Layer Security White Paper
Content

- People Security
- Product Security
- Cloud & Network Infrastructure Security
- Risk Management
- Physical Security
- Business Continuity & Disaster Recovery
- Vendor Security
- Security Compliance
- Summary

Layer is a trusted provider of conversation infrastructure for thousands of companies, from the Fortune 500 to garage start-ups. These conversations drive sales, power customer support, and facilitate intimate connections between users. Regardless of whether the conversation contains personally identifiable information, transaction details, trade secrets or private messages, millions of people rely on Layer to reliably deliver and safeguard their information. This trust is sacred and underlies all that we do. To honor and protect it, all Layer personnel, software and infrastructure must adhere to the latest security best practices and comply fully with corporate policies.

This document details Layer's security policies and processes. It is intended to provide transparency into the product and organizational architecture that supports Layer's position as the trusted platform that powers the conversation economy.

People Security

Layer has created a vibrant security culture for all employees. The influence of this culture is felt across the hiring process, employee onboarding and ongoing training. Here are some of the processes that Layer has put in place to bring in the right people and keep them up to date on security practices:

Background Checks

Before a candidate joins the Layer staff, they must pass a stringent background check by a specialized third party. These checks include verification of education, previous employment history and external reference checks. Where local labor law or statutory regulations permit, Layer may also conduct criminal, credit, immigration, and security checks. The extent of these background checks is dependent on the desired position.

Security Training

All new Layer employees attend a Security 101 training during the onboarding process. In addition, all Layer employees must take the Layer Security and Privacy training once a year, which covers the Information Security Policies, security best practices, and privacy principles. Depending on the job role, additional training on specific aspects of security may be required. For example, engineers are trained on security-related topics such as cryptography, attack patterns and secure coding practices.

Continuous Education

The Layer security team provides continuous communication of emerging threats, advises employees of phishing campaigns and gives presentations on information security regularly to the company.

Product Security

The Layer product and engineering teams are dedicated to delivering robust, performant solutions that are second to none when it comes to security. To get there, we adhere to the following principles when designing and building our products:

Secure by Design

Layer engineers believe in a holistic, architectural approach to security and defense-in-depth techniques for redundancy of controls. This approach includes:

- Security sections in the product and engineering specifications that precede implementation.
- Internal security reviews ahead of product launches.
- Regular third-party penetration testing.
- Ongoing traffic and infrastructure forensics scanning and introspection.
- Automated test suites focused on security.
- Development tooling and environments that are secure by default and design.
- Training materials for engineers covering topics such as cryptography and secure coding.
- Utilization of safe, managed programming languages whenever possible to guard against buffer overruns.

Federated Authentication

Layer utilizes a federated authentication model that delegates authentication to the customer application through cryptographic trust. This mechanism prevents user credentials from ever traversing the Layer infrastructure and enables opaque or fully anonymous conversations.

Internal PKI Infrastructure

Layer maintains an internal PKI infrastructure and issues certificates to all hosts and services, providing bi-directional TLS with authentication and encryption. Mobile SDK clients are issued device-specific certificates and utilize public key pinning to mitigate man-in-the-middle attacks.

Encryption in Motion

All data in motion between Layer clients, customer applications and across Layer services is encrypted with TLS 1.2. All networks are considered potentially hostile, even behind the firewall.

Encryption at Rest

All data persisted is encrypted at rest in the storage tier with AES-256.

Penetration Testing

Layer regularly performs penetration testing through third-party vendors.

Account Security

Layer secures account credentials using industry best practice methods to salt and repeatedly hash passwords before persistence. Users can add an additional layer of security to their account by enabling two-factor authentication (2FA) for the Layer dashboard. Organizations can mandate that 2FA be enabled for all members, further enhancing security.

Role Based Access Control

The Layer dashboard enables organizations to configure specific roles for their members, ensuring that only the right level of access is available to each person.

Cloud & Network Infrastructure Security

Security of the Layer infrastructure and networks is foundational to delivering on the trust our customers have in us. This foundation is maintained by adhering to best-in-class security practices when provisioning, accessing and maintaining our cloud infrastructure and networks. These practices include:

Asset Management

All cloud assets have a defined owner, security classification and purpose.

Principle of Least Privilege

All personnel, services and processes are granted the minimal set of privileges necessary to fulfill their function. Access to production hosts is gated by a firewall and cloud load balancer which only permits traffic to port 443 (HTTPS, HTTP/2 & WebSocket). Services are deployed as containers on cloud nodes which restrict ingress and egress traffic to the minimal set of ports necessary for the service to function.

Defense in Depth

The Layer production environment is hosted in a logically isolated Virtual Private Cloud (VPC) environment. Production and non-production networks are fully segregated. Access to production hosts requires operations personnel to connect to a VPN with a TLS certificate encrypted with a passphrase, log in to a bastion host with a personal account, SSH to the target host using private key authentication via key-forwarding and then utilize container management tools to access the services.

Trusted Logging & Audits

Access to Layer production hosts, changes to services and network configurations are logged to an external environment with access restricted to security team personnel. This external environment provides a trusted environment for auditing and forensic analysis in the event of a breach or security incident.

Risk Management

Maintaining the security and resiliency of Layer services is the top priority of our security and infrastructure engineering teams. Even a perfectly secure service implementation is still exposed to the realities of life on the Internet. As such, it is important to build on the foundation of secure engineering by proactively assessing, detecting and mitigating risks to our security and operations. To do so we utilize the following techniques:

Risk Assessment & Mitigation

Layer maintains detailed risk assessment and mitigation policies that are regularly reviewed and updated.

Continuous Monitoring

Layer utilizes continuous monitoring techniques including vulnerability scanning, statistical anomaly detection, signature-based file modification detection, log analysis and deployment of an Intrusion Detection System (IDS).

Incident Response Program

Layer maintains a formalized incident response program. The incident response policy defines how security vulnerabilities and incidents are triaged, classified, reported, remediated and mitigated.

Log Retention

Layer retains operational logs for 90 days and security logs for 180 days. Access to the security logs is restricted to security personnel.

Distributed Denial of Service (DDoS) Defense

Layer utilizes third-party technologies and platforms to detect, mitigate and prevent DDoS attacks.

Physical Security

Although Layer does not maintain any physical computing resources or data centers, we are committed to securing our facilities.

Datacenter Security

Layer leverages Google Cloud Platform (GCP), Amazon Web Services (AWS) and Microsoft Azure for production systems and customer data. GCP, AWS and Azure all follow industry best practices and comply with an impressive array of security standards.

Office Security

Layer has a security program that manages visitors and overall office security. All employees, contractors and visitors are required to wear identification badges which distinguish their respective role.

Business Continuity & Disaster Recovery

Layer maintains policies and programs for ensuring continuity of business and swift recovery in the face of disaster.

Emergency Planning & Testing

The Layer security policies include formal Business Continuity and Disaster Recovery plans that are regularly reviewed and updated. These policies detail how an emergency is declared, recovery is performed and recovery time objectives. The disaster recovery process is tested bi-annually.

High Availability

Core production Layer services are deployed in high availability configurations within Google Cloud Platform in the US Central zone. Ancillary services are run across AWS and Azure. Globally distributed multi-region, multi-cloud deployments are scheduled for delivery in the second half of 2017.

Data Backups

Layer backs up all customer conversation information into Google Cloud Storage (GCS) snapshots. All backups are encrypted in motion and at rest. Backups are redundantly stored across multiple availability zones and are encrypted.

Vendor Security

From time to time Layer will utilize third-party vendors to provide design, development or other services. Maintaining our robust security standards while leveraging external talent requires processes such as:

Vetting Process

All third-party vendors are assessed by the Layer security team to ensure that they comply with our stringent security requirements.

Relationship Audits

Once a third-party relationship has been established, Layer periodically reviews the relationship to ensure ongoing compliance from a security and business continuity perspective.

Offboarding

Once a vendor relationship is terminated, Layer ensures that all access is appropriately revoked and data returned or destroyed.

Security Compliance

Layer is dedicated to ensuring compliance with internal security policies, industry best practices and all relevant regulatory requirements:

Cloud Infrastructure Provider

The Layer conversation platform is hosted in Google Cloud Platform (GCP) data centers. GCP is compliant with a wide array of security frameworks and standards including SSAE16, SOC framework, ISO 27001, ISO 27017, ISO 27018 and PCI DSS v3.2.

HIPAA Compliance

Layer is compliant with the controls outlined in the HIPAA framework and has undergone third-party gap analysis, remediation and verification to ensure compliant handling of personal health information (PHI). Layer acts as a HIPAA business associate (BA) and executes business associate agreements (BAA) with covered entities in the healthcare space.

EU-U.S. Privacy Shield Framework

Layer is self-certified under Privacy Shield as a part of our commitment to comply with EU data protection requirements when transferring personal data from the European Union to the United States.

Summary

The Layer digital conversation platform enables businesses, brands and developers to deliver engaging messaging experiences into their products and applications. Underlying everything we do at Layer is a foundation of trust in our product, people and business practices. There can be no trust without security, so we must be vigilant and protect the infrastructure and service components underlying our product.

For further information about Layer security policies and procedures please reach out to the Layer security team via email at security@layer.com.