Dooblo SurveyToGo: Security Overview

Similar documents
Awareness Technologies Systems Security. PHONE: (888)

CTS performs nightly backups of the Church360 production databases and retains these backups for one month.

Xerox Audio Documents App

AWS continually manages risk and undergoes recurring assessments to ensure compliance with industry standards.

SECURITY STRATEGY & POLICIES. Understanding How Swift Digital Protects Your Data

APPLICATION & INFRASTRUCTURE SECURITY CONTROLS

The Common Controls Framework BY ADOBE

WHITEPAPER. Security overview. podio.com

InterCall Virtual Environments and Webcasting

Data Security at Smart Assessor

SECURITY ON AWS 8/3/17. AWS Security Standards MORE. By Max Ellsberry

Magento Commerce Architecture and Security Model Last updated: Aug 2017

HIPAA Security. 3 Security Standards: Physical Safeguards. Security Topics

Security and Compliance at Mavenlink

SECURITY + COMPLIANCE WHITEPAPER

HikCentral V1.3 for Windows Hardening Guide

HikCentral V.1.1.x for Windows Hardening Guide

Juniper Vendor Security Requirements

CompTIA Security+ (2008 Edition) Exam

FormFire Application and IT Security

ZyLAB delivers a SaaS solution through its partner data center provided by Interoute and through Microsoft Azure.

Layer Security White Paper

Information Security at Veritext Protecting Your Data

Integrated Cloud Environment Security White Paper

Data Security and Privacy Principles IBM Cloud Services

IBM SmartCloud Notes Security

State of Colorado Cyber Security Policies

2.4. Target Audience This document is intended to be read by technical staff involved in the procurement of externally hosted solutions for Diageo.

Daxko s PCI DSS Responsibilities

Riverbed Xirrus Cloud Processes and Data Privacy June 19, 2018

emarketeer Information Security Policy

1) Are employees required to sign an Acceptable Use Policy (AUP)?

Watson Developer Cloud Security Overview

SECURITY & PRIVACY DOCUMENTATION

Page 1 of 15. Applicability. Compatibility EACMS PACS. Version 5. Version 3 PCA EAP. ERC NO ERC Low Impact BES. ERC Medium Impact BES

DFARS Requirements for Defense Contractors Must Be Satisfied by DECEMBER 31, 2017


RAPID7 INSIGHT PLATFORM SECURITY

Sample Security Risk Analysis ASP Meaningful Use Core Set Measure 15

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

7.16 INFORMATION TECHNOLOGY SECURITY

Crises Control Cloud Security Principles. Transputec provides ICT Services and Solutions to leading organisations around the globe.

Hosted Testing and Grading

Automate sharing. Empower users. Retain control. Utilizes our purposebuilt cloud, not public shared clouds

BEYOND CJIS: ENHANCED SECURITY, NOT JUST COMPLIANCE

Minfy MS Workloads Use Case

QuickBooks Online Security White Paper July 2017

AXIAD IDS CLOUD SOLUTION. Trusted User PKI, Trusted User Flexible Authentication & Trusted Infrastructure

RSA Authentication Manager 8.0 Security Configuration Guide

The following security and privacy-related audits and certifications are applicable to the Lime Services:

Five Essential Capabilities for Airtight Cloud Security

Security Principles for Stratos. Part no. 667/UE/31701/004

RAPID7 INFORMATION SECURITY. An Overview of Rapid7 s Internal Security Practices and Procedures

Total Video Solution Cybersecurity Protection. ConteraWS Platform Cybersecurity Overview

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010

Payment Card Industry (PCI) Data Security Standard

Minfy MS Workloads Use Case

CLIQ Remote - System description and requirements

Firewall Configuration and Management Policy

Independent DeltaV Domain Controller

epldt Web Builder Security March 2017

ENDNOTE SECURITY OVERVIEW INCLUDING ENDNOTE DESKTOP AND ONLINE

Introduction to SURE

Solution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites

GLOBALPROTECT. Key Usage Scenarios and Benefits. Remote Access VPN Provides secure access to internal and cloud-based business applications

Wireless Security Access Policy and Agreement

ISSP Network Security Plan

Security Architecture

Information Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC

WHITE PAPER- Managed Services Security Practices

HIPAA / HITECH Overview of Capabilities and Protected Health Information

Checklist: Credit Union Information Security and Privacy Policies

WHITE PAPER Cloud FastPath: A Highly Secure Data Transfer Solution

AUTHORITY FOR ELECTRICITY REGULATION

Keys to a more secure data environment

Standard: Event Monitoring

Internal Audit Report DATA CENTER LOGICAL SECURITY

Trust Services Principles and Criteria

Virginia Commonwealth University School of Medicine Information Security Standard

Cloud Security Whitepaper

Architecture. Hosted. PrintMap Client. PrintMap Application Server

Sparta Systems Stratas Solution

Security. ITM Platform

February 2017 Version: 1.0. Xerox App Gallery 4.0 Information Assurance Disclosure

SDR Guide to Complete the SDR

Agilent ICP-MS ChemStation Complying with 21 CFR Part 11. Application Note. Overview

CompTIA Mobility+ Certification

CompTIA CAS-002. CompTIA Advanced Security Practitioner (CASP) Download Full Version :

Morningstar ByAllAccounts Service Security & Privacy Overview

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

Security Specification

HISPOL The United States House of Representatives Internet/ Intranet Security Policy. CATEGORY: Telecommunications Security

SECURITY PRACTICES OVERVIEW

HIPAA Compliance Checklist

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

Databricks Enterprise Security Guide

Section A - Standards that Apply to All RFPs

Transcription:

Dooblo SurveyToGo: Security Overview November, 2013 Written by: Dooblo Page 1 of 11 1

Table of Contents 1 INTRODUCTION... 3 1.1 OVERVIEW... 3 1.2 PURPOSE... 3 2 PHYSICAL DATA CENTER SECURITY... 4 2.1 OVERVIEW... 4 2.2 SERVERS... 4 2.3 EMPLOYEE LIFECYCLE... 4 3 NETWORK SECURITY... 5 3.1 OVERVIEW... 5 3.2 CONNECTIONS FROM THE DEVICES TO THE DATA CENTERS AND BACK... 5 3.3 CONNECTIONS BETWEEN SERVERS INSIDE THE DATA CENTER... 5 3.4 ADMINISTRATIVE COMMUNICATIONS... 5 3.5 IDS/IPS... 5 4 SURVEYTOGO APPLICATION SECURITY FEATURES... 6 4.1 OVERVIEW... 6 4.2 USERS, TYPES, GROUPS & PASSWORDS... 6 4.3 ROLE BASED PERMISSIONS... 6 4.4 USER RIGHTS... 7 5 SURVEYTOGO DATA COLLECTION APP SECURITY... 8 5.1 OVERVIEW... 8 5.2 ANDROID APP... 8 5.3 PC SURVEY APP... 8 5.4 LOST / STOLEN DEVICE... 8 6 CONFIGURATION MANAGEMENT... 10 6.1 OVERVIEW... 10 6.2 SOFTWARE... 10 6.3 INFRASTRUCTURE... 10 7 BACKUPS... 11 7.1 OVERVIEW... 11 Page 2 of 11 1

1 Introduction 1.1 Overview This document outlines the security of the SurveyToGo system. All non-confidential information has been included. Due to the nature of the topics discussed, some topics are considered confidential and will not be discussed in this document for obvious reasons. 1.2 Purpose The purpose of this document is to provide for a high level overview of all the security aspects of the SurveyToGo system. As the SurveyToGo system grows more security measures are added and infrastructure and communications protocols change. This document provides the overview for the system at the time of writing only. Page 3 of 11 1

2 Physical Data Center Security 2.1 Overview The SurveyToGo state-of-the-art data center servers are hosted by Amazon AWS (US-EAST region): AWS datacenters are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access datacenter floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff. AWS only provides datacenter access and information to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical access to datacenters by AWS employees is logged and audited routinely. For more extensive information about the AWS infrastructure security utilized by Dooblo: http://d36cz9buwru1tt.cloudfront.net/pdf/aws_security_whitepaper.pdf 2.2 Servers All servers include a mandatory antivirus protection and are configured to receive any security OS update as required. 2.3 Employee lifecycle Dooblo has established formal policies and procedures to delineate the minimum standards for logical access to the SurveyToGo servers. Dooblo requires that staff with potential access to customer data undergo an extensive background check (as permitted by law) relevant to their position and level of data access. Page 4 of 11 1

3 Network Security 3.1 Overview SurveyToGo enables interviewers in the field to collect data and send it over the wire to the Dooblo Data center. This involves 2 way communications over the internet to both send Survey data to the device and receive collected data from the device. The Dooblo network security measures are in place to ensure network communication both to and from the data center is secure along with communications between servers in the data center. 3.2 Connections from the devices to the data centers and back The devices and management applications communicate over the internet with the Data center. SurveyToGo can utilize industry proven SSL encryption to encrypt these device/server communications and management app/server communications. The Dooblo Data Center uses certified SSL Certificates to ensure devices can validate and authenticate the server they are communicating with to prevent man in the middle attacks along with eavesdropping risks. Any incoming communication to the data center passes through a dedicated Checkpoint firewall product to prevent network attacks. 3.3 Connections between servers inside the data center All servers in the data center are located in the same physical space and are connected through a dedicated sub-network controlled by authorized Dooblo IT employees. The Checkpoint Firewall ensures internal communication between DMZ and other servers is done only by pre-configured IP addresses. 3.4 Administrative communications All administrative communications to the data center are secured with token based security and restricted to authorized personnel and IP addresses. 3.5 IDS/IPS All network traffic stopped at the FW is monitored and IDS/IPS (Intrusion Detection/Prevention systems) is employed. Page 5 of 11 1

4 SurveyToGo Application Security Features 4.1 Overview The SurveyToGo system includes application level security measures designed to allow your employees access to data only to those employees that you have configured and only to the project data that you have configured access for. SurveyToGo includes a customer-project paradigm which means that every data collected resides in a specific project that belongs to a specific customer (your customer, not Dooblo customers). 4.2 Users, types, groups & passwords Each access to the SurveyToGo system is done with a user and a password. Surveyors have user names, so do project managers and field managers. Both data collection apps and the management studio app requires a user name and a password in order to work. In fact, every interface of the system requires an authenticated user in order to work. User names and passwords are defined by the SurveyToGo account administrator (NOT by Dooblo) and passwords are encrypted. Users can be grouped in to groups to help with permissions. 4.3 Password policy A SurveyToGo organization can be set to use a custom password policy requiring users to adhere to policy standards of password lengths. The following password policy settings are controllable: Minimum characters Minimum uppercase characters Minimum lowercase characters Minimum non-alpha characters Minimum numeric characters 4.4 Role based permissions Role based permissions are granted to users and projects. Each project has 4 levels of roles: Project Administrator Project Manager Project Reviewer Page 6 of 11 1

Project Reader Each role includes various access rights to the data contained in the project. The SurveyToGo account administrator (or project administrator/manager) can assign users or groups of users with the relevant roles of a project. If a user does not have any access to a project that project will not show up on his management studio app. If the user does not have any access to any project of a customer than that entire customer will not show on his management app. Surveyor users can be assigned to a project which will then control whether they will see that survey in the list of surveys or not. 4.5 User rights On top of the project Role based security, several application level user rights can be assigned to a user or a group such as: Create users Manage subject stores Manage rights Etc.. These rights are granted to the user or group and are not related to a specific customer or project. Page 7 of 11 1

5 SurveyToGo Data Collection App Security 5.1 Overview The data collection apps are used to collect data from the field. The general approach to the security of the collected data in this regard is to upload the data and remove it from the device as quickly as possible. Shorter time on the device mean lower data security risks. 5.2 Android App The Android app stores all data in a special application storage segment provided by the Android OS. This segment is secured from access by other applications and restricts the segment to the SurveyToGo app only. Even accessing the device through USB mass-storage interface will not allow the human operator access to this storage area. Due to this enhanced security mechanism by Android, the data is saved in a local database on this secured storage segment. When-ever network is detected, all data is uploaded to the server and deleted from the device. The last user who used the app is cached locally in order to allow for quick access and continue to collect data even in offline scenarios, however the password is encrypted. Communication to and from the server is secured by SSL Encryption (Optional) as described in the network security chapter. 5.3 PC Survey App The PC (Windows) app stores all data in the local user storage space on the hard drive of the windows machine. As the hard disk is not secured like in the Android case, SurveyToGo utilizes the built-in encryption mechanism of Microsoft SQL Mobile to encrypt all the data and prevent access to it from unauthorized sources. Communication to and from the server is secured by SSL Encryption (Optional) as described in the network security chapter. 5.4 Lost / stolen Device In case the device is lost or stolen it is our recommendation that the user of that device will be set to disabled. This will disallow any access from that device to the account and prevent any tampering with data. Please note that if auto-sync is enabled up to 10 minutes worth of data collection might remain on the device and be exposed. Page 8 of 11 1

Page 9 of 11 1

6 Configuration Management 6.1 Overview Configuration changes to the SurveyToGo system infrastructure and software are authorized, logged, tested, approved, and documented in accordance with industry norms. Updates to the SurveyToGo infrastructure are done to minimize any impact on the customer and their use of the services. Dooblo communicates with customers via email when service use is likely to be impacted. 6.2 Software Dooblo applies a systematic approach to managing change so that changes to customer impacting services are thoroughly reviewed, tested, approved and well communicated. Dooblos change management process is designed avoid unintended service disruptions and to maintain the integrity of service to the customer. Changes deployed into production environments are: Reviewed: Peer reviews of the technical aspects of a change Tested: being applied will behave as expected and not adversely impact performance Approved: to provide appropriate oversight and understanding of business impact Changes are typically pushed into production in a phased deployment starting with customers who requested the change. When possible, changes are scheduled during weekend change windows. Emergency changes might be deployed on non standard times. 6.3 Infrastructure Updates to the SurveyToGo infrastructure are done to minimize any impact on the customer and their use of the services. Dooblo communicates with customers via email when service use is likely to be impacted. Page 10 of 11 1

7 Backups 7.1 Overview Data stored in the SurveyToGo system, is redundantly stored in multiple physical locations as part of normal operation of those services and at no additional charge. In addition, Dooblo periodically backs up all important parts of its data. Data removed from the system by actions of the customer are physically deleted from the servers and backups and will not be available to Dooblo support staff or customer. This is to ensure customer ability to remove sensitive information from the Dooblo Data center if needed. Page 11 of 11 1

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback