WHITEPAPER. Security overview. podio.com

Similar documents
Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

MigrationWiz Security Overview

Security Architecture

SECURITY ON AWS 8/3/17. AWS Security Standards MORE. By Max Ellsberry

Liferay Security Features Overview. How Liferay Approaches Security

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Security and Compliance at Mavenlink

IBM SmartCloud Notes Security

QuickBooks Online Security White Paper July 2017

Xerox Audio Documents App

W H IT E P A P E R. Salesforce Security for the IT Executive

Twilio cloud communications SECURITY

RADIAN6 SECURITY, PRIVACY, AND ARCHITECTURE

IBM SmartCloud Engage Security

Unleash the Power of Secure, Real-Time Collaboration

DreamFactory Security Guide

Installation Guide. Citrix License Server VPX v1.01

SECURITY PRACTICES OVERVIEW

Dooblo SurveyToGo: Security Overview

The Common Controls Framework BY ADOBE

HALO IN ACTION COMPLIANCE DON T LET LEGACY SECURITY TOOLS HOLD UP PCI COMPLIANCE IN THE CLOUD. Automated PCI compliance anytime, anywhere.

Best Practices for Cloud Security at Scale. Phil Rodrigues Security Solutions Architect Amazon Web Services, ANZ

ARBOR DDoS PRODUCTS IN A GDPR COMPLIANT ENVIRONMENT. Guidelines and Frequently Asked Questions

IBM Tivoli Directory Server

Information Security Policy

Information Security at Veritext Protecting Your Data

Five reasons to choose Citrix XenServer

A company built on security

Safeguarding Cardholder Account Data

Security Overview. Technical Whitepaper. Secure by design. End to end security. N-tier Application Architecture. Data encryption. User authentication

emarketeer Information Security Policy

Watson Developer Cloud Security Overview

Completing your AWS Cloud SECURING YOUR AMAZON WEB SERVICES ENVIRONMENT

A Mobile Security Checklist: The Top Ten Threats to Your Enterprise Today. White Paper

PCI DSS and VNC Connect

Solutions Business Manager Web Application Security Assessment

Pulseway Security White Paper

Citrix Consulting. Guide to Consulting Methodology and Services

Riverbed Xirrus Cloud Processes and Data Privacy June 19, 2018

The following security and privacy-related audits and certifications are applicable to the Lime Services:

Verasys Enterprise Security and IT Guide

Oracle PeopleSoft 9.2 with NetScaler for Global Server Load Balancing

Oracle Communications Services Gatekeeper

WHITE PAPER Cloud FastPath: A Highly Secure Data Transfer Solution

Azure MFA Integration with NetScaler

Google Cloud & the General Data Protection Regulation (GDPR)

Cloud FastPath: Highly Secure Data Transfer

TRACKVIA SECURITY OVERVIEW

CogniFit Technical Security Details

Your Data and Artificial Intelligence: Wise Athena Security, Privacy and Trust. Wise Athena Security Team

TIBCO Cloud Integration Security Overview

Awareness Technologies Systems Security. PHONE: (888)

SoftLayer Security and Compliance:

Data Security and Privacy Principles IBM Cloud Services

PCI DSS and the VNC SDK

APPLICATION & INFRASTRUCTURE SECURITY CONTROLS

InterCall Virtual Environments and Webcasting

System Security Features

AWS continually manages risk and undergoes recurring assessments to ensure compliance with industry standards.

Sentinet for Microsoft Azure SENTINET

Adaptive Authentication Adapter for Citrix XenApp. Adaptive Authentication in Citrix XenApp Environments. Solution Brief

epldt Web Builder Security March 2017

VMware vcloud Air SOC 1 Control Matrix

SECURITY STORY WE NEVER SEE, TOUCH NOR HOLD YOUR DATA

Layer Security White Paper

Cloud Security Whitepaper

Design and deliver cloud-based apps and data for flexible, on-demand IT

TeamViewer Security Statement

Xerox Connect for Dropbox App

TECHNOLOGY LEADER IN GLOBAL REAL-TIME TWO-FACTOR AUTHENTICATION

CS 356 Operating System Security. Fall 2013

C1: Define Security Requirements

PCI DSS Compliance. White Paper Parallels Remote Application Server

Security Overview of the BGI Online Platform

CTS performs nightly backups of the Church360 production databases and retains these backups for one month.

Single Sign-On. Introduction

LiveEngage Messaging Platform: Security Overview Document Version: 2.0 July 2017

Augmenting security and management of. Office 365 with Citrix XenMobile

NetIQ Secure Configuration Manager Installation Guide. October 2016

The Nasuni Security Model

Citrix SD-WAN for Optimal Office 365 Connectivity and Performance

Hosts have the top level of webinar control and can grant and revoke various privileges for participants.

Five Essential Capabilities for Airtight Cloud Security

What can the OnBase Cloud do for you? lbmctech.com

ADAPTIVE AUTHENTICATION ADAPTER FOR IBM TIVOLI. Adaptive Authentication in IBM Tivoli Environments. Solution Brief

Security Guide Zoom Video Communications Inc.

White Paper Taking Windows Mobile on Any Device Taking Windows Mobile on Any Device

MIS Week 9 Host Hardening

Hosted Testing and Grading

A10 HARMONY CONTROLLER

Guide: HIPPA Compliance. Corporate HIPAA Compliance Guide. Privacy, productivity and remote access. gotomypc.com

Avanade s Approach to Client Data Protection

Security and Privacy Overview

Secure communications simplified

SIEMLESS THREAT DETECTION FOR AWS

CipherCloud CASB+ Connector for ServiceNow

FINANCIAL INFORMATION FORUM 5 Hanover Square New York, New York 10004

Security+ SY0-501 Study Guide Table of Contents

Automate sharing. Empower users. Retain control. Utilizes our purposebuilt cloud, not public shared clouds

SECURITY & PRIVACY DOCUMENTATION

Transcription:

WHITEPAPER Security overview

Podio security White Paper 2 Podio, a cloud service brought to you by Citrix, provides a secure collaborative work platform for team and project management. Podio features powerful social collaboration tools and customizable workflow apps, plus the ability to seamlessly integrate other cloud services into Podio workspaces. Podio follows the Software as a Service delivery model and does not require any premisebased software deployment. Its interactive, cloud-based work environment empowers teams and individuals to manage workflows and share information through both real-time and asynchronous communication. Citrix considers the security of your information to be of the highest importance. At Citrix, security is not an afterthought to functionality, but a key element that is designed and built into our systems from the ground up. Security encompasses all aspects of the Podio service, from the software to the facilities to the personnel developing and operating the service. Measures have been undertaken at multiple levels to maintain the privacy and integrity of data managed by Podio. This paper describes some of those measures, including access controls, physical and operational security, data security, and software development lifecycle security. Protecting the front door An essential element of information security is the reliable identification and authentication of those accessing the information. Every manner of application, data and network security could be implemented, but if we were not able to reliably identify those accessing the data, we could not achieve the high standard of security that Citrix sets for our services.

Podio security White Paper 3 For this reason, Podio places great emphasis on user authentication. To begin with, users must be registered using a validated email account, which is associated with an identified organization. No guest or anonymous access to the system is permitted. In addition, numerous techniques are employed to detect and prevent unauthorized account access, such as complex password enforcement, soft and hard account lockout triggered by repeated unsuccessful login attempts, and the logging and continuous monitoring of account probing and other anomalous behavior. Once a user is authenticated, continued access to the system is dependent upon the presence of a set of security tokens exchanged with the client during the authentication process. These tokens, or session identifiers, are protected using advanced web security mechanisms, including the use of cryptographically strong pseudo-random number generators and session hijacking/fixation countermeasures. All access to Podio, whether pre- or post-authentication, is permitted only over connections that are secured with Secure Sockets Layer (SSL). Any connection attempt that is not using SSL will be refused. In this way, organizations and users can be assured that all information passed between Podio and the user s browser or mobile app will be safe from would-be eavesdroppers and potential man-in-the middle attacks that rely upon an initial HTTP (unsecured) connection. In addition to end-user access via a web browser or a Podio mobile app, Podio may be accessed by registered third-party services or applications that are built on the Podio API. Access through the API uses the widely accepted and deployed OAuth2 protocol for authentication and authorization. Beyond the protection provided by SSL/TLS and any native application techniques, every API request is authenticated by the presence of a unique, random access token, securely obtained through OAuth2 using a registered client identifier, client secret, and set of user credentials. A secure foundation Although protecting the front door is essential, if the networks and systems that host a service are not themselves secure, the service might still be vulnerable. This, of course, is the reason that Podio is built upon a foundation of network, host and physical security.

Podio security White Paper 4 Web, application and database servers supporting Podio reside within highly secured worldwide datacenters. Physical access to these datacenters is continuously monitored and restricted to authorized personnel only. The servers themselves are hardened to baseline secure configuration standards, and are dedicated to running only those services required to support Podio. Citrix policy requires that servers remain up-to-date with the latest security patches, and undergo periodic reassessment through both internal and independent auditing and penetration testing. Network access to the systems hosting Podio is strictly controlled through firewalls and other network security devices designed to detect and respond to various attacks, including but not limited to denial-of-service (DoS) attacks originating from the Internet. Backend servers and services are never directly accessible to external systems or personnel. Furthermore, multiple levels of host and network security are employed to ensure that only authorized access is permitted between backend systems, effectively containing any potential internally-leveraged attacks. Access to and activity on systems is centrally logged and continuously monitored for anomalous patterns or behavior. Safeguarding your data Once your information has been entered into the Podio system, it is secured with multiple levels of encryption and access controls. Podio is designed to securely allow the efficient sharing of information in a manner that is flexible yet highly visible and easily managed. Data resides in workspaces, which are associated with specific organizations. Only those users explicitly granted access to your information may view or modify it. The design of the system requires that every access request pass through an authorization subsystem that verifies the access rights of the user before allowing the request to proceed. Not even Podio staff or administrators can access your information, unless you explicitly grant them the right to do so. Unlike some data management systems, Podio does not include the concept of root or superuser access. This helps to ensure the privacy of your information, even against inadvertent or other internal exposure. Sensitive configuration information, passwords and keys are secured using the latest in cryptographic technology. The Advanced Encryption Standard (AES) is used with a 256-bit key to encrypt sensitive information that must later be available to authorized users in plaintext form. Passwords are secured through a

Podio security White Paper 5 uniquely salted, one-way (irreversible) password hashing mechanism that ensures protection against exposure even to internal personnel with access to the storage systems and/or encryption keys. Every file uploaded to Podio is encrypted with AES- 256 before being transferred to an Amazon Web Services (AWS) S3 repository. Beyond the security safeguards implemented within AWS, the encryption mechanism ensures the privacy of file content. Database backups are encrypted in the same manner as uploaded files. Secure by design In addition to the security measures described, the software services that comprise Podio are developed by Citrix using processes that guarantee the integration of security assurance techniques at every stage of the development and deployment lifecycle. Every significant design and architectural decision must undergo a review process known as threat modeling, in which foreseeable threats to the system are evaluated and measured in light of the proposed design/architectural features. Additionally, code is required to be assessed for security flaws via static analysis, while new and updated systems must be scanned and tested for security weaknesses using industry-leading manual and automated application vulnerability assessment tools. Availability All the protection measures in the world will prove meaningless if you cannot access your information or systems when needed. Thus, one of our top priorities in security by design is availability. With Podio, the continued availability of your information is achieved in several ways. First, the datacenters that host the Podio service incorporate system redundancy throughout in order to ensure resiliency in the face of outages due to failure or attack. Additionally, for the purposes of scalability and reliability, load balancers transparently distribute incoming requests among multiple Citrix servers. As previously mentioned above, security devices are also in place in every Citrix datacenter to implement countermeasures to denial-of-service (DoS) attacks. To prevent unintended destruction or corruption of information, Podio systems are

Podio security White Paper 6 backed up hourly and daily, with backups being encrypted and stored at a secure off-site location. Additionally, the Podio interface includes a protection mechanism that requires explicit user acknowledgement before executing any record deletion requests. Summary Citrix takes the privacy, security and protection of your data very seriously. We have built our services, including Podio, around this priority. Our security policies and controls align with industry standards, and we review them regularly to ensure continued compliance. Businesses, work teams and individuals can confidently use the Podio service to share information, track projects and manage workflows, knowing that their data is protected by the architecture and policies outlined above. Customer Domicile Contracting Entity Notice address Governing law Governing venue North, South or Central America, or the Caribbean ( Americas ) Citrix Systems, Inc., 851 West Cypress Creek Rd. Ft. Lauderdale, Florida 33309, U.S.A. Citrix Systems, Inc., 851 West Cypress Creek Rd., Ft. Lauderdale, Florida 33309, U.S.A. Florida and controlling United States federal law Broward County, Florida, U.S.A. Europe, Middle East or Africa Citrix Systems International, GmbH Rheinweg 9, CH-8200 Schaffhausen, Switzerland Citrix Systems International, GmbH Rheinweg 9, CH-8200 Schaffhausen, Switzerland Switzerland In each case without reference to the conflict of laws principles, and excluding the United Nations Convention on Contracts for the International Sale of Goods Canton of Zurich @2016 Citrix Systems, Inc. All rights reserved. Citrix and Podio are trademarks of Citrix Systems, Inc. or one or more of its subsidiaries, and may be registered in the U.S. Patent and Trademark Office and in other countries. All other trademarks appearing in this piece are the property of their respective owners. June 2016

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback