Overview
BuyVPS Server's security is formed by three basic elements: the infrastructure, the design and the isolation of the given infrastructure, and access to its operational parts. The main idea of the company's security strategy is to reduce the so-called attackable surfaces and to create stable operational surfaces. We are trying to reach these goals by dividing control of the needed systems between the network infrastructure and the applications of our customers.
This document describes the protection of critical infrastructure and outlines customer responsibilities for the assigned protection related tasks.
Infrastructure-Level Isolation
All VPS instances servers are operated on a basis of KVM-based virtualization and are running in a virtualized environment that is also hardware-assisted. Storage is operated on NVMe drives servers in Amsterdam and New York locations.
The virtual machines function through:
- An independent kernel.
- The system decides how to partition CPU power and memory.
- Segmented virtual networking
- Clear storage boundaries
For our VPS instances we don't use any container-based virtualization. The hypervisor in our case is mostly a resource allocator.
Network Security Architecture
Our network design includes:
- The network operates through segmented management systems
- Limited administrative access routes
- Duplicate connections to upstream networks
- Specific IP address management rules
The system monitors all abuse that leaves the network because it needs to protect the entire network reputation. Email traffic is rate-limited by default. The process for obtaining further IPv4 address blocks requires evaluation by the organization.
We have typical network filtering in place to block most of today's volume of attacks but that does not replace the need for application specific security controls to defend against today's sophisticated threats.
Access Control and Operational Security
Right now our infrastructure is running with limited access. We will give authorized personnel access to the systems they need to access to do their jobs.
Operational practices include:
- The system implements role-based access control
- Administrative access requires multi-factor authentication
- Maintains logged access events which are auditable
- Restricts access to management endpoints
The system monitors all administrative actions which it continues to track.
Data Handling and Storage
BuyVPS provides infrastructure services. The system enables users to keep full control over their personal data and application security functions.
At the infrastructure level:
- The selected region contains all data storage
- The system performs no default data replication between different regions
- The backup system performs disk-level backups when users activate this feature
- Off-site backup options can be set up during data backup selection.
Customers are responsible for:
- OS hardening
- Application security measures
- Firewall configuration inside the VPS
- Backup strategy validation
- Data encryption policies
Patch Management
For scheduled updates of the hypervisor and the associated infrastructure the organization runs its internal operational procedures.
Maintenance scheduled for our system will only be performed on certain areas of our system and the company will issue advance notifications for any impending system disruption to occur.
Customers need to perform their own operating system and application updates for their VPS environment.
DDoS and Abuse Handling
The network-level mitigation system works to minimize the effects which big attacks create. However, no provider can guarantee immunity from all forms of distributed attacks.
The system starts abuse report investigations right away after receiving sufficient evidence which needs to include time stamps and source IP addresses and proper system logs. Report to abuse@buyvps.com.
The network integrity of BuyVPS allows the company to take measures against workloads which produce ongoing abuse or create threats to platform stability.
Vulnerability Reporting
The security team at BuyVPS needs your immediate contact to report any security vulnerability which threatens our infrastructure.
- The report provides an extensive analysis of the problem
- Detailed reproduction steps
- Details about system and endpoint impact
- Supporting evidence from logs and evidence
We support responsible reporting and will recognize legitimate concerns. You can reach out to security@buyvps.com.
Customer Responsibilities
Security in a VPS environment is shared.
BuyVPS secures
- Physical infrastructure
- Hypervisor layer
- Network segmentation
- Access control to platform systems
Customers secure
- Operating systems
- Applications
- Authentication policies
- Encryption
- Backup integrity
Our team can defend production workloads by using secure VPS operations because we understand this separation method. See our VPS infrastructure.
Policy Updates
The policy will undergo changes when new infrastructure projects start their operations. The security posture page will display all major changes which impact system security.
Security questions
The first section delivers right away essential information about infrastructure security and shared responsibility and demonstrates to users the correct method for system problem reporting.