Security & Infrastructure White Paper

Transcription

1 Proofing and approval made easy. Security & Infrastructure White Paper ProofHQ (Approvr Limited) 66 The High Street Northwood Middlesex HA6 1BL United Kingdom US: UK:

2 Introduction... 3 Security overview... 4 Perimeter & physical security... 4 Key security features and advantages... 5 Application security... 9 Advanced password security options... 9 Network connectivity Network security Data integrity Complete system redundancy Uptime / High availability Summary - Your data is secure and protected... 17

3 Introduction The accessibility, security and integrity of your data are integral to the success of your company and the reputation of our business. Because ProofHQ is delivered as a Software-as-a-Service (SaaS) solution, we understand that the reliability and uptime of our services are of utmost importance to your business and our success. Your data is secure with ProofHQ. The ProofHQ platform runs on a proven infrastructure designed to provide maximum security, performance, and reliability. ProofHQ partners with RackSpace who is a leader in hosting solutions to provide its customers and partners with state-of-the-art perimeter, network, server, application and data security to ensure privacy and availability. The data center infrastructure includes raised floors, state-of-the-art fire suppression, abundant and redundant high speed Internet connectivity, redundant power, and a self-contained cooling system. ProofHQ provides its software services to multiple users worldwide. The profile of our average customer is a fast-paced, small-to-medium sized business organization or a team or department within a large Fortune 500 or Global 2000 company. All of these customers, companies and organizations, regardless of their size, trust and rely on ProofHQ on a daily basis.

4 Security overview ProofHQ s security and infrastructure were designed to provide maximum performance and reliability with state-of-the-art physical and data security and redundancy. ProofHQ s security policy was architected with multiple layers of security, safeguards and redundancy to ward off external security threats. Perimeter & physical security ProofHQ is dedicated to developing and maintaining a state-of-the-art physical site security where it hosts its data and servers. ProofHQ hosts its primary servers and data with Rackspace in Chicago, Illinois. The data center s security includes on-site 24/7 staff, alarm systems, card key access, CCTV archived video and a host of other state-of-the-art security measures. With fully redundant power supplies, multiple backup generators, numerous of Tier 1 Internet providers, and laser-based early smoke detection, Rackspace s data center s have been configured to maximize safety, security and reliability.

5 Key security features and advantages Surveillance Physical access to the data center is controlled and monitored 24/7 by: Biometric scanning Security camera monitoring 24/7 onsite staff Unmarked facilities to help maintain low profile Physical security audited by an independent firm Data center access is limited to Rackspace data center technicians. Only authorized personnel are allowed to access the physical site and servers (including any remote, virtual or tele-access to the data center). Authorized personnel are required to pass through electronic and visual identity validation systems to enter the data center. Access to the data center is maintained by time-stamped logs for historical retrieval. All of ProofHQ s equipment (servers, routers, switches, storage devices) are stored in securely locked cabinets and cages.

6 Remote Access To ensure security, there is no direct data linkage or connected data lines between ProofHQ offices and the Rackspace data center. Remote Access to the ProofHQ Servers are strictly controlled and limited to authorized personnel only. Any authorized remote access is solely executed via encrypted communications. SSAE 16 Type II SOC 1 Rackspace is SSAE 16 Type II SOC 1 compliant which supersedes and effectively replaces the Statement on Auditing Standards (SAS) No. 70 Type II as designated by the U.S. Securities and Exchange Commission (SEC) as an acceptable method for a user organization's management to obtain assurance about service organization's internal controls without conducting separate assessments. A service auditor's examination performed in accordance with SSAE 16 ( SOC 1 Audit ) Type II SOC 1 ( SOC 1 Audit ) provides a detailed description of our controls and the effectiveness of those controls. The examination often includes controls over information technology and related processes. The SSAE 16 was created to update the US service organization reporting to mirror the new international service organization-reporting standard, the International Standard for Assurance Engagements (ISAE) No Rackspace recognizes the needs of their US, International and Global customers and has worked with the service auditor to have the report issued with a joint opinion that satisfies the requirements of both the SSAE 16 and the ISAE Building, fire suppression and power backup

7 The Chicago data center is a 34,000 sq. ft. state-of-the-art Gigabit Data Center situated in Chicago. The spacious facility features raised floors, state-ofthe-art redundant fiber optics and redundant self-contained fire suppression and cooling system. The data center s HVAC (Heating Ventilation Air Conditioning) system is N+1 redundant. This ensures that a duplicate system immediately comes online should there be an HVAC system failure. Every 90 seconds, all the air in the data center is circulated and filtered to remove dust and contaminants. With advanced fire suppression systems designed to stop fires from spreading in the unlikely event one should occur. If a total utility power outage ever occurs all of the data centers' power systems are designed to run uninterrupted, with every server receiving conditioned UPS (Uninterruptible Power Supply) power. The UPS power subsystem is N+1 redundant, with instantaneous failover if the primary UPS fails.

8 If an extended utility power outage occurs, the routinely tested, on-site diesel generators can run indefinitely.

9 Application security User authentication / Login security Users access ProofHQ only with a valid username and password combination thus ensuring secure access is restricted to specified users All ProofHQ users create a unique username and password when they create their ProofHQ account. These are encrypted using SSL while in transmission Users' credentials are verified before access to the ProofHQ applications is granted When logging into the system the user s secure session is created and monitored using a unique session identifier. Every subsequent request made by the user is authenticated using this unique session identifier. The security measures are transparent to the user Each additional request is re-verified and if the user s session cannot be authenticated or the user s status on the site has changed (i.e., the user is deleted from the system or Account by an Administrator), the user will not be allowed to access the system anymore ProofHQ uses Expiring Headers which enables users with the ability to ensure maximum security after they log out of ProofHQ eliminating the ability for other users to access cached pages in the browser Advanced password security options ProofHQ also provides an additional layer of password security by allowing Administrators to adjust a range of password options such as: Minimum password length The Administrator can determine what the minimum password length must be for all users within the account. To ensure a minimum level of password security, ProofHQ natively requires a minimum of 6 characters Password complexity Administrators can require users to use complex password credentials. Enabling this feature will require all users to include one or more of the following in their passwords: o At least one or more lower case character o At least one or more UPPER CASE character o o At least one or more digit (numeral) At least one or more special character one of the following ^ etc. Automatic password ageing Administrators can determine how often user passwords expire; forcing users to create a new password every specified number of days

10 Password repetition Administrators can prevent users from using previously entered passwords which will require the user to create a unique password when required Account lockout Additionally the Administrator can specify the number of times a user can reattempt an invalid login before their account is locked out. Once locked only an Administrator can unlock the user s account Below is a screenshot of the Advanced password settings: Permissions & rights management ProofHQ provides customizable permissions and rights management to accommodate a variety of customer needs. User Permissions are managed at both the Account level and at the Folder level allowing access to specified folders only and allowing the Administrator to further restrict user permissions at proof and file level. There are several types of user profiles that can exist within ProofHQ, each with their own permissions and level of access. In addition to the standard restrictions placed on a given user profile, the ProofHQ system uses folders that allow the Administrator to provide additional restrictions to items contained within these folders. Each proof created within the system can also be configured with the appropriate access and restrictions.

11 Creating a user allows you to select an appropriate permission profile A proof can be configured to restrict user access

12 Network connectivity To assure constant and continuous connectivity to the core internet backbones, ProofHQ s network infrastructure leverages Multi-Homed Bandwidth carriers. This ensures global access and uptime in the event of network discontinuity with a single carrier. Only high performance bandwidth is used throughout this network. To provide multiple redundancies in the flow of information to and from the data center, Rackspace partners with nine network providers. Every fiber carrier must enter the data center at separate points. This is to protect from complete service failures caused by an unlikely network cut. Fast and reliable network connections are guaranteed because of the Proactive Network Management methodology that monitors route efficiency and end-user performance, automatically improving the network's topology and configuration in real-time. The network's configuration, codeveloped with Cisco, guards against any single points of failure at the shared network level.

13 Network security ProofHQ has architected a multi-layered approached to secure and defend your data from external attack. We leverage state-of-the-art hardware and software security methods to prevent unauthorized intrusion by external users attempting to access your data. Our infrastructure proactively deters and monitors for external attacks and unauthorized intrusions. ProofHQ employs experienced engineers, system administrators and IT professionals who pass through rigorous testing, confidentiality agreements and background checks to secure your data. The ProofHQ team is proactively monitoring and deploying new security measures via software and hardware on a regular basis as appropriate. 3rd Party network auditing In addition to our own security measures, our network security is audited by industry leading 3rd party vendors. ProofHQ s multi-layer network security protection ProofHQ deploys a Multi-Layered Network Security Protection System to secure and defend your data from intrusion and attack. Between our servers which house customer data and the Internet, there are four layers of network security protection: 1. IDS (Intrusion detection system) The first line of defense to protect your data is the IDS that reside in front of the firewall. The IDS is specifically configured to provide on-demand and scheduled vulnerability scanning to block the most prevalent Worms, Trojans, BotNets and unauthorized intruders attacks on the web by analyzing header and packet information. Via the scanning process, each packet is inspected and either granted authorized access or denied before ever reaching the firewall. The IDS is the initial line of defense to eliminate unauthorized and unnecessary traffic and blocks it from gaining access to the Firewall. 2. Firewall All information and data requests that pass through the IDS must next pass through the firewall. The firewall places strict limits on ports and protocols and provides the second layer of protection for your data: NAT (Network Address Translation) also known as Network or IP Masquerading technology is used in the ProofHQ data center firewall to provide an extra layer of security. 3. Web server load balancing Web Server Load Balancing, while not strictly a security layer, also provides additional port screening and protocol protection. Web Server Load Balancing can identify common DoS attacks and screen them before reaching the server. It ensures that the URL requests being made are well formed, thus rejecting attempted exploits.

14 4. Web/Application servers The Web/Application server layer runs on Red Hat Linux with Apache as the Web Servers and ProofHQ as the application. Apache is configured to minimal configuration specifications required to run our application layer Application servers are configured to process HTTP requests only Other non-core Internet protocols and services are disabled Servers are locked down and secured at the operating system and system directory levels All non-essential ports and services have been blocked, locked and disabled Site operations Regular operations and system administrator meetings are held to discuss and review near-term and long-term industry compliant solutions ProofHQ proactively monitors industry security warnings, channels and alerts to uncover new and emerging security risks. ProofHQ engineers act immediately upon the discovery of any security risks or alerts ProofHQ proactively scans vendor-specific security channels, including: Cisco Systems, Microsoft Corporation, FreeBSD, Linux, plus community-based forums and channels. ProofHQ also subscribes to all common virus and bug notification and alerts lists. Security patches & upgrades The ProofHQ team routinely monitors, evaluates, tests and applies security patches, fixes, updates and upgrades Any other mission critical security patches, updates and upgrades from vendor and community channels are notified and sent to ProofHQ and are routinely evaluated, tested, and applied, if applicable, within hours of being notified

15 Data integrity We store a large number of data files within the ProofHQ customers accounts and thousands of files are continually being added every week. ProofHQ enlists a variety of methods to assure data integrity, including data protection based on network architecture, as described previously, plus software enabled SSL data encryption. Protected data storage Your data s integrity is protected by numerous layers of state-of-the-art hardware and software security features to prevent hackers or other unauthorized individuals from gaining access to it. With our multiple layer network security system, your data is safely sequestered well out of harm s way. The following details our approach to defense-in-depth security. Security model is reapplied with every request and enforced for the entire duration of the session. Application security model prevents customer data cross-over and ensures complete customer data segregation and privacy. Customer data is segmented from the Application layer providing additional security buffers. Virus scanning ProofHQ and application servers run the latest version of virus detection software. Virus scanning software is updated daily. SSL Data encryption All data transmissions are secured with 256 bit AES High Grade Encryption and Secure Socket Layer (SSL) that protects your data using both server authentication and data encryption. SSL encryption technology protects your data from being read during transmission from your computer to ProofHQ servers. SSL encryption software ensures that when the recipient of the transmitted data receives the information, the computer decrypts the information, authenticates the source and verifies the data integrity. SSL encryption technology leverages digital certificates to verify the identity of the data flow over the internet and allows for encryption and decryption by authorized (authenticated sources). ProofHQ uses GoDaddy for its SSL Digital Certificates. GoDaddy is worldwide the largest provider of new SSL certificates. GoDaddy certificates are recognized by EVERY major desktop and mobile browser enabling organizations of all sizes to secure e-business transactions cost-effectively. They are a founding member of the group that developed Extended Validation SSL Certificates, and one of the first Certification Authorities to offer the Extended Validation green bar. GoDaddy SSL Certificates are based on the established industry standards and have been WebTrust-certified by KPMG for 5 consecutive years.

16 System recovery ProofHQ deploys industry standard best practices to assure system recovery for any eventuality or scenario. Data backups and restoration ProofHQ has implemented rigorous backup procedures to ensure that your data is safely and accurately backed up. Mirrored and Redundant Data Stores ProofHQ maintains a mirrored and redundant copy of the entire storage system. This acts as a warm backup ensuring quick access and retrieval of data in the event of an emergency. Full Backup Snapshot ProofHQ maintains a full backup snapshot of the servers and data on a weekly basis with differential backups taking place every day. Database backups are made using Grandfather-father-son strategy U can access and download the entire contents of their data in ProofHQ using the backup functionality. The Backup is delivered to you as a zip file. It includes an XML export of all of your data (including comments and responses for all versions of all proofs), but does NOT include the original files that you uploaded as proofs Complete system redundancy System redundancy is the key to ensuring consistent and reliable uptime and to eliminating single points of failure. ProofHQ s infrastructure provides full redundancy of all key system components and services including hardware, internet connectivity and power systems. Redundancy is available on all key networking equipment including routers, switches, firewalls and load-balancing servers. Multiple load-balanced web servers and application servers are configured to ensure redundancy. If a web server fails, there are multiple web servers available to carry the website traffic and loads without interruption. Database and file servers use hardware RAID (redundant array of independent disks) technology to ensure availability during standard maintenance. This also ensures data integrity and redundancy in the event of any single hard drive failure without interruption or data loss to the user/customer. Routers and web servers are optimized and configured to accommodate maintenance, software upgrades, server rotation and configuration without a disruption of service.

17 Uptime / High availability ProofHQ provides industry-leading uptime and service with high availability and uptime. Real-time updating of systems can be found at: The measured uptime for ProofHQ typically exceeds 99.9%. (This is exclusive of scheduled maintenance which includes hardware and network maintenance as well as software updates.) Hardware maintenance is typically performed in windows between 12:00 am and 3:00 am Eastern Time on weekends to avoid inconveniencing customers. ProofHQ schedules software maintenance for weekend mornings (North America time) to ensure minimal customer disruption. ProofHQ uses real-time onsite and offsite alerts systems and site monitoring to ensure the availability and performance of distributed IT infrastructures e.g., servers, operating systems, network devices, network services, applications, and application components. Proactive monitoring enables ProofHQ engineers to attack problems immediately before they become critical or emergencies. Summary - Your data is secure and protected ProofHQ provides industry leading security and protection of your data. Whether you are working from your office, your home or on the road you can depend on ProofHQ to be available to you at your critical moments. The ability to access your data anytime from anywhere ensures that you remain productive, protected and connected to the information that you need to run your business. For more information or questions, please contact info@proofhq.com.