THE BLUENOSE SECURITY FRAMEWORK

Transcription

1 THE BLUENOSE SECURITY FRAMEWORK Bluenose Analytics, Inc. All rights reserved

2 TABLE OF CONTENTS Bluenose Analytics, Inc. Security Whitepaper ISO 27001/27002 / 1 The Four Pillars of Our Security Program / 3 Secure Development Lifecycle ("SDLC") / 3 Product Security Features / 3 Secure Deployment Architecture on Amazon Web Services / 4 Corporate Security / 5 IT Security / 5 Physical Security / 6

3 Bluenose Analytics, Inc. Security Whitepaper Bluenose Analytics is in the business of helping you understand your customer relationships. By loading your customer data into our application, we give you tools to aggregate and analyze this data to spot at-risk customers and opportunities to increase revenue with existing customers. We fully understand the importance of protecting your data and the implications of data security on our application. Simply put, our aim is to protect your data in a way that exceeds your expectations. In this document we will outline our overall security framework, and how we implement it across four major areas. ISO 27001/27002 is our Management & Controls Framework ISO 27001/27002 ( ISO ) is industry best practice. Virtually every other security, privacy and regulatory framework has been cross-referenced in full to it. ISO has stood the test of time. ISO is our information security management system that states our control objectives. Control objectives are high-level statements of policy that guide the selection and implementation of actual procedures and controls. We can share with you the specifics of our implementation: our 1

4 objectives, policies and how we approach the process of selecting, implementing and managing specific security policies, standards, procedures and controls. Note: Much of the rest of this document describes our control objectives at a high level. ISO is our means of selecting and implementing policies, standards, procedures & controls as a means to satisfy our control objectives. We select and implement specific policies, procedures & controls described in based on their relevance to Bluenose operations and their ability to reduce risk. Our portfolio of controls is comprised of both primary and compensating controls, based on what s practical for you and us. Our controls are administrative, technical, management and legal in nature. Because our implementation of ISO is improving continuously - and it s highly confidential - it makes sense to talk to us live to get a current picture of our implementation under NDA. To assist your due diligence and to ensure our capabilities, we seek to obtain and maintain third-party certifications. To that end, we have completed a SSAE 16 SOC2 Type 1 examination. The examination period was as of January 31, 2014 and the report on its results was issued in May, We will seek a SSAE 16 SOC2 Type 2 examination later in 2014 to demonstrate our ability to sustain our security practices. Over time, we expect to achieve various certifications that are enabled by our ISO implementation, such as ISO certification, Cloud Security Alliance, etc. 2

5 THE FOUR PILLARS OF OUR SECURITY PROGRAM Our security program has four pillars. Secure Development Lifecycle ( SDLC ) We believe that the best way to achieve security is to design it in. Therefore, we train each of our developers on a multi-day curriculum developed by experts in this domain. This approach minimizes the likelihood that vulnerabilities are introduced into our product in the first place. Our SDLC training includes the Threat Modeling approach: Review designs using threat modeling Find the weaknesses in an application architecture Document how the weaknesses can be exploited Decide what and how to mitigate the weaknesses Product Security Features Our product contains numerous security features that affect how you experience it as a customer: Multi-factor authentication Encrypted transports (HTTPS is required) Role-based access model with fine-grained controls at the field level Password complexity policies 3

6 AWS Secure Deployment Architecture on Amazon Web Services ( AWS ) Our product runs on AWS. AWS operates on a shared responsibility principle, wherein AWS accepts responsibility for lower-level security: Facilities Network (that supports their infrastructure) Hardware Host OS Details on AWS model can be found here: Bluenose is responsible for securing everything that runs on this stack, including Guest OS, application software, and various security controls such as access control at the network, application and data layers, encryption, secure configuration, etc. Our implementation on AWS includes the following approaches: Data segregation: each customer s data is logically segregated in full Application instance isolation: each customer gets their own application instance IP-based access: access between software tiers is controlled at the firewall / IP level (for example, between the web application and the database) Updated and validated machine images, patches and configurations before deployment Logging, auditing & alerting: instances are monitored for performance and security 4

7 Corporate Security Our approach to corporate security is a combination of IT security and physical security. i. IT Security Security Awareness Training Every employee must pass a security awareness training course. We provide supplemental training and assistance on an ongoing basis as threats evolve and our practices change. Supported Devices We maintain strict control over the types of devices that can access our internal network and the configuration settings of those devices. Our Network We operate a minimal amount of network infrastructure. As a result, we simplify network security. We monitor our networks for ingress and egress patterns, in order to ensure that the connection between our end-points and cloud-based accounts is secure. No Servers We do not own or operate any servers on our premises, which we believe reduces our security risk in many ways: Simplified network security Avoidance of management challenges related to installed software: patch management, vulnerability scanning, etc. Increased physical security 5

8 Cloud-Based Business Applications We run our business on a portfolio of cloud-based business applications, many of which you probably use, too. This includes financial accounting, customer relationship management, project management, etc. We manage this portfolio in the following way: We conduct due diligence on application vendors based on their security features and security management practices. We maintain an inventory of our applications and authorized users of each application, as well as the privilege level for each user, carefully restricting administrative privilege to only those with a need for it. We continuously manage the provisioning and de-provisioning processes. We manage access to these systems, including multi-factor authentication (such as tokens, SMS, etc.), password complexity policies, role-based access management with least-privilege provisioning, device fingerprinting, audit logging etc. ii. Physical Security Bluenose provides a robust set of physical security measures: We minimize the risk of physical security by minimizing our own infrastructure. We also minimize security risk by having a take-home policy for end-point devices. Because our workforce is highly mobile, we take associated measures such as device encryption, access control at the OS and application level, remote wipe, etc. Each of our facilities is protected by continuous video surveillance and recording, electronic access control systems, alarm monitoring systems and visitor registration systems. 6

9 TM MAKE YOUR CUSTOMERS LAST A LIFETIME ABOUT BLUENOSE Bluenose is a customer success platform that empowers SaaS businesses to proactively manage customers through complete visibility, a robust early warning system, and built-in playbooks. For more information, visit Contact Us Bluenose Analytics 517 York Street San Francisco, CA info@bluenose.com