SECURITY DOCUMENT. 550archi


Documentation for XTM Version 10.3
Published by XTM International Ltd.
Copyright XTM International Ltd. All rights reserved. No part of this publication may be reproduced or transmitted in any form or by any means, including photocopying, without the written permission of XTM International Ltd.
Updated May 2017
XTM International Ltd, PO Box 2167, Gerrards Cross, SL9 8XF, UK. Tel.: +44 (0)1753 480479, email: sales@xtm-intl.com, http://www.xtm-intl.com

XTM User Manual

Table of Contents
- Introduction
- XTM Architecture
- XTM Cloud Environments
- Physical security
- Access Management
- Access Control
- Identification and Authentication
- Data Transmissions
- Auditing and Logging
- Application timeout after a period of inactivity
- Application Monitoring
- Database connections
- Application Security
- Application Error Handling
- Web services
- Business Continuity / Disaster Recovery
- Server Management
- Server data access
- Data protection
- Fire-fighter account controls

Introduction
This document summarises the data and application security aspects of XTM. It covers both XTM Cloud, the SaaS version of XTM, and XTM Suite, the traditionally licensed software installed on a customer's server.

XTM Architecture
XTM is written in Java and runs on servers under Windows Server or Linux. Users access the program entirely via a web browser. XTM currently supports Internet Explorer and Firefox.

XTM Cloud Environments
All XTM International's servers run CentOS 7.0 and use the HTTPS protocol. The system uses TLS v1 or later with a minimum of 2048-bit cipher strength. XTM Cloud exists in the following environments, each installed on different servers:
- Production servers for customers
- Stage server for customer testing
- Beta server for XTM staff and selected users
- Testing server for XTM International
The XTM Cloud production servers are deployed in one zone which is protected by a firewall that only allows HTTPS and SSH connections. For hosted servers the customer can decide whether to use HTTPS.

Physical security
XTM International currently uses three hosting centres for XTM Cloud servers:
1. France, Roubaix
2. USA, St. Louis, MO
3. Canada, Montreal
These state-of-the-art hosting facilities provide the following physical security:
- Multiple redundant internet connections
- Fully automatic room climate control and air moistening
- UPS and voltage filters
- Fire protection
- 230V power supply
- Early detection system for smoke
- 24 hour security service
- Video surveillance
- Admission control
- Diesel generators

Access Management
An XTM administrator can create, grant, modify and revoke access to the application for project managers and linguists. Project managers can create, grant, modify and revoke access to the system for linguists. XTM International works with the system administrators and project managers to set the role-based access for users and to ensure that the least privilege principle is consistently implemented.

Access Control
XTM has the following access control features (feature, followed by the administrator control and its description):

Allowed logon attempts
If the user makes the specified number of invalid logon attempts then their account will be locked and they will not be able to access the system. In order to unlock the account the administrator needs to go to the Users tab and select "unlock account" from the menu icon in the left-hand column of the users listing.

Disable account after non-use
If the user does not log into their account during the period of days specified then the account will be locked. The account will then need to be unlocked by the administrator as described above.

Computer activation level
This setting specifies who will need to go through the PC activation process on first log in. The process involves generating an automatic email to the user which contains a link to download a cookie.

Password duration
This field specifies the number of days that user passwords will be valid. After this period the user will have to change their password.

Check against previous passwords
This field specifies the number of previous passwords that cannot be used as the current password.

Minimum password length
This field specifies the number of characters required in the password.

Use brute force dictionary
This dictionary defines the words that cannot be used as or in a password. By default the following words and components are excluded: User, Guest, Admin, the user's first or last name, Sys, Test, Pass, Super.

Force password change at first log in
Check box to enforce this measure.

Password strength
There are 3 levels of password strength which define the mixture of characters in the password. Characters are split into 4 groups: upper-case letters, lower-case letters, numbers and non-alphanumeric symbols. The password strength is thus:
- Simple: must use characters from at least 1 group.
- Medium: must use characters from at least 2 of the groups.
- Strong: must use characters from at least 3 of the groups.
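The rules in the access-control table above, as an added example that is not XTM's own code: a password validator covering minimum length, the brute force dictionary (including the user's own names), the three strength levels over the four character groups and the previous-password check, plus an account object that applies the logon-attempt and non-use lockouts. The numeric defaults, the integer day counter and the use of SHA-256 for the stored form are assumptions of the example.

```python
import hashlib
import re

# Added example, not XTM code; defaults are assumptions, not XTM's shipped values.
DEFAULT_DICTIONARY = ("user", "guest", "admin", "sys", "test", "pass", "super")
GROUPS = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")  # the 4 character groups
STRENGTH_MIN_GROUPS = {"simple": 1, "medium": 2, "strong": 3}

def hash_password(password):
    # Stored form; the page says XTM uses SHA1, SHA-256 stands in here (assumption).
    return hashlib.sha256(password.encode()).hexdigest()

def check_password(password, first_name, last_name, previous_hashes,
                   min_length=8, strength="medium", history=3,
                   dictionary=DEFAULT_DICTIONARY):
    """Return the rules the password breaks; an empty list means it is accepted."""
    violations = []
    lowered = password.lower()
    if len(password) < min_length:
        violations.append("minimum length")
    # Brute force dictionary: listed words and the user's own names may not appear in it.
    for word in list(dictionary) + [first_name, last_name]:
        if word and word.lower() in lowered:
            violations.append(f"dictionary word '{word}'")
    groups_used = sum(1 for g in GROUPS if re.search(g, password))
    if groups_used < STRENGTH_MIN_GROUPS[strength]:
        violations.append(f"{strength} strength needs {STRENGTH_MIN_GROUPS[strength]} groups")
    if hash_password(password) in previous_hashes[-history:]:  # previous-password check
        violations.append("reused previous password")
    return violations

class Account:
    # Lockout rules: too many invalid logons, or no logon for too many days.
    def __init__(self, password_hash, max_attempts=5, disable_after_days=90):
        self.password_hash = password_hash
        self.max_attempts = max_attempts
        self.disable_after_days = disable_after_days
        self.failed, self.locked = 0, False
        self.last_login_day = 0  # days as plain integers to keep the example small

    def login(self, password, today):
        # An account locked for either reason stays locked until an administrator
        # unlocks it from the Users tab.
        if self.locked or today - self.last_login_day > self.disable_after_days:
            self.locked = True
            return False
        if hash_password(password) != self.password_hash:
            self.failed += 1
            self.locked = self.failed >= self.max_attempts
            return False
        self.failed, self.last_login_day = 0, today
        return True

    def admin_unlock(self):
        self.locked, self.failed = False, 0
```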

Identification and Authentication
XTM may either connect to an LDAP service for user authorisation or perform the authentication itself. When the authorisation is performed internally, firstly the password entry is hidden on sign in. Then the username and password are sent over the HTTPS encrypted connection to the server. At the server the authentication class connects to the appropriate database tables. All passwords are hashed using the SHA1 algorithm. The username and password pair is checked against the appropriate database entry. The user roles, which govern user access to different XTM modules, are also extracted from the database. On first login the user is directed to the password reset page and encouraged to change the initial password.

[Figure: XTM login security diagram]

Data Transmissions
By default users need to register their PC in order to access XTM Cloud. This is achieved through the installation of a cookie. The link for the cookie is sent to the user's email address. This feature may be deactivated at the system level by an administrator if it is deemed to be unnecessary. For XTM Cloud the communication between the end user and XTM uses HTTPS. This is optional for XTM Suite or Private Cloud implementations. If a file is uploaded for processing and the upload is faulty then the user will receive a message that the file is corrupted.

Auditing and Logging
The XTM components that have logging capabilities are configured to produce a security audit log. These are:
- Apache HTTP Server log
- PostgreSQL log
- System log
- XTM log
The following events are logged within XTM:
- User logon and logoff
- XTM Editor: opening, saving and navigation to another page.
On XTM Cloud and hosted servers managed by XTM International, all the logs are retained for 90 days, except for the PostgreSQL log which is retained for 7 days. To ensure that the log files survive system restarts, they are kept on a mirrored HDD RAID array and are backed up onto an external machine daily.

Application timeout after a period of inactivity
In XTM Editor the user's browser pings the server every 10 seconds. When a translator enters a page the segments are locked for other users. If the pings are not detected, for example when the browser or PC has crashed or the user simply closes the browser without logging out, XTM releases the locked segments quickly. If no user activity is recorded for a period of 60 minutes then XTM closes the session. XTM Project Manager sessions time out after 60 minutes of user inactivity; however, if the browser or the computer is closed then the session expires within 4 minutes. XTM TM Manager and XTM Terminology Manager sessions time out after 60 minutes of user inactivity if the browser is open, and within 20 minutes if the browser or computer is closed.

Application Monitoring
XTM Cloud and hosted servers managed by XTM International are proactively monitored by Nagios to ensure that all systems, applications and services are functioning properly. In the event of a failure, Nagios alerts XTM International's technical staff of the problem, allowing them to begin remedial action before outages affect end users.

Database connections
XTM applications connect to the database with the minimum privileges required.

Application Security
XTM does not permit cross-site scripting or SQL injection.

Application Error Handling
XTM displays an error message to the user on the web page with a link to a page containing the details of the error; the details can also be viewed in the log. The XTM software development life cycle (SDLC) process ensures testing of potential intrusion threats such as SQL injection and session hijacking. This includes testing that error conditions cannot be forced, or that if error conditions are encountered they cannot be used to breach the security mechanisms of the system.

Web services
The standard implementation of XTM does not expose web services. XTM has the option to connect to a number of different machine translation engines in order to provide translators with machine translations of text. These options require the XTM administrator to have an account with the MT provider. There is also an optional API, called XTM Connect, to integrate XTM with third-party applications. It can be set up with or without SSL; on XTM Cloud SSL is used. Each web service method has a LoginAPI object which contains three fields: Company, User, and Password. These fields have to be filled every time you call the web service method.
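The segment-locking and inactivity rules described under "Application timeout" above, as an added example that is not XTM's own code: a session sweeper that releases an Editor's segment locks when its 10-second heartbeat stops, closes any session after 60 minutes without activity, and expires Project Manager and TM/Terminology Manager sessions 4 or 20 minutes after their browser stops pinging. The 30-second grace period before locks are released, the role names and the use of integer seconds are assumptions of the example.

```python
# Added example, not XTM code: a sweeper applying the inactivity rules above.
# Times are seconds; the 30 s grace before an Editor's locks are released is an
# assumption, the page only says they are released "quickly".
PING_INTERVAL = 10                 # XTM Editor pings the server every 10 seconds
MISSED_PING_GRACE = 3 * PING_INTERVAL
IDLE_TIMEOUT = 60 * 60             # every role: session closes after 60 min without activity
CLOSED_BROWSER_TIMEOUT = {         # expiry once pings stop, i.e. browser or PC closed
    "project_manager": 4 * 60,
    "tm_manager": 20 * 60,
    "terminology_manager": 20 * 60,
}

class Session:
    def __init__(self, role, now):
        self.role = role
        self.last_activity = now   # a user action: opening, saving, navigating
        self.last_ping = now       # heartbeat from the open browser tab
        self.locked_segments = set()
        self.open = True

    def ping(self, now):
        self.last_ping = now

    def activity(self, now, lock=None):
        self.last_activity = self.last_ping = now
        if lock is not None:
            self.locked_segments.add(lock)

def try_lock(sessions, sid, segment, now):
    """Lock `segment` for session `sid` unless another open session holds it."""
    for other, s in sessions.items():
        if other != sid and s.open and segment in s.locked_segments:
            return False
    sessions[sid].activity(now, lock=segment)
    return True

def sweep(sessions, now):
    """Apply the timeout rules; returns {sid: [events]} for sessions that changed."""
    events = {}
    for sid, s in sessions.items():
        if not s.open:
            continue
        acts = []
        since_ping, since_activity = now - s.last_ping, now - s.last_activity
        closed_limit = CLOSED_BROWSER_TIMEOUT.get(s.role)
        expired = since_activity > IDLE_TIMEOUT or (closed_limit is not None and since_ping > closed_limit)
        lost_pings = s.role == "editor" and since_ping > MISSED_PING_GRACE  # released before expiry
        if s.locked_segments and (lost_pings or expired):
            acts.append("released:" + ",".join(str(x) for x in sorted(s.locked_segments)))
            s.locked_segments.clear()
        if expired:
            s.open = False
            acts.append("expired")
        if acts:
            events[sid] = acts
    return events
```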

Business Continuity / Disaster Recovery
Data in XTM Cloud is stored in a database and also in data files. This data is backed up as follows:
- In case of HDD failure, the XTM Cloud server cluster is equipped with mirrored disk arrays. XTM data is written to a storage array on the local machine and in addition it is simultaneously written to a storage array on another server in the cluster.
- The databases and data files are backed up every day locally and also onto an external server. We store:
  - the last 15 copies of the databases
  - the last 3 copies of the data files
In case of hardware failure damaged components can be replaced in a few hours, or the whole service can be relocated to another machine using data from the latest backup. After every configuration change that can affect current procedures, the business continuity/disaster recovery procedures are tested and revisited to ensure they provide the required level of business continuity in emergency scenarios. The XTM Support SLA and Redmine issue tracking system ensure that details of any application incident are logged and managed correctly.

Server Management
Each administrator has a separate account on the server and there are no shared IDs.

Server data access
No directories can be accessed from web clients. There is a generic error page to hide the actual error message or warning returned.

Data protection
XTM International has a core team of developers and support engineers. If any staff leave the team, they immediately lose all access rights to all development, testing and production systems. Only staff working on specific issues have access to production data, and if data is copied by staff for testing purposes it is deleted on completion of the tests. All PCs and laptops used by XTM support and development staff have their disks encrypted. Production data is not stored on mobile media.

Fire-fighter account controls
In order to provide the high quality support required by the SLA there are privileged accounts (fire-fighter accounts) that the XTM technical team use to access XTM Cloud. These accounts, which allow access to customers' data, are password protected and their use is monitored via the log. Access to all production servers, including XTM Cloud, is protected via two-factor authentication.
