WHITE PAPER

Uptime Services Mission Critical

With over 6,000 clients, our The individual plans are designed for: Uptime is a globally trusted • Remote – designed primarily for the IT support and maintenance support of software products for offering. Uptime is a portfolio which incidents are handled remotely. Remote support is provided on a 24x7 of support services designed basis. to assist in maintaining the • Parts Only – for organizations availability of your technology have sufficient skills to perform an on- and offers enhancements site repair when needed, but don’t have through proactive service the scale to stock their own spares or options to drive down the logistics capabilities to get parts the complexity of your to the right location the right . infrastructure and lower Remote support is provided on a 24x7 basis and, when delivery of parts to your costs in operating your site is required, you’re able to select technology. from a set of service target options. Our portfolio is designed to give you the • Onsite – for organizations who require flexibility of service levels per asset from a combination of onsite labour and/ each of the four service plans. These or parts in addition to remote support, plans range from Remote, our entry providing a complete onsite solution offering, right through to Mission Critical for either hardware or software assets. for your most critical systems. All these This is suited to organizations who can be further enhanced with a set of do not have local teams, parts, and/ additional Proactive Support Services or engineering expertise to perform to you manage your estate onsite repairs. effectively. • Mission Critical – this plan is for both hardware and software assets in your network that must have minimum downtime and, when down, represent a significant impact on your business operations. This service plan provides an elevated level of support intimacy with fast track access to senior technical resources saving critical time when incidents occur. The scope of this white paper is to provide you with an overview of the technology and security posture which will enable you to benefit from our Uptime Mission Critical service plan.

1 | © Copyright NTT Limited 2019 hello.global.ntt white paper | Uptime Services - Mission Critical

Table of Contents Our three Mission Critical services 03 Delivery model 03 Compliance to industry standards 03 Global services oriented architecture (GSOA) 03 Network management protocols 04 Connectivity 04 Automation 04 Firewall rules 05 Access to client devices 05 Data privacy 05 Data in transit 05 Data at rest 05 Summary 06 Frequently asked questions 06

List of Figures Figure 1: GSOA architecture 03 Figure 2: Flexible connectivity 04

List of Tables Table 1: Encryption parameters 04 Table 2: Firewall rules - Outbound for traffic going out through VPN to NTT’s GSOA 04 Table 3: Firewall rules - Inbound for traffic coming in hrough VPN from NTT’s GSOA 04 Table 4: Device access - Inbound for traffic coming in hrough VPN from NTT’s GSOA 05 Table 5: Our approach to addressing common security concerns 06

2 | © Copyright NTT Limited 2019 hello.global.ntt white paper | Uptime Services - Mission Critical

Our three Mission Critical This will ensure the latest configuration Global services oriented services is available for restoration during architecture (GSOA) hardware failures or any failed changes. Availability Monitoring and Reporting You will be able to restore your business GSOA is comprised of the foundational This Mission Critical service is designed to normal at the earliest possible time toolsets and platforms we use to support to proactively monitor the availability with our Configuration Archiving service. our processes and people in delivering of your assets and ensure maximum services to your business. It provides uptime. Availability events are recorded Delivery model a global, multitenanted solution that supports our services – from support to and managed, and if required logged We adopt a global operating model outsourcing – on a common platform. and addressed as an incident. Included which allows us to leverage our experts The automation platform, which is part in this service, your infrastructure centrally from our global delivery of GSOA, will ensure maximum events availability reports are provided to you centers. This provides you with the are handled by a virtual engineer and via Manage Centre and will enable you to quickest possible response through will ensure that only business-impacting locate where your business is impacted multiple channels to suit your business events are converted to incidents. and take necessary actions to ensure preferences, and access to our technical maximum uptime for your business. expertise together with deployment Figure 1 depicts the high-level of local experts to give you the best architecture of our GSOA which is used Capacity Monitoring and Reporting possible service experience. for monitoring your infrastructure. Our Capacity Monitoring and Reporting service allows you to identify potential With an onsite presence in 147 countries, At a high level, GSOA has three performance issues in your infrastructure we can dispatch engineers and/or components: and prevent business-impacting hardware to your premises within agreed • Remote infrastructure management disruptions. Our Service proactively timeframes and are able to track them (RIM) is the layer where the network monitors the capacity utilization of your using advanced field mobility tools. management function is carried assets, which are based on a set of Your service experience is available to out. We use EMC Smarts assurance agreed thresholds that are configured to you in real-time via your Manage Centre manager for this function which suit your business needs. Thresholds are logon. This will provide you not only receives the Simple Network set only to generate alert notifications access to your Mission Critical service Management Protocol (SNMP) traps after a baseline period of three months. elements, but also gives you the ability to from your devices. Configuration Capacity and performance related track open tickets, log a new request, or backup functionality is performed by events (whether informational or service directly to one of our experts via our Smarts NCM. impacting) are recorded and if service is integrated chat function and much more. • IT service management (ITSM) is the impacted, logged and addressed as an layer used for managing ITIL processes incident. Compliance to industry for all client interactions. ServiceNow Included in this service, your capacity standards is the platform used for this. reports are provided to you via Manage Our global delivery centers are industry • Enterprise messaging routing (EMR) Centre to help you in planning changes certified inISO:20000, ISO:27001 and is the service integration layer through to your environment to meet the evolving ISO:9000 to adhere to industry best which the RIM and ITSM communicate needs of your business. practices on service management, with each other. security and quality standards and are Configuration Archiving subject to annual audits keep them that With our Configuration Archiving way. service, you can plan for unplanned outages. On an on-going basis we will archive the configuration of your Automation covered assets saving both the current ICMP configuration and previous version. Most Client SNMP GET and RESPONSE supported devices have the capability to inform our monitoring systems that SNMP TRAPS the configuration has been changed, IPSec VPN initiating a fresh configuration download. GSOA Configurations are archived monthly and compared to the last stored configuration to ensure the latest version is saved. Internet

Figure 1: GSOA architecture

3 | © Copyright NTT Limited 2019 hello.global.ntt white paper | Uptime Services - Mission Critical

Network management Option one: IPsec virtual private network Option two: Point to point leased line (VPN) over internet protocols If a VPN connection is not suitable, we Our recommended option is to establish Our Mission Critical service is designed can provision a dedicated point to point a secure encrypted VPN connection deliver a number of proactive services private leased line between your location over internet based on IPSec which to your environment. To achieve this we and NTT. gives advantage over the below three depend on SNMP and ICMP protocols to parameters: Option three: MPLS Cloud proactively monitor your network. Time – It is quick to establish a VPN. We can also connect to your network by ICMP is used to monitor the availability, According to our experience, the being part of your existing MPLS cloud whereas SNMP is used for performance configuration for setting up the VPN you have (if any). In this scenario, NTT related parameters. SNMP agents are generally is completed in less than two will be treated as a branch location in required to be activated in order to hours. your private cloud. generate traps and your devices will need to be configured accordingly for Flexibility – There is no dependency Automation the of events, and traps that will be on the underlying internet media type One of the values that our GSOA platform generated. The device will also respond for this VPN. The only requirement is offers is its automation capabilities. We to SNMP GET messages from GSOA. to have your network able to reach our public IP address and identify as a VPN use automation which will analyse the For security purposes, the SNMP termination point. events generated out of SNMP traps and communication between your device take action without the need for human Cost - Existing infrastructure is used for and our GSOA requires this to be intervention. This helps eliminate false this and there is no need of additional authenticated and SNMP community events as well as avoiding any potential investment in terms of a new physical are used for this. We require ’read human error. only’ community strings for monitoring. circuits or terminating device. For some automations, we will need As stated, the VPN connection In addition to this, a SNMP trap to login to your device automatically is encrypted using the following destination will need to be configured and execute some show commands to parameters to ensure confidentiality, pointing to our GSOA IP address. validate the event and verify its latest integrity, and availability (CIA) for all This configuration is done on individual status. To do this, we will require you communication between NTT and your devices and if requested, we can help to open the ports indicated and provide network. you execute this via automated scripts. credentials. Please note that all the logins will be available for audits from Connectivity Encryption parameters our platform and can be shared as and when required. Our proactive services will ensure Encryption algorithm 3DES your network is available 24x7 by continuously monitoring your devices Hash algorithm SHA1 via our GSOA platform. IP reachability is Diffie Hellman Group 2 required between your network and ours. Table 1: Encryption parameters We have the flexibility to achieve this using one of the three methods shown in Since the SNMP is a lightweight protocol, Figure 2. the bandwidth requirement through this VPN connection is minimal.

Internet IPsec VPN Client

P2P leased line

MPLS cloud GSOA

Figure 2: Flexible connectivity

4 | © Copyright NTT Limited 2019 hello.global.ntt white paper | Uptime Services - Mission Critical

Firewall rules Source IP Destination IP Protocol Service Port Description Necessary firewall rules are required Client network range NTT LAN IP address range UDP SNMP 162 SNMP trap to be created in your infrastructure to ensure smooth communication of the Client network range NTT LAN IP address range ICMP ICMP - Network ICMP, SNMP traps/polling and SSH/ connectivity Telnet between your network and NTT’s Client network range NTT LAN IP address range UDP ICMP 7 Network GSOA platform, as per Table 2 and 3. connectivity Client network range NTT LAN IP address range UCP ICMP 33434- Access to client devices 33464 For monitoring your infrastructure, Table 2: Firewall rules - Outbound for traffic going out through VPN to NTT’s GSOA we will not require access to your infrastructure devices. However, in the Source IP Destination IP Protocol Service Port Description event of an incident where you require our engineers to remotely troubleshoot, NTT LAN IP address range Client network range ICMP ICMP - Network connectivity we will require access to your network based on your approval. This can be NTT LAN IP address range Client network range UDP ICMP 7 Network connectivity done in two ways: NTT LAN IP address range Client network range UDP SNMP 161 SNMP polling Option one: Access through the VPN NTT LAN IP address range Client network range UCP ICMP 33434- Traceroute If you are able to provide credentials 33464 to your network devices for our NTT LAN IP address range Client network range TCP SSH 22 Configuration engineers in advance, they will be Telnet 23 backup; and for able to remotely login to the devices automation through the established VPN link using Table 3: Firewall rules - Inbound for traffic coming in through VPN from NTT’s GSOA these credentials and diagnosis immediately. All logins will be done only on the basis of approval from your side. Source IP Destination IP Protocol Service Port Description

Based on our extensive experience in NTT LAN IP address range Client network range TCP SSH 22 Device access managing millions of asset, this method Telnet 23 will significantly improve the mean- Table 4: Device access - Inbound for traffic coming in through VPN from NTT’s GSOA time-to-repair of your infrastructure and ensuring maximum uptime for your business. configuration management database • Device configuration files during (CMDB) where we maintain your asset configuration backup For immediate access, our engineers will base. The device credentials are also • SSH and Telnet traffic using device require access to your devices via the required to perform periodic backup logins either manually or by our VPN connection as per the port indicated using NCM. automations in Table 3. Please note: We do not maintain any Option two: Access by having a personally identifiable information nor Data at rest webconference with your team members monitor any traffic passing through any All the operational data is stored in ITSM If credentials cannot be provided to device. and encrypted at rest. The IT user and our engineers, we can also support device information which is stored in you by inviting your support team to a Data in transit ITSM is protected by edge encryption, Cisco Webex session to start diagnosis. Proactive monitoring is enabled through meaning that not even ServiceNow has This way, access and credentials are continuous polling of your devices using access to the keys to decrypt the data. controlled by your teams. industry standard protocols. The device health and performance data Data privacy The below traffic will be in transit during resides in RIM and is prevented using the normal operations of our Mission strict authentication mechanisms. For proactive monitoring, your specified critical service plan: The EMR communication between ITSM IT users will have access to our Manage and RIM are based on HTTPS. Centre Portal. This will enable visibility • ICMP traffic for device availability of you IT health, active incidents and the • SNMP polling and traps for device Manage Centre, which is our client portal, ability to raise tickets as well as other availability and performance related also does not store any information. It benefits. data. Only device diagnostics data acts as the presentation layer for the which contains information related to data residing within ITSM and RIM. For devices, we need the IP address, the health and status of that particular serial number, location, hostname, SNMP device details, etc., which will be stored in our

5 | © Copyright NTT Limited 2019 hello.global.ntt white paper | Uptime Services - Mission Critical

Summary Our Services are designed to deliver from them and will be attended to by encryption at all levels in our ITSM maximum uptime to your organization. our remote delivery team in our global platform and does not include any This requires our platforms to have delivery centers. personal identifiable information. basic access to your devices so that Security is important to us and we have To successfully integrate with our GSOA we can poll and collect critical system several controls in place to ensure that environment, we require you to open information that will allow our experts to your data is stored safely and encrypted necessary firewall ports and configure immediately resolve any issues. securely in our systems. SNMP in your infrastructure devices. Through an encrypted VPN connection, We give utmost importance to the Table 5 summarizes how the measures our GSOA platform will be able to poll security of your data and infrastructure. we deploy can address your security your devices or receive SNMP traps Your data will be stored securely with concerns:

Your security concern: How we address this:

Traffic between NTT and you Encrypted IPsec VPN between both NTT and you.

SNMP communication between your SNMP community strings for authentication. devices and NTT’s GSOA

Unauthorised traffic between NTT and Inbound and outbound firewalls rules configured on both your you and NTT’s enterprise firewalls.

Data privacy We store only device diagnostics data. No personally identifiable information is stored.

Data storage All your data stored in our system are encrypted.

Compliance to standards ISO:20000, ISO:27001 and ISO:9000 certifications for our global delivery centers.

Table 5: Our approach to addressing common security concerns

Frequently asked questions from clients Why do you need connectivity for the Do I need to configure SNMP commands We ensure only the traffic required for Mission Critical plan? in all my devices? our Services is allowed through the VPN. Mission Critical is a proactive plan , to respond to SNMP GET requests Similarly, we request that you configure which depends on SNMP traps being and send SNMP traps, we need to the firewalls in your enterprise to allow received from your devices. This requires configure SNMP commands in your only the traffic which we have specified IP reachability, hence the need for device. We have some automated scripts above. connectivity. which can be used to configure a large How do your engineers access my Do I need to procure a physical link to number of devices in a short amount of devices during any incident diagnosis? connect to NTT? time. We prefer that you give us credentials The only requirement is to have IP How much bandwidth is required for to access your devices through the VPN reachability between your network and network management traffic through link, since this will reduce the mean-time- NTT’s network. A physical link will also VPN? to-repair considerably. However, we have serve the purpose. But an encrypted VPN SNMP is a light-weight protocol. alternate methods using Cisco WebEx, over your existing internet link will be a Bandwidth usage per device will be etc., where your engineers can give cost-effective option and much faster ~1 kbps. access during the troubleshooting. and easier to configure. Since NTT has connectivity to my You support other clients using the same Isn’t it difficult and complex to setup a network, my network is exposed to you. infrastructure. How do you ensure my VPN? How do we insure against any of data is not accessible to others? In our experience, we believe this to be a attacks through this network? Our global services operating simple setup on configuration between The security of our client’s infrastructure architecture is a multi-tenanted platform security devices, as long as they support is of prime importance to us. We which uses domain segregation and role- the security parameters defined. This can consider it a joint effort to ensure based access control to ensure the client take as little as two hours to configure. availability of your network. data is completely segregated and only authorized users can access relevant client data.

6 | © Copyright NTT Limited 2019 hello.global.ntt