Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data




Version 2.0, July 2015

Overview

Thank you for your interest in Kenna Security. In this document, you'll find a technical overview of the comprehensive security measures Kenna uses to protect your data while using the platform. These processes are important to achieving our goal of safeguarding user data while maintaining a positive and effective user experience.

At Kenna we take the security and privacy of your data very seriously. We make every effort to help ensure that your data stays protected whenever you use our platform. Our software and systems architecture was built with maximum security in mind.

[Figure: Multiple Layers of Protection. Layers shown around Customer Data: Password Salted-Hash; Highly Secure Server Hosting; XSS & CSRF Protection; SSL/SSH Encryption; Centralized Logging & Alerting; Vulnerability Scanning, Internal Audits & Patching.]

Key Security Feature List

The list below summarizes some of the key ways in which the Kenna service has been designed and developed to better protect your data:

- AES-256 (data at rest) and SSL/TLS (data in transit) to encrypt and protect stored information.
- Security patches deployed within 24 hours, and minor patches within 48 hours, of public release and verification testing.
- Network traffic encrypted using SSL/SSH.
- Password data stored in a one-way salted hash.
- FIPS-approved encryption algorithms and implementations.
- Servers hosted in a highly secure data center facility with multiple third-party certifications.
- Annual internal audits using SSAE16 and regularly scheduled penetration testing.
- Built-in platform protection and implementation controls to reduce risk from common web-based threats, such as cross-site scripting (XSS) and cross-site request forgery (CSRF).
- Centralized logging and alerting.
- Strong authentication mechanisms for remote access through two-factor authentication.
- Automatic session expiration after a certain period of inactivity.
- Role-Based Access Control.
- Regularly scheduled vulnerability scanning using proprietary, commercial and open-source tools.
- Full vulnerability management and remediation using Kenna.

Security Architecture Design

[Figure: Secure Sessions, showing the user's browser connecting to https://kenna.]

User Sign Up
During the sign-up process, the user generates their own password, which is used as the basis for the encryption key. User passwords are stored in a one-way salted hash. By design, it is impossible for any Kenna employee to access user passwords.

User Sign In
Users are authenticated when they sign in to Kenna using their password. The password is used to send an authentication hash via SSL to the Kenna server for authentication. Sessions expire after a 15-minute session timeout. The application supports single sign-on using OAuth login standards. Two-factor authentication can also be set up at the client level by sending a one-time password to supporting applications.

Data in Transit
All application traffic occurs over SSL/TLS, and all network traffic is encrypted via SSL/SSH. All communication between the user's device and Kenna is further encrypted at all times using SSL/TLS as an automated layer of data protection.

HTTPS Transport Security
The Kenna platform runs exclusively over HTTPS, such that if someone manually edited the URL to start with http://, they would be redirected to an https:// URL. This prevents SSL-stripping attacks in the event that a user connects to Kenna from an untrusted network.

Cookie Attributes
All authentication cookies use the secure flag as well as the http-only flag. This ensures that cookies are only sent over secured connections and that the cookies cannot be accessed over non-http(s) methods.
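Added plain-Ruby illustration (not Kenna's code) of the http-to-https redirect, the Secure/HttpOnly cookie attributes and the 15-minute idle timeout described above, which in a Rails application come from config.force_ssl and the session store settings. The redirect alone cannot help a user whose very first http request is intercepted before it reaches the real server, so the example also sends an HSTS header, which the page does not mention; the host, cookie name and HSTS policy are assumed.

```ruby
SESSION_TIMEOUT = 15 * 60 # seconds; the page states a 15-minute inactivity timeout
HSTS_POLICY = "max-age=31536000; includeSubDomains" # assumed policy (one year)

# Rack-style wrapper: a plain-http request never reaches the application; it is
# answered with a 301 to the same URL on https://. On https responses the HSTS
# header makes the browser refuse plain http for this host from then on.
def force_https(app)
  lambda do |env|
    scheme = env["HTTP_X_FORWARDED_PROTO"] || env["rack.url_scheme"]
    unless scheme == "https"
      target = "https://#{env["HTTP_HOST"]}#{env["PATH_INFO"]}"
      query = env["QUERY_STRING"].to_s
      target += "?#{query}" unless query.empty?
      return [301, { "Location" => target, "Content-Length" => "0" }, []]
    end
    status, headers, body = app.call(env)
    headers["Strict-Transport-Security"] = HSTS_POLICY
    [status, headers, body]
  end
end

# Set-Cookie value for the session id (cookie name assumed): Secure keeps it off
# plain http, HttpOnly keeps it away from scripts, SameSite=Lax limits cross-site sends.
def session_cookie(session_id)
  "session_id=#{session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"
end

# Idle timeout over an in-memory store { id => last_seen }: a request inside the
# window refreshes the clock; a request after it destroys the session instead.
def touch_session(store, session_id, now = Time.now)
  last_seen = store[session_id]
  return :unknown if last_seen.nil?
  if now - last_seen > SESSION_TIMEOUT
    store.delete(session_id)
    :expired
  else
    store[session_id] = now
    :active
  end
end
```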

Kenna Security Architecture & Benefits

The rapid growth of cloud-based services, coupled with the discovery of significant security weaknesses, has demanded heightened awareness and the use of high-level security measures and encryption protocols. We have carefully designed every aspect of Kenna to maximize the security of our users. In this section, we'll highlight some of the benefits of this approach.

All data is encrypted using a salted hash before being transferred to Kenna. Both the data encryption key and the authentication hash are derived on the user's computer from the user's password. This architecture is much more resilient to attack. Even in the unlikely event that an attack were to occur, the attacker would face the difficult task of a brute-force attack on each user's AES user data files separately. And as Kenna employs the bcrypt algorithm, with more than 10,000 iterations, the encryption keys used to protect users' data have high complexity. This makes an attack impractical.

[Figure: Customer Password deriving both the Data Encryption Key and the Authentication Hash.]
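The split described above, as an added Ruby example that is not Kenna's code: one password yields an authentication hash for the server and a separate AES-256 key that stays on the client, and the server stores only a salted one-way hash of what it receives. PBKDF2-HMAC-SHA256 from Ruby's openssl stdlib stands in for bcrypt, and the iteration count, salts and sample data are constructed.

```ruby
require "openssl"

ITERATIONS = 10_000 # assumed work factor; the page cites "more than 10,000"

def kdf(secret, salt)
  OpenSSL::KDF.pbkdf2_hmac(secret, salt: salt, iterations: ITERATIONS,
                           length: 32, hash: "sha256")
end
# Client side: one password, two independent secrets. The purpose suffix keeps
# the auth hash (sent to the server) unrelated to the encryption key (kept local).
def derive_secrets(password, user_salt)
  { enc_key: kdf(password, user_salt + "encrypt"),
    auth_hash: kdf(password, user_salt + "authenticate") }
end

# Server side: the auth hash is itself stored as a salted one-way hash, so a
# database leak yields neither the password nor a replayable login token.
def enroll(auth_hash)
  salt = OpenSSL::Random.random_bytes(16)
  { salt: salt, digest: kdf(auth_hash, salt) }
end
def verify(record, auth_hash)
  OpenSSL.secure_compare(kdf(auth_hash, record[:salt]), record[:digest])
end
# Client side: AES-256-GCM under enc_key, so the stored blob is tamper-evident
# as well as confidential; the server only ever holds the sealed blob.
def seal(enc_key, plaintext)
  c = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  c.key = enc_key
  iv = c.random_iv
  { iv: iv, ct: c.update(plaintext) + c.final, tag: c.auth_tag }
end

def unseal(enc_key, blob)
  c = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  c.key = enc_key
  c.iv = blob[:iv]
  c.auth_tag = blob[:tag]
  c.update(blob[:ct]) + c.final
rescue OpenSSL::Cipher::CipherError
  nil # wrong key or tampered blob: the GCM tag check fails
end

# Constructed walk-through with a fixed salt (real salts are random per user).
def demo
  good   = derive_secrets("correct horse battery staple", "constructed-salt")
  wrong  = derive_secrets("incorrect password", "constructed-salt")
  record = enroll(good[:auth_hash])
  blob   = seal(good[:enc_key], "constructed vulnerability report")
  { login_ok: verify(record, good[:auth_hash]),
    login_wrong: verify(record, wrong[:auth_hash]),
    roundtrip: unseal(good[:enc_key], blob),
    wrong_key: unseal(wrong[:enc_key], blob) }
end
```

A wrong password fails verify and unseal alike, so a stolen blob is useless without the client-side key.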

Operational Security

We apply high security standards not only to our product software, but also to our infrastructure and operational model. This ensures that we are protecting the confidentiality and integrity of our customers' data and our own.

Kenna Corporate Security Policy
Kenna has clearly defined corporate security requirements with which every employee must comply, and technical standards for secure software development. Kenna has a process in place to ensure that access to data is granted solely on a need-to-know basis. There is also an active process to revoke access for employees, contractors, or others who have left our company and no longer require access (this includes physical access, logical access, and access to any SaaS or external applications that our company uses). Third parties (such as outsourcing partners, vendors and subcontractors) do not have access to unencrypted company data.

We have a documented incident response process, with personnel available on a 24x7 basis to respond to information protection incidents. We will notify the affected company of an information protection incident affecting their data within twenty-four hours of becoming aware of the incident. If a security incident were to occur, we would be willing to share audit logs with the affected company for review.

We provide adequate security and privacy training internally. We provide secure software development training to our engineers, teaching them about common threats and countermeasures related to the software they are writing. Within the code itself, our development team leverages as many of the security functions made available by the Rails framework as possible. All of our developers use the OWASP secure coding guide, cheat sheets and relevant technology-specific guidelines such as the OWASP Rails Security Guide. Kenna regularly conducts vulnerability scanning using proprietary, commercial and open-source tools, and uses our own platform for vulnerability management and remediation.

PCI Compliant Data Center
Although the Kenna platform does not store credit card information, our data center complies with the Payment Card Industry Data Security Standard (PCI-DSS).

Server Hosting

All Kenna servers, including all of our production computing equipment that handles and processes company information, are located in a physically secure data center. This data center has received the following certifications:

- SSAE 16 Type II certification detailing physical and environmental controls (available upon request).
- Control program certified based on the ISO/IEC 27001:2005 standard for Information Security Management Systems.
- Validated as a Level 1 Service Provider under PCI-DSS.
- Certified for HIPAA compliance.

Third Party Security Testing
Kenna conducts annual security audits that use SSAE16 by an independent auditor, as well as regularly scheduled self-penetration testing. We also perform software code reviews before every release using expert manual techniques and automated code analysis tools. This method specifically addresses security issues in the code and ensures high code quality and regression testing. These code reviews are performed both by peers within our organization and by an independent company.

Network Architecture - Application Database Server Isolation
The design of our network is based on a three-tiered Model View Controller architecture that has been compartmentalized and firewalled, and we carefully segment each of these technology layers via network and access controls. Kenna has implemented documented security configuration baselines that harden and secure our systems.

Secure Admin Access
Kenna implements levels of access privileges, or roles, called Role-Based Access Control, so that users can be assigned only the permissions they need to perform their respective functions. By default, no access to front-end or back-end services is granted to any employee; access is granted based only on operational need and at the least privilege necessary to perform the duty. All access to the Kenna infrastructure requires VPN access with two-factor authentication to enhance security and accountability.

Kenna has the ability to delete data on demand in response to a request to delete data. Conversely, we have established anti-recovery techniques to help prevent malicious recovery of deleted data.

Log Management
A centralized log management and monitoring solution is in place to detect, prevent and alert on unauthorized access to Kenna systems. This also allows our team to reconstruct the actions that any given user took within the application.

Patch Management
All servers and applications are kept up to date with the latest tested patches in the production environment through daily forced patches. Specifically, security patches are deployed within 24 hours, and minor patches within 48 hours, of public release and verification testing. We also have an emergency process in place to install patches outside the regular patching schedule for security updates that address high-risk vulnerabilities.

Server Hardening
All configuration is managed centrally via Chef. Web servers and databases have been hardened and secured using documented security configuration baselines from NIST's Guide to General Server Security. Firewalls restrict network access to only the necessary ports, and are configured based on the principle of least privilege according to NIST's Guide to General Server Security.

Change Management
Our code is tested via static analysis and dynamic scanning prior to being deployed to our production environment. All code is deployed using Reduced Attack Surface deployment, and we use generic exception handling to help prevent information disclosure attacks. Source code is also kept in a code repository with versioning controls.

Web Application Platform Protections
Kenna protects all state-changing actions against cross-site request forgery (CSRF) using built-in platform protection, and uses implementation controls plus additional code-side filtering to prevent cross-site scripting (XSS). These methods are also used to protect against SQL injection and other significant security vulnerabilities arising from web traffic.

Ensuring User Data is Safe and Secure

While designing and developing the platform, we have made it our mission to deliver a product that provides users with an effective vulnerability threat prioritization platform that also delivers strong data security. As this document explains, Kenna performs many complex security functions in the background to protect confidential data, but by design the user need not be aware of these processes. Regardless of technical knowledge, all user types can benefit from the high level of security that Kenna offers in its platform.

At Kenna, we are both users and developers of our platform. Just as our users use a variety of tools, processes and technologies to help secure and control their environment, we are doing much the same here. Of course, at the center of our vulnerability intelligence is our own instance of Kenna, which is a reliable part of our daily workflow. Not only do we use Kenna to manage and remediate our vulnerabilities internally, we also offer our clients read-only access to our account, upon request. We understand the trust our customers place in our services and are committed to transparency in our controls.

COPYRIGHT 2015 KENNA, INC. ALL RIGHTS RESERVED.