FAQ PROJECTPLACE SECURITY

Transcription

1 FAQ PROJECTPLACE SECURITY This FAQ sheet is intended to provide a better understanding of Projectplace and its security services with respect to areas such as backup, safeguards and certifications. For questions unanswered here or elsewhere on the Projectplace website, please contact Projectplace at security@projectplace.com Table of content 1. Privacy benefit 2. Third-party audits 3. Security audit 4. Physical access to user assets 5. Information protection 6. User data and safeguards 7. Sensitive data and encryption 8. Access to the databases 9. Customer data and Projectplace staff 10. Data-backup and data-retention policies 11. Backups and operating data 12. Projectplace servers 13. RTO, RPO and disaster recovery 14. User data and contract termination 15. Web-application attacks 16. User credentials and secure login 17. Additional password settings 18. Viruses and malware 19. Sensitive user information and SLA 20. Terms and conditions SLA 21. Two-factor authentication 22. Single-Sign-on (SSO) 23. Single-Sign-on (SSO) through SAML 24. Filtering IP addresses 25. IPCI DSS-certified service provider 26. In case of bankruptcy or a change in business 27. Information security management system 1. What is the additional privacy benefit of using a service within the EU? A significant competitive differentiator for Projectplace is its focus on providing user data integrity, which includes safeguarding potential access from overseas legislation such as, for example, the United States Patriot Act. All Projectplace systems are hosted in Stockholm, Sweden: user data never leaves the private cloud. The majority of competitors have data centres outside the EU and therefore lack immunity to such legislation. This, however, solely covers data stored in the Projectplace systems: data linked to projects in the Projectplace service through the use of integration tools (e.g. GoogleDrive and Dropbox) is not protected as described above. 2. What third-party audits are performed in the Projectplace environment? The Projectplace infrastructure and application are subject to vulnerability scans, regularly performed on a quarterly basis. Annual penetration tests are carried out by independent third parties. These tests are repeated whenever any significant changes occur in the Projectplace environment. Projectplace has an established information-security-management system, which was awarded ISO 27001certification by Intertek, an independent auditor. A copy of this certificate can be viewed on the company web site Furthermore, Projectplace entrusts external auditors (Deloitte) to evaluate its information security practices and general IT controls. 3. What is the approach used when a client requests to have a security audit of Projectplace conducted? Projectplace has an open policy that allows its clients to perform security audits of its service. The audit may be performed by either the client or a third-party supplier appointed by the client, provided that sufficient non-disclosure agreements have been completed and testing pre-conditions, defined by Projectplace, have been mutually agreed upon. Testing pre-conditions typically include dedicated timeframes, static source IP addresses, defined test types (avoiding destructive tests, such as denial of service and DNS poisoning), etc. 1 Faq Projectplace Security l 2013 by Projectplace International AB. All rights reserved.

2 Safeguarding against potential access from overseas legislation All Projectplace systems are hosted in Stockholm, Sweden and the customer data never leaves our private cloud therefore it is immune from overseas legislation from outside the EU, such as the United States Patriot Act. 4. How is physical access to user assets and/or information controlled and restricted solely to authorised staff? The Projectplace server environment is hosted in two separate colocation facilities and is operated by Qbranch 365/24 AB in Stockholm, Sweden. Qbranch AB, is a profitable, rapidly-growing co-location provider, assigned with an AAA rating. The ISO certified, service organisation provides server hall facilities with 24-hour physical security. This includes comprehensive identification, access control and monitoring systems, automatic fire protection, redundant climate control and fail-over power supply. All physical access to Projectplace data centres operated by QBranch is logged and monitored in real time. CCTV images from inside the data centre are retained for 90 days. 5. How is user information protected from unauthorised networkaccess, such as malicious internal users and external hackers? The network containing the Projectplace production servers (the service) is protected by redundant firewalls, intrusion detection systems and load balancers. The Projectplace service is located on a physically segregated network that requires two-factor authentication for administrative access from the office network. Projecplace proactively monitors and analyses firewall and systems, using its internal system for security information and event management to identify unusual traffic patterns, potential intrusion attempts and other security threats. Network monitoring services, provided by Qbranch 365/24 AB for the co-location facilities, are used as well. 6. How is data from a particular user segregated from that of other clients? What safeguards are in place to prevent users from accessing one another s data? Projectplace achieves logical separation of user data through object level access controls and encryption. In Projectplace, each object links to a file individually encrypted, using an AES-192 algorithm. Access controls are implemented at the object level to prevent unauthorised users from accessing data. Production or user data is not used in the Projectplace testing environment. Production and test environments are physically segregated; only dummy user data is used in testing. Projectplace does not store user data on backup media; instead, it relies on real-time replication of data (through mirroring and snapshots) in redundant systems for availability (hosted at co-location sites as described above). Security controls for the segregation of user data are identical in both environments. 2 Faq Projectplace Security l 2013 by Projectplace International AB. All rights reserved.

3 7. How is sensitive data, stored and transmitted by the Projectplace service protected? Which encryption methods are used? Data in transit is encrypted with 256 bit SSL (version 3) and TLS (version 1) protocols, using a 2048 bit RSA public key for key exchange. User data (including login information) is not sent through unencrypted channels. Details of the Projectplace encryption certificate can be viewed on the public web site. All documents stored in Projectplace are automatically encrypted with a unique key, using the AES-192 encryption algorithm. Documents are saved anonymously, rendering identification impossible. Encryption keys are stored separately, with precautions are taken to prevent unauthorised access both to encrypted documents and their corresponding encryption keys. User data is not stored in the Projectplace database; only the objects which refer to the encrypted files are stored in the data vault. Continuous security testing The Projectplace infrastructure and application are subject to vulnerability scans, regularly performed on a quarterly basis. Annual penetration tests are carried out by independent third parties. 8. Who at Projectplace has access to the databases? Only a very limited number of system operation team members (fewer than ten) have access to the production databases through two-factor authentication. 9. What customer data stored in the Projectplace system can be viewed by Projectplace staff? Only the user s contact information - i.e. name, address, address, phone numbers and project membership can be viewed by Projectplace support and sales staff. Projectplace administrators are able to see all project names and their members that have been created in the system. This information is neither shared with anyone, nor sold or marketed to any third party (see Privacy Statement: privacy-statement/.) Projectplace staff is prohibited from accessing user project data or uploaded documentation. In fact, the extensive encryption procedures effectively prevent anyone (including Projectplace staff) from accessing this information, using normal daily operations or existing tools. To obtain access to project data and recover project files, an administrator would need to retrieve the encryption key for each individual object and decrypt each file. To prevent unauthorised retrieval of customer data, mechanisms for access control (through two-factor authentication), logging and monitoring have been implemented. Faq Projectplace Security l 2013 by Projectplace International AB. All rights reserved. 3

4 Secure transmission over the Internet Data in transit is encrypted with 256 bit SSL (version 3) and TLS (version 1) protocols, using a 2048 bit RSA public key for key exchange. 10. What data-backup and data-retention policies and procedures are applied to the information stored in the Projectplace service? Multi-step mirroring and online backup routines for production databases and document storage systems have been put into effect by Projectplace. These mirrored data vaults are subject to security control identical to that of the production system. User data is not stored on removable backup media (i.e. tapes). Online backups (snapshots) of the Projectplace database do not contain user data (only object referrers). The backups serve the sole purpose of restoring the whole production system in the unlikely event of multiple server failure. Projectplace employees are unable to restore individual projects or documents from these backups. Upon client request, Projectplace has procedures in place for the removal and secure disposal of user data. These procedures include deleting encrypted files from the data vault, removing the referrer object and encryption key from Projectplace databases and overwriting the allocated memory space in the data vault so as to prevent restoration. At the end of their life cycle, all data vault disks are physically destroyed by disk shredders. Projectplace retains user data as long as clients remain members of the service. Projectplace can retain user data indefinitely for active project members, downloadable at any point in time by the user for offline retention. 11. How long are backups and operating data retained? Unless data is explicitly deleted by the project user, all project information is retained for the duration of the project. Once the user initiates project data deletion - e.g. by emptying a project s waste paper bin or terminating a project - the data disposal process is initiated, with user information no longer retained hereinafter. Object referrers and their associated encryption keys for deleted objects are deleted from the Projectplace database, which then initiates the garbage collection process, removing the encrypted file from the data vault and overwriting the data. Projectplace does not use backup tapes or other removable media to store user data. Once the data is purged from both primary and secondary systems, it is no longer available. 12. What is the backup schedule for Projectplace servers? How much data could a user potentially lose? Projectplace operates a fully redundant system with real-time database mirroring. All data generated on the Projectplace primary site is continuously backed up to its secondary site, via dual fibre connections. The Projectplace disaster recovery tests demonstrate zero data loss. Projectplace further promises to keep data loss to a minimum (estimated RTO and RPO approximately two minutes) in the event of an actual disaster. 13. What are the RTO and RPO of the disaster recovery solution for the Projectplace service? The Projectplace production system is run on a multi-site cluster at two geographically dispersed locations. All critical servers and applications are installed at both locations, which, in the case of a major disruption or disaster, ensure business continuity. All data stored in the primary database servers is mirrored to secondary servers in real time. Second- 4 Faq Projectplace Security l 2013 by Projectplace International AB. All rights reserved.

5 ary servers are located at the second Qbranch co-location facility and are configured to automatically take over production tasks. In the event one of the locations fails, the second site is configured to take over all production tasks with minimal service disruption and capacity loss (estimated RTO and RPO approximately two minutes). In the event of a major disruption or disaster at one or both production sites, an emergency response team, consisting of selected Projectplace staff, is summoned to activate the disaster recovery plan. Safe from prying eyes Projectplace staff is prohibited from accessing user project data or uploaded documentation. In fact, the extensive encryption procedures effectively prevent anyone (including Projectplace staff) from accessing this information, using normal daily operations or existing tools. 14. How is user data disposed of at the time of contract termination? Once a user initiates deletion of project data - for example, by emptying a project s waste paper bin or terminating a project, object referrers and their associated encryption keys are deleted from the Projectplace database. This initiates the garbage collection process, which removes the encrypted files from the data vault and overwrites the data. The process is identical for both primary and secondary data centres. User data is not stored on any removable storage systems or backup media. 15. What processes and procedures are in place to ensure that the web application is not vulnerable to known web-application attacks? Projectplace is constructed on a multi-tier architecture, consisting of web servers, application servers and database data storage. Projectplace has in place established coding standards and a software-development life cycle, with security incorporated from the very outset. Industry guidelines, such as The Open Web Application Security Project (OWASP), Secure Coding Guide, SANS CWE Top 25 and CERT Secure Coding are followed by the development team. Projectplace application security is tested by web application vulnerability scans and annual penetration tests at least once every quarter and whenever any significant change is made in the system. These tests are performed in accordance with OWASP testing guidelines. 16. What controls are implemented and enforced that protect user credentials and ensure a secure login procedure? All users are required to authenticate on the service with a unique username and password combination. User credentials are encrypted when transmitted over the Internet (HTTPS) and when at rest in the Projectplace database. User-identity verification is done via , using the self-service, challenge-response mechanism. Users are required to enter the activation code that is sent to their pre-defined address. By default, users are required to have passwords that consist of at least six characters in order to access the service. However, the client account manager can define the minimum password requirements for project members and enforce higher security standards. Password properties recommended by Projectplace are as follows: At least eight characters Upper and lower case characters Numeric characters Faq Projectplace Security l 2013 by Projectplace International AB. All rights reserved. 5

6 Over 99% uptime since 1998 Projectplace operates a fully redundant system with real-time database mirroring. All data generated on the Projectplace primary site is continu ously backed up to its secondary site, via dual fibre connections. Currently, settings for password history and account lockout are not supported by Projectplace. Users are required to re-authenticate after session expiration (one hour). 17. What additional password settings can be enabled on the service? Project administrators can set the minimum password requirement of between eight or ten characters.password complexity requirements can be set to none, one or both of the following: Both small and capital letters must be included in the password. Numeric characters must be included in the password. Password validity duration can be set to the following options: Never expire After 1 month After 3 months After 6 months After 12 months Please note these settings only apply to enterprise accounts. 18. How are client assets and/or information protected against damage potentially caused by viruses and other types of malware? Projectplace provides file integrity monitoring and anti-virus software for all our critical systems that are commonly affected by malware. 19. How are clients informed about any incident or breach that potentially exposes sensitive user information? Do standard agreements and SLAs include clauses that stipulate terms and conditions for the reporting of these types of incidents? Projectplace has in place established security incident responses and escalation procedures that ensure timely and effective handling of all situations. All clients are informed in the event of a security incident which may potentially expose their data or cause a major disruption to the service. Projectplace is in close contact with the Swedish CERT, the police and legal authorities to handle such cases. 20. Are custom SLAs supported by Projectplace? What terms and conditions in the standard SLAs are negotiable? Although Projectplace provides the best service for all its clients, custom SLAs are supported by Projectplace and are preferred by some larger clients. RTO/RPO, retention periods and notification mechanisms are among the negotiable terms of a custom SLA. In the past year, Projectplace maintained an uptime of 99.98%, independently monitored by third-party, Pingdom. 6 Faq Projectplace Security l 2013 by Projectplace International AB. All rights reserved.

7 21. Does Projectplace support two-factor (2-factor) authentication for the login procedure? Currently, the Projectplace service does not support two-factor authentication. However, the infrastructure is constructed in such a way so as to support encrypted authentication mechanisms that utilise strong passwords. All passwords and data in transit are encrypted, using SSL version 3 and TLS version 1 protocols over the Internet (HTTPS). To protect data stored in the Projectplace systems (including user credentials) the Advanced Encryption Standard (AES) protocol, renowned for its security, is used. Furthermore, Projectplace has a mature information security management system in place. Risks are continuously monitored and evaluated. Projectplace does not believe that two-factor authentication adds much value to its service security when taking into account the existing number of mitigating controls. These controls include, but are not limited to, strong passwords, account-lockout mechanisms, audit logging and monitoring. Seamless login process via SSO Projectplace supports Single-Sign-on (SSO), using the SAML and Active Directory Federation service for its enterprise clients. The SSO procedure allows network users to access Projectplace without having to log in separately. 22. Does Projectplace support Single-Sign-on (SSO) for the login procedure? Yes, Projectplace supports Single-Sign-on (SSO), using the SAML and Active Directory Federation service for its enterprise clients. The SSO procedure allows network users to access Projectplace without having to log in separately, with authentication federated from the Active Directory. When federated authentication is enabled, Projectplace does not validate a user s password. Instead, an assertion in the HTTP POST request is verified, allowing for SSO if the assertion proves to be true. This reflects the industry s standard procedure for SSO that is widely in use. When federated authentication is enabled, Projectplace does not validate a user s password. Instead, an assertion in the HTTP POST request is verified, allowing for SSO if the assertion proves to be true. This reflects the industry s standard procedure for SSO that is widely in use. 23. What features are supported by Single-Sign-on (SSO) through SAML? The implementation of SSO through SAML is mainly for end-user convenience, avoiding the need for users to remember multiple passwords. Currently, Projectplace does not support advanced SAML features which allow for centralised user accounts and access management (such as automatic deletion of users from the Projectplace system after removal from the client domain). This, however, is in the pipeline. 24. Can exposure be limited by limiting access to the system through filtering IP addresses? Currently Projectplace does not provide source IP-based access restriction as the service is intended for global access. With over 820,000 users, IP-source-address filtering is not a manageable access control for the Projectplace system. Faq Projectplace Security l 2013 by Projectplace International AB. All rights reserved. 7

8 Certified Security Projectplace s mature information security management system is awarded the ISO certificate. 25. Is Projectplace a PCI DSS-certified merchant/service provider? PCI DSS (Payment Card Industry Data Security Standard) is a set of security requirements and guidelines for merchants who store, process or transmit cardholder data. Projectplace outsources all its payment processing to DIBS. Cardholder data is not stored, transmitted or processed by Projectplace systems. Users are directed to the DIBS secure payment page for online purchasing and returned to Projectplace upon transaction completion. Since its systems never touch payment card data, Projectplace is not subject to PCI DSS. DIBS, however, is a PCI DSS-validated service provider for online payment processing. 26. In the event of Projectplace bankruptcy or a change in its line of business, does Projectplace provide an escrow agreement to safeguard user data and project data? Projectplace, one of the first SaaS providers and in existence since1998, is customarily used as an escrow medium for cross-organisational collaboration. For companies that work together but don t want project documentation to be hosted by either side, Projectplace is an invaluable solution. Whilst Projectplace does not by default support escrow agreements, it can offer its clients the technical assurance that all project documentation and plans are downloadable for off-line retention. All data stored on the Projectplace site is owned solely by the client. Once a project or account is deleted, the corresponding data is no longer retained. Users desiring to retain documents for a longer period of time are able to download project documentation. Users are also able to implement a routine backup procedure that downloads their documents for off-line retention. 27. Does Projectplace have an information security management system in place? Is Projectplace ISO certified? Yes, Projectplace has a very mature information security management system in place, whereby risks are continuously monitored and evaluated. Projectplace was awarded ISO certification in March of 2012, following an audit by Intertek. A copy of the certificate is available for viewing on the company web site. 8 Faq Projectplace Security l 2013 by Projectplace International AB. All rights reserved.