Clever Security Overview

Transcription

1 Clever Security Overview

2 Clever Security White Paper Contents 3 Introduction Software Security 3 Transport Layer Security 3 Authenticated API Calls 3 Secure OAuth 2.0 Bearer Tokens 4 Third Party Penetration Testing and Code Review Facility Security 5 Facility Security Infrastructure 5 Certifications and Accreditations 5 SAS70 Type II 5 PCI DSS Layer I 5 ISO FISMA Data Access Grants 6 Full School District Data Access Controls 6 Conclusion 2014 Clever, Inc. All Rights Reserved. 2

3 Introduction Clever is a service for transferring student information, in a private and highly secure manner, between authorized parties - generally, from a school to a vendor. Clever helps schools protect student data by replacing manual processes, such as ed CSV files, which are often insecure and insufficient for compliance with the Family Educational Rights and Privacy Act (FERPA). By comparison, Clever is engineered to be a private,reliable, and highly secure alternative for schools to control the transmission of student data. Clever is fully compliant with all federal student privacy mandates (such as FERPA), and complies with local state privacy mandates in all 50 states (such as California SOPIPA and Louisiana HB-1076). To gain familiarity with Clever, API examples are available on the Clever website at: Software Security Clever uses bank-grade security infrastructure at the software and network level, to ensure that student data is always encrypted and transmitted securely. This includes use of TLS / SSL protocols, API call-level authentication, and API bearer tokens with 200 bits of entropy. Transport Layer Security Clever requires that all data transfer via its website and API use the Transport Layer Security (TLS) cryptographic protocol over a HTTPS connection. This means that unique session keys are used to encrypt and decrypt data transmissions and to validate transmission integrity. Clever servers prefer perfect forward secrecy (using ECDHE) to encrypt data using 256 bit Advanced Encryption Standard (AES) which surpasses the standard adopted by the consumer banking industry and the US Government for the secure transmission of classified data. Authenticated API Calls Clever mandates that all API calls be authenticated individually, meaning that authorized API credentials must be provided each time student data is accessed. For authentication, Clever uses OAuth 2.0 authentication occurring over TLS/SSL protocols. Secure OAuth 2.0 API Bearer Tokens Clever isolates and controls data access through the use of API bearer tokens, generating a unique and secure token for each application at each district. This API token infrastructure 2014 Clever, Inc. All Rights Reserved. 3

4 ensures that individual school districts maintain full discretion and control over the entire data access process, and can easily limit, expand, or revoke those permissions at any time. Two-Factor Authentication Clever offers (and recommends) a two-factor authentication mechanism for user account access, requiring authorized team members to first log in using their address and password, then enter a six-digit access code that refreshes every 30 seconds from a linked mobile device. Data Isolation Clever employs district-level data isolation throughout the information transmission pipeline, from data ingestion all the way through to application sync. Individual district-level data sets are normalized and processed in single use, highly secure, and contained environments. Our production environment is completely inaccessible from the Internet, and all access to it is logged and secured using multiple factor authentication. Access to the data for districts and partner applications is secured by district and application-specific credentials. Third Party Penetration Testing and Code Review Clever relies on Matasano Security ( one of the nation s largest online security firms, for comprehensive commercial penetration testing and code review. Matasano employs leading internet security experts, who attempt to breach the Clever security system through a series of increasingly advanced techniques. Matasano security experts have never been able to breach Clever. Following the penetration test, Matasano works with the Clever team to conduct full code review, hardening existing security systems to meet or exceed consumer banking standards. Clever also maintains an active responsible disclosure program, reachable at [email protected] Clever, Inc. All Rights Reserved. 4

5 Facility Security Clever s data centers are operated by partners with extensive experience in designing, constructing, and operating large-scale data centers. Its data centers are all housed inside the continental United States, in nondescript facilities with extensive setbacks, military-grade permitter control berms, and natural boundary protection. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state of the art intrusion section systems, biometric employee authentication standards, and other electronic means. Authorized staff must pass multi-factor authentication no fewer than three times to access data center floors. Data Center Certifications and Accreditations SOC 1/SSAE 16/ISAE 3402 The SOC 1 report audit attests that the Company s control objectives are appropriately designed and that the controls safeguarding customer data are operating effectively. The audit for this report is conducted in accordance with the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) and the International Standards for Assurance Engagements No (ISAE 3402). SOC 2 (formerly SAS70). Includes detailed controls and operates along with an independent auditor opinion about the effective operation of these controls. These controls meet the criteria set forth by the American Institute of Certified Public Accountants (AICPA) Trust Service Principles, including leading practice controls relevant to security, availability, processing, integrity, confidentiality, and privacy applicable to service organizations. PCI DSS Level 1. Company has been independently validated to comply with the PCI Data Security Standard as a hosting provider. ISO Company has achieved ISO certification of the Information Security Management System (ISMS) covering infrastructure, data centers, and services. FISMA Company enables government agency customers to achieve and sustain compliance with the Federal Information Security Management Act (FISMA). Company has been awarded an approval to operate at the FISMA Low level. It has also completed the control implementation and successfully passed the independent security testing and evaluation required to operate at the FISMA-Moderate level Clever, Inc. All Rights Reserved. 5

6 Data Access Grants Once a school or district begins using Clever, student data will not be available to any vendor until the school has, for each vendor, explicitly granted access in writing. Once a school or district grants permission for a vendor to sync data, the data may be accessed via the API using the vendor s secure API Bearer Token. Vendors syncing data from Clever have agreed to store, transmit, and display student data only via secure and FERPA compliant methods. Clever reserves the right to withhold student data from vendors it believes unable to handle student information securely. Conclusion At Clever, security is paramount. The Clever API represents a new way of transferring student data securely, using a combination of encryption, software security, hardware security, and access permissions to carefully safeguard student information. This security-minded approach allows partners to sync student information while remaining in full compliance with federal mandates such as FERPA and state mandates such as SOPIPA. For more information about Clever security, please contact [email protected]. PGP Key ID: F1916C63 Fingerprint: BC A7 B1F7 345A DD35 C015 E1ED F191 6C63 For more information about using Clever in your school district, please contact [email protected]. To find out how to integrate Clever in to your application, please contact [email protected] Clever, Inc. All Rights Reserved. 6