Cyber Security Hardening Guide

Similar documents
Security+ SY0-501 Study Guide Table of Contents

Document Sub Title. Yotpo. Technical Overview 07/18/ Yotpo

Security Overview. Technical Whitepaper. Secure by design. End to end security. N-tier Application Architecture. Data encryption. User authentication

Identity & Access Management

PCI DSS Compliance. White Paper Parallels Remote Application Server

Awareness Technologies Systems Security. PHONE: (888)

Managing and Auditing Organizational Migration to the Cloud TELASA SECURITY

The Nasuni Security Model

1. Introduction. 2. Why Mi-Token? Product Overview

QuickBooks Online Security White Paper July 2017

SECURITY AND DATA REDUNDANCY. A White Paper

CYBER SECURITY WHITEPAPER

Information Security Policy

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

Cloud FastPath: Highly Secure Data Transfer

WHITEPAPER. Security overview. podio.com

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

PCI DSS and VNC Connect

The Lighthouse Case Management System

Security and Compliance at Mavenlink

CPM. Quick Start Guide V2.4.0

What can the OnBase Cloud do for you? lbmctech.com

Watson Developer Cloud Security Overview

WEBSCALE CONVERGED APPLICATION DELIVERY PLATFORM

SCALEFAST COMMERCE CLOUD INFRASTRUCTURE

SECURITY PRACTICES OVERVIEW

SECURITY DOCUMENT. 550archi

This paper introduces the security policies, practices, and procedures of Lucidchart.

TB+ 1.5 Billion+ The OnBase Cloud by Hyland 600,000,000+ content stored. pages stored

SECURITY & NETWORK WHITEPAPER

BeBanjo Infrastructure and Security Overview

SignalFx Platform: Security and Compliance MARZENA FULLER. Chief Security Officer

Oracle Hospitality RES 3700 Security Guide Release 5.5 E May 2016

Security White Paper. Midaxo Platform Krutarth Vasavada

Double up on security for Active Directory and cloud app authentication

BEST PRACTICES FOR PERSONAL Security

Paperspace. Security Primer & Architecture Overview. Business Whitepaper. 20 Jay St. Suite 312 Brooklyn, NY 11201

Page 1 of 15. Applicability. Compatibility EACMS PACS. Version 5. Version 3 PCA EAP. ERC NO ERC Low Impact BES. ERC Medium Impact BES

Hackproof Your Cloud Responding to 2016 Threats

The Common Controls Framework BY ADOBE

How NOT To Get Hacked

HOW SNOWFLAKE SETS THE STANDARD WHITEPAPER

Xerox FreeFlow Print Server. Security White Paper. Secure solutions. for you and your customers

Security Fundamentals for your Privileged Account Security Deployment

Security Principles for Stratos. Part no. 667/UE/31701/004

Security and Privacy Overview

Cyber Essentials Questionnaire Guidance

Twilio cloud communications SECURITY

A Security Admin's Survival Guide to the GDPR.

AKAMAI WHITE PAPER. Enterprise Application Access Architecture Overview

Security Policy (EN) v1.3

Layer Security White Paper

Title: Planning AWS Platform Security Assessment?

10 FOCUS AREAS FOR BREACH PREVENTION

INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.1 SUCCESS AKAMAI SOLUTIONS BRIEF INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.

Security Assessment. Prepared For: Prospect Or Customer Prepared By: Your Company Name

Protect Your Application with Secure Coding Practices. Barrie Dempster & Jason Foy JAM306 February 6, 2013

PCI DSS and the VNC SDK

CogniFit Technical Security Details

IBM Secure Proxy. Advanced edge security for your multienterprise. Secure your network at the edge. Highlights

Table of Contents. Page 1 of 6 (Last updated 27 April 2017)

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

Recommendations for Device Provisioning Security

Oracle Payment Interface Token Proxy Service Security Guide Release 6.1 E November 2017

APPLICATION & INFRASTRUCTURE SECURITY CONTROLS

Cyber security tips and self-assessment for business

SECURITY STORY WE NEVER SEE, TOUCH NOR HOLD YOUR DATA

SIEMLESS THREAT DETECTION FOR AWS

Solution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites

HikCentral V.1.1.x for Windows Hardening Guide

InterCall Virtual Environments and Webcasting

Azure Active Directory B2C. Daniel Dickinson Enterprise Mobility Specialist

Google Cloud Platform: Customer Responsibility Matrix. April 2017

CTS performs nightly backups of the Church360 production databases and retains these backups for one month.

IT Security Training MS-500: Microsoft 365 Security Administration. Upcoming Dates. Course Description. Course Outline $2,

AWS Security. Stephen E. Schmidt, Directeur de la Sécurité

TIBCO Cloud Integration Security Overview

VMware vcloud Air SOC 1 Control Matrix

SonicWall Web Application Firewall 2.0. AWS Deployment Guide

Commvault Backup to Cloudian Hyperstore CONFIGURATION GUIDE TO USE HYPERSTORE AS A STORAGE LIBRARY

Streamline IT with Secure Remote Connection and Password Management

PCI DSS Compliance. Verba SOLUTION GUIDE. Introduction. Verba and the Payment Card Industry Data Security Standard

Integrating Password Management with Enterprise Single Sign-On

Oracle Hospitality OPERA Cloud Services Security Guide Release 1.20 E June 2016

Security in Bomgar Remote Support

Aerohive and IntelliGO End-to-End Security for devices on your network

SECURITY ON AWS 8/3/17. AWS Security Standards MORE. By Max Ellsberry

A Security Model for Space Based Communication. Thom Stone Computer Sciences Corporation

Security Overview of the BGI Online Platform

The following chart provides the breakdown of exam as to the weight of each section of the exam.

Best Practices for Cloud Security at Scale. Phil Rodrigues Security Solutions Architect Amazon Web Services, ANZ

Install SimpleRisk as a VirtualBox Appliance

Securing Your Amazon Web Services Virtual Networks

W H IT E P A P E R. Salesforce Security for the IT Executive

Cloud Security Myths Paul Mazzucco, Chief Security Officer

Five Essential Capabilities for Airtight Cloud Security

Security

Completing your AWS Cloud SECURING YOUR AMAZON WEB SERVICES ENVIRONMENT

emarketeer Information Security Policy

AN IPSWITCH WHITEPAPER. The Definitive Guide to Secure FTP

Transcription:

Cyber Security Hardening Guide HOW FEENICS PROTECTS THE DATA AND INTEGRITY OF TRANSACTIONS FEENICS, INC. 301-2310 St. Laurent Blvd., Ottawa, Ontario K1G 5H9 (855) 333-6427 www.feenics.com

Contents The Feenics Philosophy... 2 Roles-based User Rights... 2 No Default Passwords... 2 Security Levels... 3 Password Requirements... 3 Two Factor Authentication (TFA)... 4 Data Encryption... 5 No accessibility to the Database... 5 Audit Logs... 5 Transport Layer Security (TLS)... 6 TLS Enabled Mercury Panels... 6 Mercury s Series 3 Red boards... 6 Communication Ports... 7 Veracode... 7 Stay Up to Date... 8 RESTful API Architecture... 8 1

Keep Secure How Feenics protects the data and security of transactions For those who are new to cloud computing, the term cloud can sometimes bring concerns regarding digital security. What they may not know is that when using the appropriate methods and technology, cloud-based access control solutions are safer than ever before. In addition, cloud solutions bring more cyber security and resiliency than traditional legacy on-premise systems. The Feenics Philosophy Feenics approaches data security and data access in a multi-layered design philosophy. We followed what Microsoft refers to as SD3+C. Secure by Design, Secure by Default, Secure in Deployment and Communications. Keep was designed from the ground up to be a cloud based product and that requirement dictates that software security is paramount. Roles-based User Rights Roles-based user rights provides users to specifics areas of the software or partitions based on login permissions set by the administrator to accomplish the tasks assigned to that user s rights. A user may have different rights in different parts of the enterprise. For example, a user may be able to enroll new card holders for the Ottawa office, but not the Baltimore office or not have access to specific features of the software, such as visitor management or badge creation. No Default Passwords An often-over-looked security vulnerability is default passwords. Many systems contain them and many never get changed. A quick internet search for default passwords under a specific access control product will turn up the factory default, which also means that a perpetrator looking to get into the system will do the same. Keep uses no default usernames and passwords. Each hosted by Feenics system is issued with a unique password. This is really the first step in designing with both human nature in mind and our secure by design philosophy. 2

Security Levels Keep allows administrators to set a Security Level that will dictate how much information is returned to a user attempting to login if that attempt is invalid. Figure 1: Low Security Level Setting For example, in a lower security environment, if the name brain instead of brian, the user gets User name not found as we can see in Figure 1 to the right. At a High Security level, if the user spelled their username incorrectly, they would just receive an Invalid Logon as Feenics would not give a potential hacker any extra information on why they can t access the system. This helps limit phishing attempts and brute force attacks. Figure 2: High Security Level Setting This is the first step in protecting your logon process. Password Requirements Keep allows system administrators to enforce varying degrees of password strength to meet organization requirements. Administrators can also require that system users must change their passwords every so many days. 3

Two Factor Authentication (TFA) Often administrators following best practices in password security require that all system users accessing company IT resources must use so called strong passwords. Strong passwords are typically 8 characters or more and include both alpha-numeric text and special characters. However, they run into the unexpected roadblock of basic human behavior. That system users often feel overwhelmed by the number and length of the passwords they have to remember and how often they must be changed. This leads to system users recycling the same password for different systems or the computer monitor with several yellow Post-It notes stuck to the side, each with a username and password for a system. A frustrated user has now circumvented a best practice and created gaping holes in IT security. Feenics supports two factor authentications. Two Factor Authentication not only provides unrivaled security in the access control space, it can also help to both mitigate and even prevent system users from creating security vulnerabilities. Two Factor authentication helps you get past this be requiring the extra code that is specific to users and devices and is updated every 30 seconds. An authenticator can be attached to the login of any user for an added layer of security. User accounts are linked with the authenticator company of choice which generates a one-time token with an expiration. Users must provide this code upon entering their username and password. Now a perpetrator would need three things to access the system: 1. Your username 2. Your password 3. Your device Note: Keep s two factor authentication follows the IETF RCC 6238 for Time Base One Time Password Algorithm. Many applications such as Google Authenticator, Duo, AWS and LastPass, all support this standard. 4

Data Encryption Feenics protects the transmission of data between the client and the cloud based server using modern TLS 1.2 encryption. This same technology is used to secure credit card information, social security numbers, and login credentials. TLS 1.2 is essentially the next step in the evolution of encryption and has replaced SSL. All data in transit (moving from or to AWS) is protected by TLS 1.2 encryption while data at rest (once the data reaches AWS servers) is protected with server-side encryption (SSE). No accessibility to the Database The is ZERO access to the database. All activity related to the database must pass through Feenics RESTful API. The MongoDB resides on its replica sets behind AWS firewalls in an encrypted state. Audit Logs User activity audit logs are first class citizen with the rest of the event pipeline. Alerts can be generated (email, SMS, mobile, WebHooks) for data modification just as for door access. For example, send the user a text after two successive failed login attempts. 5

Transport Layer Security (TLS) Feenics can encrypt the data being transmitted from the hardware controllers to the cloud using TLS 1.2 encryption on Mercury panels. Many other access control providers offer some sort of panel encryption but it is often very cumbersome to setup. It is often very difficult to setup for the integrator which means it becomes costlier to the customer and we see that human nature again gets in the way. A justification is made that the risk of someone eavesdropping on your hardware communication is low and not worth the cost to implement. Feenics addresses this by using TLS encryption on the Mercury panel which is a simple checkbox for the integrator. Feenics cloud based servers then automatically negotiate that encryption. TLS Enabled Mercury Panels EP2500 EP1501 EP1502 TLS allows for asymmetric sharing of symmetric keys for AES 128 Encryption. It works similarly to SSL except that it uses a By Protocol connection rather than By Port. This means that connections are first initiated to the server by an insecure broadcast and then switch to secured communications once the handshake has been established. TLS 1.2 is the latest and most secure version that is implemented across devices. Using TLS Keep encrypts the transfer of data from the client to the server, as well as the controller to the server. Mercury s Series 3 Red boards Mercury s introduction of the series 3 downstream modules also enhances additional security functionality at the field level with the following: Enhanced Cyber Security capabilities SAM Chip Encrypted storage of data and keys RS485 communications (MSP1) encrypted by default AES256 encryption (LP series controllers in July, 2018) Full OSDP Support (SIA Link) 6

Communication Ports The following outbound ports must be opened to effectively communicate between Keep and its connected devices: 3001 Mercury Controllers to Cloud (Outbound only) 443 Client to Server (Outbound only) Keep only uses outbound ports, meaning that an IT director will never have to open inbound ports on their network. This helps keep customer networks safe. All communications originate from inside the customer firewall. Once the cloud-based server answers, two-way communication is initialized. Veracode Feenics has entered a contractual agreement with Veracode, who is owned by CA Technologies. With each software release, Feenics submits our code to Veracode for both static and dynamic code analysis. Veracode looks for all cyber security vulnerabilities that they can find and produces a report to Feenics detailing all low, medium, and high threats. The goal was to instill confidence that Feenics is doing everything possible to maintain the integrity of Keep while protecting the customer from any outside influences that could cause a breach or cyber-attack to the end user. In April 2018, the API for Keep passed the stringent year-long process of becoming Verified, Veracode s vulnerability compliance assessment. Feenics is now listed on Veracode's, Verified directory. 7

Stay Up to Date Feenics utilizes Amazon Web Services (AWS) as its hosted environment. AWS is the largest datacenter provider in the world. Utilizing AWS adds layers of redundancy and security that most standard users could never afford on their own. The AWS EC2 instances that we use include their own SLAs and guaranties. When Feenics hosts customer systems in AWS, the following are provided: 1. Full backups every 24 hours for point in time recovery. a. Mongo Database replica sets running on a minimum of three redundant servers. 2. Monthly software updates. This could be new features/functionality, patches or fixes. Remember that access to buildings is not impacted by software updates. a. Updates frequently include simple training videos on new features and improvements in the system. 3. Elastic Block Storage data is written to multiple availability zones for redundancy. 4. All operating systems, database, webserver and application patching and updates. 5. Maintain all services that facilitate communications RESTful API Architecture While the user s experience resides at the interface, Keep s engine is built on a RESTful API, or common language for all developers. Keep is 100% open for developers to allow other integrations to interoperate with the platform. There is no direct access to the MongoDB. Everything MUST go through the API. Feenics employs the power of AWS load balancing at the communication servers to meet the demands of the API calls to maintain optimum performance, and auto scaling, to allow expansion for the customer based on growth. Horizontal scaling allows peak transactional moments to occur, without the need to increase hardware requirements of the actual servers (RAM, memory, HDD capacity), or vertical scaling, which is what occurs on traditional on premise configurations. 8

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback