DiamondStream Data Security Policy Summary

Transcription

1 DiamondStream Data Security Policy Summary Overview This document describes DiamondStream s standard security policy for accessing and interacting with proprietary and third-party client data. This covers the handling of data within DiamondStream s cloudbased data architecture environment, as well as on DiamondStream work stations. Protect Data in Transfer and Data at Rest Encryptions applied to data in transfer provide assurance that the communication between the client, cloud storage and webservers cannot be intercepted, as well as validating the intended recipient of the data. Encryptions applied to data at rest protect from (highly unlikely) security breaches in cases where the physical disk containing the data is removed from the cloud services data center. Amazon Web Services I. Data at Rest 1. All data is encrypted using AES 256-bit server-side transparent encryption. II. Data in Transit 1. Clients should ensure that a secure SSL connection is used for file uploads. One such utility is s3cmd: 2. The transfer of data between storage, web services and database are done via SSL AES 256-bit encryption. 3. File transfers within the virtual private cloud are protected from interception and no additional encryption is applied. 4. Processed files sent outside of the DiamondStream Cloud a. From the DiamondStream Cloud to an external cloud distribution site are sent via SSL AES 256-bit encryption. b. From the DiamondStream Cloud to Secure FTP. Patron data is sent quarterly to outside vendors SFTP for National Change of Address (NCOA) updates and demographic appends via Secure Shell connection (SSH). c. BI application webservers to DiamondStream/clients to view dashboards and reports based on client data are SSL-secured via HTTPS i. All reports and data files which BI clients download from BI dashboards are downloaded over an SSL connection via HTTPS. ii. All reports and data files which BI clients schedule for delivery via are SSL-protected if the client server is able to receive encrypted data. 1

2 DiamondStream Work Stations and External Clouds I. Data at Rest 1. The entire volume of any DiamondStream work station which stores client data is encrypted via an encryption software which uses AES 256-bit encryption. 2. Cloud backup -- all DiamondStream work stations have automatic file backup to the cloud and encrypted using 128-bit Blowfish transparent encryption. 3. File sharing applications DiamondStream uses cloud based file sharing solutions to share files internally which apply AES-256 bit encryption. 4. External cloud distribution sites the Online File Folder server is partitioned to create a mount point that only contains DiamondStream data and that only DiamondStream users can access. II. Data in Transit 1. Cloud backup data is encrypted using 128-bit Blowfish encryption prior to transfer, and then is sent to the cloud via SSL. 2. File sharing applications data is sent to the cloud via SSL AES 256-bit encryption. 3. Connections from DiamondStream workstations to DiamondStream cloud based webservers remote connections are required to kick off processing, query data, etc. All such connections are made via SSH and RDP. 4. All data files outside of BI dashboards which must be shared with clients, vendors, or any other authorized third-parties may only be shared through password-protected external cloud distribution site external links; shared links are created using a unique hash such that there is no way to manipulate the link to get to another portion of the data stored on the site s Online File Folder. 5. Very large data files which cannot easily be shared via the external cloud distribution site may be shared via DiamondStream-authorized memory cards. Memory cards must be wiped clean after each use. Strong Access Control Measures DiamondStream puts restrictions in place to ensure that only authorized users have access to the data at any stage of the DiamondStream data ecosystem. This includes source traffic controls via VPC and firewalls and user access restrictions on the DiamondStream cloud and DiamondStream work stations. VPC and Firewalls Most components of the DiamondStream cloud are inside a VPC. The VPC restricts traffic to and from each webserver and databases to other machines inside the VPC only. Exceptions which enable DiamondStream to connect remotely to these machines are governed by route tables, subnets and security groups. Usernames and Passwords I. Amazon Web Services: Identity Access Management (IAM) 1. Privileges 2. Users receive only the privileges required to perform their daily tasks. Authentication 2

3 II. a. User passwords are set according to best practice policies. b. Root and admin users Access Keys and Secret Keys are not directly used by any processes. Instead, separate users with minimum permissions required to establish a remote connection and perform the processing steps are used for additional security. DiamondStream Work Stations & Other Portals 1. All DiamondStream work stations are password-protected and all passwords must satisfy best practice standards. 2. All DiamondStream employee phones have password protection enabled. 3. Customer passwords for accessing BI dashboards through the DiamondStream website portal must satisfy the Wordpress secure password policy and best practices. 4. All other passwords for DiamondStream-related accounts or communications containing sensitive information are auto-generated by password management software and must satisfy the best practice criteria (no vendor-supplied defaults are allowed). Maintain a Vulnerability Management Program This section discusses DiamondStream s policies and practices for ensuring ongoing protection of data from security threats. This includes utilizing anti-virus software, keeping all software updated, storing keys and passwords in a safe place, rotating them regularly, and managing the archival and destruction of stored data. I. All DiamondStream work stations and webservers have anti-virus software installed. II. Software updates 1. All anti-virus software to be updated regularly and new licenses to be purchased no later than 30 days before expiration of current license. 2. All database software to be updated as updates are released. 3. Java plug-ins to be disabled on all browsers. 4. All other software (e.g. browsers) also to be updated as new releases become available to leverage the latest security patches. III. Password, Access/Secret Key and Web Server Private Key Storage and Rotation 1. Storage of access keys and secret keys, web server private keys, and other DiamondStream system/account passwords a. All DiamondStream login details are stored in password vaults which is protected via a master password, except web server private keys. Each DiamondStream employee must have a password vault account and create their own master password which is not to be shared with anyone. Login details are locally encrypted using AES 256-bit encryption prior to being sent to the password vault. b. Webserver private keys are saved on DiamondStream work stations of employees working directly with the webservers only. In such cases, the keys are encrypted as indicated above. 3

4 c. Browser settings which save login details for future use must be disabled. Usernames and passwords must be entered manually each time a login is required; alternatively, password vault auto-fill may be used, but the vault must be locked between browser sessions. 2. Password and key rotation a. The following types of keys require yearly rotation: Transparent encryption keys which are stored in the DiamondStream cloud and used to encrypt data at rest. Webserver Private Keys for remote connection from DiamondStream work stations via SSH/RDP. All Access Keys/Secret Keys except root account. PGP keys used to share data with authorized third-party vendors for National Change of Address updates and demographic appends. Encryption software private keys for DiamondStream work stations. b. All other DiamondStream passwords on active require rotation every 90 days. Note that this excludes client passwords to the DiamondStream website portal. While DiamondStream auto-generates the original password for new clients, it is each client s responsibility to enforce a secure password storage and rotation policy going forward. Client password breaches will only expose that client s data, but unauthorized users cannot gain access to any other clients information via this method. IV. Archival and Destruction of Stored Data. Data will be archived and destroyed per the following: 1. Data files stored on external cloud distribution sites and shared via password-protected public links these files will be available at the link provided for one month from upload; subsequently, they will be deleted from the distribution site. 2. Data files shared with vendors for specific contracts must be destroyed upon termination of said contracts via over-write, and proof of data destruction must be provided to DiamondStream. The latter will require the vendor to provide DiamondStream access to sample data from the device where the data was previously stored. Regularly Monitor and Test Networks; Enforce Security Standards This section discusses ongoing best practices which must be applied to ensure data systems remain secure and all DiamondStream employees and partners are in compliance with the DiamondStream Data Security Policy. I. Testing User and Firewall Access Points 1. A password policy simulator will be applied to all users whose permissions have been altered in any way, to ensure the changes continue to provide the appropriate level of access for the user s purposes. 4

5 II. 2. Firewall/Security Groups: Security Group settings will be tested via NMAP (a security scanner which is used to discover hosts and services on a network) to verify that only the necessary ports are open on each machine and that only authorized IP addresses have inbound access. Related security policies In addition to the DiamondStream Data Security Policy, the following documents define security standards for employees and vendors, respectively. 1. DiamondStream Employee Security Agreement covers use of work stations, data, security best practices, and ethics. Requires employee signature. 2. DiamondStream Vendor Security Agreement covers requirements for the vendor to protect the information, to limit access to those who must access it in order to perform the tasks under contract, to destroy data and provide proof of destruction at the end of the contract, and to notify DiamondStream if there is a potential security breach. Requires vendor signature. 5