SECURITY DOCUMENT. BetterTranslationTechnology

Similar documents
User's Guide. Product Version: Publication Date: 7/25/2011

FileCloud Security FAQ

QUANTIFY INSTALLATION GUIDE

Security Whitepaper: ivvy Products

Rally Installation Guide

Web Plus Security Features and Recommendations

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes

User Management Guide

How To Secure Your Data Center From Hackers

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Polycom CMA System Upgrade Guide

The SSL device also supports the 64-bit Internet Explorer with new ActiveX loaders for Assessment, Abolishment, and the Access Client.

HP IMC Firewall Manager

Virtual Code Authentication User Guide for Administrators

G-Lock EasyMail7. Admin Guide. Client-Server Marketing Solution for Windows. Copyright G-Lock Software. All Rights Reserved.

Copyright 2012 Trend Micro Incorporated. All rights reserved.

Secure Web Appliance. SSL Intercept

Tableau Online Security in the Cloud

Decision Support System Software Asset Management (SAM)

TECHNICAL CONDITIONS REGARDING ACCESS TO VP.ONLINE. User guide. vp.online

Security Policy JUNE 1, SalesNOW. Security Policy v v

2X Cloud Portal v10.5

by New Media Solutions 37 Walnut Street Wellesley, MA p f Avitage IT Infrastructure Security Document

Mobile Device Management Version 8. Last updated:

SnapLogic Sidekick Guide

Connection Broker Managing User Connections to Workstations and Blades, OpenStack Clouds, VDI, and more. Security Review

XTM Drupal Connector. A Translation Management Tool Plugin

Acano solution. Security Considerations. August E

Sophos for Microsoft SharePoint startup guide

White Paper. Prepared by: Neil Shah Director, Product Management March, 2014 Version: 1. Copyright 2014, ezdi, LLC.

owncloud Architecture Overview

XIA Configuration Server

HP A-IMC Firewall Manager

WHITE PAPER. Support for the HIPAA Security Rule RadWhere 3.0

Security Information & Policies

UNIFIED MEETING 5 SECURITY WHITEPAPER INFO@INTERCALL.COM INTERCALL.COM

Check list for web developers

Xerox DocuShare Security Features. Security White Paper

SHARPCLOUD SECURITY STATEMENT

Technical specifications

Sharp Remote Device Manager (SRDM) Server Software Setup Guide

White Paper. Support for the HIPAA Security Rule PowerScribe 360

vcloud Director User's Guide

Application Security Testing. Generic Test Strategy

Lepide Active Directory Self Service. Configuration Guide. Follow the simple steps given in this document to start working with

SAM Server Utility User s Guide

USER GUIDE WEB-BASED SYSTEM CONTROL APPLICATION. August 2014 Phone: Publication: , Rev. C

CA Spectrum and CA Service Desk

WhatsUp Gold v16.3 Installation and Configuration Guide

Data Collection and Analysis: Get End-to-End Security with Cisco Connected Analytics for Network Deployment

Enterprise Manager. Version 6.2. Installation Guide

Sophos Mobile Control SaaS startup guide. Product version: 6

SafeGuard Enterprise Web Helpdesk. Product version: 6.1

Desktop : Ubuntu Desktop, Ubuntu Desktop Server : RedHat EL 5, RedHat EL 6, Ubuntu Server, Ubuntu Server, CentOS 5, CentOS 6

How to Configure Captive Portal

EMC Data Protection Search

Installation Guide for Pulse on Windows Server 2012

Identikey Server Windows Installation Guide 3.1

RemoteTM Web Server User Guide. Copyright Maxprograms

SNAP WEBHOST SECURITY POLICY

Gigabyte Management Console User s Guide (For ASPEED AST 2400 Chipset)

vcenter Chargeback User s Guide

LifeSize Control TM Deployment Guide

Release Notes for Websense Security v7.2

AD Self-Service Suite for Active Directory

Connection Broker Managing User Connections to Workstations, Blades, VDI, and more. Security Review

SafeGuard Enterprise Web Helpdesk

User Manual Version User Manual A20 / A50 / A100 / A250 / A500 / A1000 / A2000 / A4000

SafeGuard Enterprise Web Helpdesk. Product version: 6 Document date: February 2012

How To Set Up A Backupassist For An Raspberry Netbook With A Data Host On A Nsync Server On A Usb 2 (Qnap) On A Netbook (Qnet) On An Usb 2 On A Cdnap (

Application Discovery Manager User s Guide vcenter Application Discovery Manager 6.2.1

vcenter Support Assistant User's Guide

Copyright 2014 Jaspersoft Corporation. All rights reserved. Printed in the U.S.A. Jaspersoft, the Jaspersoft

Chapter 6 Using Network Monitoring Tools

M86 Web Filter USER GUIDE for M86 Mobile Security Client. Software Version: Document Version:

Installation Guide ARGUS Symphony 1.6 and Business App Toolkit. 6/13/ ARGUS Software, Inc.

GTS Software Pty Ltd. Remote Desktop Services

Application Security Policy

Gigabyte Content Management System Console User s Guide. Version: 0.1

White Paper BMC Remedy Action Request System Security

Omniquad Exchange Archiving

MadCap Software. Upgrading Guide. Pulse

LifeSize Control Installation Guide

NSi Mobile Installation Guide. Version 6.2

HELP DOCUMENTATION SSRPM WEB INTERFACE GUIDE

IDENTIKEY Server Windows Installation Guide 3.2

VMware vcenter Log Insight Security Guide

SMART Vantage. Installation guide

Sage 200 CRM 2015 Implementation Guide

In this topic we will cover the security functionality provided with SAP Business One.

ITAR Compliant Data Exchange

Installing and Configuring vcloud Connector

Thinspace deskcloud. Quick Start Guide

Server Installation ZENworks Mobile Management 2.7.x August 2013

F-Secure Messaging Security Gateway. Deployment Guide

FormFire Application and IT Security. White Paper

docs.hortonworks.com

Transcription:

SECURITY DOCUMENT BetterTranslationTechnology

XTM Security Document Documentation for XTM Version 6.2 Published by XTM International Ltd. Copyright XTM International Ltd. All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, including photocopying, without the written permission of XTM International Ltd. Updated June 2012 XTM-International Ltd, PO Box 2167, Gerrards Cross, SL9 8XF, UK Tel.: +44 (0)1753 480479 email: sales@xtm-intl.com http://www.xtm-intl.com Page 2

XTM Security Document Introduction... 4 XTM Architecture... 4 XTM Cloud Environments... 4 Physical security... 4 Access Management... 4 Access Control... 5 Identification and Authentication... 6 Data Transmissions... 6 Auditing and Logging... 6 Application timeout after a period of inactivity... 7 Application Monitoring... 7 Database connections... 7 Application Security... 7 Application Error Handling... 7 Web services... 7 Business Continuity / Disaster Recovery... 8 Server Management... 8 Server data access... 8 Data protection... 8 Fire-fighter account controls... 8 Page 3

XTM Security Document Introduction This document summarises the data and application security aspects of XTM. It covers both XTM Cloud, the SaaS version of XTM, and XTM Suite, the traditionally licenced software installed on a customer s Server. XTM Architecture XTM is written in Java and runs on servers under Windows Server or Linux. Users access the program entirely via a web browser. XTM currently supports Internet Explorer and Firefox. XTM Cloud Environments All XTM International s servers use Centos v5.6 and use port 443 and the HTTPS protocol. The system uses at least SSL version 3.0 with at a minimum of 128-bit cipher strength. XTM cloud exists in the following environments that are installed on different servers: Production servers for customers Stage server for customer testing Beta server for XTM staff and selected users Testing server for XTM International The XTM Cloud production servers are deployed in one zone which is protected by a firewall and only allows HTTPS and SSH connections. For hosted servers the customer can decide whether to use HTTPS. Physical security XTM International currently uses three hosting centres for XTM Cloud servers: 1. Germany, Nuremberg 2. France, Roubaix 3. USA, Saint Louis, Missouri These state of the art hosting facilities provide the following physical security: Multiple redundant internet connections Fully automatic room climate control and air moistening UPS and voltage filters Fire protection 230V power supply Early detection system for smoke 24 hour security service Video surveillance Admission control Diesel generators Access Management An XTM administrator can create, grant, modify and revoke access to the application for project managers and linguists. Project managers can create, grant, modify and revoke access to the system to linguists. XTM International works with the system administrators and project managers to set the rolebased access for users and ensure that the least privilege principle is consistently implemented. Page 4

Access Control XTM has the following access control features: XTM Security Document Feature Allowed log on attempts Disable account after non-use Computer activation level Password duration Check against previous passwords Minimum password length. Use brute force dictionary Force password change at first log in Password strength Administrator control - Description If the user makes the specified number of invalid logon attempts then their account will be locked and they will not be able to access the system. In order to unlock the account the administrator needs to go to the Users tab and select unlock account form the menu icon in the left hand column of the users listing. If the user does not log into their account during the period of days specified then the account will be locked. The account will then need to be unlocked by the administrator as described above. This setting specifies who will need to go through the PC activation process on first log in. The process involves generating an automatic email to the user which contains a link to download a cookie. This field specifies the number of days that user passwords will be valid. After this period the user will have to change their password. This field specifies the number of previous passwords that cannot be used as the current password. This field specifies the number of characters required in the password This dictionary defines the words that cannot be used as or in a password. By default the following words and components are excluded: User Guest Admin User s first or last name Sys Test Pass Super Check box to enforce this measure There are 3 levels of password strength which define the mixture of characters in the password. Characters are split into 4 groups: Upper-case letters, Lower-case letters, Numbers Non-alphanumeric symbols. The password strength is thus: Simple Medium Strong Must use characters from at least 1 group. Must use characters from at least 2 of the groups. Must use characters from at least 3 of the groups. Page 5

Identification and Authentication XTM Security Document XTM may either connect to an LDAP service for user authorisation or perform the authentication itself. When the authorisation is performed internally, firstly the password entry is hidden on sign in. Then the username and password are sent over the HTTPS encrypted connection to the server. At the server the authenticated Class connects to the appropriate database tables. All passwords are encrypted using SHA1 algorithm. The username and password pair is checked against the appropriate database entry. The user roles are also extracted from the database which governs the level of access of the user has to various parts of the system. On first sign- in the user is directed to the password reset page and encouraged to change the initial password. Browser HTTPS Apache Tomcat Database XTM Server XTM login security diagram Data Transmissions Users need to register their PC in order to access XTM Cloud. This is optional for XTM Suite. This is achieved through the installation of a cookie. The link for the cookie is sent to the user s email address. For XTM Cloud the communication between the end user and XTM uses HTTPS. This is optional for other XTM implementations. If a file is uploaded for processing and the upload is faulty then the user will receive a message that the file is corrupted. Auditing and Logging The XTM components that have logging capabilities are configured to produce a security audit log. These are: Apache HTTP Server log PostgreSQL log System log XTM log The following events are logged within XTM User logon and log off XTM Editor: Opening, saving and navigation to another page. On XTM Cloud and hosted servers managed by XTM international, all the logs are retained for 90 days, except for the PostgreSQL log which is retained for 7 days. Page 6

XTM Security Document To ensure that the log files are secured during system restarts, they stay on a mirrored HDD RAID ARRAY and are backed up onto an external machine daily. Application timeout after a period of inactivity In XTM Editor the user pings the server every 10 seconds. When a translator enters a page the segments are locked for other users. If the pings are not detected, when for example the browser or PC has crashed or if the user simply closes the browser without logging out, XTM releases the locked segments quickly. If no user activity is recorded for a period of 60 minutes then XTM closes the session. XTM project manager session time out after 60 minutes of user inactivity, however if the browser or the computer is closed then the session expires within 4 minutes. XTM TM Manager and XTM Terminology Manager sessions time out after 60 minutes of user inactivity if the browser is open, and within 20 minutes if the browser of computer is closed. Application Monitoring XTM Cloud and hosted servers managed by XTM International are proactively monitored by Nagios to ensure that all systems, applications and services, are functioning properly. In the event of a failure, Nagios alerts XTM International s technical staff of the problem, allowing them to begin remedial action before outages affect end-users. Database connections XTM applications connect to the database with the minimum privileges required. Application Security XTM does not permit cross-site scripting or SQL injection. Application Error Handling XTM displays an error message to the user on the web page with a link to a page containing the details of the error can be viewed in the log. The XTM Software development lifecycle process (SDLC) process ensures testing of potential intrusion threats such as SQL injection and session hijacking. This includes testing that error conditions cannot be forced, or that if error conditions are encountered that they cannot be used to breach the security mechanisms of the system. Web services The standard implementation of XTM does not expose web services. XTM has the option to connect to the Google Translate API or Asia Online Language Studio in order to provide translators with machine translations of text. Both of these options require the XTM administrator to set up a paid account with the MT provider There is also an optional API to integrate XTM with third party applications which can be set up with or without SSL. On XTM Cloud SSL is used. Each web service method has a LoginAPI object which contains three fields: Company, User, and Password. These fields have to be filled every time you call the web service method. Page 7

Business Continuity / Disaster Recovery XTM Security Document The XTM Cloud servers are equipped with mirrored disk arrays in case of HDD failure, all data is backed up every day (or every few hours depending on the client s specification) onto an external server. In case of hardware failure damaged components can be replaced in few hours or the whole service can be relocated to other machine using data from the latest backup. After every configuration change that can affect current procedures, the business continuity/disaster recovery procedures are tested and revisited to ensure they provide the required level of business continuity in emergency scenarios. The XTM Support SLA and Redmine issue tracking system ensure that details of any application incident are logged and managed correctly. Server Management Each administrator has a separate account to the server and there are no shared IDs. Server data access No directories can be accessed from web clients. There is a generic error page to hide the actual error message or warning returned. Data protection XTM International has a team of 9 core developers. If any developers leave the team, then they immediately lose all access rights to all development, testing and production systems. Only developers working on specific issues have access to production data and if the data is copied by developers for testing purposes it is deleted on completion of the tests. Production data is not stored on mobile media. Fire-fighter account controls In order to provide high quality support required of the SLA there are privileged accounts (firefighter accounts) that the XTM technical team use to access XTM Cloud. These accounts which allow access to customer s data are password protected and use is monitored via the log. Page 8

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information