
System and Organization Controls (SOC) 3 Report

Report on Rackspace’s Data Center Hosting Services System Relevant to Security and Availability
For the period October 1, 2018 to September 30, 2019

Prepared in Accordance with AT-C Section 205 pursuant to TSP Section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Trust Services Criteria)

Rackspace’s Data Center Hosting Services System Relevant to Security and Availability
For the period October 1, 2018 to September 30, 2019

Table of Contents

Report of Independent Service Auditors
Management of Rackspace’s Assertion
Attachment A – Rackspace’s Description of the Data Center Hosting Services System
  A. System Overview
     Company Background
     Data Center Hosting Services Overview
     Data Center Hosting Services Boundaries and Scope of Report
  B. System Components
     (1) Infrastructure
     (2) Software
     (3) People
     (4) Procedures
     (5) Data
Attachment B – Principal Service Commitments and System Requirements

REPORT OF INDEPENDENT SERVICE AUDITORS

To the Management of Rackspace Hosting, Inc.

Scope
We have examined Rackspace Hosting, Inc.’s (“Rackspace” or the “service organization”) accompanying assertion titled "Management of Rackspace’s Assertion" (assertion) that the controls within Rackspace’s Data Center Hosting Services System (system) were effective throughout the period October 1, 2018 to September 30, 2019, to provide reasonable assurance that Rackspace’s service commitments and system requirements were achieved based on the trust services criteria relevant to security and availability (applicable trust services criteria) set forth in TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Trust Services Criteria).

Service Organization’s Responsibilities
Rackspace is responsible for its service commitments and system requirements and for designing, implementing, and operating effective controls within the system to provide reasonable assurance that Rackspace’s service commitments and system requirements were achieved. Rackspace has also provided the accompanying assertion about the effectiveness of controls within the system. When preparing its assertion, Rackspace is responsible for selecting, and identifying in its assertion, the applicable trust services criteria and for having a reasonable basis for its assertion by performing an assessment of the effectiveness of the controls within the system.

Service Auditor’s Responsibilities
Our responsibility is to express an opinion, based on our examination, on whether management’s assertion that controls within the system were effective throughout the period to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved based on the applicable trust services criteria is fairly stated.
Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform our examination to obtain reasonable assurance about whether management’s assertion is fairly stated, in all material respects. We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.

Our examination included:
- Obtaining an understanding of the system and the service organization’s service commitments and system requirements
- Assessing the risks that controls were not effective to achieve Rackspace’s service commitments and system requirements based on the applicable trust services criteria
- Performing procedures to obtain evidence about whether controls within the system were effective to achieve Rackspace’s service commitments and system requirements based on the applicable trust services criteria

Our examination also included performing such other procedures as we considered necessary in the circumstances.

PricewaterhouseCoopers LLP, 200 Concord, Suite 920, San Antonio, Texas 78216
T: (210) 332-6540, F: (210) 332-6541, www.pwc.com/us

Inherent Limitations
There are inherent limitations in the effectiveness of any system of internal control, including the possibility of human error and the circumvention of controls.

Because of their nature, controls may not always operate effectively to provide reasonable assurance that the service organization’s service commitments and system requirements were achieved based on the applicable trust services criteria. Also, the projection to the future of any conclusions about the effectiveness of controls is subject to the risk that controls may become inadequate because of changes in conditions or that the degree of compliance with the policies or procedures may deteriorate.

Opinion
In our opinion, management’s assertion that the controls within Rackspace’s Data Center Hosting Services System were effective throughout the period October 1, 2018 to September 30, 2019, to provide reasonable assurance that Rackspace’s service commitments and system requirements were achieved based on the applicable trust services criteria is fairly stated, in all material respects.

San Antonio, Texas
February 6, 2020

1 Fanatical Place
San Antonio, TX 78218

MANAGEMENT OF RACKSPACE’S ASSERTION

We are responsible for designing, implementing, operating, and maintaining effective controls within Rackspace’s Data Center Hosting Services System (system) throughout the period October 1, 2018 to September 30, 2019, to provide reasonable assurance that Rackspace’s service commitments and system requirements relevant to security and availability were achieved. Our description of the boundaries of the system is presented in Attachment A and identifies the aspects of the system covered by our assertion.

We have performed an evaluation of the effectiveness of the controls within the system throughout the period October 1, 2018 to September 30, 2019, to provide reasonable assurance that Rackspace’s service commitments and system requirements were achieved based on the trust services criteria relevant to security and availability (applicable trust services criteria) set forth in TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Trust Services Criteria). Rackspace’s objectives for the system in applying the applicable trust services criteria are embodied in its service commitments and system requirements relevant to the applicable trust services criteria. The principal service commitments and system requirements related to the applicable trust services criteria are presented in Attachment B.

There are inherent limitations in any system of internal control, including the possibility of human error and the circumvention of controls.
Because of these inherent limitations, a service organization may achieve reasonable, but not absolute, assurance that its service commitments and system requirements are achieved.

We assert that the controls within the system were effective throughout the period October 1, 2018 to September 30, 2019, to provide reasonable assurance that Rackspace’s service commitments and system requirements were achieved based on the applicable trust services criteria.

ATTACHMENT A – RACKSPACE’S DESCRIPTION OF THE DATA CENTER HOSTING SERVICES SYSTEM

A. System Overview

Company Background
Rackspace Hosting, Inc. (“Rackspace”) began operations in December 1998 to provide managed web hosting services to businesses on tools including AWS, Google, VMware, Microsoft, OpenStack, and others. Today, Rackspace serves over 300,000 customers in 33 data centers worldwide. Currently, Rackspace employs over 6,500 people (Rackers) around the world. Rackspace integrates industry-leading technologies and practices for each customer’s specific needs and delivers them as a service via the company’s commitment to Fanatical Experience.

Data Center Hosting Services Overview
Rackspace serves a broad range of customers with diverse hosting needs and requirements. Rackspace is segmented into business units. They include:
- Dedicated Hosting (Managed Hosting);
- Managed Colocation;
- Cloud;
- Fanatical Support for technologies; and
- E-mail and Apps.

Managed Colocation serves clients that have significant in-house expertise and only require support around physical infrastructure. Rackspace Hybrid Hosting offers a combination of hosting services that enables customers to use managed hosting and cloud services under one account. Rackspace Fanatical Support for technologies includes in-house expertise in support of AWS, VMware, Microsoft, OpenStack and others. Cloud Hosting serves clients’ scalable IT-enabled capabilities using Internet technologies.
The scope of this report only pertains to the Dedicated Hosting business unit and not the other services.

Data Center Hosting Services Boundaries and Scope of Report
This report includes the components, infrastructure, network devices, infrastructure software, and physical data center facilities for the Data Center Hosting Services System at Rackspace.

This report does not extend to application and business process controls, automated application controls, or hosted application key reports that may be contained on servers hosted within the Data Center Hosting Services System. Additionally, this report does not extend to the workloads (data, files, information) sent by Rackspace’s customers to the Data Center Hosting Services System. The integrity and conformity with regulatory requirements of such data are solely the responsibilities of the applicable Data Center Hosting Services customer.

The system boundaries relating to this SOC 3 report start at the edge/entry point of the network, extend through the corporate network domain, and include the dedicated infrastructure environment.

See the illustration below for a visual representation of the boundaries of the system and this report.

[Figure: Rackspace Data Center Hosting Services System Boundary Overview. Layers shown, top to bottom: Application Layer (email/customer apps/managed applications, cloud files); Database Layer; Hosted Operating System/Servers; Customer Self-Managed Operating System; Network Devices; External Connections (public Internet/VPN); Rackspace Data Centers. Responsibility areas placed on the figure: application administration and change management; database administration and change management; data, data governance, and data compliance; administering local user and administrative accounts; administering password policies for local accounts; O/S patch communication and management (as directed); ongoing O/S configuration management (as directed); directed system administration; organizational security; server hardening and initial configuration; Intensive Active Directory (dedicated client environment); network administration and architecture; firewalls and network devices; network change management; physical and environmental protections; technical support; incident management; backups (if subscribed); firewall and SSH; customer environment. Legend: shared responsibility; inside boundary; outside boundary.]

B. System Components

(1) Infrastructure
The boundaries for the data centers in scope include owned, operated, and leased data center facilities. This report covers the Data Center Hosting Services at the following data centers (in-scope data centers):

Data Center  Location                 Ownership Type  Vendor
DFW2         Dallas, Texas            Operated        Not applicable
DFW3         Dallas, Texas            Operated        Not applicable
FRA1         Frankfurt, Germany       Leased          Digital Realty Trust
HKG1         Hong Kong, China         Leased          PCCW Solutions
IAD3         Ashburn, Virginia        Leased          Digital Realty Trust
IAD4         Ashburn, Virginia        Leased          Equinix Limited
LON3         London, United Kingdom   Owned           Not applicable
LON5         London, United Kingdom   Leased          Digital Realty Trust
ORD1         Chicago, Illinois        Leased          Digital Realty Trust
SYD2         Sydney, Australia        Leased          Digital Realty Trust
SYD4         Sydney, Australia        Leased          Equinix Limited

Rackspace owned or operated data centers are those for which Rackspace does not utilize a vendor for any services. For the leased data center facilities (FRA1, HKG1, IAD3, IAD4, LON5, ORD1, SYD2, and SYD4), Rackspace maintains direct monitoring controls, including annual risk assessments, a review of third-party reports, and periodic touchpoints with the operators of the data centers, to provide coverage over the physical and environmental controls performed at those data centers.

Rackspace manages and maintains infrastructure components supporting the Data Center Hosting Services at the in-scope data centers. Rackspace is responsible for data center infrastructure services, including the following:
- Networking equipment (switches, routers, firewalls, load balancers);
- Physical and logical servers; and
- Physical and environmental security equipment at owned and operated data centers (cameras, badge readers, fire suppression).

Rackspace is responsible for Data Center Hosting Services connectivity to the Internet. Rackspace is not responsible for connectivity from Rackspace’s owned, operated, and leased data centers beyond this point.
Rackspace data centers and Rackspace’s Data Center Hosting Services communicate between physical locations and data centers using secure protocols and links.

(2) Software
Software systems are managed globally by Rackspace using consistent controls and processes. Rackspace utilizes a variety of software systems that support the Data Center Hosting Services System.

Operating Systems/Platforms
Rackspace supports a number of different operating systems as part of the Data Center Hosting Services System. Platforms within the system boundaries include:
- CentOS
- ESXi (virtual host operating system connected to the VMware stack for virtualized server infrastructure)
- Red Hat Enterprise Linux
- SUSE Linux
- Ubuntu Linux
- Windows Server O/S

Operational Support Tools
Rackspace operates several other tools that provide support to internal and customer systems. Such tools include:
- Service management and asset management tools;
- System configuration management tools; and
- Patch management tools.

Authentication/Authorization Services & Isolation Mechanisms
In supporting both the Data Center Hosting Services System and Rackspace customers, Rackspace has implemented a series of tools that support authentication and authorization of individuals. Technologies within the system boundaries include:
- Directory services tools; and
- Authentication, authorization, and accounting tools for managing access to network components.

Security Tools
Multiple technologies are employed throughout the environment to enable information security controls and monitoring, including the following:
- Anti-virus/anti-malware;
- Intrusion Detection System; and
- Logging tools.

Performance Monitoring Tools
Rackspace operates several tools for the purposes of monitoring systems and providing health checks across in-scope environments. The primary tool used within the system boundaries is:
- SCOM (System Center Operations Manager) – Microsoft product to support data center operational monitoring and maintenance of systems.

Other Tools and/or Services Supporting Infrastructure Components
Rackspace provides certain tools and services for customers based upon their request and direction. Examples of these tools include:
- MyRackspace Customer Portal – publicly facing web application where Rackspace customers may log in to access account information regarding their Rackspace services as well as request updates to their environment (e.g. request firewall rule change, service request, configuration changes).
- Intensive Anti-Virus – customers may request that Rackspace install Sophos A/V agents on customer servers and provide ongoing operational support for the A/V solution.
- Managed Backup – a collection of servers in each data center utilized to provide data backup services for customers.
- Managed Storage – network attached storage in support of customers in virtualized environments as well as customers expanding storage requirements beyond their physical dedicated server offerings.
- Segment Support Patching – operating system patching and update servers for supporting operating systems at the request of customers. Customers are responsible for all validation of these activities in line with their compliance requirements.

- Rackspace Virtual Infrastructure – includes all management components of the virtualized infrastructure hosting service.

(3) People
In order to meet its commitments and requirements as they relate to security and availability, Rackspace has defined organizational structures, reporting lines, authorities, and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of the system.

Rackspace is segmented into business units. They include: Data Center Hosting (Managed Hosting), Managed Colocation, OpenStack Public Cloud, Rackspace Private Cloud, Fanatical Experience for technologies, Managed Public Cloud, Rackspace Application Support, Rackspace Managed Security, and E-mail and Apps. Each segment is led by a segment leader. Ten global functions support these segments:
- Engineering
- Accounting & Finance
- Legal
- Employee Services
- Global Technical Support
- Global Data Center Infrastructure
- Sales & Marketing
- Information Technology
- Corporate Development/Strategy
- Global Enterprise Security

These global functions have been established to provide capabilities to complement the segments, and to realize economies of scale and quality control. The leaders of the various global functions, the segment leaders, and corporate officers make up the Rackspace Leadership Team.

The Rackspace Leadership Team actively supports information security within Rackspace through clear direction, demonstrated commitment, explicit assignment, and acknowledgement of information security responsibilities.

Personnel responsible for designing, developing, implementing, operating, maintaining and monitoring the system affecting security and availability have the qualifications and resources to fulfill their responsibilities.
Before hiring personnel, Rackspace takes actions to address risks to the achievement of objectives by making available the organizational values and behavioral standards in the Rackspace employee handbook.

Rackspace is committed to hiring and retaining talent to provide fanatical support. Management requires employees to be subjected to a background check during the hiring process.

Employee competence is a key element of the control environment. Rackspace is committed to training and developing its employees. At least annually, the Human Resources Team/Management performs a review of key talent by individual and role to ensure that critical talent is retained and that the organizational structure is aligned in a way that will support achievement of the Company’s objectives and strategies.

(4) Procedures

Policies and Procedures
Rackspace management is responsible for directing and controlling operations and for establishing, communicating and monitoring policies, standards and procedures. Rackspace achieves operational and strategic compliance with the company’s overall objectives through proper preparation, planning, execution and governance. The policies and procedures are a series of documents used to describe the controls implemented within the Data Center Hosting Services System. The purpose of the policies and procedures is to describe the environment and define the practices performed on behalf of the customer. The policies and procedures include diagrams and descriptions of the network, infrastructure, environment and Rackspace’s commitments.

Importance is placed on maintaining sound and effective internal controls and the integrity and ethical values of all Rackspace personnel. Rackspace promotes a culture based on core values defined by management and carried out by all Rackspace employees. These core values complement the company’s ethical values, integrity model, professional conduct standards, and employee development pathways. The sum of these values and behaviors forms Rackspace’s unique environment by influencing the control consciousness of its employees.

(5) Data
Data, as defined by Rackspace, constitutes the following:
- Data describing customer attributes
- HR data supporting controls such as background checks
- Device configuration
- System files
- Error logs
- Access administration logs
- Electronic interface files

This report does not cover any customer data that is housed on Rackspace-controlled infrastructure. Rackspace takes no responsibility for customer data on its systems and does not perform any control procedures to ensure that customer data is maintained completely and accurately.

In delivering these services, Rackspace has explicitly communicated to customers that Rackspace is not responsible for encryption of data as part of the Data Center Hosting Services System.
Further, customers are instructed to ensure that any data that may require encryption at rest is encrypted prior to backup and that encryption keys are stored in a manner such that Rackspace does not have access to the key.
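The instruction above places both the encryption of backed-up data and custody of the key on the customer. The following Go program is an added example (not code from this report, from Rackspace, or from the Managed Backup service) of what that looks like in practice: the customer generates a 256-bit key and keeps it in its own key store (a KMS or HSM is assumed, not shown), seals the backup payload with AES-256-GCM from the Go standard library before handing it to the backup service, and the provider side only ever holds nonce plus ciphertext and tag. The backup payload and the job label are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// sampleBackup is a constructed stand-in for a customer backup payload.
var sampleBackup = []byte("customers.db|id=1,name=alice|id=2,name=bob")

// NewCustomerKey returns a fresh 256-bit AES key. The customer stores it in
// its own key store (assumed: a customer-controlled KMS/HSM); the key is
// never written next to the backup or sent to the hosting provider.
func NewCustomerKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealBackup encrypts plaintext with AES-256-GCM before it leaves the
// customer's systems. Returned blob layout: nonce || ciphertext || tag.
// label is authenticated but not encrypted (here a backup job identifier),
// so a blob restored under the wrong label is rejected, not silently accepted.
func SealBackup(key, plaintext, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce, producing nonce||ct||tag.
	return gcm.Seal(nonce, nonce, plaintext, label), nil
}

// OpenBackup reverses SealBackup. It fails on a wrong key, a wrong label,
// or any change to nonce, ciphertext or tag.
func OpenBackup(key, blob, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("backup blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, label)
}

// Leaks reports whether the plaintext is visible in the blob the provider stores.
func Leaks(blob, plaintext []byte) bool {
	return bytes.Contains(blob, plaintext)
}

func main() {
	key, err := NewCustomerKey()
	if err != nil {
		panic(err)
	}
	label := []byte("backup-job-2019-09-30") // constructed job identifier
	blob, err := SealBackup(key, sampleBackup, label)
	if err != nil {
		panic(err)
	}
	fmt.Printf("provider stores %d bytes; plaintext visible: %v\n", len(blob), Leaks(blob, sampleBackup))

	pt, err := OpenBackup(key, blob, label)
	fmt.Printf("customer restore ok: %v\n", err == nil && bytes.Equal(pt, sampleBackup))

	// Modification on the provider side is detected at restore time.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = OpenBackup(key, tampered, label)
	fmt.Printf("tampered blob rejected: %v\n", err != nil)
}
```

The split of responsibilities matches the report's boundary: everything the provider receives (the blob) is useless without the key, and any modification of the stored blob, or a restore under a different job label, fails authentication rather than returning corrupted data.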

ATTACHMENT B – PRINCIPAL SERVICE COMMITMENTS AND SYSTEM REQUIREMENTS

Rackspace’s service commitments and system requirements are included in the Managed Hosting Services Terms and Conditions, which are available on Rackspace’s website. Customers are provided with, and required to agree to, the Terms and Conditions. The Terms and Conditions document the contractual obligations of Rackspace Data Center Hosting Services and of the customers using Rackspace’s Data Center Hosting Services, including principal service commitments and system requirements. Any updates to the Terms and Conditions are communicated to customers through the website and through the Customer Portal. In addition, Rackspace’s service commitments and system requirements are communicated to internal users through Rackspace’s intranet.

Only the principal service commitments and system requirements relevant to the applicable trust services criteria are within the boundaries of the system. The relevant service commitments and system requirements are included within the following sections of the Terms and Conditions:
- 4. Service Level
- Hardware Repair or Replacement
- Replication Appliance
- Storage Devices
- Maintenance
- 11. Managed Backup

Additionally, the system description that reflects the boundaries of the Data Center Hosting Services System is available online for customers and prospective customers.
