RackTop Secure Architecture and Supply Chain
BrickStor SP runs BrickStor OS, RackTop’s own proprietary UNIX operating system. The OS is compiled in accordance with the company’s Software Secure Supply Chain procedures, which include 100% RackTop-controlled, US-based code repositories, a US-based build and QA process, and a restricted code signing process that ensures software released to the public is authentic. The operating system cryptographically validates the signature of the OS on installation and on boot. BrickStor OS is installed as an image, similar to firmware, and is read-only. The operating state of the OS is non-persistent, so each reboot returns the system to its original state. Customer data is kept separate from the operating environment.
BrickStor OS is not a general-purpose operating system. It is designed to run and operate like a hardened black-box appliance. BrickStor OS does not allow end users to perform patch management. Updates and patches are delivered as a new OS image which the system boots into.
Management of the OS is performed over HTTPS/REST and requires both authentication and authorization (via access Groups). For further information regarding ports and firewall rules, refer to Hardening and Customization.
Management data in flight is encrypted using TLS. Protocol data in flight is encrypted using AES-256. Data at rest in encrypted datasets is protected using AES-256. If using self-encrypting disks, data is also encrypted using a different set of keys on the disk itself.
RackTop Secure Supply Chain for Information Assurance
RackTop employs cybersecurity best practices throughout the entire product lifecycle, from development and deployment through sustainment and system retirement. RackTop provides company-wide training to promote security awareness and foster an understanding of the risks facing the company and our customers.
Additionally, RackTop fosters an environment where the software development organization understands the principles of secure software design. The secure-by-design culture of RackTop includes security reviews as part of product designs and architectures. A security analysis is performed against implementations to detect security weaknesses and common security vulnerabilities. RackTop uses automated scanning tools such as Nessus to continuously monitor, detect and remediate vulnerabilities. RackTop is vigilant about preventing vulnerabilities from entering the product during the development and product delivery process, and about providing corrective configuration actions or updates to eliminate vulnerabilities in fielded products.
As part of the product lifecycle, the project management team tracks and reviews serious findings from vulnerability scans and security reviews. The project management team ensures these findings are worked with the highest development priority for security updates and product releases.
RackTop secures software updates by providing signed code in a proprietary RAP format. Fielded systems validate the signature before installing the software update. RackTop’s operating system will not allow unsigned binaries to persist across a reboot, which provides further protection against malware and advanced persistent threats. Firmware for RackTop-provided hardware is managed in a similar way, using signed binaries to protect the authenticity and integrity of the software and hardware.
Updates are provided to internet-connected machines over a secure channel with certificate-based authentication. For customers who do not have internet connectivity, RackTop provides secure, password-protected access to a web-accessible repository. Customers can securely import the software via their organizationally approved methods and upload it to their RackTop system to perform the secure update process.
RackTop understands the need for end-to-end security in both software and hardware. RackTop ensures that it orders original manufacturer’s authentic hardware through authorized manufacturers and distributors. To further improve security, RackTop always uses TAA-compliant hardware, and BAA-compliant hardware whenever available. RackTop employs FIPS 140-2 Level 2 validated self-encrypting drives within its systems to protect the data at rest. The data on the drives is encrypted using a data encryption key that is never exposed to the user or an external application. Cryptographic data purge features, along with statements of volatility, allow end-user organizations to appropriately destroy and retire the information system. RackTop is continuously increasing the security and resiliency of the product to defend against evolving advanced persistent threats.