanisms. Threats are continually monitored in real-time and will generate systems alerts to data center personnel, SRFax engineering and support staff, and other parties as deemed necessary. No fewer than 4 times per year, SRFax conducts “unannounced” penetration tests using a third party organization. These tests are conducted at times only known to the SRFax security officers and essential management.
The SRFax network and related systems have been designed to tolerate hardware or system failures with zero to minimal customer impact. Our high availability is achieved using duplicated web services, fax transport systems, telephony infrastructure, carrier interconnects, networking and load balancing hardware, as well as redundant data center sites in the event of a catastrophic failure.
All system configuration and data is backed up to in real-time. Databases are replicated in real-time throughout the SRFax infrastructure to ensure high availability and fault tolerance.
Multi-Layer (Defence in Depth) Security Model
The SRFax network and external interfaces to the system (web service APIs, etc.) were designed to provide information protection to standards defined by organizations like the Council on Cyber Security, NSA and NIST. SRFax meets or exceeds the guidelines defined by these organizations for the protection of sensitive information. To that extent, SRFax employs multiple layers of security also known as a “Defence in Depth” that provides its customers an even greater level of protection against eavesdropping or other forms of cyber-attacks.
Authorization to the web service or administrative interfaces requires an account number and password. Additionally, each customer may define a single, multiple or range of IP addresses authorized to access the system (using CIDR notation). The SRFax network separates credentials for administrative users and access to web services.
Web Service Security Model
The web service interfaces (APIs) are the primary vehicle used by remote client systems to access the fax network for the purpose of sending and receiving fax document transmissions. Access to any of the web services are subject to the authorization systems requiring an account ID and password. In addition, the web service may optionally observe and enforce access from allowable endpoints only.
The initial connection to the SRFax network is performed over an HTTPS (port 443) connection where the authorization credentials are presented to the SRFax network. Once the session is established (and the authorization credentials have been accepted), the server and remote client will then generate a key-pair for further symmetric encryption within the already encrypted HTTPS transport.
The key-pair and subsequent shared secret used for encryption is generated using Elliptic Curve Cryptography methods using 1024 bits. Once an encryption key is established, each “message” between the SRFax client and the hosted service is further encrypted using AES256.
The client, requiring no firewall ports to be opened, initiates all connections to the SRFax network.
For high security environments like personal health information, SRFax makes every attempt to NOT store any fax image data/content except for the life of the actual fax transmission. While SRFax will maintain all call record details (eg. fax number dialled, actual connect time, remote fax system ID, pages delivered), all fax image data is immediately destroyed upon termination of the call, whether a success or failure is detected. This is an optional setting controlled by the client. EMR providers can ensure that data is only kept on SRFax servers for the minimum time possible.
During the in-transit period, all fax image data resides in a temporary data store and remains encrypted preventing even SRFax personnel from observing the contents of the fax image/content.
Once the fax transmission has terminated, all fax/image content is FIPS-140 deleted and permanently removed from the SRFax network altogether.
In the event that any data is stored in SRFax servers for any period of time, these files are AES256 bit encrypted and can only be accessed by the client upon a valid login. All connections to the SRFax portal during login are SSL encrypted.
Monitoring and Alerting Systems
SRFax uses standard network/system monitoring facilities as well as highly customized and integrated mechanisms allowing the network to automatically alert data center staff, SRFax engineering and support staff, and even advise customers of local network outages.
The SRFax network is designed around an escalation system making sure that the operational support staff is notified of potential threats or outages as they occur. Escalation from initial detection to an actual customer outage, for example, is achieved in as little as 15 minutes. Alerts are sent via SMTP email to one or more recipients as well as via SMS to mobile handsets.