Disclaimer

THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF THE LICENSE AGREEMENT OR NON-DISCLOSURE AGREEMENT. EXCEPT AS EXPRESSLY SET FORTH IN SUCH LICENSE AGREEMENT OR NON-DISCLOSURE AGREEMENT, EGESTALT TECHNOLOGIES INC. PROVIDES THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DO NOT ALLOW DISCLAIMERS OF EXPRESSED OR IMPLIED WARRANTIES IN CERTAIN TRANSACTIONS; THEREFORE, THIS STATEMENT MAY NOT BE APPLICABLE IN SUCH CIRCUMSTANCES.

This document and the software described in this document may not be lent, sold, or given away without the prior written permission of egestalt Technologies, Inc., except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of authorized personnel of egestalt Technologies Inc. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data.

Information about and around HIPAA and HITECH continues to evolve and the information here is subject to change. This information is provided as is and without warranty. While every effort has been made to ensure that the information presented is correct, no such assurances are offered. HIPAA/HITECH rules and regulations are subject to many different interpretations and are subjective. You should not rely on this information solely for auditing or legal purposes; use it only as a means to raise your awareness.
We are not legal subject matter experts and advise you to consult with your own legal counsel, auditors or advisors. Changes are periodically made to the information herein, which may contain inaccuracies or typographical errors. These changes may be incorporated in new editions of this document. Changes or improvements may be made to the software described in this document at any time.

2012 egestalt Technologies Inc., all rights reserved.

CONTENT OUTLINE
Background
Cloud Security
Instance Isolation
SecureGRC Application Security
Access Control
Instance Isolation
Customer data protection
Security policies and strategies
Summary
Security elements in SecureGRC

Background

Cloud technology is the product of a powerful imagination. For businesses trying to leverage IT services, moving to the cloud is more or less inevitable because of cost efficiencies, ease of management and the separation of responsibilities between the business and the cloud services provider. Cloud infrastructure has indeed been a very attractive proposition to many enterprises, small or large, given the features that cloud infrastructure providers offer today. But cloud security is sometimes raised as a matter of concern. Therefore, when egestalt took its information security and compliance services to the cloud, it made sure that the SecureGRC services were offered only after thorough due diligence, to ensure complete privacy and security for the customers, partners and businesses using the cloud-based services. While SecureGRC was designed and built with security architecture enmeshed into the application architecture, it was equally important to identify and host the services in a cloud infrastructure that would meet SecureGRC's intense security requirements.

SecureGRC is a service offered by egestalt Technologies for effectively managing information security through appropriate governance, risk management, and compliance solutions. SecureGRC supports HIPAA/HITECH compliance and PCI DSS. This whitepaper details the secure components built into the product. The framework allows an easy interface for adding any regulation or standard. The service is offered from the cloud on a Software-as-a-Service model. If you are concerned about how safe it is to depend on cloud infrastructure to safeguard your security posture and compliance information, this whitepaper addresses those concerns.
Cloud Security

egestalt decided to host SecureGRC services on AWS (Amazon Web Services) after diligent evaluation of the secure infrastructure deployed by AWS, as egestalt's compliance services need to be built on a strong foundation of confidentiality, integrity and availability.

Why AWS Cloud infrastructure?

AWS is compliant with various certifications and third-party attestations such as SOC 1/SSAE 16/ISAE 3402 (replacing the earlier SAS70 Type II), SOC 2, PCI DSS Level 1, ISO 27001, and FISMA. The flexibility and customer control that the AWS platform provides permit the deployment of solutions that meet industry-specific certification requirements, such as healthcare applications that measure compliance with the HIPAA/HITECH Security and Privacy Rules or the Payment Card Industry Data Security Standard (PCI DSS), or a wide range of compliance regulations and standards such as FISMA, COBIT, ISO 27K, etc., on AWS. With Amazon's many years of experience in designing, constructing, and operating large-scale data centres throughout the world, its infrastructure
and location are accessible within Amazon only to those who have a legitimate business need for such access. A variety of physical barriers in these data centres help ensure only authorized access. AWS enables users to encrypt their personal or business data within the AWS cloud and publishes backup and redundancy procedures for its services. Amazon Web Services has successfully completed SOC 1/SSAE 16/ISAE 3402 (replacing the earlier SAS70 Type II) and SOC 2 audits, which certify that a service organization has had an in-depth audit of its controls. Security exception monitoring mechanisms provide adequate protection for SecureGRC against Distributed Denial of Service (DDoS) attacks, Man-in-the-middle (MITM) attacks, IP spoofing, unauthorized port scanning, packet sniffing, etc. Each of the services within the AWS cloud is architected to be secure and contains a number of capabilities that restrict unauthorized access or usage. AWS provides a highly scalable, reliable, and inexpensive data storage infrastructure that offers dependable backup solutions.

Instance Isolation:

AWS architecture enables its customers to use a single code base with dynamic virtual partitioning of the system. The information is virtually partitioned in the cloud. Virtual partitioning isolates the data of each customer and eases data manageability. To ensure the privacy and security of the data of each client that uses our cloud services, different instances running on the same physical machine are isolated from each other via the Xen hypervisor. In addition, the AWS firewall resides within the hypervisor layer, between the physical network interface and the instance's virtual interface. All packets must pass through this layer, so an instance's neighbours have no more access to that instance than any other host on the Internet and can be treated as if they are on separate physical hosts. The physical RAM is separated using similar mechanisms.
Customer instances have no access to raw disk devices, but instead are presented with virtualized disks. The AWS proprietary disk virtualization layer automatically resets every block of storage used by the customer, ensuring that one customer's data are never unintentionally exposed to another.
SecureGRC Application Security

Access Control:

The innovative and granular access controls (Label-Based and Role-Based Access Control) give the end user control over protecting their data. The LBAC model applies labels (Access Domain and Access Level) to users to define which account/customer the user can access. The RBAC model applies roles to users so that access to any feature/data in the system is based on the role defined in the system. All interactions and user/client identification are over SSL/HTTPS. The password policy enforced follows de facto industry usage, with password expiry, strength and validation aspects built in.

Instance Isolation:

The multi-tenant architecture of SecureGRC enables customers and partners to use a single code base with dynamic virtual partitioning of the system. The information is virtually partitioned in the cloud. Virtual partitioning isolates the data of each customer and eases data manageability. SecureGRC customers' data is in a database and spread across multiple tables. Database access is restricted to the Database Administrator. Virtual partitioning is done using role-based and label-based access control.

Customer data protection

SecureGRC cloud services cover information relating to accounts and processes, regulatory controls or standards mapped to different clients, password policy, user management accounts, role-based module access rights, assessment templates and the associated response data and documentary attachments, reviewed data from auditors, assessment data such as gaps identified, corrective steps undertaken, etc. A keystore is installed on SecureGRC to encrypt files. A keystore is a database of keys in which private keys have an associated certificate chain, which authenticates the corresponding public key. A keystore also contains certificates from trusted entities.
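The virtual partitioning described under Access Control and Instance Isolation above rests on two checks evaluated together: the label check (Access Domain and Access Level) decides which customer's rows a user may see at all, and the role check decides what the user may do with the feature those rows belong to. The following Python is an added illustration of that combination, not SecureGRC's own code. The label and role names, the feature names, and the sample users and records are constructed for this example; how the product itself encodes them is not stated on the page.

```python
"""Combined label-based (LBAC) and role-based (RBAC) access check for a
multi-tenant record store.

Added illustration, not SecureGRC's own code. Label names (access domain,
access level), role and feature names, and the sample users and records are
constructed for this example.
"""
from dataclasses import dataclass

# Access levels are ordered: a user may read records at or below their own level.
LEVELS = {"public": 0, "internal": 1, "confidential": 2}

# RBAC: the (feature, action) pairs each role may perform. Constructed role names.
ROLE_PERMISSIONS = {
    "auditor": {("assessment", "read"), ("evidence", "read")},
    "assessor": {("assessment", "read"), ("assessment", "write"),
                 ("evidence", "read"), ("evidence", "write")},
}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    access_domains: frozenset   # customer accounts this user is labelled for
    access_level: str


@dataclass(frozen=True)
class Record:
    record_id: str
    feature: str
    access_domain: str          # owning customer account
    access_level: str


def lbac_allows(user: User, record: Record) -> bool:
    """Label gate: the record's domain must be one the user is labelled for,
    and its level must not exceed the user's level."""
    return (record.access_domain in user.access_domains
            and LEVELS[record.access_level] <= LEVELS[user.access_level])


def rbac_allows(user: User, feature: str, action: str) -> bool:
    """Role gate: the user's role must grant this action on this feature.
    An unknown role grants nothing."""
    return (feature, action) in ROLE_PERMISSIONS.get(user.role, set())


def authorize(user: User, record: Record, action: str) -> bool:
    """Both gates must pass. Dropping either one reopens a gap: without labels a
    role reaches across tenants, without roles a label grants every action."""
    return lbac_allows(user, record) and rbac_allows(user, record.feature, action)


def visible_records(user: User, records, action: str = "read"):
    """What a query over the shared tables returns to this user: the virtual
    partition, applied row by row."""
    return [r.record_id for r in records if authorize(user, r, action)]


def blocked_by_labels(user: User, records, action: str = "read"):
    """Rows the role alone would allow but the labels block: other tenants'
    rows, or rows above the user's level. This is what a role-only check
    would have exposed."""
    return [r.record_id for r in records
            if rbac_allows(user, r.feature, action) and not lbac_allows(user, r)]


# Constructed sample data: two tenants sharing one table.
RECORDS = [
    Record("acme-assess-1", "assessment", "acme", "internal"),
    Record("acme-evid-1", "evidence", "acme", "confidential"),
    Record("globex-assess-1", "assessment", "globex", "internal"),
    Record("globex-evid-1", "evidence", "globex", "confidential"),
]
ACME_AUDITOR = User("alice", "auditor", frozenset({"acme"}), "confidential")
GLOBEX_ASSESSOR = User("bob", "assessor", frozenset({"globex"}), "internal")
PARTNER_AUDITOR = User("carol", "auditor", frozenset({"acme", "globex"}), "internal")

if __name__ == "__main__":
    for u in (ACME_AUDITOR, GLOBEX_ASSESSOR, PARTNER_AUDITOR):
        print(u.name, "sees", visible_records(u, RECORDS),
              "| role-only would also expose", blocked_by_labels(u, RECORDS))
```

The point to take from `blocked_by_labels` is that a role such as "auditor" is tenant-agnostic; it is the domain label that keeps an auditor for one customer from reading another customer's rows in the same table, and the level label that keeps an assessor labelled "internal" away from "confidential" evidence within their own tenant.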
Different keystores are used in different environments such as Quality Assurance, Development, and Production. The keystore file is password protected, and the password is changed programmatically every few months, which ensures absolute security of the data. Data sent from the customer premises to the cloud is encrypted using 3-DES symmetric encryption. Types of files that are encrypted include evidence files, security scan outputs, security scan configuration XML, policy files not supplied out of the box by SecureGRC, and customer- or partner-uploaded documents. With client- and server-side authentication, the data in transit is secure. SecureGRC tokenizes all individually identifiable data of customers. The tokenization information is segregated from the actual data so as to make it
practically impossible for anyone to make sense of the data outside of the programmatically implemented access control mechanism of SecureGRC. SecureGRC customer data in the cloud is secured using state-of-the-art encryption mechanisms. Vulnerability scan data and all other security-related data in the file system are encrypted as part of secure storage. A SecureGRC customer may use a separate customer-specific key to encrypt all their data, for which a new keystore is generated for 3-DES symmetric encryption. The customer keystore is password protected and is not stored in SecureGRC. {This is a feature under development and will be available in a future release.} On the cloud, the data will not be accessible to either egestalt employees or the cloud service provider's personnel. Only the Production Operations Admin or the Database Admin will have access to the SecureGRC server or database, and no one else will have access to customer data. Each customer's data will be completely isolated from every other customer's. The cloud provider's strong security measures, as explained under the other questions, provide a strong and secure framework. Secured continuous replication of the data ensures data persistence.

Security policies and strategies:

After the initial user ID creation and password generation, the customer, on logging into SecureGRC with the assigned password, will be required to change the password before proceeding further in using the services of SecureGRC. When attending to reported bugs, the egestalt support team will be allowed access to your data only on written authorization from you, and you will not give them your user ID or password; instead, once you have logged in, the team will analyse the data or the bug. All such activities will be logged for monitoring of activity on SecureGRC. As access to the different modules in SecureGRC is role-based, access to the various modules is highly restricted.
This ensures the integrity and confidentiality of data. Access to dashboards and reports on information security and compliance is strictly limited on a need-to-know basis.

Summary

Cloud technology is the product of a powerful imagination. Cloud infrastructure has indeed been a very attractive proposition to many enterprises, small or large, given the features that cloud infrastructure providers offer today. But cloud security is a matter of concern holding them back from quickly adopting cloud services. Therefore, when egestalt took its information security and compliance services to the cloud, it made sure that the SecureGRC services were offered only after thorough due diligence. While SecureGRC was designed and built with security architecture enmeshed into the application architecture, it was equally important to identify and host the services in a cloud infrastructure that would meet SecureGRC's intense security requirements.
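The tokenization described under Customer data protection above replaces each individually identifiable value with a token and keeps the token-to-value mapping apart from the records, so the record store on its own carries no identifiers. The Python below is an added illustration of that arrangement, not SecureGRC's code. The set of fields treated as identifying, the sample assessment records and the two in-memory stores are constructed for the example; the page states only that identifiable data is tokenized and that the tokenization information is segregated from the data.

```python
"""Tokenizing individually identifiable data and keeping the token map apart
from the records that reference it.

Added illustration, not SecureGRC's own code. The identifying field names,
the sample records and the two in-memory stores are constructed here.
"""
import secrets

# Fields whose values must never sit in the record store in the clear (assumed set).
IDENTIFYING_FIELDS = ("patient_name", "ssn", "email")


class TokenVault:
    """Token <-> clear value mapping. In a deployment this is a separate store
    behind its own access control; the record store never holds this mapping."""

    def __init__(self):
        self._by_token = {}
        self._by_value = {}

    def tokenize(self, field, value):
        # The same (field, value) always yields the same token, so records stay
        # joinable on an identifier without the identifier itself being present.
        key = (field, value)
        if key not in self._by_value:
            token = f"tok_{field}_{secrets.token_hex(8)}"  # random, not derived from the value
            self._by_value[key] = token
            self._by_token[token] = value
        return self._by_value[key]

    def detokenize(self, token):
        return self._by_token[token]

    def __len__(self):
        return len(self._by_token)


def is_token(value):
    return isinstance(value, str) and value.startswith("tok_")


def tokenize_record(record, vault):
    """Copy of the record with every identifying field replaced by its token."""
    stored = dict(record)
    for field in IDENTIFYING_FIELDS:
        if stored.get(field) is not None:
            stored[field] = vault.tokenize(field, stored[field])
    return stored


def detokenize_record(stored, vault):
    """Reverse mapping, only possible for a caller that can reach the vault."""
    record = dict(stored)
    for field in IDENTIFYING_FIELDS:
        if is_token(record.get(field)):
            record[field] = vault.detokenize(record[field])
    return record


def store_records(records, vault):
    """Write path: only tokenized copies reach the record store."""
    return [tokenize_record(r, vault) for r in records]


def leaked_identifiers(record_store, clear_values):
    """Check run against the record store alone: which clear identifiers appear
    anywhere in it. After tokenization the expected result is an empty list."""
    blob = " ".join(str(v) for rec in record_store for v in rec.values())
    return [v for v in clear_values if v in blob]


# Constructed sample input: assessment findings that carry patient identifiers.
SAMPLE_RECORDS = [
    {"patient_name": "Jane Doe", "ssn": "123-45-6789", "email": None,
     "finding": "Access log review gap identified"},
    {"patient_name": "Jane Doe", "ssn": "123-45-6789", "email": "jane@example.com",
     "finding": "Evidence attached for corrective step 2"},
]

if __name__ == "__main__":
    vault = TokenVault()
    record_store = store_records(SAMPLE_RECORDS, vault)
    for rec in record_store:
        print(rec)
    print("identifiers visible in record store:",
          leaked_identifiers(record_store, ["Jane Doe", "123-45-6789", "jane@example.com"]))
    print("distinct tokens held by the vault:", len(vault))
```

Two design choices are worth noting. Tokens are random rather than a hash of the value, so holding the record store gives no way to brute-force an SSN back from its token; and a value maps to one token per field, which keeps findings for the same patient linkable inside the store while still requiring the vault (and its access control) to learn who that patient is.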
egestalt Technologies Inc.
Head Quarters: 3080 Olcott Street, Suite #200-B, Santa Clara, California 95054
Phone: +1 (408) 689 2586
info@egestalt.com

About egestalt Technologies Inc.:

egestalt Technologies is a world-class, innovation-driven leader in cloud-computing-based business solutions for information security and IT-GRC management. egestalt is headquartered in Santa Clara, California, and has offices throughout the US, Asia-Pacific and the Middle East. To learn more about SecureGRC versions from egestalt and how we can help you protect your healthcare-related organization, visit http://www.egestalt.com, call us at +1-(408)-689-2586, or email sales@egestalt.com. egestalt SecureGRC was given a rating of 4.5 stars (out of a maximum 5), with 5 stars for Features, Support and Value for money, by SC Magazine in June 2012. In Feb. 2012 egestalt President Anupam Sahai was named a Channel Chief by Everything Channel's CRN. egestalt has been ranked in the Top 10 Vendors for Compliance Management and Data Access & Security by Hypatia Research, Q4 2011. egestalt was nominated Breakthrough Technology Vendor at XChange Americas, Aug. 2010, and selected by SiliconIndia among the "Top 10 Security Companies to Watch." egestalt's SecureGRC application was voted runner-up in the Managed Services Category at XChange Tech Innovators, Nov. 2010. In Sept. 2011 it was selected by Everything Channel as a 2011 CRN Emerging Technology Vendor as well as a 2011 Tech Innovator for Managed Services. For the second year in a row, egestalt Technologies (www.egestalt.com), a provider of IT security monitoring and compliance management for SMBs and enterprises, was selected by UBM Channel and CRN as a 2012 Emerging Technology Vendor.
To learn more about Aegify Security Posture Management and Aegify SecureGRC compliance management tools from egestalt and how we can help you protect your organization, visit http://www.egestalt.com, call us at +1-(408)-689-2586, or email sales@egestalt.com.