Security FAQ

From Clariopedia

General Security Questions

  • Where is my data located?
    • Redundantly at multiple secure data centers located on the east coast of the United States and operated by Amazon.com, Incorporated.
  • Is my data secure at Amazon AWS data centers?
    • Yes[1]. Amazon has many years of experience in designing, constructing, and operating large-scale data centers. This experience has been applied to the AWS platform and infrastructure. AWS data centers are housed in nondescript facilities, and critical facilities have extensive setback and military grade perimeter control berms as well as other natural boundary protection. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state of the art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication no fewer than three times to access data center floors.
  • How is my data segregated from other customers?
    • As a true multi-tenant application, clario® segregates customers' data logically using application-level security. clario System Administrators assign data security rules that determine which users have access to which data. End users have the ability to authorize other users within their organization to access their data and projects if desired. All user access changes are logged.
  • Who can access my data in your company?
    • clario System Administrators can access data for support purposes only.
  • How are the users authenticated and authorized?
    • Users are authenticated and authorized via internal, replicated LDAP servers that store the users' credentials using industry-standard one-way hash algorithms.
  • How secure is the clario web application?
    • clario uses 128-bit SSL to protect all data transmitted between the end user's web browser and the application server. The application server resides in a colocation facility protected by current facility-level and network-level security measures.
  • How do you protect my data from breaches?
    • Access to all data in clario is controlled using a keyed-hash message authentication code (HMAC-SHA1) signature calculated from a Secret Access Key. Secret Access Keys are only available to clario System Administrators.
  • Are you compliant with PCI DSS?
    • No. clario does not receive or hold any credit card information. Account management and billing are outsourced to Aria Systems, a PCI DSS compliant payment processor.
  • Do you have a list of published policies and procedures that support information integrity objectives of the organization (Password Policies, User Access Policies, Incident Response Procedures, etc.)?
    • A full suite of policies and procedures is available upon request.
  • What are the password requirements for clario user accounts?
    • clario requires a minimum of 8 characters, including at least one number, one uppercase letter, and one lowercase letter, for a password to be accepted as valid.
  • Who has access to my data?
    • clario System Administrators can access data for support purposes only.
  • How is access to default accounts restricted?
    • Default accounts are locked down and not accessible remotely. clario System Administrators are authenticated via SSH keys. All access is logged and reviewed.
  • Is access to my data logged?
    • clario audits data access at a per-object level, and the access logs are available only to clario System Administrators. Each access log record contains details about the request, such as the request type, the resource the request worked with, and the date and time the request was processed.
  • How long are logs retained?
    • Logged events are retained for 90 days before being archived to near-line storage.
  • Does clario utilize intrusion detection or prevention systems?
    • clario deploys a host-based intrusion detection system (HIDS) on all production systems.
  • Is there a process for responding to suspected security incidents? How are these incidents resolved and mitigated?
    • NIST standard procedures[2] are documented and executed when an incident is reported.
  • Do documented configuration standards exist for the operating system versions running on systems that store, process or transmit my information?
    • A standard, minimal, hardened image is used as the basis for all client-facing infrastructure. Changes to this image are strictly controlled and vetted through an approval process.
  • How do you ensure that configuration settings on systems have not changed?
    • Our HIDS and agents ensure that system settings remain consistent.
  • Do documented change management procedures for systems that support my data exist?
    • System change requests are put into a queue for approval. Change requests must include a justification, impact statement, and procedures for backing out changes should they have an unintended outcome.
  • Do you review privileged user access to systems that hold my data?
    • Yes. Root logins are captured and logged. These logs are reviewed daily for anomalous activity; clario System Administrators are responsible for this review.
  • What is your patch management procedure for systems that store and transmit my data?
    • Your data is stored (for a short time) on a hardened SFTP server. Patches to the system are applied (if available) each month. Patch notification is handled via an automated system that notifies clario System Administrators of available updates. Updates are queued via a change request and staged for installation against a test environment that matches production. A standard set of regression tests is run against the test systems to ensure service continuity. If the patches have no adverse impact, a snapshot of the existing production system is frozen, the patches are applied, and system documentation is updated to reflect the new patch level. The snapshot provides a rapid method of backing out applied updates.
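The FAQ says data access is controlled by an HMAC-SHA1 signature computed from a Secret Access Key, and that each access is logged with the request type, resource and time. The following is an added illustration of that pattern, not clario's code: the canonical string layout, the replay window, the log record shape and the sample key are all assumptions.

```python
import hmac
import hashlib
from datetime import datetime

# Constructed sample key; in the described deployment only clario System
# Administrators hold the real Secret Access Key.
SECRET_ACCESS_KEY = b"constructed-example-key-not-a-real-secret"
MAX_CLOCK_SKEW_SECONDS = 300  # assumed replay window, not a value from the FAQ


def string_to_sign(request_type: str, resource: str, timestamp: str) -> bytes:
    # Canonical, newline-separated form so one field cannot be shifted into
    # its neighbour; every field the verifier relies on must be covered here.
    return f"{request_type}\n{resource}\n{timestamp}".encode("utf-8")


def sign_request(request_type: str, resource: str, timestamp: str,
                 key: bytes = SECRET_ACCESS_KEY) -> str:
    """HMAC-SHA1 over the canonical string, hex-encoded for transport."""
    return hmac.new(key, string_to_sign(request_type, resource, timestamp),
                    hashlib.sha1).hexdigest()


def verify_request(request_type: str, resource: str, timestamp: str,
                   signature: str, now: str,
                   key: bytes = SECRET_ACCESS_KEY) -> bool:
    """Recompute the signature server-side and compare in constant time.

    `timestamp` and `now` are ISO 8601 strings with a UTC offset. A request
    whose timestamp falls outside the skew window is rejected even when the
    signature is valid, which bounds replay of a captured request.
    """
    try:
        skew = abs((datetime.fromisoformat(now)
                    - datetime.fromisoformat(timestamp)).total_seconds())
    except ValueError:
        return False  # malformed timestamp: fail closed
    if skew > MAX_CLOCK_SKEW_SECONDS:
        return False
    expected = sign_request(request_type, resource, timestamp, key)
    # compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(expected, signature)


def access_log_record(request_type: str, resource: str, timestamp: str,
                      allowed: bool) -> dict:
    """Per-object audit record carrying the fields the FAQ says are logged."""
    return {"request_type": request_type, "resource": resource,
            "time": timestamp, "result": "allowed" if allowed else "denied"}
```

Replacing `hashlib.sha1` with `hashlib.sha256` is the only change needed to move the scheme off SHA-1; HMAC's security does not rest on SHA-1 collision resistance, but newer deployments generally standardise on SHA-256.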

Logical Security

  • Are shared accounts used to access systems where my data resides?
    • No. Shared accounts do not exist on clario systems.
  • What services are enabled on the systems that store, process, or transmit my data?
    • SSH and Apache Tomcat
  • Are firewalls or other network controls used to protect my data?
    • Firewalls and secondary network access controls provide network edge controls for client facing systems.
  • What traffic is allowed through the firewall?
    • Ports 22 (SSH) and 443 (HTTPS)
  • What is the mechanism used to transfer files to clario?
    • SFTP over SSHv2
  • Is encryption being used to protect my data while being transmitted?
    • Yes. aes128-cbc is used to protect all SSH connections.
  • Is wireless technology being used on the network that holds my data?
    • No.

Operational Security

  • Who is responsible for monitoring production systems? Are they available 24x7x365?
    • clario System Administrators are responsible for monitoring all systems. They are available 24x7x365.
  • Who is responsible for authorizing access to systems that store, process, or transmit my data?
    • clario's® Chief Technology Officer is responsible for administrative access authorization.
  • Is anti-virus used on all the systems that hold and support my data?
    • Yes.
  • How often does clario update its virus definitions?
    • Anti-virus signatures are updated hourly.

References

  1. Amazon Web Services Security Whitepaper
  2. Tim Grance, Karen Kent, and Brian Kim. Computer Security Incident Handling Guide. NIST Special Publication 800-61. Gaithersburg, MD: National Institute of Standards and Technology, 2004.