LiveEngage Messaging Platform: Security Overview Document Version: 2.0 July 2017

Similar documents
LiveEngage Secure Form. Document Version: 1.2 June 2018

Profiles (permissions) Document Version: V1.6 March 2018

Web Messaging Configuration Guide Document Version: 1.3 May 2018

Enhancing the LiveEngage SMS Experience with Twilio Functions Document Version: 3.0 October 2017

LiveEngage System Requirements and Language Support Document Version: 5.0 February Relevant for LiveEngage Enterprise In-App Messenger SDK v2.

Updated: July LiveEngage secure form for messaging. Contents. Introduction. Secure form benefits. European Security Standards

Partner Center: Secure application model

SOLUTION BRIEF CA API MANAGEMENT. Enable and Protect Your Web Applications From OWASP Top Ten With CA API Management

A company built on security

LiveEngage System Requirements and Language Support Document Version: 5.6 May Relevant for LiveEngage Enterprise In-App Messenger SDK v2.

Cloud Access Manager Overview

Cirius Secure Messaging Single Sign-On

SafeNet Authentication Service

SafeNet Authentication Service

SafeNet Authentication Service

Single Sign-On. Introduction

Xerox Audio Documents App

Solutions Business Manager Web Application Security Assessment

AWS Webinar. Navigating GDPR Compliance on AWS. Christian Hesse Amazon Web Services

Security Information & Policies

Single Sign-On. Introduction. Feature Sheet

5 OAuth Essentials for API Access Control

LiveEngage System Requirements and Language Support Document Version: 6.4 March 2018

Scribe Monitor App. Version 1.0

Security Guide Zoom Video Communications Inc.

DreamFactory Security Guide

SafeNet Authentication Service

Layer Security White Paper

Google Cloud & the General Data Protection Regulation (GDPR)

SSO Integration Overview

SAP Single Sign-On 2.0 Overview Presentation

WHITEPAPER. Security overview. podio.com

SafeNet Authentication Service

KACE GO Mobile App 5.0. Release Notes

APPLICATION & INFRASTRUCTURE SECURITY CONTROLS

Login with Amazon. Customer Experience Overview for Android/Fire apps

THE GDPR PCLOUD'S ROAD TO FULL COMPLIANCE

MANAGING ANDROID DEVICES: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE

Watson Developer Cloud Security Overview

SECURITY & PRIVACY DOCUMENTATION

Mobile ios Configuration Guide

Mobile ios Configuration Guide

PCI DSS and VNC Connect

SAP Security in a Hybrid World. Kiran Kola

Cloudiway Google Groups migration. Migrate from Google Groups to Office 365 groups

KACE GO Mobile App 5.0. Getting Started Guide

SAML SSO Okta Identity Provider 2

Security Model Overview. WHITE PAPER July 2012

SpiraTeam Help Desk Integration Guide Inflectra Corporation

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

KACE GO Mobile App 3.1. Release Notes

Administering Jive Mobile Apps for ios and Android

Cloud Access Manager SonicWALL Integration Overview

Dell One Identity Cloud Access Manager 8.0. Overview

SafeNet Authentication Service

Symantec Endpoint Protection Mobile - Admin Guide v3.2.1 May 2018

SafeNet Authentication Service

One Identity Defender 5.9. Product Overview

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

WebADM and OpenOTP are trademarks of RCDevs. All further trademarks are the property of their respective owners.

SpiraTeam Help Desk Integration Guide Inflectra Corporation

Release Notes. BlackBerry Enterprise Identity

KACE GO Mobile App 4.0. Release Notes

Five9 Plus Adapter for Agent Desktop Toolkit

One Identity Starling Two-Factor Desktop Login 1.0. Administration Guide

February 2017 Version: 1.0. Xerox App Gallery 4.0 Information Assurance Disclosure

Data Security and Privacy at Handshake

Security and Privacy Overview

Gmail Integration for Salesforce and Dynamics 365

SafeNet Authentication Manager

Xperia TM. in Business. Product overview. Read about the enterprise policies and features supported in Xperia devices. March 2018

IBM UrbanCode Cloud Services Security Version 3.0 Revised 12/16/2016. IBM UrbanCode Cloud Services Security

Solution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites

TIBCO Cloud Integration Security Overview

CoreBlox Integration Kit. Version 2.2. User Guide

Security Specification

PCI DSS and the VNC SDK

Security and Compliance at Mavenlink

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

SafeNet MobilePASS+ for Android. User Guide

SafeNet MobilePKI for BlackBerry V1.2. Administration Guide

Cloud Access Manager How to Configure for SSO to SAP NetWeaver using SAML 2.0

INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.1 SUCCESS AKAMAI SOLUTIONS BRIEF INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.

EAM Portal User's Guide

Xperia TM. in Business. Product overview. Read about the enterprise policies and features supported in Xperia devices.

Twilio cloud communications SECURITY

Centrify for Dropbox Deployment Guide

TERMS OF USE Effective Date: January 1, 2015 To review material modifications and their effective dates scroll to the bottom of the page. 1.Parties.

RSA SecurID Implementation

PrinterOn Mobile App MDM/MAM. Basic Integration Guide

Custom Location Extension

Security Overview. Technical Whitepaper. Secure by design. End to end security. N-tier Application Architecture. Data encryption. User authentication

Cloud FastPath: Highly Secure Data Transfer

SafeNet Authentication Service

Deploying OAuth with Cisco Collaboration Solution Release 12.0

FIREFLY ARCHITECTURE: CO-BROWSING AT SCALE FOR THE ENTERPRISE

SafeNet Authentication Service

Deltek Touch Expense for Ajera. Touch 1.0 Technical Installation Guide

SafeNet Authentication Manager

How to Access Protected Health Information from Anywhere and Stay Compliant

Transcription:

LiveEngage Messaging Platform: Security Overview Document Version: 2.0 July 2017

Contents Introduction... 3 Supported Platforms... 3 Protecting Data in Transit... 3 Protecting Data at Rest... 3 Encryption... 3 Masking... 3 International Security Compliance Program... 4 Secure Development Life-Cycle... 4 Security by Design... 4 Static Code Analysis... 4 Input Validation... 4 Ethical Hacking, Vulnerability Assessments and Penetration Testing... 4 System Components... 5 Data Flow... 5 Authenticated Interaction... 5 Unauthenticated Interaction... 6 Push Notifications... 7 Agent Login... 8 Standard Login... 8 SSO... 8 2

Introduction LivePerson has developed an advanced, SDK-based solution for mobile messaging between Consumers and Brands. As a leading provider with thousands of customers and many years of experience, we understand that the integration of any 3rd party SDKs into a brand s mobile application requires an appropriate risk assessment and due-diligence processes. We also realize that the content of Consumer and Brand interaction should be treated in accordance with the highest levels of Security and Privacy. We ve invested significant efforts in designing and implementing a robust security model to help protect our messaging solution. This document outlines the high-level security model and controls that has been implemented in LivePerson s messaging platform and SDK. Supported Platforms LivePerson s SDK applies to both ios and Android devices. Protecting Data in Transit All communication between the LivePerson SDK and the LivePerson backend is encrypted using 256bit AES with 2048 RSA, and established over either HTTPS (for REST communication) or WSS (for data transmitted over WebSockets). In addition, requests are verified with a unique JSON Web Token (JWT). Protecting Data at Rest Encryption On the Device In both ios and Android, data generated by the LivePerson SDK and stored on the consumer s mobile device is encrypted based on standard OS ciphers. The encryption is based on 256bit AES. On the LivePerson Datacenter An optional 192bit AES encryption is available using unique and dedicated set of keys for each Brand. LivePerson recommends enabling encryption for data at rest as part of the best practices for secure messaging. Masking LivePerson provides two primary, optional data masking functions: RegEx based, real-time masking via the SDK the masked data will not bestored on the device or on the LivePerson servers. RegEx based, server-side masking the masked data is displayed to the customer care professional during the active interaction, but will is not stored on the LivePerson servers. 3

International Security Compliance Program Similar to LiveEngage, the Messaging platform is in-scope of the LivePerson International Security Compliance Program and adhere to the following standards: ISO27001, SSAE16 SOC2, PCI-DSS via Secure Form widget and EU Privacy directive, in progress to comply with GDPR prior to May 2018. Secure Development Life-Cycle Security by Design Security is an integral part of the software development processes at LivePerson. The platform and all of its components have gone through constant security design reviews by the LivePerson Security team and R&D Architects. Additionally, LivePerson Mobile Application Developers has gone through a dedicated Secure Mobile Application Development training by a leading 3rd party instructor that specializes in this domain. Static Code Analysis The code behind the platform has undergone repeated static code analysis scans in order to help identify potential gaps/flaws. According to LivePerson s SDLC policy, any High Risk findings are fixed prior to deployment to Production. Input Validation All data exchanged between LivePerson backend and the Agent Workspace is validated on the server side to prevent browser side attacks (for example Cross Site Scripting - XSS). Ethical Hacking, Vulnerability Assessments and Penetration Testing The LivePerson Unified Messaging Platform, API and SDK have been tested multiple times by independent penetration testers and Ethical Hackers with specialization in Mobile Application Security. An additional weekly vulnerability assessment is executed against the infrastructure using Rapid7 Nexpose scanner. 4

System Components Component Description Client Side Mobile App LP SDK (ios & Android) LiveEngage Workspace Server Side UMS REST API Backend WebSocket Backend IDP (LP Proprietary Identity Provider) AC Connector Developed by the brand (not LivePerson). To be embedded in the brand s mobile app. Browser-based web application from which agents interact with users. LP Unified Messaging System which is responsible for asynchronous messaging. Channel for the SSO process. Channel for messaging between the consumer and the agent. Responsible for the SSO login process between the LivePerson environment and the customer environment. Stores customer details such as URL, secret, public certificate, and more. Data Flow The LivePerson Messaging SDK has three primary types of interactions and dataflows. 1. Authenticated Interaction 2. Unauthenticated Interaction 3. Push Notifications Below is a high-level description of all three dataflows and sequence diagrams. Authenticated Interaction There are 2 methods for establishing an Authenticated Interaction: Client Based Implicit Flow: a JWT is created by the brand upon Consumer authentication and communicated to LivePerson by the Consumer. A step by step process is outlined below: 1. Consumers authenticate directly to the Brand Mobile Application with their personal credentials (username/password/certificate). 2. The Brand generates a unique consumer ID by a JSON Web Token (JWT). 3. The JWT is communicated to LivePerson through the SDK (without exposing username/password). 4. LivePerson generates an additional unique JSON Web Token (JWT) which is used in each message that is sent between the Consumer and LivePerson backend infrastructure. 5

Encryption of the JWT is optional by using JWE. Server Based Code Flow: An AuthCode (UID) is generated by the Consumer upon authentication. The AuthCode is communicated to LivePerson, which then directly communicates with the Brand Servers to obtain the JWT based on that unique ID. The JWT is signed with the Brand Public Key. A step by step process is outlined below: 1. Consumers authenticate directly to the Brand Mobile Application with their personal credentials (username/password/certificate). 2. The Brand App / LivePerson SDK generates a Unique AuthCode. 3. The AuthCode is securely communicated to LivePerson through the SDK. 4. LivePerson sends the AuthCode to the Brand Server over encrypted channel. 5. The brand generates a JWT which is communicated to LivePerson over encrypted channel. 6. The JWT is used in each message that is sent between the Consumer and LivePerson backend infrastructure. Encryption of the JWT is optional by using JWE. Unauthenticated Interaction The consumer does not authenticate to the brand application or systems. However, the consumer is still able to initiate a messaging request and communicate with a brand agent. The process for unauthenticated interactions is described below. 6

1. The consumer downloads the brand mobile application from the App Store or Marketplace. 2. The consumer initiates a request for an instant messaging conversation. 3. LivePerson IDP receives the request, generates a random UUID for the consumer, creates a LivePerson JWT, and sends it back to the consumer via the LivePerson SDK. 4. The consumer establishes a secure websocket to LivePerson UMS. 5. Each message or communication to UMS is sent with LivePerson JWT. 6. UMS verifies LivePerson JWT validity and expiration. 7. If LivePerson JWT is expired or not verified, the socket is terminated. Push Notifications Push notifications are designed to allow an agent to communicate with or respond to consumer inquiries when the consumer is not using the brand application. The process for push notifications is described below. 1. The LivePerson SDK generates a request for a new token (UID) from the Apple Push Notification Service (APN), or the Google Cloud Messaging (GCM) service. 2. The LivePerson SDK registers (userid + APN/GCM token) to LivePerson Pusher. 3. LivePerson Pusher adds a new record for the new consumer token. 4. Any message notification is sent to LivePerson s UMS with an LivePerson JWT. 5. All messages are verified by the LivePerson Gatekeeper. 6. When UMS generates a new message to the consumer, a new notification is generated to LivePerson Pusher. 7. LivePerson Pusher sends the message with APN/GCM token to Brand Proxy (Customer Pusher). 8. Brand Pusher sends a push notification via GCM/APN to the consumer device. 9. LivePerson UMS sends the message to the agent queue, to be reviewed by the brand agent. 7

Agent Login Access to the LiveEngage interface requires authentication. LivePerson provides two options for agent authentication: Standard login SSO Standard Login Agents authenticate using a unique siteid, Username and Password. Brands are responsible for the User Management and Login Policy settings of the account. The default Login Policy requires a minimum password length of 8 characters. Brands may opt to change the password policy, add IP based access lists, and implement additional security settings. SSO Brands may choose to implement and enforce a SAML 2.0 based Single Sign-On. If the SSO feature is enabled, the agents authenticate to the brand authentication platform. Upon successful authentication by the brand, a token (bearer) is securely provided to LiveEngage, and the agent is logged in. 8

This document, materials or presentation, whether offered online or presented in hard copy ("LivePerson Informational Tools") is for informational purposes only. LIVEPERSON, INC. PROVIDES THESE LIVEPERSON INFORMATIONAL TOOLS "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. The LivePerson Informational Tools contain LivePerson proprietary and confidential materials. No part of the LivePerson Informational Tools may be modified, altered, reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), without the prior written permission of LivePerson, Inc., except as otherwise permitted by law. Prior to publication, reasonable effort was made to validate this information. The LivePerson Information Tools may include technical inaccuracies or typographical errors. Actual savings or results achieved may be different from those outlined in the LivePerson Informational Tools. The recipient shall not alter or remove any part of this statement. Trademarks or service marks of LivePerson may not be used in any manner without LivePerson's express written consent. All other company and product names mentioned are used only for identification purposes and may be trademarks or registered trademarks of their respective companies. LivePerson shall not be liable for any direct, indirect, incidental, special, consequential or exemplary damages, including but not limited to, damages for loss of profits, goodwill, use, data or other intangible losses resulting from the use or the inability to use the LivePerson Information Tools, including any information contained herein. 2017 LivePerson, Inc. All rights reserved. 9

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback