twilio cloud communications SECURITY ARCHITECTURE

Size: px
Start display at page:

Download "twilio cloud communications SECURITY ARCHITECTURE"

Transcription

1 twilio cloud communications SECURITY ARCHITECTURE July 2014 twilio.com

2 Security is a lingering concern for many businesses that want to take advantage of the flexibility and ease of cloud services. Businesses have found that previously employed security measures for on-premise equipment and traffic have to be adjusted as communications applications move out to the cloud. Equally, businesses need to be able to trust that their cloud services are secure by getting a clear view into their provider s security practices and operations. Twilio strives to build customer trust by keeping customer data both private and secure. The core of the Twilio security program are internal security mechanisms, processes and configurable features that protect the Twilio cloud platform and connected customer applications. In the spirit of transparency, this document details all of these platform security mechanisms and processes. Additionally, this document covers best practices we have gleaned from customer implementations to achieve regulatory compliance. It is important to note that new security capabilities are frequently added as we encounter changes in the security landscape and new Twilio use-cases emerge. 1. Security in layers to protect physical, network and application components of the Twilio platform, where: Physical security mechanisms that apply across distributed compute and storage; Network security mechanisms that apply across global carrier interconnects; and Application security mechanisms that apply to customers apps, which connect via the Twilio API. 2. Customer-accessible details on the internally implemented security policies, internal audits, systems and operations. 3. Best practices that help businesses address various regulatory compliance requirements.

3 SECURE YOUR TWILIO-POWERED APPLICATIONS Application security mechanisms and features for customer apps include: multi-tenant communications platform. Multi-tenancy is an integral component of Twilio s architecture, and it also applies to the AWS infrastructure, the Twilio platform and customer applications. For example, Twilio maintains per-tenant isolation for resources, such as queues, databases, bandwidth and the API, which makes customers applications highly secure, because each customer s workflows occur in isolation from every other customer s workflows. ssl. Twilio uses SSL 3.0 to encrypt bidirectional web session traffic between the customer application and Twilio. Twilio updates and renews the encryption methods when they expire. http digest authentication. Twilio supports HTTP Basic and Digest Authentication, which allows customers to password protect their TwiML URLs (which contain usernames and passwords) on their web server so that only they and Twilio can access these URLs. signature validation. Twilio cryptographically signs its HTTP requests with X- Twilio-Signature HTTP headers for outbound requests to customers applications. This signature can be used to validate the authenticity of requests originating from Twilio to their application and protects against spoofing attacks. The request to the customer s web application, which includes any POST fields

4 and the final URL, is signed with the AuthToken as a key and HMAC-SHA1 to ensure the integrity of the capability tokens. role-based access. Twilio has documented policies, procedures and controls to appropriately limit access to customers data to mitigate the risk of insider threats. Access is granted on a least-privilege basis and all requests require management approval prior to access. Twilio access controls are also based on job roles and on a need-to-know basis. Only select Twilio employees, such as staff from Customer Support, Development and Security, have access to customer data. customer data backups. Twilio performs regular backups of Twilio account information, call records, call recordings and other critical data using Amazon S3 cloud storage. All backups are encrypted in transit and at rest using strong industry encryption techniques. Hot data backups ensure that no data is lost in the handoff process and the archival backup process ensures full recovery in the unlikely event that data centers are lost. Backup files are stored redundantly across multiple availability zones and are encrypted by Amazon using AES-256 encryption. Amazon S3 encrypts each object with a unique key, and as an additional safeguard, it encrypts the key itself with a master key that it rotates regularly. Amazon S3 Server Side Encryption uses one of the strongest block ciphers available 256-bit Advanced Encryption Standard (AES-256) to encrypt customer data. A new master key is issued at least monthly. Encrypted data, encryption keys and master keys are stored and secured on separate hosts for multiple layers of protection. secure apps on twilio. Designing an application that works with the Twilio API is no different from designing any other application. Twilio recommends following all standard practices for developing secure web apps, including: Users should access their applications via the Twilio Account Portal using twofactor authentication. More information on enabling two-factor authentication is available here. Apply all relevant security patches to keep software up to date. Twilio highly recommends the use of helper libraries to do signature validation. All official Twilio Helper Libraries ship with a Utilities class, which facilitates request validation. More information can be found here. All AuthToken should be kept secure.

5 Secure Authentication and input validation must be enabled. Twilio offers many resources to assist in the building of efficient and secure apps, including QuickStart Guides, HowTo s and Helper Libraries. Read the blog post: Best Practices For Securing Your Twilio App for more information. NETWORK SECURITY ACROSS GLOBAL CARRIER INTERCONNECTS Twilio implements best practices for protecting the network perimeter between the Twilio Cloud and more than 1,800 carrier connections across the globe. These measures include: network firewalls. Twilio adheres to industry standard practices for securing and maintaining call routers, media gateways and other voice infrastructure, including the use of secure authentication and IP authentication for all VoIP communications. Additional protection is afforded by a Layer 3/4 firewall between all ingress and egress VoIP ports and Twilio telecommunications providers. VoIP traffic is isolated from other types of traffic, including web and HTTP API traffic. denial-of-service (dos) prevention. Twilio implements best practices for preventing DoS attacks, including maintaining redundant DNS servers and following DoS prevention and mitigation practices. As an example, Twilio DoS security controls protect against a runaway account or malicious user who swamps the Twilio API with traffic. As a result, no one customer's bad application code can take down the Twilio API. DoS protection is also part of the Twilio sbc-public deployment. The main action is to block a rogue IP using iptables. By default, an IP address will be blocked for 10 minutes before it is unblocked automatically and s will be sent out. distributed denial-of-service (ddos) prevention. Twilio data centers are hosted at AWS, and AWS uses a variety of proprietary DDoS mitigation techniques to mitigate the risk of attacks. In addition, AWS s networks are multi-homed across a number of providers to achieve Internet access diversity and to ensure network availability. posture assessment. Twilio has a formal antivirus and antimalware policy to guide efforts around mitigating malware and security attacks, which can affect workstations, servers and mobile devices. Antivirus and host-based intrusion

6 detection systems are used to protect all production servers. The resulting reports are regularly monitored and alerts are addressed promptly. PHYSICAL SECURITY ACROSS DISTRIBUTED COMPUTE AND STORAGE Twilio's cloud communications platform is hosted at Amazon Web Services (AWS) data centers, which are highly scalable, secure and reliable. AWS complies with leading security policies and frameworks, including SSAE 16, SOC framework, ISO and PCI DSS Level 1. SSAE 16, or more formally, Statement on Standards for Attestation Engagements No. 16, Reporting on Controls at a Service Organization, replaces SAS 70. It is key guidance for reporting on internal controls for service organizations. SSAE 16 is used for reporting on the Service Organization Control (SOC) framework, which consists of SOC 1, SOC 2 and SOC 3. SOC 1 is focused toward an organization s internal controls over financial reporting, while SOC 2 and SOC 3 cover reporting for the security, availability, processing integrity, confidentiality and privacy for service organizations, including cloud and data center providers. AWS is certified to ISO 27001, which describes a systematic approach to managing sensitive information so that it remains secure. ISO covers a risk management process that encompasses people, processes and IT systems. AWS is also Level 1 compliant under the Payment Card Industry (PCI) Data Security Standard (DSS), enabling customers to run applications on AWS s PCI-compliant infrastructure for storing, processing and transmitting credit card information in the cloud. In addition, AWS physical security measures include: 24x7 surveillance. At each AWS hosting site, the Twilio servers are secured 24x7 by trained security guards, and access is authorized strictly on a least privileged basis. The data centers use state-of-the art electronic surveillance to monitor any suspicious activity. security logs. AWS CloudTrail provides logs of all user activity to the Twilio servers. Twilio employees can monitor and track what actions were performed on each of the Twilio resources and by whom.

7 multi-factor authentication. AWS provides built-in support for multi-factor authentication (MFA) to access Twilio servers. This requires the user to input his or her credentials, a password and a two-factor PIN to protect against unauthorized use of the account. multiple redundancy zones. AWS spans multiple geographic regions and Availability Zones, which allow Twilio servers to remain resilient in the event of most failure modes, including natural disasters or system failures. Environmental systems are designed to minimize the impact of disruptions to customer operations. In addition, each AWS data center has independent power grids, as well as redundant power, HVAC and fire suppression systems. The AWS data centers use state-of-the-art practices for fault tolerance at each level of the system infrastructure, including Internet connectivity, power and cooling. Further details on Amazon Web Services security practices are available here: aws.amazon.com/security/. TRANSPARENT SECURITY OPERATIONS At Twilio, we believe that security practices should be completely transparent to customers, and these measures are outlined below. Twilio has well-defined policies for audit, incident response and privacy. In addition, various internal tests and documented policies can be shared with customers to provide with more visibility into Twilio s security practices. audit policy. Twilio performs third-party penetration tests every six months and regularly scans our systems for security vulnerabilities. All access to production clusters is logged and audited regularly. The production cluster is accessible only to Twilio operational staff and engineers, whose primary responsibility is the construction and maintenance of the Twilio API and services. incident response policy. Twilio maintains an incident reporting policy that defines conditions under which security incidents will be responded to and reported, including levels of severity and risk for various types of vulnerabilities. The Twilio Security Incident Response Team monitors alerts from upstream vendors and is staffed 24x7. The team assesses the threat of all relevant

8 vulnerabilities and establishes remediation actions and timelines for all events. For Severity-1 incidents, Twilio s internal response service-level agreements are less than 5 minutes and customers are sent notifications within 15 minutes. An external-facing, real-time incidence reporting portal is available at status.twilio.com/. privacy policy. Twilio has a formal process for reporting and responding to privacy complaints or privacy incidents. All Twilio employees receive information on these policies during new-hire training and via company-wide distribution after any update is made. The privacy policy is published on the Twilio privacy page as well. Twilio has implemented role-based access such that only support escalation engineers can access customer data and only upon manager approval. COMPLIANCE Twilio complies with key government and industry regulations and policies, including US-EU Safe Harbor and PCI DSS as a merchant. Twilio also supports a variety of use cases employed by companies engaged in HIPAA-covered activities. Safe Harbor Compliance Twilio abides by the US-EU Safe Harbor Framework and the US-Swiss Safe Harbor Framework, as provided by the US Department of Commerce regarding the collection, use and retention of personal information received from European Union member countries and Switzerland. Twilio has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access and enforcement. By complying with Safe Harbor privacy principles, Twilio assures businesses operating in Europe that it takes concrete measures to protect customer data and privacy within the frameworks of local privacy laws, including the EU. Safe Harbor stipulations require that: companies collecting personal data must inform people that the data is being gathered, and tell them what will be done with it; they must obtain permission to pass on the information to a third party; they must allow people access to the data gathered; data integrity and security must be assured; and a means of enforcing compliance must be guaranteed.

9 Without Safe Harbor compliance, all vendors must obtain separate authorization from each EU country when handling consumer data. This process is cumbersome and can lead to significant delays in deploying Twilio solutions in these countries. PCI DSS Compliance Twilio is a PCI DSS 3.0-compliant merchant and can securely accept credit card payments for its services. However, apps built with Twilio are not covered under Twilio's compliant status. Twilio recommends that customers familiarize themselves with the PCI DSS requirements and security assessment procedures. Use of a PCI-DSS-compliant application by itself does not make an entity PCI-DSS-compliant, because the application must be implemented in conformity with the overall Payment Application Data Security Standard (PA-DSS) Implementation Guide. Many businesses have architected their applications in a PCI-compliant manner, while still using Twilio for part(s) of their workflow. The key is to avoid processing, storing and transmitting cardholder data on Twilio. Some techniques that customers have used are as follows: Verifying a customer s account using only the last few digits of the PAN via voice, SMS (short messaging service) or DTMF (dual tone multi-frequency) dialing. Ensuring that the customer application never transmits entire cardholder data over unencrypted channels, including voice, SMS or DTMF. If this is necessary, an online solution or landline implementation should be developed. The PCI rules for VoIP are the same as mentioned above for DTMF. When collecting DTMF via VoIP, the signaling and media transmission must both occur over secured networks (TLS/IPSec and SRTP). Not retaining sensitive authentication data after authorization. For telephone operations, sensitive authentication data means the CAV2/CVC2/CVV2/CID and/or PIN values that may be taken during a telephone call. To read more about Twilio and PCI compliance, check out this FAQ.

10 HIPAA Compliance By law, the HIPAA Privacy Rule applies only to covered entities health plans, healthcare clearinghouses, and certain health care providers. Twilio is not a covered entity, and does not consider itself a business associate. A business associate is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. At Twilio, many businesses have architected their applications in a manner to be compliant with the HIPAA Privacy and Security Rules, while still using Twilio for part(s) of their workflow. One way to be compliant is to not process, store or transmit individual protected health information (PHI) data on Twilio. Some techniques that customers have used are as follows: Request Inspector should be Disabled. This will disable logging, which may make it difficult to develop applications on Twilio. A workaround is to have a separate development account to debug new code and turn the Request Inspector on for debugging, but at the same time not log any PHI to Twilio. HTTP Auth on Media URLs should be Enabled. This means customers will have to authenticate themselves to get to their recordings. This will send a username and password with every HTTP request to be able to access recordings. However, this may also require updating the source code. Two-factor authentication can be turned on, which will send a text message or make a phone call with a code to enter every time a customer has to log into the account portal, or once every 30 days. Ensure that the customer application never transmits PHI over unencrypted channels, including voice, SMS or DTMF. If this is necessary, an online solution or landline implementation should be developed. The HIPAA rules for VOIP are the same as mentioned above for DTMF. When collecting DTMF via VOIP, the signaling and media transmission must both occur over secured networks (TLS/IPSec and SRTP). For more information, please visit the Twilio website: https://www.twilio.com/user/account/settings

11 Twilio recommends that customers familiarize themselves with the HIPAA requirements and security assessment procedures. Please note that the list above is not meant to be comprehensive or replace the official HIPAA standards and guidelines. Customers will need to ensure that their applications meet those guidelines. As always, Twilio recommends that customers seek guidance from their legal counsel if they have any compliance questions concerning their applications. To read more about Twilio and HIPAA compliance, check out this FAQ. SUMMARY Twilio cloud communications enable businesses to deliver superior customer experiences by easily incorporating voice, messaging and other communications into their customer-facing applications. Security mechanisms to protect physical, network and application components of the platform, coupled with transparency about security practices and compliance best practices, give customers the confidence they need to move communications to the cloud. For further details and steps to secure your Twilio-powered application, check out the Docs section on Twilio s website. Copyright 2014 Twilio. All rights reserved. Patends Pending. Twilio, TwiML, and OpenVBX are tradmarks of Twilio, Inc.

PCI Requirements Coverage Summary Table

PCI Requirements Coverage Summary Table StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table January 2013 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2

More information

Anypoint Platform Cloud Security and Compliance. Whitepaper

Anypoint Platform Cloud Security and Compliance. Whitepaper Anypoint Platform Cloud Security and Compliance Whitepaper 1 Overview Security is a top concern when evaluating cloud services, whether it be physical, network, infrastructure, platform or data security.

More information

HIPAA Privacy & Security White Paper

HIPAA Privacy & Security White Paper HIPAA Privacy & Security White Paper Sabrina Patel, JD +1.718.683.6577 sabrina@captureproof.com Compliance TABLE OF CONTENTS Overview 2 Security Frameworks & Standards 3 Key Security & Privacy Elements

More information

PROTECTING YOUR VOICE SYSTEM IN THE CLOUD

PROTECTING YOUR VOICE SYSTEM IN THE CLOUD PROTECTING YOUR VOICE SYSTEM IN THE CLOUD Every enterprise deserves to know what its vendors are doing to protect the data and systems entrusted to them. Leading IVR vendors in the cloud, like Angel, consider

More information

PCI Requirements Coverage Summary Table

PCI Requirements Coverage Summary Table StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table December 2011 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2

More information

KeyLock Solutions Security and Privacy Protection Practices

KeyLock Solutions Security and Privacy Protection Practices KeyLock Solutions Overview KeyLock Solutions hosts its infrastructure at Heroku. Heroku is a cloud application platform used by organizations of all sizes to deploy and operate applications throughout

More information

White Paper How Noah Mobile uses Microsoft Azure Core Services

White Paper How Noah Mobile uses Microsoft Azure Core Services NoahMobile Documentation White Paper How Noah Mobile uses Microsoft Azure Core Services The Noah Mobile Cloud service is built for the Microsoft Azure platform. The solutions that are part of the Noah

More information

Cloud Contact Center. Security White Paper

Cloud Contact Center. Security White Paper Cloud Contact Center Security White Paper Introduction Customers communicate with organizations in a variety of forms from phone conversations to email, web chat and social media. As each interaction may

More information

Cloud Contact Center. Security White Paper

Cloud Contact Center. Security White Paper Cloud Contact Center Security White Paper Introduction Customers communicate with organizations in a variety of forms from phone conversations to email, web chat and social media. As each interaction may

More information

Famly ApS: Overview of Security Processes

Famly ApS: Overview of Security Processes Famly ApS: Overview of Security Processes October 2015 Please consult http://famly.co for the latest version of this paper Page 1 of 10 Table of Contents 1. INTRODUCTION TO SECURITY AT FAMLY... 3 2. PHYSICAL

More information

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP solution brief PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP AWS AND PCI DSS COMPLIANCE To ensure an end-to-end secure computing environment, Amazon Web Services (AWS) employs a shared security responsibility

More information

FormFire Application and IT Security. White Paper

FormFire Application and IT Security. White Paper FormFire Application and IT Security White Paper Contents Overview... 3 FormFire Corporate Security Policy... 3 Organizational Security... 3 Infrastructure and Security Team... 4 Application Development

More information

Security Considerations

Security Considerations Concord Fax Security Considerations For over 15 years, Concord s enterprise fax solutions have helped many banks, healthcare professionals, pharmaceutical companies, and legal professionals securely deliver

More information

BAE Systems PCI Essentail. PCI Requirements Coverage Summary Table

BAE Systems PCI Essentail. PCI Requirements Coverage Summary Table BAE Systems PCI Essentail PCI Requirements Coverage Summary Table Introduction BAE Systems PCI Essential solution can help your company significantly reduce the costs and complexity of meeting PCI compliance

More information

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster Security Standards Symantec shall maintain administrative, technical, and physical safeguards for the Symantec Network designed to (i) protect the security and integrity of the Symantec Network, and (ii)

More information

Simone Brunozzi, AWS Technology Evangelist, APAC. Fortress in the Cloud

Simone Brunozzi, AWS Technology Evangelist, APAC. Fortress in the Cloud Simone Brunozzi, AWS Technology Evangelist, APAC Fortress in the Cloud AWS Cloud Security Model Overview Certifications & Accreditations Sarbanes-Oxley (SOX) compliance ISO 27001 Certification PCI DSS

More information

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V2.0, JULY 2015 Multiple Layers of Protection Overview Password Salted-Hash Thank you

More information

The Education Fellowship Finance Centralisation IT Security Strategy

The Education Fellowship Finance Centralisation IT Security Strategy The Education Fellowship Finance Centralisation IT Security Strategy Introduction This strategy outlines the security systems in place to optimise, manage and protect The Education Fellowship data and

More information

PCI Compliance for Cloud Applications

PCI Compliance for Cloud Applications What Is It? The Payment Card Industry Data Security Standard (PCIDSS), in particular v3.0, aims to reduce credit card fraud by minimizing the risks associated with the transmission, processing, and storage

More information

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225

More information

Table of Contents. FME Cloud Architecture Overview. Secure Operations. Application Security. Shared Responsibility.

Table of Contents. FME Cloud Architecture Overview. Secure Operations. Application Security. Shared Responsibility. FME Cloud Security Table of Contents FME Cloud Architecture Overview Secure Operations I. Backup II. Data Governance and Privacy III. Destruction of Data IV. Incident Reporting V. Development VI. Customer

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security

More information

Security Information & Policies

Security Information & Policies Security Information & Policies 01 Table of Contents OVERVIEW CHAPTER 1 : CHAPTER 2: CHAPTER 3: CHAPTER 4: CHAPTER 5: CHAPTER 6: CHAPTER 7: CHAPTER 8: CHAPTER 9: CHAPTER 10: CHAPTER 11: CHAPTER 12: CHAPTER

More information

Security Controls for the Autodesk 360 Managed Services

Security Controls for the Autodesk 360 Managed Services Autodesk Trust Center Security Controls for the Autodesk 360 Managed Services Autodesk strives to apply the operational best practices of leading cloud-computing providers around the world. Sound practices

More information

BMC s Security Strategy for ITSM in the SaaS Environment

BMC s Security Strategy for ITSM in the SaaS Environment BMC s Security Strategy for ITSM in the SaaS Environment TABLE OF CONTENTS Introduction... 3 Data Security... 4 Secure Backup... 6 Administrative Access... 6 Patching Processes... 6 Security Certifications...

More information

Secure, Scalable and Reliable Cloud Analytics from FusionOps

Secure, Scalable and Reliable Cloud Analytics from FusionOps White Paper Secure, Scalable and Reliable Cloud Analytics from FusionOps A FusionOps White Paper FusionOps 265 Santa Ana Court Sunnyvale, CA 94085 www.fusionops.com World-class security... 4 Physical Security...

More information

Achieving PCI Compliance with Red Hat Enterprise Linux. June 2009

Achieving PCI Compliance with Red Hat Enterprise Linux. June 2009 Achieving PCI Compliance with Red Hat Enterprise Linux June 2009 CONTENTS EXECUTIVE SUMMARY...2 OVERVIEW OF PCI...3 1.1. What is PCI DSS?... 3 1.2. Who is impacted by PCI?... 3 1.3. Requirements for achieving

More information

Autodesk PLM 360 Security Whitepaper

Autodesk PLM 360 Security Whitepaper Autodesk PLM 360 Autodesk PLM 360 Security Whitepaper May 1, 2015 trust.autodesk.com Contents Introduction... 1 Document Purpose... 1 Cloud Operations... 1 High Availability... 1 Physical Infrastructure

More information

Security Whitepaper. NetTec NSI Philosophy. Best Practices

Security Whitepaper. NetTec NSI Philosophy. Best Practices Security Whitepaper NetTec NSI provides a leading SaaS-based managed services platform that to efficiently backup, monitor, and troubleshoot desktops, servers and other endpoints for businesses. Our comprehensive

More information

OCTOBER 2015 TAULIA SUPPLIER ARCHITECTURE OVERVIEW TAULIA 201 MISSION STREET SAN FRANCISCO CA 94105

OCTOBER 2015 TAULIA SUPPLIER ARCHITECTURE OVERVIEW TAULIA 201 MISSION STREET SAN FRANCISCO CA 94105 OCTOBER 2015 TAULIA SUPPLIER ARCHITECTURE OVERVIEW TAULIA 201 MISSION STREET SAN FRANCISCO CA 94105 CONTENTS OVERVIEW 3 SOFTWARE DESIGN 3 CUSTOMER ARCHITECTURE.. 4 DATA CENTERS. 4 RELIABILITY. 5 OPERATIONS

More information

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security Technical Paper Plain talk about security When it comes to Cloud deployment, security is top of mind for all concerned. The Infor CloudSuite team uses best-practice protocols and a thorough, continuous

More information

Projectplace: A Secure Project Collaboration Solution

Projectplace: A Secure Project Collaboration Solution Solution brief Projectplace: A Secure Project Collaboration Solution The security of your information is as critical as your business is dynamic. That s why we built Projectplace on a foundation of the

More information

UNIFIED MEETING 5 SECURITY WHITEPAPER INFO@INTERCALL.COM INTERCALL.COM 800.820.5855 1

UNIFIED MEETING 5 SECURITY WHITEPAPER INFO@INTERCALL.COM INTERCALL.COM 800.820.5855 1 UNIFIED MEETING 5 SECURITY WHITEPAPER INFO@INTERCALL.COM INTERCALL.COM 800.820.5855 1 As organizations unlock the true potential of meeting over the web as an alternative to costly and timeconsuming travel,

More information

Media Shuttle s Defense-in- Depth Security Strategy

Media Shuttle s Defense-in- Depth Security Strategy Media Shuttle s Defense-in- Depth Security Strategy Introduction When you are in the midst of the creative flow and tedious editorial process of a big project, the security of your files as they pass among

More information

Introduction to AWS Security July 2015

Introduction to AWS Security July 2015 Introduction to AWS Security July 2015 Page 1 of 7 Table of Contents Introduction... 3 Security of the AWS Infrastructure... 3 Security Products and Features... 4 Network Security... 4 Inventory and Configuration

More information

AWS Security. Security is Job Zero! CJ Moses Deputy Chief Information Security Officer. AWS Gov Cloud Summit II

AWS Security. Security is Job Zero! CJ Moses Deputy Chief Information Security Officer. AWS Gov Cloud Summit II AWS Security CJ Moses Deputy Chief Information Security Officer Security is Job Zero! Overview Security Resources Certifications Physical Security Network security Geo-diversity and Fault Tolerance GovCloud

More information

The Anti-Corruption Compliance Platform

The Anti-Corruption Compliance Platform The Anti-Corruption Compliance Platform DATA COLLECTION RISK IDENTIFICATION SCREENING INTEGRITY DUE DILIGENCE CERTIFICATIONS GIFTS, TRAVEL AND ENTERTAINMENT TRACKING SECURITY AND DATA PROTECTION The ComplianceDesktop

More information

SMS. Cloud Computing. Systems Management Specialists. Grupo SMS www.grupo-sms.com 949.223.9240 option 3 for sales

SMS. Cloud Computing. Systems Management Specialists. Grupo SMS www.grupo-sms.com 949.223.9240 option 3 for sales SMS Systems Management Specialists Cloud Computing Grupo SMS www.grupo-sms.com 949.223.9240 option 3 for sales Cloud Computing The SMS Model: Cloud computing is a model for enabling ubiquitous, convenient,

More information

HOW MX PROTECTS YOUR DATA

HOW MX PROTECTS YOUR DATA HOW MX PROTECTS YOUR DATA Overview MX is passionate about and dedicated to protecting, safeguarding, and securing customer data. To do so, MX has established a strong security program supported by a comprehensive

More information

Xerox Litigation Services. In the Cybersecurity Hot Seat: How Law Firms are Optimizing Security While Reducing Cost and Risk

Xerox Litigation Services. In the Cybersecurity Hot Seat: How Law Firms are Optimizing Security While Reducing Cost and Risk Xerox Litigation Services In the Cybersecurity Hot Seat: How Law Firms are Optimizing Security While Reducing Cost and Risk Your Highest Priority is also Your Greatest Challenge Data breaches are not just

More information

Apteligent White Paper. Security and Information Polices

Apteligent White Paper. Security and Information Polices Apteligent White Paper Security and Information Polices Data and Security Policies for 2016 Overview Apteligent s Mobile App Intelligence delivers real-time user experience insight based on behavioral

More information

Vendor Questionnaire

Vendor Questionnaire Instructions: This questionnaire was developed to assess the vendor s information security practices and standards. Please complete this form as completely as possible, answering yes or no, and explaining

More information

Security and Information Policies

Security and Information Policies Security and Information Policies 1 Data and Security Policies for 2015-2016 Overview Crittercism's Mobile App Intelligence delivers real-time user experience insight based on behavioral and operational

More information

Security Practices, Architecture and Technologies

Security Practices, Architecture and Technologies Security Practices, Architecture and Technologies CONTACT: 36 S. Wall Street Columbus, OH 43215 1-800-VAB-0300 www.viewabill.com 1 CONTENTS End-to-End Security Processes and Technologies... 3 Secure Architecture...

More information

Securing the Service Desk in the Cloud

Securing the Service Desk in the Cloud TECHNICAL WHITE PAPER Securing the Service Desk in the Cloud BMC s Security Strategy for ITSM in the SaaS Environment Introduction Faced with a growing number of regulatory, corporate, and industry requirements,

More information

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP SOLUTION BRIEF PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP The benefits of cloud computing are clear and compelling: no upfront investment, low ongoing costs, flexible capacity and fast application

More information

StratusLIVE for Fundraisers Cloud Operations

StratusLIVE for Fundraisers Cloud Operations 6465 College Park Square Virginia Beach, VA 23464 757-273-8219 (main) 757-962-6989 (fax) stratuslive.com Contents Security Services... 3 Rackspace Multi Layered Approach to Security... 3 Network... 3 Rackspace

More information

Client Security Risk Assessment Questionnaire

Client Security Risk Assessment Questionnaire Select the appropriate answer from the drop down in the column, and provide a brief description in the section. 1 Do you have a member of your organization with dedicated information security duties? 2

More information

University of Pittsburgh Security Assessment Questionnaire (v1.5)

University of Pittsburgh Security Assessment Questionnaire (v1.5) Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.5) Directions and Instructions for completing this assessment The answers provided

More information

SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE SWAP EXECUTION FACILITY OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the specific

More information

Keyfort Cloud Services (KCS)

Keyfort Cloud Services (KCS) Keyfort Cloud Services (KCS) Data Location, Security & Privacy 1. Executive Summary The purposes of this document is to provide a common understanding of the data location, security, privacy, resiliency

More information

A Rackspace White Paper Spring 2010

A Rackspace White Paper Spring 2010 Achieving PCI DSS Compliance with A White Paper Spring 2010 Summary The Payment Card Industry Data Security Standard (PCI DSS) is a global information security standard defined by the Payment Card Industry

More information

CloudCheck Compliance Certification Program

CloudCheck Compliance Certification Program CloudCheck Compliance Certification Program Ensure Your Cloud Computing Environment is Secure with CloudCheck Certification Organizations today are increasingly relying on a combination of private and/or

More information

THE BLUENOSE SECURITY FRAMEWORK

THE BLUENOSE SECURITY FRAMEWORK THE BLUENOSE SECURITY FRAMEWORK Bluenose Analytics, Inc. All rights reserved TABLE OF CONTENTS Bluenose Analytics, Inc. Security Whitepaper ISO 27001/27002 / 1 The Four Pillars of Our Security Program

More information

Achieving PCI-Compliance through Cyberoam

Achieving PCI-Compliance through Cyberoam White paper Achieving PCI-Compliance through Cyberoam The Payment Card Industry (PCI) Data Security Standard (DSS) aims to assure cardholders that their card details are safe and secure when their debit

More information

GoodData Corporation Security White Paper

GoodData Corporation Security White Paper GoodData Corporation Security White Paper May 2016 Executive Overview The GoodData Analytics Distribution Platform is designed to help Enterprises and Independent Software Vendors (ISVs) securely share

More information

Becoming PCI Compliant

Becoming PCI Compliant Becoming PCI Compliant Jason Brown - brownj52@michigan.gov Enterprise Security Architect Enterprise Architecture Department of Technology, Management and Budget State of Michigan @jasonbrown17 History

More information

Collaborate on your projects in a secure environment. Physical security. World-class datacenters. Uptime over 99%

Collaborate on your projects in a secure environment. Physical security. World-class datacenters. Uptime over 99% Security overview Collaborate on your projects in a secure environment Thousands of businesses, including Fortune 500 corporations, trust Wrike for managing their projects through collaboration in the

More information

VIEWABILL. Cloud Security and Operational Architecture. featuring RUBY ON RAILS

VIEWABILL. Cloud Security and Operational Architecture. featuring RUBY ON RAILS VIEWABILL Cloud Security and Operational Architecture featuring RUBY ON RAILS VAB_CloudSecurity V1 : May 2014 Overview The Viewabill.com cloud is a highly-secure, scalable and redundant solution that enables

More information

Cloud e-mail services: Security, Compliance and Privacy. Nasos Kladakis Solutions Specialist Microsoft Hellas

Cloud e-mail services: Security, Compliance and Privacy. Nasos Kladakis Solutions Specialist Microsoft Hellas Cloud e-mail services: Security, Compliance and Privacy Nasos Kladakis Solutions Specialist Microsoft Hellas Risk Management Program Overview Information Security Policy Security Privacy & Regulatory Service

More information

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE

DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE DESIGNATED CONTRACT MARKET OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the

More information

74% 96 Action Items. Compliance

74% 96 Action Items. Compliance Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on July 02, 2013 11:12 AM 1 74% Compliance 96 Action Items Upcoming 0 items About PCI DSS 2.0 PCI-DSS is a legal obligation mandated

More information

Secure and control how your business shares files using Hightail

Secure and control how your business shares files using Hightail HIGHTAIL FOR ENTERPRISE: SECURITY OVERVIEW Secure and control how your business shares files using Hightail Information the lifeblood of any business is potentially placed at risk every time digital files

More information

Security Overview. BlackBerry Corporate Infrastructure

Security Overview. BlackBerry Corporate Infrastructure Security Overview BlackBerry Corporate Infrastructure Published: 2015-04-23 SWD-20150423095908892 Contents Introduction... 5 History... 6 BlackBerry policies...7 Security organizations...8 Corporate Security

More information

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst. 2010. Page 1 of 7 www.ecfirst.com

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst. 2010. Page 1 of 7 www.ecfirst.com Policy/Procedure Description PCI DSS Policies Install and Maintain a Firewall Configuration to Protect Cardholder Data Establish Firewall and Router Configuration Standards Build a Firewall Configuration

More information

Netop Environment Security. Unified security to all Netop products while leveraging the benefits of cloud computing

Netop Environment Security. Unified security to all Netop products while leveraging the benefits of cloud computing Netop Environment Security Unified security to all Netop products while leveraging the benefits of cloud computing Contents Introduction... 2 AWS Infrastructure Security... 3 Standards - Compliancy...

More information

Enterprise level security, the Huddle way.

Enterprise level security, the Huddle way. Enterprise level security, the Huddle way. Security whitepaper TABLE OF CONTENTS 5 Huddle s promise Hosting environment Network infrastructure Multiple levels of security Physical security System & network

More information

MIGRATIONWIZ SECURITY OVERVIEW

MIGRATIONWIZ SECURITY OVERVIEW MIGRATIONWIZ SECURITY OVERVIEW Table of Contents Introduction... 2 Shared Security Approach... 2 Customer Best Practices... 2 Application Security... 4 Database Level Security... 4 Network Security...

More information

Druva Phoenix: Enterprise-Class. Data Security & Privacy in the Cloud

Druva Phoenix: Enterprise-Class. Data Security & Privacy in the Cloud Druva Phoenix: Enterprise-Class Data Security & Privacy in the Cloud Advanced, multi-layer security to provide the highest level of protection for today's enterprise. Table of Contents Overview...3 Cloud

More information

White Paper: Librestream Security Overview

White Paper: Librestream Security Overview White Paper: Librestream Security Overview TABLE OF CONTENTS 1 SECURITY OVERVIEW... 3 2 USE OF SECURE DATA CENTERS... 3 3 SECURITY MONITORING, INTERNAL TESTING AND ASSESSMENTS... 4 3.1 Penetration Testing

More information

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security

More information

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10

Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID MOS10 Microsoft Online Subscription Agreement/Open Program License Amendment Microsoft Online Services Security Amendment Amendment ID This Microsoft Online Services Security Amendment ( Amendment ) is between

More information

Addressing Cloud Computing Security Considerations

Addressing Cloud Computing Security Considerations Addressing Cloud Computing Security Considerations with Microsoft Office 365 Protect more Contents 2 Introduction 3 Key Security Considerations 4 Office 365 Service Stack 5 ISO Certifications for the Microsoft

More information

Security Document. Issued April 2014 Updated October 2014 Updated May 2015

Security Document. Issued April 2014 Updated October 2014 Updated May 2015 Security Document Issued April 2014 Updated October 2014 Updated May 2015 Table of Contents Issued April 2014... 1 Updated October 2014... 1 Updated May 2015... 1 State-of-the-art Security for Legal Data...

More information

Our Key Security Features Are:

Our Key Security Features Are: September 2014 Version v1.8" Thank you for your interest in PasswordBox. On the following pages, you ll find a technical overview of the comprehensive security measures PasswordBox uses to protect your

More information

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES17 --------------

Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES17 -------------- w Microsoft Volume Licensing Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 Enrollment for Education Solutions number Microsoft to complete --------------

More information

Delivering peace of mind in digital optimization: Clicktale's security standards and practices

Delivering peace of mind in digital optimization: Clicktale's security standards and practices THE CLICKTALE DIFFERENCE Delivering peace of mind in digital optimization: Clicktale's security standards and practices CONTENTS INTRODUCTION... 2 PRIVACY AND ANONYMITY...2 ISO 27001 COMPLIANCE...4 APPLICATION-LEVEL

More information

Building Energy Security Framework

Building Energy Security Framework Building Energy Security Framework Philosophy, Design, and Implementation Building Energy manages multiple subsets of customer data. Customers have strict requirements for regulatory compliance, privacy

More information

Application Security Best Practices. Matt Tavis Principal Solutions Architect

Application Security Best Practices. Matt Tavis Principal Solutions Architect Application Security Best Practices Matt Tavis Principal Solutions Architect Application Security Best Practices is a Complex topic! Design scalable and fault tolerant applications See Architecting for

More information

Security & Infra-Structure Overview

Security & Infra-Structure Overview Security & Infra-Structure Overview Contents KantanMT Platform Security... 2 Customer Data Protection... 2 Application Security... 2 Physical and Environmental Security... 3 ecommerce Transactions... 4

More information

SERENA SOFTWARE Serena Service Manager Security

SERENA SOFTWARE Serena Service Manager Security SERENA SOFTWARE Serena Service Manager Security 2014-09-08 Table of Contents Who Should Read This Paper?... 3 Overview... 3 Security Aspects... 3 Reference... 6 2 Serena Software Operational Security (On-Demand

More information

IBX Business Network Platform Information Security Controls. 2015-02- 20 Document Classification [Public]

IBX Business Network Platform Information Security Controls. 2015-02- 20 Document Classification [Public] IBX Business Network Platform Information Security Controls 2015-02- 20 Document Classification [Public] Table of Contents 1. General 2 2. Physical Security 2 3. Network Access Control 2 4. Operating System

More information

ClickTale Security Standards and Practices: Delivering Peace of Mind in Digital Optimization

ClickTale Security Standards and Practices: Delivering Peace of Mind in Digital Optimization Delivering Peace of Mind in Digital Optimization TABLE OF CONTENTS INTRODUCTION 2 PRIVACY AND ANONYMITY 3 ISO 27001 COMPLIANCE 5 APPLICATION-LEVEL SECURITY 6 PENETRATION TESTING AND SECURITY AUDITS 7 GENERAL

More information

Level I - Public. Technical Portfolio. Revised: July 2015

Level I - Public. Technical Portfolio. Revised: July 2015 Level I - Public Technical Portfolio Revised: July 2015 Table of Contents 1. INTRODUCTION 3 1.1 About Imaginatik 3 1.2 Taking Information Security Seriously 3 2. DATA CENTER SECURITY 3 2.1 Data Center

More information

GiftWrap 4.0 Security FAQ

GiftWrap 4.0 Security FAQ GiftWrap 4.0 Security FAQ The information presented here is current as of the date of this document, and may change from time-to-time, in order to reflect s ongoing efforts to maintain the highest levels

More information

Using AWS in the context of Australian Privacy Considerations October 2015

Using AWS in the context of Australian Privacy Considerations October 2015 Using AWS in the context of Australian Privacy Considerations October 2015 (Please consult https://aws.amazon.com/compliance/aws-whitepapers/for the latest version of this paper) Page 1 of 13 Overview

More information

Tenzing Security Services and Best Practices

Tenzing Security Services and Best Practices Tenzing Security Services and Best Practices OVERVIEW Security is about managing risks and threats to your environment. The most basic security protection is achieved by pro-actively monitoring and intercepting

More information

Central Agency for Information Technology

Central Agency for Information Technology Central Agency for Information Technology Kuwait National IT Governance Framework Information Security Agenda 1 Manage security policy 2 Information security management system procedure Agenda 3 Manage

More information

CONTENT OUTLINE. Background... 3 Cloud Security... 3. Instance Isolation:... 4. SecureGRC Application Security... 5

CONTENT OUTLINE. Background... 3 Cloud Security... 3. Instance Isolation:... 4. SecureGRC Application Security... 5 Page 2 Disclaimer THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF THE LICENSE AGREEMENT OR NON-DISCLOSURE AGREEMENT. EXCEPT AS EXPRESSLY SET

More information

Amazon Web Services: Risk and Compliance May 2011

Amazon Web Services: Risk and Compliance May 2011 Amazon Web Services: Risk and Compliance May 2011 (Please consult http://aws.amazon.com/security for the latest version of this paper) 1 This document intends to provide information to assist AWS customers

More information

PCI v2.0 Compliance for Wireless LAN

PCI v2.0 Compliance for Wireless LAN PCI v2.0 Compliance for Wireless LAN November 2011 This white paper describes how to build PCI v2.0 compliant wireless LAN using Meraki. Copyright 2011 Meraki, Inc. All rights reserved. Trademarks Meraki

More information

WHITE PAPER. HIPAA-Compliant Data Backup and Disaster Recovery

WHITE PAPER. HIPAA-Compliant Data Backup and Disaster Recovery WHITE PAPER HIPAA-Compliant Data Backup and Disaster Recovery DOCUMENT INFORMATION HIPAA-Compliant Data Backup and Disaster Recovery PRINTED March 2011 COPYRIGHT Copyright 2011 VaultLogix, LLC. All Rights

More information

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015 NETWORK ACCESS CONTROL AND CLOUD SECURITY Tran Song Dat Phuc SeoulTech 2015 Table of Contents Network Access Control (NAC) Network Access Enforcement Methods Extensible Authentication Protocol IEEE 802.1X

More information

MAXIMUM DATA SECURITY with ideals TM Virtual Data Room

MAXIMUM DATA SECURITY with ideals TM Virtual Data Room MAXIMUM DATA SECURITY with ideals TM Virtual Data Room WWW.IDEALSCORP.COM ISO 27001 Certified Account Settings and Controls Administrators control users settings and can easily configure privileges for

More information

White Paper. BD Assurity Linc Software Security. Overview

White Paper. BD Assurity Linc Software Security. Overview Contents 1 Overview 2 System Architecture 3 Network Settings 4 Security Configurations 5 Data Privacy and Security Measures 6 Security Recommendations Overview This white paper provides information about

More information

CHIS, Inc. Privacy General Guidelines

CHIS, Inc. Privacy General Guidelines CHIS, Inc. and HIPAA CHIS, Inc. provides services to healthcare facilities and uses certain protected health information (PHI) in connection with performing these services. Therefore, CHIS, Inc. is classified

More information

Global Partner Management Notice

Global Partner Management Notice Global Partner Management Notice Subject: Critical Vulnerabilities Identified to Alert Payment System Participants of Data Compromise Trends Dated: May 4, 2009 Announcement: To support compliance with

More information

Unified Security Management

Unified Security Management Unified Security Reduce the Cost of Compliance Introduction In an effort to achieve a consistent and reliable security program, many organizations have adopted the standard as a key compliance strategy

More information

Clever Security Overview

Clever Security Overview Clever Security Overview Clever Security White Paper Contents 3 Introduction Software Security 3 Transport Layer Security 3 Authenticated API Calls 3 Secure OAuth 2.0 Bearer Tokens 4 Third Party Penetration

More information