Cloud Services

The Cloud hosted Caradigm Intelligence Platform (CIP) is a secure, robust, and scalable solution that has been designed with setup and implementation agility in mind.

What this means for you:

  •    Caradigm will provision your CIP Cloud instance quickly to accelerate your time to value
  •    You don’t need to invest in the hardware or staffing that an on-site installation typically requires
  •    Caradigm will maintain the CIP system and its underlying infrastructure, including:
    • Backup and restore operations
    • Active monitoring
    • Security updates and patches
    • Anti-virus and intrusion detection
  •    You benefit from Caradigm's CIP operations experience. Members of the Caradigm Cloud Services team have extensive experience operating CIP and its predecessor products for over 10 years.

 

A CIP Cloud solution is your own set of virtual environments (a Cloud instance) hosted on resources managed and maintained by Caradigm. A typical CIP Cloud solution includes:

  •    A multi-tiered server environment built upon Microsoft server and SQL products
  •    Storage Logical Unit Numbers (LUNs)
  •    Virtual Local Area Networks (VLANs)
  •    The CIP platform and CIP applications
  •    A hot-standby topology for disaster recovery (Additional cost option).

 

Each customer’s cloud instance resides within a private cloud that Caradigm built specifically for its CIP Cloud customers. The private cloud technology keeps your resources and data protected and separate from those of any other customer. The underlying systems - the physical networks, Storage Area Networks (SANs), and Hyper-V clusters that generate and maintain the private cloud - reside in datacenters that Caradigm controls and manages. Users access the CIP Cloud securely across the Internet through a site-to-site VPN.

The diagram below illustrates a high-level view of this architecture for a standard configuration* of a CIP Cloud instance.

*The actual model architecture for each CIP Cloud customer may vary.

 

Each standard CIP cloud solution will include the following environments:

  •    Production environment: Each CIP server role is deployed across a minimum of two servers for high availability. More servers can be added if necessary to meet workload
  •    Staging environment: Mimics the production environment. Cloud Services deploys changes here to validate them before deploying them in the production environment
  •    Test environment: Each CIP server role is deployed across separate virtual machines for testing applications, configuration and development integrations, and data, prior to migration to the staging environment
  •    Development environment: Resources for configuring or building customer-specific setup and/or configuring data feeds
  •    Disaster recovery hot-standby environment (optional): Virtual mirror image of the production environment in an alternative geographically located datacenter.

During initial environment planning, Caradigm will work with you to scale your CIP Cloud topology appropriately to meet your current and future usage needs and data traffic levels.

Your CIP Cloud subscription includes the day-to-day operation and support of your CIP Cloud system. These services cover the following areas:

  •    Deployment support: Caradigm will work with you to help size and build the topology, from the design phase through to go-live
  •    Maintenance services: The Cloud Services team performs proactive maintenance tasks, including deploying security patches and CIP hotfixes, rebuilding SQL indexes, performing backups, and archiving messages and logs
  •    Monitoring and response services: Automated systems monitor the health of customers’ subscribed applications 24x7
  •    Support services: Caradigm Support responds to, classifies, and investigates customer support requests
  •    Customer communication: Caradigm communicates with customers by email or phone regarding open support issues or planned maintenance work

 

CIP Cloud Security Measures

Physical Security for the Data Centers

Multiple IBX facilities that support our CIP Cloud customers reside in some of the most secure and technologically sophisticated data centers in the U.S. Caradigm resources manage these facilities, and the security measures in place include:

  •    24x7 staffed security entrance facilities
  •    Physical access control
  •    Multi-layered armed guard security
  •    CCTV surveillance
  •    Perimeter security
  •    Floor-to-ceiling caging
  •    Key location for Federal IT initiatives

 

Security for the infrastructure

– Access: Only authorized personnel can access the systems that support CIP Cloud customers, and these personnel are subject to requirements to safeguard PHI. Authorized personnel include:

  •    Caradigm personnel who provide Cloud Services or Support Services.
  •    Personnel who serve other approved business needs, such as auditing, security, or other administrative services.

The Caradigm Cloud Services team reviews user accounts on a regular basis to confirm that only appropriate personnel have active accounts. Domain accounts - including service accounts - must change passwords every 120 days.

– Anti-virus and anti-malware protection: All servers have anti-virus and anti-malware protection, and Caradigm personnel apply security patches and updates regularly.

– Firewalls: Each datacenter has a high-availability pair of enterprise-class firewalls. Each firewall has an intrusion detection (IDS) module that monitors for malicious traffic and an intrusion prevention (IPS) module that actively blocks it. These firewalls govern traffic between the network segments and VLANs within the datacenters as well as into and out of the datacenters. The Verizon security operations center monitors the IDS/IPS alerts and logs 24x7 (Verizon does not have access to any customer data).

– External Communication: Communication between the datacenters and customers or external services is through site-to-site VPN tunnels. These VPN tunnels, which use at least AES-256 encryption, terminate at the datacenter firewalls.

– Internal Network Segmentation: Each customer has a set of dedicated VLANs that it can access through the datacenter firewalls. The firewalls limit traffic from the Internet, and restrict any traffic between one customer’s VLANs and those of another customer. Only the CIP server roles that require customer access can use the VLANs, and only the necessary ports are open.

   All database servers reside on a back-end storage area network (SAN). All traffic to the SAN from the other datacenter network segments (including the customer VLANs) passes through the datacenter firewalls.

 

Security for data

All data passing into or out of the datacenters, as well as the stored data, is encrypted.

– Data in transit: Uses Secure Socket Layer (SSL) and Transport Layer Security (TLS) for protection and Secure FTP (sFTP) for secure data transfer

– Data at rest: Uses Encrypted File System (EFS) partitions; databases and database backups are encrypted using Transparent Database Encryption (TDE)

– Information security certifications and audits: Caradigm’s Cloud Services are independently certified to the leading international standard for information security management, ISO27001. Our cloud services also undergo an annual SOC 2 Type II audit for security and confidentiality controls, and a full report is made available to our clients on request. In addition, our datacenter facilities are ISO27001 certified and undergo SSAE 16 Type II audits annually. Access to Service Operations is automatically audited, and includes events such as user identity, time of access, operations performed, and downloads or uploads.

 

How you control your data

The Caradigm CIP Cloud uses claims-based authentication, built on Microsoft Windows Identity Foundation, to verify user credentials.

To manage user credentials, the Caradigm private cloud uses Active Directory Federation Services (AD FS 2.0) to integrate with your Active Directory Domain Service (AD DS) forest. Creation or maintenance of a second identity store for CIP Cloud users is not required – the users can sign in with their existing customer domain credentials.

As another benefit of AD FS, you can directly control your users’ access levels. CIP Cloud systems use Role-Based Access Control (RBAC) to provide an efficient way to manage user access. You can use these roles to define user and administrator levels of access with the granularity you need. Further, you have a centralized system for managing access policies for all applications and data.

Standard connectivity for CIP Cloud

 

Making changes to your solution

Caradigm uses a change management process to manage change requests from the CIP Cloud customers. The details of the process for your organization depend on the applications that you’ve subscribed to, and the configuration that is implemented for your organization. For all customers, Caradigm deploys changes in the staging environment(s) for the customers to validate before deploying the changes in the production environment(s).

CIP Cloud subscriptions include a set of hours annually (based on your subscription agreement) that you can use to deploy these customer applications or changes to the stage, production, and disaster-recovery environments.