Overview

Meraki operates the industry's largest-scale Cloud Networking service. Meraki’s cloud service powers over 18,000 networks worldwide. Meraki also has the most experience in the cloud, having run its production service continuously for five years. Meraki’s Cloud Networking platform is trusted by thousands of IT professionals, from enterprises to hospitals, banks, and retailers.

This website is the central repository of information regarding security, privacy, and reliability as related to Meraki’s cloud hosted services. Here you will find information concerning:

  • Our datacenters, our security processes, and certifications
  • How we safeguard your data
  • Best practices for securing your organization's network
  • How Meraki networks continue to operate when disconnected from the cloud
  • PCI compliance information, tools, and best practices
  • Meraki’s 99.99% uptime Service Level Agreement

Meraki Datacenter Design

Meraki’s service is colocated in tier-1, SAS70 type II certified datacenters. These datacenters feature state of the art physical and cyber security and highly reliable designs. All Meraki services are replicated across multiple independent datacenters, so that customer-facing services fail over rapidly in the event of a catastrophic datacenter failure.

Availability Monitoring

  • 99.99% uptime service level agreement (that's under one hour per year)
  • 24x7 automated failure detection - all servers are tested every five minutes from multiple locations
  • Rapid escalation procedures across multiple operations teams
  • Independent outage alert system with 3x redundancy

Redundancy

  • Five geographically dispersed datacenters
  • Every customer's data (network configuration and usage metrics) replicated across three independent datacenters
  • Real-time replication of data between datacenters (within 60 seconds)
  • Nightly archival backups

Disaster Recovery

  • Rapid failover to hot spare in event of hardware failure or natural disaster
  • Out of band architecture preserves end-user network functionality, even if connectivity to Meraki’s cloud services is interrupted
  • Failover procedures drilled weekly

Cloud Services Security

  • 24x7 automated intrusion detection
  • Protected via IP and port-based firewalls
  • Remote access restricted by source IP address and authenticated with RSA public keys
  • Password logins to production systems are disabled
  • Administrators automatically alerted on configuration changes
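The remote-access controls listed above (source-IP restriction, public-key authentication, no passwords) describe the shape of a hardened SSH service. The page does not name the daemon or show its configuration, so the following is an added example rather than Meraki's own setup: it assumes OpenSSH's sshd_config format, parses a configuration the way sshd does (first occurrence of a keyword wins, lines after a Match line belong to that block), and reports every setting that would contradict those controls. Both configuration fragments and the jump-host address are constructed.

```python
import re

# Constructed sshd_config fragments, not Meraki's own configuration.
WEAK_CONFIG = """
# Typical out-of-the-box settings: passwords accepted from anywhere, root may log in
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
"""

HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
AuthenticationMethods publickey
# Only the operations account, and only from the jump host (address is an assumption)
AllowUsers ops@198.51.100.10
Match Address 198.51.100.0/24
    PasswordAuthentication no
"""

# (keyword, required value, why it matters); keywords are case-insensitive, as in sshd
REQUIRED = [
    ("passwordauthentication", "no", "password logins are accepted"),
    ("challengeresponseauthentication", "no", "keyboard-interactive password logins are accepted"),
    ("permitemptypasswords", "no", "accounts with empty passwords can log in"),
    ("pubkeyauthentication", "yes", "public-key authentication is switched off"),
    ("permitrootlogin", "no", "direct root login is allowed"),
]


def parse_sshd_config(text):
    """Effective global settings as sshd reads them: the first occurrence of a keyword
    wins, and everything after a Match line belongs to that block, so it is skipped."""
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)   # sshd accepts "Key value" and "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return findings; an empty list means the file enforces key-only access from
    allowed addresses, as described above."""
    s = parse_sshd_config(text)
    findings = []
    for key, required, why in REQUIRED:
        actual = s.get(key)
        if actual is None:
            # Defaults vary between OpenSSH versions and distributions, so rely on none of them
            findings.append(f"{key} not set; set it to '{required}' instead of relying on build defaults")
        elif actual.lower() != required:
            findings.append(f"{key} {actual}: {why}")
    if "publickey" not in s.get("authenticationmethods", "").lower():
        findings.append("authenticationmethods does not require publickey")
    # Source restriction: user@host patterns in AllowUsers, or a Match Address block
    has_allow_host = any("@" in user for user in s.get("allowusers", "").split())
    has_match_addr = re.search(r"^\s*match\s+address\b", text, re.I | re.M) is not None
    if not (has_allow_host or has_match_addr):
        findings.append("no source address restriction (AllowUsers user@host or Match Address)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_sshd_config(cfg) or 'OK'}")
```

The checker treats an unset keyword as a finding on purpose: a build whose default is already safe can be replaced by one whose default is not, and the file should not depend on that. Network-level filtering (the IP and port-based firewalls listed above) still belongs in front of the daemon; the AllowUsers and Match Address patterns are a second layer, not a replacement.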

Out-of-Band Architecture

  • Only network configuration and usage statistics are stored in the cloud
  • End user data does not traverse through the datacenter
  • All sensitive data (e.g. passwords) stored in encrypted format

Physical Security

  • A high security card key system and biometric readers are utilized to control facility access
  • All entries, exits, and cabinets are monitored by video surveillance
  • Security guards monitor all traffic into and out of the datacenters 24x7, ensuring that entry processes are followed

Disaster Preparedness

  • Datacenters feature sophisticated sprinkler systems with interlocks to prevent accidental water discharge
  • Diesel generators provide backup power in the event of power loss
  • UPS systems condition power and ensure orderly shutdown in the event of a full power outage
  • Each datacenter has service from at least two top-tier carriers
  • Seismic bracing is provided for the raised floor, cabinets, and support systems
  • In the event of a catastrophic datacenter failure, services fail over to another geographically separate datacenter

Environmental Controls

  • Over-provisioned HVAC systems provide cooling and humidity control
  • Flooring systems are dedicated for air distribution

Regular Penetration Testing

  • All Meraki datacenters undergo daily penetration testing by an independent third party

Datacenter Certification

  • Meraki datacenters are SAS70 type II certified

Out of Band Control Plane

Meraki’s out of band control plane separates network management data from user data. Management data (e.g. configuration, statistics, monitoring, etc.) flows from Meraki devices (wireless access points and routers) to Meraki’s cloud over a secure Internet connection. User data (web browsing, internal applications, etc.) does not flow through the cloud, instead flowing directly to its destination on the LAN or across the WAN.

Advantages of an out of band control plane:

Scalability

  • Unlimited throughput: no centralized controller bottlenecks
  • Add devices or sites without MPLS tunnels

Reliability

  • Redundant cloud service provides high availability
  • Network functions even if management traffic is interrupted

Security

  • No user traffic passes through Meraki’s datacenters
  • Fully HIPAA / PCI compliant

What happens if my network loses connectivity to the Meraki Cloud Controller?

Because of Meraki’s out of band architecture, most end users are not affected if Meraki wireless APs and routers cannot communicate with Meraki’s cloud services (e.g. because of a temporary WAN failure):

  • Users can access the local network (printers, file shares, etc.)
  • If WAN connectivity is available, users can access the Internet
  • Network policies (firewall rules, QoS, etc.) continue to be enforced
  • Users can authenticate via 802.1X/RADIUS
  • Wireless users can roam between access points
  • Users can initiate and renew DHCP leases
  • Established VPN tunnels continue to operate
  • Local configuration tools are available (e.g. device IP configuration)

While Meraki’s cloud is unreachable, management, monitoring, and hosted services are temporarily unavailable:

  • Configuration and diagnostic tools are unavailable
  • Usage statistics are stored locally until the connection to the cloud is re-established, at which time they are pushed to the cloud
  • Splash pages and related functionality are unavailable

Security Tools and Best Practices for Administrators

In addition to Meraki’s secure out of band architecture and hardened datacenters, Meraki offers a number of tools for administrators to maximize the security of their network deployments. Using these tools provides optimal protection, visibility, and control over your Meraki network. This page explains how to quickly and easily increase the security of your meraki.com accounts and describes our recommended best practices for account control and auditing. For more information, see the Meraki Cloud Controller manual.

Enable two-factor authentication

Two-factor authentication adds an extra layer of security to an organization's network by requiring access to an administrator's phone, in addition to their username and password, in order to log in to Meraki’s cloud services. Meraki’s two-factor authentication implementation uses secure, convenient, and cost effective SMS technology: after entering their username and password, an administrator is sent a one-time passcode via SMS, which they must enter before authentication is complete. If an attacker guesses or learns an administrator's password, they still will not be able to access the organization's account, because they do not have the administrator's phone. Meraki includes two-factor authentication for all enterprise users at no additional cost.
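The exchange described above, as an added example that is not Meraki's implementation: the server-side half of an SMS one-time-passcode step, in Python. The six-digit code, the five-minute validity, the three-guess cap, and the stubbed SMS channel (a callable that just receives the message text) are assumptions. What the example shows is the handling a second factor needs beyond sending the code: storing only a salted hash of it, expiring it, accepting it once, comparing in constant time, and voiding the challenge after repeated wrong guesses.

```python
import hashlib
import hmac
import secrets
import time

CODE_LENGTH = 6
CODE_TTL_SECONDS = 300      # assumption: a code is valid for five minutes
MAX_ATTEMPTS = 3            # assumption: three wrong guesses void the challenge


class SmsSecondFactor:
    """Server side of the SMS one-time-passcode step. Only a salted hash of the code is
    kept, the code expires, it is accepted once, and guesses are capped."""

    def __init__(self, send_sms, clock=time.time):
        self.send_sms = send_sms   # callable(phone, text); real SMS delivery is not modelled here
        self.clock = clock
        self.pending = {}          # session_id -> outstanding challenge

    @staticmethod
    def _digest(salt, code):
        return hashlib.sha256(salt + code.encode()).digest()

    def start(self, session_id, phone):
        """Called after the username/password step has succeeded."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        salt = secrets.token_bytes(16)
        self.pending[session_id] = {
            "salt": salt,
            "digest": self._digest(salt, code),      # the plaintext code is never stored
            "expires": self.clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        self.send_sms(phone, f"Your login code is {code}. It expires in 5 minutes.")

    def verify(self, session_id, submitted):
        """Return True only for the current, unexpired, not-yet-used code."""
        rec = self.pending.get(session_id)
        if rec is None:
            return False   # nothing outstanding: never started, already used, or locked
        if self.clock() > rec["expires"]:
            del self.pending[session_id]
            return False   # expired; the user must request a new code
        rec["attempts"] += 1
        ok = hmac.compare_digest(rec["digest"], self._digest(rec["salt"], submitted))
        if ok or rec["attempts"] >= MAX_ATTEMPTS:
            del self.pending[session_id]   # single use, and a cap on guesses
        return ok


def demo_flow():
    """Run the exchange with a fake SMS channel and a fake clock; returns what happened."""
    outbox = []
    now = [1_000_000.0]
    mfa = SmsSecondFactor(lambda phone, text: outbox.append(text), clock=lambda: now[0])

    def last_code():
        return outbox[-1].split("code is ")[1][:CODE_LENGTH]

    def wrong(code):   # a code that is guaranteed to differ from the real one
        return str((int(code) + 1) % 10 ** CODE_LENGTH).zfill(CODE_LENGTH)

    results = {}
    mfa.start("sess-1", "+1-555-0100")            # constructed phone number
    code = last_code()
    results["wrong_code_rejected"] = not mfa.verify("sess-1", wrong(code))
    results["right_code_accepted"] = mfa.verify("sess-1", code)
    results["replay_rejected"] = not mfa.verify("sess-1", code)

    mfa.start("sess-2", "+1-555-0100")
    code = last_code()
    now[0] += CODE_TTL_SECONDS + 1                # let the code expire
    results["expired_code_rejected"] = not mfa.verify("sess-2", code)

    mfa.start("sess-3", "+1-555-0100")
    code = last_code()
    for _ in range(MAX_ATTEMPTS):
        mfa.verify("sess-3", wrong(code))
    results["locked_after_guesses"] = not mfa.verify("sess-3", code)
    return results


if __name__ == "__main__":
    print(demo_flow())
```

The guess cap matters because a six-digit code has only a million values; without it, an attacker holding the password could simply enumerate codes inside the validity window. Rate limiting how often a new code can be requested per account belongs in the same place, and is left out of the example.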

Strengthen your password policies

You can configure organization-wide security policies for your Meraki accounts to better protect access to the Meraki dashboard. Under Organization -> Configure, you may:

  • Force periodic password change (e.g., every 90 days)
  • Require minimum password length and complexity
  • Lock users out after repeated failed login attempts
  • Disallow password reuse
  • Restrict logins by IP address

Enforce the principle of least privilege with role-based administration

Role-based administration lets you appoint administrators for specific subsets of your organization, and specify whether they have read-only access to reports and troubleshooting tools, administer managed guest access via Meraki’s Lobby Ambassador, or can make configuration changes to the network. Role-based administration reduces the chance of accidental or malicious misconfiguration, and restricts errors to isolated parts of the network.

Enable configuration change email alerts

The Meraki system can automatically send human-readable email alerts when network configuration changes are made, enabling the entire IT organization to stay abreast of new policies. Change alerts are particularly important with large or distributed IT organizations.

Periodically audit configuration and logins

Meraki logs the time, IP, and approximate location (city, state) of logged in administrators. Additionally, Meraki provides a searchable configuration change log, which indicates what configuration changes were made, who they were made by, and which part of the organization the change occurred in. Auditing configuration and login information provides greater visibility into your network.

Verify SSL certificates

Meraki accounts can only be accessed via https, ensuring that all communication between an administrator's browser and Meraki’s cloud services is encrypted. As with any secure web service, do not log in if your browser displays certificate warnings, as it may indicate a man-in-the-middle attack.

Idle Timeout

Dashboard sessions expire after a period of inactivity. Thirty seconds before the session ends, the user is shown a notice that allows them to extend it; once the time expires, the user must log in again.


PCI Compliance

Meraki provides a comprehensive solution to ensure a PCI compliant wireless environment held to the strict standards of a Level 1 PCI audit (the most rigorous audit level). Meraki’s rich security feature set addresses all of the PCI Data Security Standards, helping customers to build and maintain a secure network, protect cardholder data, maintain a vulnerability management program, implement strong access control measures, and monitor network security.

Unlike traditional wireless LANs, Meraki’s intelligent security infrastructure eliminates the management complexities, manual testing, and ongoing maintenance challenges that lead to vulnerabilities. Meraki’s intuitive and cost effective security features are ideal for network administrators, while powerful and fine-grained administration tools, account protections, audits, and change management appeal to CISOs.

Centrally managed from the cloud, Meraki makes it easy and cost effective to deploy, monitor, and verify PCI compliant WiFi across distributed networks of any size.



PCI-DSS requirements applicable to wireless LANs and their related Meraki features:

Meraki Infrastructure – Isolated from the Cardholder Data Environment

Meraki’s cloud hosted WLAN controller is out of band, meaning that wireless traffic (including cardholder data) does not flow through Meraki’s cloud-hosted controller or any other Meraki infrastructure not behind your firewall. Learn more about Meraki’s out of band architecture. Meraki’s datacenters are SAS70 type II certified, feature robust physical and cyber security protection, and are regularly audited by third parties. Learn more about Meraki’s datacenters.

Requirement 1.2.3 – Segregate Wireless Networks and the Cardholder Data Environment

Meraki’s wireless APs include an integrated stateful firewall which ensures that guest WiFi users and other non-privileged clients cannot access cardholder data, in conformance with Requirement 1.2.3. The firewall’s LAN isolation feature enables one-click secure guest WiFi, wherein guests can only access the Internet. Blocked from LAN access, guests cannot spread viruses or reach internal resources. Meraki’s firewall provides fine-grained control, from layer 3 through 7. Configure VLAN tags, ACLs, identity-based policies, and block unwanted applications - even peer-to-peer apps without well-known hosts and ports.

Requirement 2.1.1 – Change Vendor Defaults and Enable Strong Encryption

Meraki does not ship with default vendor keys that need to be changed. Meraki hardware is configured through an SSL-encrypted connection, accessible only by authenticated users. To comply with Requirement 2.1.1, simply enable strong security standards, such as WPA2 (802.11i). See Requirement 4.1.1 for more information on wireless encryption.

Requirement 4.1.1 – Encrypt Authentication and Transmission with Industry Best Practices

Compliant networks require strong encryption using industry best-practices, e.g. WPA2, for wireless networks used for cardholder data. Meraki supports WPA2 (802.11i), offering both WPA2-PSK and WPA2-Enterprise with AES encryption. To maintain compliance with Requirements 4.1.1 and 2.1.1, enable WPA2 on any SSID that cardholder data is transferred over. Since Meraki’s firewall will isolate traffic between SSIDs, WPA2 need not be enabled on SSIDs that are not used for cardholder data (e.g. a guest WiFi SSID.)

Requirement 6.1 – Use the Latest Security Patches

Meraki firmware updates are delivered seamlessly from the cloud to APs. When a firmware update is available, an administrator simply schedules an appropriate time for the APs to download and install the new version, eliminating insecure, out-of-date firmware in the Cardholder Data Environment. This delivery model facilitates compliance with Requirement 6.1 without deciphering compatibility matrices, performing time-consuming manual updates, or making site visits to branch locations.

Requirement 7.2 – Restrict Access Based on a User’s Need to Know

Meraki provides role-based administration to enforce the principle of least privilege in compliance with Requirement 7.2. Role-based administration lets you appoint administrators for specific subsets of your organization and specify whether they have read-only access to reports and troubleshooting tools, can administer managed guest access via Meraki’s Lobby Ambassador, or can make configuration changes to the network.

Requirement 8 – Implement User-Based Access Controls

Meraki includes a comprehensive suite of features to enable unique ID and authentication methods for network administration, in compliance with Requirement 8. Configure organization-wide security policies for your Meraki administrator accounts to better protect access to the Meraki dashboard and network infrastructure. These policies include account protections such as two-factor authentication, password hardening policies, and the use of encrypted transmission (SSL/TLS) for access to the Meraki dashboard.

Requirement 10 – Track and Monitor All Access to Network Resources

Meraki logs the time, IP, and approximate location (city, state) of logged in administrators. Additionally, Meraki provides a searchable configuration change log, which indicates what configuration changes were made, who they were made by, and which part of the organization the change occurred in. Auditing this configuration and access information satisfies Requirement 10 and provides greater visibility into your network.
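Both the "Periodically audit configuration and logins" section above and Requirement 10 describe the same two records: login events with time, IP and approximate location, and a change log with who changed what and where. As an added example (not Meraki's tooling; the log formats, the example.com administrators, the six-hour travel window and the seeded known-location table are all constructed), this Python script flags logins from a city the administrator has never used, or from a different city shortly after the previous login, and then lists the configuration changes that administrator made afterwards, which is where a review should start.

```python
import re
from datetime import datetime, timedelta

# Constructed log excerpts in the shape the page describes (time, IP, approximate
# location for logins; who, where and what for configuration changes). Not real data.
LOGIN_LOG = """\
2013-04-02 09:12:41 alice@example.com 203.0.113.7 San Francisco, CA
2013-04-02 09:40:03 bob@example.com 198.51.100.23 Chicago, IL
2013-04-02 13:05:19 alice@example.com 192.0.2.88 Kiev, Ukraine
2013-04-03 08:55:00 bob@example.com 198.51.100.23 Chicago, IL
"""

CHANGE_LOG = """\
2013-04-02 13:11:02 alice@example.com Branch-12 "Firewall: allow any -> 10.0.5.0/24 tcp/3389"
2013-04-02 13:14:40 alice@example.com Branch-12 "SSID Guest: LAN isolation disabled"
2013-04-03 09:02:11 bob@example.com HQ "SSID Corp: rotated WPA2-PSK"
"""

# Locations each administrator normally logs in from (seeded from earlier history; assumption)
KNOWN_LOCATIONS = {
    "alice@example.com": {"San Francisco, CA"},
    "bob@example.com": {"Chicago, IL"},
}

TRAVEL_WINDOW = timedelta(hours=6)   # assumption: a different city within six hours is suspicious

LOGIN_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) (\S+) (.+)$")
CHANGE_RE = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) (\S+) "(.*)"$')


def parse_log(text, pattern):
    """Rows as (timestamp, field, field, ...), oldest first. An unparsable line is an
    error rather than silently dropped, so a format change cannot hide events."""
    rows = []
    for line in text.strip().splitlines():
        m = pattern.match(line)
        if not m:
            raise ValueError("unparsed log line: " + line)
        rows.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),) + m.groups()[1:])
    return sorted(rows)


def suspicious_logins(login_text, known_locations):
    """Flag logins from an unfamiliar location, or from a new city too soon after the last one."""
    last_seen = {}
    findings = []
    for ts, admin, ip, location in parse_log(login_text, LOGIN_RE):
        reasons = []
        if location not in known_locations.get(admin, set()):
            reasons.append("location never seen for this admin")
        prev = last_seen.get(admin)
        if prev and prev[1] != location and ts - prev[0] < TRAVEL_WINDOW:
            reasons.append(f"city changed from {prev[1]} only {ts - prev[0]} after the previous login")
        if reasons:
            findings.append({"time": ts, "admin": admin, "ip": ip, "location": location, "reasons": reasons})
        last_seen[admin] = (ts, location)
    return findings


def changes_after_suspicious_logins(login_text, change_text, known_locations):
    """Attach to each suspicious login the configuration changes that admin made afterwards."""
    findings = suspicious_logins(login_text, known_locations)
    changes = parse_log(change_text, CHANGE_RE)
    for f in findings:
        f["changes"] = [(ts, network, what) for ts, admin, network, what in changes
                        if admin == f["admin"] and ts >= f["time"]]
    return findings


if __name__ == "__main__":
    for f in changes_after_suspicious_logins(LOGIN_LOG, CHANGE_LOG, KNOWN_LOCATIONS):
        print(f["time"], f["admin"], f["ip"], f["location"], "; ".join(f["reasons"]))
        for ts, network, what in f["changes"]:
            print("   ", ts, network, what)
```

On the constructed data the second login by alice@example.com is flagged on both counts, and the two changes that follow it (a firewall rule opening RDP into an internal subnet and guest LAN isolation being switched off) are exactly the ones the change-alert emails described above would have announced; the script turns that stream into a short list ordered by who to call first.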

Requirement 11.2/11.3 – Perform Regular Audits and Penetration Testing

Meraki datacenters undergo thorough quarterly scans and daily penetration testing by McAfee SECURE, an Approved Scanning Vendor (ASV). Meraki is verified to be free of vulnerabilities such as injection flaws, cross-site scripting, misconfiguration, and insecure session management. Meraki datacenters are SAS70 type II certified and hardened against physical and network intrusion. These procedures exceed the scanning and penetration testing requirements of Requirements 11.2 and 11.3, respectively.

Requirement 11.1/11.4 – Detect Unauthorized Access

Meraki’s out-of-the-box rogue AP detection protects the network from unauthorized wireless access points that may compromise network security. Rogue APs are unauthorized wireless APs that connect to your wired LAN, or that connect to a separate network but masquerade as part of your WLAN, using your same SSID. Meraki automatically detects rogue APs, identifying their IP address, VLAN, manufacturer, and model. Rogue detection includes network-wide visualization, email alerts, and reporting, meeting Requirements 11.1 and 11.4.
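The two kinds of rogue described above (an unauthorized AP plugged into the wired LAN, and an AP on another network that advertises your SSID) can be told apart from data the network already has: the radios' scan results, the list of your own BSSIDs and SSIDs, and the switches' MAC-address tables. The following is an added example in Python, not Meraki's detection logic. Its OUI table, the scan report, the switch table and the AP addresses are constructed, and the wired-correlation rule (an AP's radio BSSIDs share their first five octets with its wired MAC) is a heuristic assumption that real detectors supplement with other signals.

```python
# Constructed inputs: a tiny OUI table (a real deployment would use the IEEE registry),
# our own APs' radio MACs and SSIDs, the switch MAC tables, and one scan report.
OUI_TABLE = {"00:18:0a": "Meraki", "f0:9f:c2": "Ubiquiti", "e8:de:27": "TP-Link"}   # assumed

OUR_BSSIDS = {"00:18:0a:11:22:30", "00:18:0a:11:22:31"}
OUR_SSIDS = {"Corp", "Guest"}

# switch MAC table: mac -> (switch, port, vlan)
WIRED_MAC_TABLE = {
    "00:18:0a:11:22:2f": ("sw-hq-1", "Gi1/0/1", 10),   # our own AP's wired interface
    "f0:9f:c2:aa:bb:c0": ("sw-hq-1", "Gi1/0/7", 10),   # unknown device on the corporate VLAN
    "e8:de:27:10:20:30": ("sw-br-2", "Gi1/0/3", 20),   # unknown device at a branch
}

SCAN = [  # (bssid, ssid, channel) as reported by our APs' radios
    ("00:18:0a:11:22:30", "Corp", 36),
    ("f0:9f:c2:aa:bb:c1", "Corp", 6),
    ("e8:de:27:10:20:31", "HomeNet", 1),
    ("a4:5e:60:01:02:03", "CoffeeShop", 11),
]


def manufacturer(mac):
    """Vendor from the first three octets (the OUI)."""
    return OUI_TABLE.get(mac[:8], "unknown")


def wired_match(bssid, mac_table):
    """Heuristic (assumption): an AP's radio BSSIDs usually share the first five octets
    with its wired MAC, so a wired entry with that prefix suggests the AP is on our LAN."""
    prefix = bssid[:14]
    for mac, where in mac_table.items():
        if mac[:14] == prefix:
            return mac, where
    return None


def classify_scan(scan, our_bssids, our_ssids, mac_table):
    """Label each observed BSSID as authorized, rogue (with reasons and wired location) or neighbor."""
    report = []
    for bssid, ssid, channel in scan:
        entry = {"bssid": bssid, "ssid": ssid, "channel": channel,
                 "manufacturer": manufacturer(bssid), "reasons": [], "wired": None}
        if bssid in our_bssids:
            entry["verdict"] = "authorized"
        else:
            if ssid in our_ssids:
                entry["reasons"].append(f"advertises our SSID '{ssid}' from an unknown BSSID")
            hit = wired_match(bssid, mac_table)
            if hit:
                mac, (switch, port, vlan) = hit
                entry["wired"] = {"mac": mac, "switch": switch, "port": port, "vlan": vlan}
                entry["reasons"].append(f"wired MAC {mac} seen on {switch} {port} VLAN {vlan}")
            entry["verdict"] = "rogue" if entry["reasons"] else "neighbor"
        report.append(entry)
    return report


if __name__ == "__main__":
    for e in classify_scan(SCAN, OUR_BSSIDS, OUR_SSIDS, WIRED_MAC_TABLE):
        print(e["verdict"], e["bssid"], e["ssid"], e["manufacturer"], "; ".join(e["reasons"]))
```

The output separates the cases that need different responses: the Ubiquiti device is both spoofing the Corp SSID and plugged into the corporate VLAN (disable the switch port, then go find it), the TP-Link at the branch is on the LAN but not impersonating anything (still a policy violation inside the cardholder environment), and the coffee-shop AP is a neighbor that only merits monitoring.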

For more information about Meraki’s security capabilities, PCI compliance, and configuration best practices, please contact a Meraki specialist.

Meraki Service Level Agreement

Meraki SLA. During the term of your Meraki Cloud Controller license (the “Agreement”), the Meraki Cloud Controller web interface will be operational and available to Customer at least 99.9% of the time in any calendar month (the "Meraki SLA"). If Meraki does not meet the Meraki SLA, and if Customer meets its obligations under this Meraki SLA, Customer will be eligible to receive the Service Credits described below. This Meraki SLA states Customer's sole and exclusive remedy for any failure by Meraki to meet the Meraki SLA.

Definitions. The following definitions shall apply to the Meraki SLA.

"Downtime" means if there is more than a five percent user error rate. Downtime is measured based on server side error rate.
"Meraki Covered Services" means the Meraki Cloud Controller service, for any Meraki product.
"Monthly Uptime Percentage" means total number of minutes in a calendar month minus the number of minutes of Downtime suffered in a calendar month, divided by the total number of minutes in a calendar month.
"Service Credit" means the following that Meraki will add a certain number of days of Service to the end of the Service term, at no charge to Customer.
Uptime Days Credited
< 99.99% - ≥ 99.9% 3
< 99.9% - ≥ 99.0% 7
< 99.0% 15

Customer Must Request Service Credit. In order to receive any of the Service Credits described above, Customer must notify Meraki within thirty days from the time Customer becomes eligible to receive a Service Credit. Failure to comply with this requirement will forfeit Customer’s right to receive a Service Credit.

Maximum Service Credit. The aggregate maximum number of Service Credits to be issued by Meraki to Customer for all Downtime that occurs in a single calendar month shall not exceed fifteen days of Service added to the end of Customer’s term for the Service (or the value of 15 days of service in the form of a monetary credit to a monthly-billing customer’s account). Service Credits may not be exchanged for, or converted to, monetary amounts.

Meraki SLA Exclusions. The Meraki SLA does not apply to any services that expressly exclude this Meraki SLA (as stated in the documentation for such services) or any performance issues: (i) caused by “Force Majeure” or (ii) that resulted from Customer’s equipment or third party equipment, or both (not within the primary control of Meraki).
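The SLA definitions above amount to a small computation: each minute whose server-side error rate exceeds five percent is Downtime, the Monthly Uptime Percentage is the fraction of minutes that were not Downtime, and the result selects a credit tier, capped at fifteen days. As an added example (not part of the SLA, and not Meraki's measurement code), the following Python carries that computation through on constructed per-minute request and error counters for a 30-day month. The per-minute sampling, the 30-day month, and the choice to treat a minute with no requests as unmeasurable rather than as Downtime are assumptions.

```python
DAYS_IN_MONTH = 30                        # constructed example month
MINUTES_IN_MONTH = DAYS_IN_MONTH * 24 * 60
ERROR_RATE_THRESHOLD = 0.05               # "more than a five percent user error rate"
# (lower bound of the tier, days credited), checked from best to worst
CREDIT_TIERS = [(99.99, 0), (99.9, 3), (99.0, 7), (0.0, 15)]
MAX_CREDIT_DAYS = 15                      # aggregate cap per calendar month


def is_downtime_minute(requests, errors):
    """A minute is Downtime when the server-side error rate exceeds 5%. Exactly 5% is not
    Downtime, and a minute with no requests cannot be measured, so it is not counted (assumption)."""
    return requests > 0 and errors / requests > ERROR_RATE_THRESHOLD


def downtime_minutes(samples):
    return sum(1 for requests, errors in samples if is_downtime_minute(requests, errors))


def monthly_uptime_percentage(total_minutes, downtime):
    """(minutes in month - Downtime minutes) / minutes in month, as a percentage."""
    return (total_minutes - downtime) / total_minutes * 100.0


def credit_days(uptime_pct):
    for lower_bound, days in CREDIT_TIERS:
        if uptime_pct >= lower_bound:
            return min(days, MAX_CREDIT_DAYS)
    return MAX_CREDIT_DAYS


def build_month_samples(incident_minutes, total_minutes=MINUTES_IN_MONTH):
    """Constructed per-minute (requests, errors) counters: healthy minutes carry a 0.2%
    error rate, the incident minutes a 30% error rate."""
    samples = [(1000, 2)] * total_minutes
    for i in range(incident_minutes):
        samples[i] = (400, 120)
    return samples


def evaluate_month(samples):
    down = downtime_minutes(samples)
    uptime = monthly_uptime_percentage(len(samples), down)
    return {"downtime_minutes": down, "uptime_pct": uptime, "credit_days": credit_days(uptime)}


if __name__ == "__main__":
    for incident in (0, 5, 50, 500):
        r = evaluate_month(build_month_samples(incident))
        print(f"{incident:4d} bad minutes -> {r['uptime_pct']:.4f}% uptime, {r['credit_days']} days credited")
```

In a 30-day month the 99.99% tier allows only about 4.3 minutes of Downtime and the 99.9% tier about 43 minutes, which is why a five-minute incident already moves the month into the 3-day tier. The sample window also matters: error rate averaged over an hour can hide a five-minute outage that per-minute counters expose.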
