QuickBooks Online: Security & Infrastructure

Transcription

1 QuickBooks Online: Security & Infrastructure May 2014

2 Contents Introduction: QuickBooks Online Security and Infrastructure... 3 Security of Your Data... 3 Access Control... 3 Privacy... 4 Availability... 4 QuickBooks Online Compliance Efforts... 4 Industry Standard Infrastructure Security... 5 Code Security... 6 Independent/External Validation of Assets and Practices... 7 Additional Resources

3 Introduction: QuickBooks Online Security and Infrastructure At Intuit QuickBooks Online (QBO), we consider the security of your information a primary responsibility. We take specific precautions to provide security while your data is in transit from your computer to our servers, as well as while it is being processed and stored in our data centers. Security of Your Data No single measure can effectively provide complete security, so at QBO, we employ a strategy called defense in depth, a layered approach with multiple security measures in place to help protect your data at all times. Let s start with your data as it leaves your browser. QBO always establishes a secure connection to your browser, indicated by the small padlock symbol displayed on your screen (the location varies based on the browser you use). This secure connection uses SSL (Secure Sockets Layer) technology, which ensures your data is encrypted as it flows through the Internet. Upon receipt, your data passes through an Intuit-controlled firewall put in place to help prevent unauthorized access from outside Intuit s network. Once in our data centers, your data is processed and stored on dedicated QBO-only clusters where access is limited to a very small number of skilled technicians. As additional protection, highly sensitive information such as credit card numbers and Social Security numbers are converted into tokens or are encrypted prior to being stored. Access Control QBO provides fine-grained role-based security so that only you or your designee can specify who can access your data and what level of privileges are to be granted to different users. We also enforce strong password requirements (adhering to PCI standards) for all user logins. You control who accesses your financial data, and what they can see and do with it. Each person you invite to use QBO must create a unique login. We also offer multiple permission levels that let you limit the access privileges of each user. For example, you may want your parttime contractor to be able enter his hours, but not access your latest P&L charts. QBO also provides a comprehensive Audit Log that logs the actions taken by different users. This can help you keep track of user actions on the data. In short, you can rest assured that only authorized users can access the data and only to the extent that is explicitly configured via rolebased permissions. 3

4 Privacy We build privacy into everything we do. It's not an afterthought or corporate rhetoric; it s how we choose to treat and respect our customers on a daily basis. That's why we follow a strict set of guidelines and practices to help protect all of your private information. We will not, without explicit permission, sell, publish or share data entrusted to us by a customer that identifies the customer or any person. Our employees are trained on how to keep data safe and secure. Intuit is a licensee of the TRUSTe Privacy Program, an independent, nonprofit organization committed to the use of fair information practices. For full disclosure of our privacy practices, please review our Privacy Statement (see Additional Resources). Availability Intuit QBO takes service availability very seriously. Measures for resilience and redundancy ensured QBO was available to customers for 99.9% of time in In addition, QBO is set up to survive a major disaster and allow continued access to customer data. All parts of the infrastructure required to run QBO have redundancy across two geographically separate data centers. Each data center has a Tier-4 classification with high physical security and redundancy, and backups for power and cooling. Each infrastructure component for the application has redundancy to help avoid an unrecoverable single point of failure. All application servers are spread across multiple isolated fault domains in server farms built on virtualization technology for high availability. All user data is continuously replicated between the data centers over a private network using industry standard replication technology from Oracle. The lag in data synchronization between data centers is maintained at less than 5 minutes. We ensure reliability of our multi-data center setup by having at least some QBO customers in each data center at all times. Intuit engineers practice documented procedures to switch services between data centers at least once every quarter. QuickBooks Online Compliance Efforts Payment Card Industry (PCI): QBO is certified according to the Payment Card Industry (PCI) Data Security Standards (DSS) on an annual basis by our third party Qualified Security Assessor Trustwave, Inc. 4

5 Industry Standard Infrastructure Security The following represent our QBO security measures: a. Tier-4 Data Center: QBO is hosted on two Premier Tier-4 data centers. Tier-4 is the highest category in the data center industry tiers. b. Stringent Background Checks: Intuit has been in the business of consumer and small business finance for decades. We have robust, established practices of recruiting that involve several rounds of background and reference checks. c. Site Security: All our key sites are guarded by onsite security personnel, and we enforce Access Card-based entry to each building and 24/7 perimeter vigil and control. Data center security involves several orders of strict magnitude, and without a special privilege pass, even an Intuit employee cannot enter our data centers. We segregate roles within our development and production teams, and production access requires appropriate levels of authorization. For example, our Operations function is vertically separated in Development Ops and Production - Ops to enable highest degree of control on access of Intuit production assets. d. Throttling and Other Limits Mitigate Risk of DDOS: Online services are often at risk from distributed denial of service (DDOS) attempts. At Intuit, we use industry standard DDOS appliances to help detect, minimize and prevent potential service impact. e. Password Policy: We follow a strong password policy and password duration for all environments. f. Regular Updates and Security Patching: We have quarterly/bi-yearly/yearly cycles to update software patches, including security patches for our hardware and software stacks. We listen to various security distributions from our vendors and identify proper actions to rapidly ensure security of QBO users where applicable. 5

6 Code Security a. Release process tied with strong security metrics with stringent exit criteria: We log thousands of hours of security Code Reviews every year by our senior-most staff, principal and distinguished engineers for anti-patterns focusing on SQL injections; cross-site scripting; encryption usage; and correct usage of application APIs. A Code Collaborator tool is used to track the reviews and is integrated with our source-code control system for review audits. We also use Static Code Analysis tools such as Coverity and Fortify to scan the code for presence of any existing anti-patterns. Consider this coarse-grained protection to complement the fine grained protections applied in Code Reviews. b. Security Coding Standards & Industry Standard Practices followed in Business Logic; User Interface (JavaScript; CSS); Data/schema and Log: Authentication has built-in capabilities to prevent DOS and Brute Force resistance. To frustrate automated DOS attacks, we use CAPTCHA after a certain number of failed attempts. Secret and sensitive information is encrypted in storage and in transit. For most confidential data, such as Credit Card numbers, it is tokenized away from storage. Auditing, logging and reporting are in compliance with industry standard security practices. c. Test Cases: Our developers also are required to write Unit tests to assure that code behaves properly in the face of common forms of attack. 6

7 Independent/External Validation of Assets and Practices Regular (Independent) Penetration Testing: In addition to our industry standard practices and stringent processes to further mitigate the risk of exposing a vulnerability, we follow a daily/monthly/yearly regime of security tests. Daily: Static Automated Analysis with Tools. Monthly: Trustwave PCI Compliance scans (see Additional Resources) Yearly: Negative Penetration Tests by external independent security experts. Here we assume everything is suspect and simulate BOT attacks to test whether our Firewall, Web and App servers hold against most stringent denial of service and other malicious attacks. We have strategic partnerships with some of the most revered names in the security practices domain, and we regularly bring those experts in-house to audit and attempt to break our code. Some of the series tests we perform against ourselves include the following: Denial of Service attack using large number of attackers trying to overwhelm servers, or to use large payloads to break our application. Privilege escalation attack to try and access additional data without appropriate credentials. Mass mining for Information attack to try to get sensitive data, with or without valid credentials. CSRF (Cross-Site Request Forgery) Attack to try to hijack a user session and force the browser to send request to malicious sites. Cross Site Scripting attacks to reflect attacker s content back to the user to execute and pass on sensitive information to attacker. SQL Injection attacks to inject SQL in the application with malicious intent. Cookie Management Try to break Weak Passwords Packet Sniffing Attacks to intercept sensitive or private information in flight, for example. 7

8 Additional Resources Trustwave PCI Compliance - Privacy Statement - General Intuit Security - 8