QuickBooks Online: Security & Infrastructure

QuickBooks Online: Security & Infrastructure May 2014

Contents
- Introduction: QuickBooks Online Security and Infrastructure
- Security of Your Data
- Access Control
- Privacy
- Availability
- QuickBooks Online Compliance Efforts
- Industry Standard Infrastructure Security
- Code Security
- Independent/External Validation of Assets and Practices
- Additional Resources

Introduction: QuickBooks Online Security and Infrastructure

At Intuit QuickBooks Online (QBO), we consider the security of your information a primary responsibility. We take specific precautions to provide security while your data is in transit from your computer to our servers, as well as while it is being processed and stored in our data centers.

Security of Your Data

No single measure can effectively provide complete security, so at QBO we employ a strategy called defense in depth: a layered approach with multiple security measures in place to help protect your data at all times.

Let's start with your data as it leaves your browser. QBO always establishes a secure connection to your browser, indicated by the small padlock symbol displayed on your screen (the location varies based on the browser you use). This secure connection uses SSL (Secure Sockets Layer) technology, which ensures your data is encrypted as it flows through the Internet. Upon receipt, your data passes through an Intuit-controlled firewall put in place to help prevent unauthorized access from outside Intuit's network. Once in our data centers, your data is processed and stored on dedicated QBO-only clusters where access is limited to a very small number of skilled technicians. As additional protection, highly sensitive information such as credit card numbers and Social Security numbers is converted into tokens or encrypted prior to being stored.

Access Control

QBO provides fine-grained role-based security so that only you or your designee can specify who can access your data and what level of privileges is granted to different users. We also enforce strong password requirements (adhering to PCI standards) for all user logins. You control who accesses your financial data, and what they can see and do with it. Each person you invite to use QBO must create a unique login. We also offer multiple permission levels that let you limit the access privileges of each user.
For example, you may want your part-time contractor to be able to enter his hours, but not access your latest P&L charts. QBO also provides a comprehensive Audit Log that records the actions taken by different users. This can help you keep track of user actions on the data. In short, you can rest assured that only authorized users can access the data, and only to the extent that is explicitly configured via role-based permissions.
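The role-based check and audit trail described in this section, as an added example (this is illustration code, not Intuit's implementation; the role names, permission strings and users are constructed for the example). Every permission check is recorded whether it succeeds or fails, and unknown users or roles are denied by default:

```python
"""Role-based access control with an audit log (added example, not Intuit code).

Each invited user is assigned a role, every action is checked against that
role's permission set, and every attempt, allowed or denied, is appended to an
audit log. Role and permission names are assumptions for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Roles map to the set of permission strings they grant.
# These names are constructed for the example, not QBO's actual roles.
ROLES = {
    "owner": {"time.enter", "time.view", "reports.view", "users.manage"},
    "accountant": {"time.view", "reports.view"},
    "contractor": {"time.enter"},   # can enter hours, cannot see P&L reports
}


@dataclass
class AuditEntry:
    when: str
    user: str
    action: str
    allowed: bool


@dataclass
class AccessController:
    assignments: dict = field(default_factory=dict)  # user -> role name
    audit_log: list = field(default_factory=list)    # list of AuditEntry

    def assign(self, user: str, role: str) -> None:
        if role not in ROLES:
            raise ValueError(f"unknown role {role!r}")
        self.assignments[user] = role

    def is_allowed(self, user: str, action: str) -> bool:
        role = self.assignments.get(user)
        # Unknown users and unknown roles are denied (fail closed).
        return role is not None and action in ROLES.get(role, set())

    def perform(self, user: str, action: str) -> bool:
        """Check the permission and record the outcome in the audit log."""
        allowed = self.is_allowed(user, action)
        self.audit_log.append(AuditEntry(
            when=datetime.now(timezone.utc).isoformat(),
            user=user, action=action, allowed=allowed))
        return allowed


def demo() -> dict:
    """Owner and contractor scenario from the text; returns outcomes and denials."""
    ac = AccessController()
    ac.assign("alice", "owner")
    ac.assign("bob", "contractor")
    results = {
        "bob_enters_hours": ac.perform("bob", "time.enter"),
        "bob_views_pnl": ac.perform("bob", "reports.view"),
        "alice_views_pnl": ac.perform("alice", "reports.view"),
        "stranger_views_pnl": ac.perform("mallory", "reports.view"),
    }
    results["denied_events"] = [e for e in ac.audit_log if not e.allowed]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The denied entries are the ones worth alerting on: a burst of denied `reports.view` attempts from a contractor account is exactly the signal an audit log exists to surface.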

Privacy

We build privacy into everything we do. It's not an afterthought or corporate rhetoric; it's how we choose to treat and respect our customers on a daily basis. That's why we follow a strict set of guidelines and practices to help protect all of your private information. We will not, without explicit permission, sell, publish or share data entrusted to us by a customer that identifies the customer or any person. Our employees are trained on how to keep data safe and secure. Intuit is a licensee of the TRUSTe Privacy Program, an independent, nonprofit organization committed to the use of fair information practices. For full disclosure of our privacy practices, please review our Privacy Statement (see Additional Resources).

Availability

Intuit QBO takes service availability very seriously. Measures for resilience and redundancy ensured QBO was available to customers for 99.9% of the time in 2013. In addition, QBO is set up to survive a major disaster and allow continued access to customer data. All parts of the infrastructure required to run QBO have redundancy across two geographically separate data centers. Each data center has a Tier-4 classification with high physical security and redundancy, and backups for power and cooling. Each infrastructure component for the application has redundancy to help avoid an unrecoverable single point of failure. All application servers are spread across multiple isolated fault domains in server farms built on virtualization technology for high availability. All user data is continuously replicated between the data centers over a private network using industry standard replication technology from Oracle. The lag in data synchronization between data centers is maintained at less than 5 minutes. We ensure reliability of our multi-data center setup by having at least some QBO customers in each data center at all times.
Intuit engineers practice documented procedures to switch services between data centers at least once every quarter.

QuickBooks Online Compliance Efforts

Payment Card Industry (PCI): QBO is certified according to the Payment Card Industry (PCI) Data Security Standards (DSS) on an annual basis by our third-party Qualified Security Assessor, Trustwave, Inc.
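The tokenization of card numbers mentioned under Security of Your Data is the usual way to keep the application database out of scope for the PCI DSS certification described here. The following is an added example of that pattern, not Intuit's code: the application record keeps only an opaque random token and the last four digits, while the full number lives in a separate vault (an in-memory dict here; in practice a separately secured service with its own access controls). The card number used is a well-known test number, not real card data.

```python
"""Card-number tokenization vault (added example, not Intuit's implementation).

The application database stores only a random token plus the last four digits;
the full PAN exists only inside TokenVault. Token format and validation rules
are assumptions for the example.
"""
import re
import secrets


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to reject obviously mistyped card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps random tokens to full card numbers; the only place a PAN is kept."""

    def __init__(self) -> None:
        self._by_token: dict = {}
        self._by_pan: dict = {}    # same PAN always yields the same token

    def tokenize(self, pan: str) -> str:
        digits = re.sub(r"\D", "", pan)
        if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
            raise ValueError("not a plausible card number")
        if digits in self._by_pan:
            return self._by_pan[digits]
        # 128 random bits: the token carries no information about the PAN,
        # so a leaked application database reveals nothing about card numbers.
        token = "tok_" + secrets.token_hex(16)
        self._by_token[token] = digits
        self._by_pan[digits] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only a payment-processing path should ever be allowed to call this."""
        return self._by_token[token]


def store_payment_method(vault: TokenVault, app_db: list, customer: str, pan: str) -> dict:
    """Write what the application database keeps: token and last four, never the PAN."""
    token = vault.tokenize(pan)
    record = {"customer": customer, "card_token": token,
              "last4": re.sub(r"\D", "", pan)[-4:]}
    app_db.append(record)
    return record


def demo() -> tuple:
    """Store a constructed test card and confirm the PAN never reaches app_db."""
    vault = TokenVault()
    app_db: list = []
    rec = store_payment_method(vault, app_db, "acme-llc", "4111 1111 1111 1111")
    leaked = any("4111111111111111" in str(r) for r in app_db)
    return rec, leaked, vault.detokenize(rec["card_token"])


if __name__ == "__main__":
    print(demo())
```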

Industry Standard Infrastructure Security

The following are our QBO security measures:

a. Tier-4 Data Center: QBO is hosted in two premier Tier-4 data centers. Tier-4 is the highest category in the data center industry tiers.

b. Stringent Background Checks: Intuit has been in the business of consumer and small business finance for decades. We have robust, established recruiting practices that involve several rounds of background and reference checks.

c. Site Security: All our key sites are guarded by onsite security personnel, and we enforce access-card-based entry to each building and 24/7 perimeter vigilance and control. Data center security is stricter still: without a special privilege pass, even an Intuit employee cannot enter our data centers. We segregate roles within our development and production teams, and production access requires appropriate levels of authorization. For example, our Operations function is vertically separated into Development Ops and Production Ops to enable the highest degree of control over access to Intuit production assets.

d. Throttling and Other Limits Mitigate Risk of DDoS: Online services are often at risk from distributed denial of service (DDoS) attempts. At Intuit, we use industry standard DDoS appliances to help detect, minimize and prevent potential service impact.

e. Password Policy: We follow a strong password policy and password duration for all environments.

f. Regular Updates and Security Patching: We have quarterly/bi-yearly/yearly cycles to update software patches, including security patches for our hardware and software stacks. We listen to security distributions from our vendors and identify proper actions to rapidly ensure the security of QBO users where applicable.

Code Security

a. Release process tied to strong security metrics with stringent exit criteria: We log thousands of hours of security code reviews every year by our most senior staff, principal and distinguished engineers, looking for anti-patterns and focusing on SQL injection; cross-site scripting; encryption usage; and correct usage of application APIs. A Code Collaborator tool is used to track the reviews and is integrated with our source-code control system for review audits. We also use static code analysis tools such as Coverity and Fortify to scan the code for any existing anti-patterns. Consider this coarse-grained protection a complement to the fine-grained protections applied in code reviews.

b. Security coding standards and industry standard practices followed in business logic; user interface (JavaScript; CSS); data/schema and logs: Authentication has built-in resistance to denial-of-service and brute-force attacks. To frustrate automated attacks, we require a CAPTCHA after a certain number of failed login attempts. Secret and sensitive information is encrypted in storage and in transit. The most confidential data, such as credit card numbers, is tokenized away from storage. Auditing, logging and reporting are in compliance with industry standard security practices.

c. Test Cases: Our developers are also required to write unit tests to assure that code behaves properly in the face of common forms of attack.
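The failed-attempt counter that escalates to a CAPTCHA, described in item (b), as an added example (illustration code, not Intuit's; the threshold of three failures, the fifteen-minute window, the password hashing parameters and the sample user are all assumptions, since the page does not state QBO's values). The guard refuses to even check the password once the account is gated, and it counts failures against unknown usernames too, so the response does not reveal which accounts exist:

```python
"""Failed-login counter with CAPTCHA escalation (added example, not Intuit code).

After CAPTCHA_AFTER failures within WINDOW_SECONDS, further attempts on that
username must carry a solved CAPTCHA before the password is checked at all.
Threshold, window and hashing parameters are assumptions for the example.
"""
import hashlib
import hmac
import secrets
import time

CAPTCHA_AFTER = 3          # failures before a CAPTCHA is demanded (assumed value)
WINDOW_SECONDS = 15 * 60   # failures older than this are forgotten (assumed value)
PBKDF2_ROUNDS = 100_000    # slow hash so offline guessing is also expensive


def make_user(password: str) -> tuple:
    """Return (salt, pbkdf2 hash) for a constructed sample account."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class LoginGuard:
    def __init__(self, users: dict, clock=time.time) -> None:
        self._users = users            # username -> (salt, hash)
        self._clock = clock            # injectable for deterministic tests
        self._failures: dict = {}      # username -> list of failure timestamps

    def _recent_failures(self, username: str) -> int:
        now = self._clock()
        stamps = [t for t in self._failures.get(username, []) if now - t < WINDOW_SECONDS]
        self._failures[username] = stamps
        return len(stamps)

    def needs_captcha(self, username: str) -> bool:
        return self._recent_failures(username) >= CAPTCHA_AFTER

    def attempt(self, username: str, password: str, captcha_solved: bool = False) -> str:
        """Return 'ok', 'bad_credentials' or 'captcha_required'."""
        if self.needs_captcha(username) and not captcha_solved:
            # Reject before touching the password: automated guessing stops here.
            return "captcha_required"
        record = self._users.get(username)
        if record is not None:
            salt, expected = record
            got = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
            if hmac.compare_digest(got, expected):
                self._failures.pop(username, None)   # success clears the counter
                return "ok"
        # Count the failure even for non-existent accounts so the response
        # cannot be used to tell valid usernames from invalid ones.
        self._failures.setdefault(username, []).append(self._clock())
        return "bad_credentials"


def demo() -> list:
    """Three wrong guesses, then gated attempts, then a CAPTCHA-backed success."""
    now = [1000.0]
    guard = LoginGuard({"alice": make_user("correct horse")}, clock=lambda: now[0])
    out = [guard.attempt("alice", guess) for guess in ["a", "b", "c", "d"]]
    out.append(guard.attempt("alice", "correct horse"))                       # gated
    out.append(guard.attempt("alice", "correct horse", captcha_solved=True))  # ok
    now[0] += WINDOW_SECONDS + 1
    out.append(guard.attempt("alice", "wrong"))   # counter cleared, so no gate
    return out


if __name__ == "__main__":
    print(demo())
```

Note that the fourth guess ("d") is never compared against the stored hash: the gate answers `captcha_required` first, which is the property that makes the counter effective against scripted guessing rather than merely annoying.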

Independent/External Validation of Assets and Practices

Regular (Independent) Penetration Testing: In addition to our industry standard practices and stringent processes, to further mitigate the risk of exposing a vulnerability we follow a daily/monthly/yearly regime of security tests.

Daily: Static automated analysis with tools.
Monthly: Trustwave PCI compliance scans (see Additional Resources).
Yearly: Negative penetration tests by external independent security experts. Here we assume everything is suspect and simulate bot attacks to test whether our firewall, web and application servers hold against the most stringent denial of service and other malicious attacks.

We have strategic partnerships with some of the most respected names in the security practice domain, and we regularly bring those experts in-house to audit and attempt to break our code. Some of the series of tests we perform against ourselves include the following:

- Denial of service attacks using a large number of attackers trying to overwhelm servers, or using large payloads to break our application.
- Privilege escalation attacks to try to access additional data without appropriate credentials.
- Mass mining for information attacks to try to obtain sensitive data, with or without valid credentials.
- CSRF (Cross-Site Request Forgery) attacks to try to hijack a user session and force the browser to send requests to malicious sites.
- Cross-site scripting attacks to reflect attacker's content back to the user for execution and pass sensitive information on to the attacker.
- SQL injection attacks to inject SQL into the application with malicious intent.
- Cookie management tests.
- Attempts to break weak passwords.
- Packet sniffing attacks to intercept sensitive or private information in flight.

Additional Resources

Trustwave PCI Compliance - https://www.trustwave.com/home/
Privacy Statement - https://security.intuit.com/privacy
General Intuit Security - https://security.intuit.com/index.php