Security Practices, Architecture and Technologies

Transcription

1 Security Practices, Architecture and Technologies CONTACT: 36 S. Wall Street Columbus, OH VAB

2 CONTENTS End-to-End Security Processes and Technologies... 3 Secure Architecture... 5 Secure Platform... 9 Network Security and Environmental Safeguards

3 End-to-End Security Processes and Technologies The Viewabill solution enables seamless access to information between clients and the firms they hire, and the confidentiality, integrity and availability of these systems is of paramount importance to Viewabill. From the initial planning stages of a feature thru architectural design, development, implementation and support, security is the cornerstone of the Viewabill solution. In utilizing best practices in people, processes and technology, Viewabill s multi-faceted secure development approach includes: Secure Development Environment and Systems. The computer systems used in the development process meet stringent security requirements and are secured by industryleading security systems and certified personnel to ensure the integrity of the development process Secure Development Professionals. Each developer and architect involved in the creation and augmentation of the solution is a highly-seasoned and experienced professional who is well-versed in all aspects of security and incorporates secure coding best practices 3

4 Robust Security Program. Viewabill s process starts with background checks for all employees and detailed training on security and privacy standards as part of new employee orientation. Security training and updates continue throughout the year with detailed annual reviews and signed acknowledgement and adherence to the standards. Comprehensive Review and Release Process. At each critical phase of planning and development, a formal review process is implemented, assessed and approved to ensure adherence to company security standards and industry best practice. Secure Code Review. Prior to releasing a new version of any portion of the Viewabill solution, a comprehensive assessment of the code is performed using manual, static and dynamic testing processes. Security Oversight. All development, implementation and support processes are overseen by security experts having achieved Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH) and Certified Hacking Forensic Investigator (CHFI) credentials. 4

5 Secure Architecture The Viewabill architecture was specifically designed to implement best-in-breed security measures within each component. The Viewabill architecture consists of two core components: Transmitter. Communicates with a firm s time entry system data and transmits the data to the Viewabill Cloud-based system. Viewabill Cloud-based System. Stores and presents data via database and web front-end, configures policies, runs reports. The role of the transmitter is to act as a proxy to securely send client, matter, time and associated data to the cloud and this data is not stored within the transmitter. The transmitter is an on-premise.net application that is specifically configured to obtain and send only specified data and does not have the capability to write to the database. To securely communicate to the cloud, the transmitter uses SSL encryption over port 443. The transmitter is a highly secure, limited functionality component that was specifically designed to act as a secure intermediary between the time entry system data and the Viewabill cloud. This component resides behind the firewall and receives the same firewall and IDS/IPS benefits afforded the time entry system itself. 5

6 For companies where an on-premise transmitter is not prudent, or the data is stored in another cloud-based system, API s within the Viewabill Cloud-based System are used to directly communicate with the data repository. Viewabill Architecture Directly Connecting to Billing System Database 6

7 Companies have the option to implement a shadow database to communicate with the transmitter, whereby only specific data that is to be processed by the Viewabill system is obtained from the primary time entry system database and is shadowed to a different database. Viewabill Architecture Connecting to Shadow Database 7

8 The Viewabill Cloud-based system is hosted within Amazon Web Services and runs on the Heroku Ruby platform-as-aservice. This system is the interface used by clients and firms to perform all relevant tasks associated with the functionality offered by the Viewabill systems. Administrators are able to assign roles to specific individuals and subsequently, implement granular controls for user access to the data. Users are authenticated via username and password stored within the Viewabill cloud-based system, with Active Directory, LDAP and two-factor authentication available via Viewabill Professional Services. 8

9 Secure Platform The confidentiality and integrity of data processed by the Viewabill solution is protected by numerous layers of security technologies and processes. By using a cloud computing platform, Viewabill customers are able to directly receive all of the security benefits from frequent and immediate updates to systems, the agility to meet evolving demands and the scalability to seamlessly expand to meet growth requirements. Viewabill utilizes Heroku s Ruby application platform-as-aservice running on Amazon Web Services (AWS) to power the solution. Each is highly-secure and has obtained numerous security and process certifications including: SOC 1/SSAE 16/ISAE 3402 SOC 2 FISMA DIACAP FedRAMP PCI DSS Level 1 ISO

10 Network Security and Environmental Safeguards The Viewabill platform is secured by numerous security and environmental controls to protect Viewabill customer data. Firewalls. Firewalls are utilized to restrict access to systems from external networks and between systems internally. By default all access is denied and only explicitly allowed ports and protocols are allowed based on business need. Each system is assigned to a firewall security group based on the system s function. Security groups restrict access to only the ports and protocols required for a system s specific function to mitigate risk. Host-based firewalls restrict customer applications from establishing localhost connections over the loopback network interface to further isolate customer applications. Host-based firewalls also provide the ability to further limit inbound and outbound connections as needed. DDoS Mitigation. The infrastructure provides DDoS mitigation techniques including TCP Syn cookies and connection rate limiting in addition to maintaining multiple backbone connections and internal bandwidth capacity that exceeds the Internet carrier supplied bandwidth. Personnel work closely with our providers to quickly respond to events and enable advanced DDoS mitigation controls when needed. 10

11 Spoofing and Sniffing Protections. Managed firewalls prevent IP, MAC, and ARP spoofing on the network and between virtual hosts to ensure spoofing is not possible. Packet sniffing is prevented by infrastructure including the hypervisor which will not deliver traffic to an interface which it is not addressed to. The Viewabill platform is secured by numerous security and environmental controls to protect Viewabill customer data. Port Scanning. Port scanning is prohibited and every reported instance is investigated by our infrastructure provider. When port scans are detected, they are stopped and access is blocked. Fire Detection and Suppression. Automatic fire detection and suppression equipment has been installed to reduce risk. The fire detection system utilizes smoke detection sensors in all data center environments, mechanical and electrical infrastructure spaces, chiller rooms and generator equipment rooms. These areas are protected by either wet-pipe, doubleinterlocked pre-action, or gaseous sprinkler systems. Power. The data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, and seven days a week. Uninterruptible Power Supply (UPS) units provide back-up power in the event of an electrical failure for critical and essential loads in the facility. Data centers use generators to provide backup power for the entire facility. 11

12 Climate and Temperature Control. Climate control is required to maintain a constant operating temperature for servers and other hardware, which prevents overheating and reduces the possibility of service outages. Data centers are conditioned to maintain atmospheric conditions at optimal levels. Monitoring systems and data center personnel ensure temperature and humidity are at the appropriate levels. Management. Data center staff monitor electrical, mechanical and life support systems and equipment so issues are immediately identified. Preventative maintenance is performed to maintain the continued operability of equipment. Data Retention and Destruction. Further to securing the systems hosting Viewabill data, daily data backups are conducted and can be easily and seamlessly restored to prevent data loss. Data backups are kept for 90 days and decommissioned hardware is destroyed using the standards defined in DoD M ( National Industrial Security Program Operating Manual ) and NIST ( Guidelines for Media Sanitization ). Additional details on the security practices implemented by Heroku and AWS can be found at: