Data Security & Operating Environment

Similar documents
SECURITY & PRIVACY DOCUMENTATION

SECURITY PRACTICES OVERVIEW

AUTOTASK ENDPOINT BACKUP (AEB) SECURITY ARCHITECTURE GUIDE

WHITE PAPER- Managed Services Security Practices

Projectplace: A Secure Project Collaboration Solution

Online Services Security v2.1

QuickBooks Online Security White Paper July 2017

Security and Compliance at Mavenlink

TECHNICAL INFRASTRUCTURE AND SECURITY PANOPTO ONLINE VIDEO PLATFORM

Juniper Vendor Security Requirements

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Specifications for WebDocs On-Demand

IBM Case Manager on Cloud

SAS SOLUTIONS ONDEMAND

1 Data Center Requirements

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

ENDNOTE SECURITY OVERVIEW INCLUDING ENDNOTE DESKTOP AND ONLINE

Solution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites

DHIS2 Hosting Proposal

2018 IT Priorities: Cybersecurity, Cloud Outsourcing & Risk Management. Follow Along

Riverbed Xirrus Cloud Processes and Data Privacy June 19, 2018

Introduction. Deployment Models. IBM Watson on the IBM Cloud Security Overview

Integrated Cloud Environment Security White Paper

enalyzer enalyzer security

Security+ SY0-501 Study Guide Table of Contents

IBM Security Intelligence on Cloud

Watson Developer Cloud Security Overview

Twilio cloud communications SECURITY

Afilias DNSSEC Practice Statement (DPS) Version

University of Pittsburgh Security Assessment Questionnaire (v1.7)

TRACKVIA SECURITY OVERVIEW

Cloud FastPath: Highly Secure Data Transfer

CTS performs nightly backups of the Church360 production databases and retains these backups for one month.

SECURITY DOCUMENT. 550archi

Security Specification

IBM SmartCloud Notes Security

Table of Contents. Page 1 of 6 (Last updated 27 April 2017)

Morningstar ByAllAccounts Service Security & Privacy Overview

Cyber Defense Operations Center

Course overview. CompTIA Security+ Certification (Exam SY0-501) Study Guide (G635eng v107)

Corrigendum 3. Tender Number: 10/ dated

A company built on security

The Common Controls Framework BY ADOBE

SCHEDULE DOCUMENT N4PROTECT DDOS SERVICE PUBLIC NODE4 LIMITED 28/07/2017

OUR CUSTOMER TERMS CLOUD SERVICES - INFRASTRUCTURE

June 2012 First Data PCI RAPID COMPLY SM Solution

Fiscal 2015 Activities Review and Plan for Fiscal 2016

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

Cisco Meraki Privacy and Security Practices. List of Technical and Organizational Measures

emarketeer Information Security Policy

Certified Information Systems Auditor (CISA)

PretaGov Australia SaaS Hosting with Fully Managed Services, Support and Maintenance

Awareness Technologies Systems Security. PHONE: (888)

EC-Council Certified Network Defender (CND) Duration: 5 Days Method: Instructor-Led

BLACKLINE PLATFORM INTEGRITY

Security Guide: For the safety use of Digital Multifunction Printer (Digital MFP) Version 1.1

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

InterCall Virtual Environments and Webcasting

Data Storage, Recovery and Backup Checklists for Public Health Laboratories

Secure Esri Solutions in the AWS Cloud. CJ Moses, AWS Deputy CISO

Information Security at Veritext Protecting Your Data

Layer Security White Paper

The following security and privacy-related audits and certifications are applicable to the Lime Services:

CIS Controls Measures and Metrics for Version 7

WEBSCALE CONVERGED APPLICATION DELIVERY PLATFORM

Ten Security and Reliability Questions to Address Before Implementing ECM

CIS Controls Measures and Metrics for Version 7

Technical Brief SUPPORTPOINT TECHNICAL BRIEF MARCH

RMS(one) Solutions PROGRESSIVE SECURITY FOR MISSION CRITICAL SOLUTIONS

SoftLayer Security and Compliance:

Cyber security tips and self-assessment for business

SECURITY STRATEGY & POLICIES. Understanding How Swift Digital Protects Your Data

Canada Life Cyber Security Statement 2018

Ransomware A case study of the impact, recovery and remediation events

Document Sub Title. Yotpo. Technical Overview 07/18/ Yotpo

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010

ISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045

ISC2. Exam Questions CISSP. Certified Information Systems Security Professional (CISSP) Version:Demo

GDPR Update and ENISA guidelines

Information Security Controls Policy

Trello Business Class

System Security Features

Secure Industrial Automation Remote Access Connectivity. Using ewon and Talk2M Pro solutions

Tips for Passing an Audit or Assessment

Cyber Security Technologies

GDPR: Get Prepared! A Checklist for Implementing a Security and Event Management Tool. Contact. Ashley House, Ashley Road London N17 9LZ

AppPulse Point of Presence (POP)

Security. Bob Shantz Director of Infrastructure & Cloud Services Computer Guidance Corporation. All Rights Reserved.

Data Center Operations Guide

WHITE PAPER. Title. Managed Services for SAS Technology

Understanding IT Audit and Risk Management

No IT Audit Staff? How to Hack an IT Audit. Presenters. Mark Bednarz, Partner-In-Charge, Risk Advisory PKF O Connor Davies, LLP

Epicor ERP Cloud Services Specification Multi-Tenant and Dedicated Tenant Cloud Services (Updated July 31, 2017)

*** THIS DOCUMENT IS CLASSIFIED FOR PUBLIC ACCESS ***

Recommendations for Implementing an Information Security Framework for Life Science Organizations

Cloud Services. Introduction

Feasibility study of scenario based self training material for incident response

Asset Bank - Shared Hosting. Service Description

epldt Web Builder Security March 2017

OPERATIONS CENTER. Keep your client s data safe and business going & growing with SOC continuous protection

Transcription:

Data Security & Operating Environment Version 1.0, Summer 2018 Last updated: June 21, 2018 https://www.kintone.com/contact/

Contents 1. Service Level Objective (SLO)... 1 2. Availability and Reliability... 1 2.1 Operating Hours... 1 2.2 Redundancy... 2 2.3 Fault Management... 2 2.4 Updates... 2 2.5 Support... 2 2.6 Data Deletion... 2 2.7 DLP (Data Loss Prevention) & Disaster Recovery Plan... 2 3. CSIRT... 4 3.1 Internal security management policies... 5 3.2 Human Error Prevention Management Systems... 6 4. Data Encryption... 7 4.1 Data in Transit Encryption... 7 4.2 Data at Rest Encryption... 7 5. Server Security... 7 6. Vulnerability & Penetration Testing... 8 6.1 Collecting Information of Third Party OS and Software Vulnerability... 8 6.2 Detection and Prevention of Any Possible Fault or Failure... 9 7. Product-Based Secure Access Features... 10 7.1 Sub-domain and login page... 10 7.2 Multi-Factor Authentication (MFA)... 11 7.3 Login and Password Policies... 14 7.4 Audit Log... 15 8. Compliance... 15

1. Service Level Objective (SLO) We provide 24/7 monitoring and have set our Service Level Objectives for our infrastructure to provide the most reliable service to our Kintone.com clients. Uptime rate: 99.99% Response time: within 4 seconds Recovery time: within 10 mins Access log storage time: 1 year online Historical Uptime Results Month Uptime May 2018 99.962% Apr 2018 99.979% Mar 2018 99.994% Feb 2018 99.997% Jan 2018 99.997% Dec 2017 99.993% Click here to download the full uptime report. 2. Availability and Reliability 2.1 Operating Hours Our platform operates 24 hours a day, 365 days a year (excluding regular maintenance), with regular backup and redundancy built-in. 2.1.1 Regular maintenance When and if necessary, regular maintenance occurs the second Friday of the month, unless the 1st of the month lands on a Saturday or Sunday in which case it will be conducted on the first Friday. 2.1.2 Occasional maintenance 1

If there s a need for occasional maintenance, at least 1 week advanced notification will be given. 2.2 Redundancy Kintone operates a fully redundant system which includes servers, networks, storage, and data (Hyperlink to 4 DLP (Data Loss Prevention). 2.3 Fault Management Kintone has developed and maintains an extensive Fault Management system, which is comprised of a set of functions that prevent, detect, and correct malfunctions, and initiate recovery automatically within the Kintone cloud platform. 2.4 Updates As a policy, Kintone platform and product updates are propagated across the platform at the same time for all clients. 2.5 Support 2.5.1 Support Hours Standard support hours are Monday through Friday 9 am 5:00 pm PST. More detailed Support SLA can be found here. 2.5.2 Support Contact Support phone number: 415-692-6546 Support e-mail: support@kintone.com 2.6 Data Deletion All data stored within a customer account sub-domain shall be deleted 30 days after the termination of an account. All backup data shall be completely deleted approximately 2 weeks after the initial data deletion. 2.7 DLP (Data Loss Prevention) & Disaster Recovery Plan Square is our backup system designed to protect clients data, and includes the following locations and storage server sets: 2

2 Regions (East and West Japan) 4 storage servers ( 3 storage servers in East Japan and 1 storage server in West Japan) 2.7.1 Hard Disk Redundancy (RAID 6) The Storage Server set has 12 hard disks per server. 10 of the 12 hard disks were implemented with RAID6. RAID6 allows for two disk failures within the RAID set before any data is lost. The 2 additional hard disks are prepared as hot spares. 2.7.2 Mirroring (RAID 1) Customer data is updated to the storage server and the replication storage server simultaneously. This RAID1 mirroring system protects against the loss of data due to storage server failures because of hard disk failure or power supply failure. 2.7.3 14-day Backup Data with Backup Server 3

The East Japan Data Center (EJDC) maintains storage servers, replication storage servers and backup storage servers. The most recent 14-days of data is stored there. Backup data beginning from one day prior to the current day can be restored. Restoration capabilities are tested daily. 2.7.4 2 Regions for Remote Backup BCP The West Japan Data Center (WJDC) has remote backup storage servers in case of any catastrophic event affecting the EJDC. All backup data stored in the backup storage servers in EJDC are automatically backed up to the WJDC. 2.7.5 Data Centers Meet FISC Standards for Most Reliable Data Centers Meet Tier 4 FISC Facility Safety Standards The data centers that house and manage Cybozu.com servers, including Kintone.com, comply with the requirements of the The Center for Financial Industry Information Systems (FISC) Facility Safety Standards, considered one of the strictest compliance agencies in Japan. (Cybozu Inc is Kintone s parent company). The data centers meet Tier 4 specifications, the highest level, for most of the categories in the Data Center Facility Standard regulated by the Japan Data Center Association. 2.7.6 A+ Rating for Secure Network Encryption (SSL/TLS) As detailed below in Section 5, Server Security, Kintone maintains an A+ rating for server security by Qualsys, the leading provider of infrastructure security compliance solutions. 2.7.7 Power Supply and Network Redundancy We provide Power Supply and Network redundancy to help reduce the chance for disasterrelated damage. 2.7.8 Hard Disk Physical Destruction After service, retired hard disks shall be physically destroyed to prevent any possible information leakage from such disks. 3. CSIRT Cy-SIRT (Cybozu Computer Security Incident Response Team) is an in-house expert security group created to prepare against and handle any Security incidents. Cy-SIRT helps create 4

policies to protect against threats and responds rapidly and in real-time to identify, contain, and eradicate threats as they arise. 3.1 Internal security management policies 3.1.1 Only highly access-restricted devices can be connected to the data center 3.1.2 Product environment and testing environment shall be separated 5

3.1.3 Infrastructure operations system shall be operated only by authorized members within a dedicated access control room 3.2 Human Error Prevention Management Systems 3.2.1 Service Updates To prevent Human Error, systems shall be tested and verified several times before updates occur. 3.2.2 Separation of product environment and remote backup environment The Product Environment and Remote Backup Environment shall be separated and prohibited to operate simultaneously. When data is deleted in Product Environment, that data can not be deleted at the same time in the Backup Environment. 3.2.3 Automation 6

Automation is implemented to minimize failure probabilities caused by human error. Kintone.com promotes automation wherever possible instead of manual system operations. For example, the creation of a client sub-domain environments and adding and cancelling services are all automated. 3.2.4 Automatic Logging of Manual Operations Manual operations performed by humans shall be done while following prescriptive manuals. All such manual operation activities however, shall be logged automatically. 3.2.5 Working alone is prohibited In an emergency case, humans operating the system without a manual is permitted. However, even in an emergency case, working alone is prohibited as 2 or more authorized technicians must work together. 4. Data Encryption Kintone encrypts all data both in transit and at rest. Learn more. 4.1 Data in Transit Encryption All data is encrypted as it moves between our servers and your web browser. The Kintone service is offered only with SSL connections, and provides optional IP address connectivity restrictions, 2-Factor Authentication and basic authentication. 4.2 Data at Rest Encryption We also encrypt all data stored on our servers. Our Data at Rest Encryption encrypts all inactive data stored within our servers. Kintone uses a 512 bit key length encryption scheme, the same used in Windows BitLocker and OS X FileVault. 5. Server Security 7

Our Server Security level is confirmed as A+ by Qualsys SSL Labs per below. Source: Qualys SSL labs A+ rating by Qualys SSL Labs for cloud server security We deploy the latest SSL/TLS (1.2 or higher) technology HTTP Strict Transport Security (HSTS) Perfect Forward Secrecy (PFS) SHA-2 certificate 6. Vulnerability & Penetration Testing Kintone has third-party vulnerability testing auditors such as Vulnerability Defense Laboratory perform vulnerability/penetration audits on our platform on a semi-annual or as needed (when any major updates occur) basis. 6.1 Collecting Information of Third Party OS and Software Vulnerability 8

A vulnerability assessment is the process of identifying and quantifying security vulnerabilities in a software environment. A penetration test simulates the actions of an external and/or internal cyber attacker that aims to breach the information security of the organization. Found a security problem? Report it here. 6.2 Detection and Prevention of Any Possible Fault or Failure 6.2.1 An autonomous fault management system Kintone.com has an autonomous decentralized agent system called Tsukuyomi, a prophet in Japanese mythology who can predict future events. Appropriately, this system is designed to prevent, detect, and correct faults or failures and initiate recovery in the Kintone servers. In the Tsukuyomi system, Servers monitor each other to detect faults or failures. After detection, the automatic recovery process instantly replaces the fault server to the spare server. If multiple servers go down, then special recovery plan will be initiated. 6.2.2 DoS, DDoS attack protection and mitigation Denial of Service (DoS) attacks are common attacks wherein a huge volume of traffic (TCP, UDP and ICPM packets) is sent to a specific sub-domain (URL) within a very short time. In such instances, the tenant s sub-domain will be automatically shut down to protect the rest of the tenants in Kintone s multi-tenant system. 9

Network monitoring systems and intrusion detection/prevention systems continuously monitor the Kintone system. 7. Product-Based Secure Access Features 7.1 Sub-domain and login page 7.1.1 Customers have unique sub-domains for their log-ins option IP address restriction / 2-Factor Authentication option Unique login names per account 7.1.2 Login page Images and company name can be changed for destination confirmation used to counter phishing attempts 10

7.2 Multi-Factor Authentication (MFA) 7.2.1 Basic authentication Free Sets up an extra login page before accessing the sub-domain (users enter a shared login name and password) Note: The password should be changed if a user leaves the company 7.2.2 IP address restrictions Free Restricts access from IP addresses that are not listed 11

Can be used together with Basic Authentication and Client Certificate Authentication to provide individual device-based access Secure access setting screen Secure access settings can be reviewed and set in the Security & Authentication admin control panel displayed below. Setting Changes are reflected immediately. 7.2.3 Secure access through client certificates Client certificates can be issued for individual users to install onto their devices in order to gain a unique access gateway through the IP fencing restriction setting. Certificates can be set to expire at set time intervals and re-issued easily. 4 Examples of Security Settings Options with the Kintone.com /Cybozu.com cloud platform 12

13

7.3 Login and Password Policies 7.3.1 Password settings The following is a list of password settings that can be configured when setting up a Kintone account. Password Character length Password Character complexity Password reuse policy Password expiration policy 7.3.2 Logins 7.3.2.1 Account lockout policy Account lockout threshold number of incorrect attempts Account lockout duration length of time the lockout will occur. 7.3.2.2 Automatic login policy Enable/disable auto login Enable auto login duration 14

7.4 Audit Log You can browse and download the audit log of operations such as logins, modifications, file downloads, etc. Custom audit log settings can also be set to initiate notification emails. 8. Compliance Information Security Management System (ISMS) Cybozu Inc s Cybozu.com and Kintone.com cloud infrastructure has achieved ISO 27001 certification of our Information Security Management System (ISMS) covering our infrastructure, data centers, and services. Certification registration Design, construction and maintenance of operational infrastructure of a cloud service developed in-house. Initial ISO 27001 certification registration date was November 10th, 2011 with subsequent audit updates occurring since. 15

ISO 27001 certified registration number IS 577142 Information Security Management System (FISC) As mentioned above, the data centers the Kintone.com cloud is currently operating from comply with The Center for Financial Industry Information Systems (FISC) Facility Safety Standards, considered one of the strictest compliance agencies in Japan. In fact, the data centers meet Tier 4 specifications, the highest level, for most of the categories in the Data Center Facility Standards as regulated by the Japan Data Center Association. 16

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback