ASP Technology & Security Overview
J. J. Keller & Associates Company Profile Year Founded: 1953 Corporate Location: Neenah, Wisconsin, USA Number of Employees: Over 1200 Type of Business: Safety, Regulatory & Information Publications, Products & Services Products: Regulatory Guides, Compliance Manuals, Log Books, Training Handbooks, Newsletters, Video-based Training Kits, Forms & Supplies, Software, Custom Products & Programs Services: Online Services, On-Site Consulting, Seminars & Workshops, Outsourcing Services Number of Customers: 200,000+ companies in a wide range of industries, including transportation, industrial/manufacturing, environmental, distribution, chemical manufacturing, construction, food safety, mining and more. ASP Applications: J.J. Keller s Encompass, Driver Management Online, Vehicle Management Online, Log Checker Online, Fuel Tax Master Online, and Maintenance Manager Online ASP History The feasibility and justification for J. J. Keller s ASP applications were developed in late 1999, early 2000. There are now over 450,000 drivers and vehicles being managed with our online services. The design of our ASP takes into account several fundamental benefits to our clients. Aside from the regulatory and compliance functionality that J. J. Keller is known for, the ASP model allows companies to manage and monitor the compliance activities of multiple locations across North America. Corporate, regional, and division-level management have access to compliance information and practices for locations they are responsible for. Managers can implement standardized regulatory, compliance, and hiring processes throughout an organization, limiting exposures related to fines and mismanagement. Small to medium-sized companies have access to the same tools that have only been available to larger carriers, giving them an affordable, competitive advantage, as they pay based on the number of records stored in the system. Companies that do not have the regulatory expertise on site now have a tool to help them stay in compliance, while overall compliance is managed centrally. All companies can drastically improve their recruiting process and reduce the need for labor intensive, paper-based workflow. The benefits of ASP go on and on. Last revised January 2011 2
ASP Technology Overview J. J. Keller s ASP applications were designed and developed using the Rational Unified Process (RUP). This methodology was chosen to ensure that a project of this scope and magnitude could be delivered in a high quality, cost-effective manner. Using the RUP methodology and tool set, J. J. Keller ASP has been developed with an emphasis on time-to-market and Quality Assurance. Our ASP applications were developed primarily using Microsoft tools. The underlying application framework, or building blocks of the system, were developed using Microsoft.NET Frameworks. Specific tools include: Application Component Programming Language C# Presentation Tier Technology ASP.NET Database Access Technology ADO.NET Reporting Engine Crystal Reports.NET Web Server Internet Information Server (IIS) 6.0/7.0 Quality Assurance Technology IBM Rational Test Suite/Microsoft Visual Studio Team System Because it has developed under.net Frameworks, our ASP is an open, flexible, stateof-the-art system that can be enhanced and maintained in a highly efficient manner. System/Operating Requirements Connection speed: 56K Minimum High Speed, T1 Recommended Screen Resolution: 800X600 Minimum 1024X768 Recommended (can fit more information on the screen) High Color 16 bit Browser: Microsoft Internet Explorer; v6.0 or higher (ASP applications are optimized for IE) Mozilla Firefox; v3.0 or higher Report Viewer: Adobe Acrobat Reader v6.0 or higher Platform Requirements: Windows XP or higher 100 MB of Free Hard Drive space Last revised January 2011 3
ASP Security Overview Encryption Summary We use the same industry-standard Secure Socket layer (SSL) protocol that leading e- commerce and financial service providers use to encrypt information sent across the Internet. This encryption ensures the privacy of your data as it flows between your Web browser and our ASP applications. Application Security Summary Our ASP provides password-level security for all users. Users have access only to the tools and data permitted by their authorized security settings. J. J. Keller ASP requires a two-way match of a random and unique string of 72 characters each time the system is asked to retrieve information. We also use 128 bit encryption during transfer of any data. Physical Security Summary The application and equipment used to host our ASP is located at a physically secured facility specializing in the hosting of Internet applications. The facility is completely free of glass and any unsecured entry points. They use biometric hand scanning technology, access key cards, and combinations secure the physical location. General Security J. J. Keller will periodically audit our ASP application infrastructure to ensure compliance with the ASP Policy and these Standards. Full security reviews by outside security experts have been conducted. J. J. Keller maintains an architecture document that includes a full network diagram of the ASP Application Environment, illustrating the relationship between the Environment and any other relevant networks, with a full data flowchart that details where customer data resides, the applications that manipulate it, and the security thereof. This document remains confidential and will be made available based on customer written requests and demonstrated need only. J. J. Keller will immediately disable all or part of the functionality of the application should a security issue be identified. Affected customers will be notified as soon as possible should this occur. Physical Security Specifics Application hosting by a 3 rd Hosting Provider is the most secure way for an ASP to protect a customer s data. Hosting Providers offer physical security such as restricted building access and locked cages, as well as general application uptime services and redundancy that help ensure maximum availability. Availability services include guaranteed Internet bandwidth connections, backup generators, and fire suppression system. The equipment and application hosting for our ASP is located at CDW (formerly Berbee Information Networks), a physically secured facility in Madison, Wisconsin, specializing in the hosting of Internet applications. Biometric technology, access key Last revised January 2011 4
cards, and combinations secure the physical location. Further information on CDW can be found at www.cdw.com. The CDW facilities are state-of-the-art with multiple independent geographic connections to the most reputable Internet access providers to help maintain and balance Internet traffic; with a fully redundant OC-12 SONET Ring; multiple Uninterruptible Power Supplies (UPSs), and backup systems. J. J. Keller shall have final say as to who is authorized to enter any secured physical environment. J. J. Keller will disclose, upon request, who amongst their personnel and CDW s personnel will have access to the environment hosting the application. J. J. Keller ASP applications incorporate redundant network connections and a backup diesel generator that permits the system s continuous operation even in cases of prolonged electric power outages. Network Security Specifics The network hosting the application is air-gapped from any other network or client CDW may have. This means J. J. Keller s application environment utilizes separate hosts and separate infrastructure. J. J. Keller ASP utilizes logical separation to ensure customer data is not compromised. While the data of multiple customers is shared on common physical hardware, the data is separated logically within shared physical servers and application code handles the client data isolation. This method is fairly common practice in the ASP industry and ensures that all customers are utilizing the latest enhancements within the system and the data stores are fully redundant. All visible query string parameters are based on 72 character strings that are scientifically proven as random and unique. Our ASP requires a two-way match of relevant data in order to retrieve information. J. J. Keller ASP utilizes GUIDs or Globally Unique Identifiers, which randomly create identifications based on a 128-bit number for customer data and their employee data. The idea of a GUID is that not two machines can ever generate the same GUID value twice and unique numbers are created on independent machines. J. J. Keller ASP safeguards customer data and transactions while they are in transit. The system employs 128-bit RSA secured-socket layer (SSL) data encryption. Such 128-bit encryption has never been broken, and would require a trillion years to crack using current and foreseeable technology, according to RSA laboratories. Our ASP s SSL-based network security is supplemented by a VeriSign Server ID, also known as a digital certificate. The certificate verifies that all data claimed to have originated from a customer or partner web site has, in fact, originated from that site, and that is has not been tampered with along the way. Based on 128-bit encryption, a VeriSign digital certificate is the industry standard and can be neither forged nor decoded with current and foreseeable technology. Last revised January 2011 5
Engineered to deliver maximum feasible availability to its customers, the ASP system maintains replicated versions of its application and data on multiple servers in order to protect against unscheduled server interruptions. Our ASP s automatic fail over capability further ensures that the seamless transfer of operations to backup servers in the unlikely event of a main server failure. Host Security Patches are applied to host, web servers, and databases as often as they become available and based on the severity and applicability of the patch. In addition, standard operating procedures exist for the application of OS patches. A combination of protocol exists to monitor web site availability and system hardware performance. The combination includes activities on the parts of CDW and J. J. Keller, as well as, a 3 rd party service. The Network Operations Center at CDW is staffed 24 hours a day, 7 days a week with experienced and qualified Network Administrators. The system at CDW also monitors internal and customer systems, not only for failures, but also for exceeded thresholds in CPU, bandwidth, memory or hard disk utilization. Network Administrators perform trace route functions that are designed to identify response time delays with their Internet connections. Should one connection fail or experience unacceptable response time delay, the other connections have enough capacity to handle the full workload. Web Security The ASP applications use JavaScript and Microsoft ASPx technology. The applications are back-end written in C#, an object-oriented programming language with XML-based Web services on the.net platform. C# is designed for improving productivity in the development of Web application and boasts type-safety, garbage collection, simplified type declarations, versioning and scalability support and other features that make developing solutions faster and easier. J. J. Keller ASP has an active, dedicated, and on-going Quality Assurance process. Validation of system functionality, compliance, authentication, authorization, and accounting functions are all part of the Quality Assurance process. J. J. Keller ASP uses Trend Micro anti-virus software and the network system administrators monitor the Trend Micro web site daily for virus definitions and virus protection. A full virus scan is also completed weekly on all files. Data Security J. J. Keller ASP is built using Microsoft s.net framework. Microsoft brought in independent security experts, Foundstone, Inc. and CORE Security Technologies to analyze and remark on.net. Foundstone, Inc. and CORE Security Technologies have many years of experience assessing and securing complex software application of organizations ranging from members of the Fortune 500 to startups. Their analysis Last revised January 2011 6
stated, In fact, used appropriately, we believe that it is one of the best platforms for developing enterprise and Web Application with strict security requirements (Foundstone, 2003). ASP.NET includes well-integrated support for signing and encrypting cookie content addressing longstanding sensitive issues on Web Application security (Foundstone, 2003). The ASP system automatically backs up all customer data every night with backups stored on non-degradable media in a fireproof, offsite location. This makes it possible for quick restorations of service should online data ever become damaged in a natural disaster or similarly unlikely occurrence. Cryptography Connections to the ASP utilize SSL, Secure Sockets Layer, protocol for transmitting private, confidential documents via the Internet. All modern browsers currently support SSL. All cookies are hashed using SHA1 and protected through the continued use of the 128- bit TripleDES encryption. Role-Based Security Standard user roles are defined based on our knowledge of the transportation industry and best industry practices. While we have attempted to identify a set of standard user roles, we appreciate the uniqueness of processes in place at each of our customer s locations. For this reason, we have adopted role-based security. Role-based security assigns appropriate user access based on those users job responsibilities and affected regulatory compliance. This feature can be customized by the customer s system administrator to meet their company s unique needs. Standard user roles may include: Driver Qualification, Driver Recruiting, Alcohol & Drug Compliance Management, Safety Manager, Regional Safety Manager, and Corporate Management. The customer s system administrator maintains user roles outside of those identified as standard user roles. The customer s system administrator manages additional roles, access, and assignment of these roles to users. J. J. Keller offers initial consultation on this process with additional services as defined in the service agreement. Management of user roles can be effective just in time as managed by the customer s system administrator. Access to the ASP system is restricted to authorized users only. The password policy for ASP applications is designed to address the individual needs of our customers. J. J. Keller will manage the initial account generation, user and password setup under the service agreement. The customer s system administrator manages further security relating to user identification and passwords. This includes the maintenance or subsequent termination of a user s account. Last revised January 2011 7