Layer Security White Paper

Similar documents
Twilio cloud communications SECURITY

Google Cloud & the General Data Protection Regulation (GDPR)

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Projectplace: A Secure Project Collaboration Solution

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Watson Developer Cloud Security Overview

SECURITY ON AWS 8/3/17. AWS Security Standards MORE. By Max Ellsberry

AWS continually manages risk and undergoes recurring assessments to ensure compliance with industry standards.

Vendor Security Questionnaire

The Common Controls Framework BY ADOBE

Data Security and Privacy at Handshake

Introduction. Deployment Models. IBM Watson on the IBM Cloud Security Overview

WHITE PAPER- Managed Services Security Practices

QuickBooks Online Security White Paper July 2017

Security Note. BlackBerry Corporate Infrastructure

Cloud FastPath: Highly Secure Data Transfer

Juniper Vendor Security Requirements

A company built on security

Data Security and Privacy Principles IBM Cloud Services

SECURITY & PRIVACY DOCUMENTATION

TRACKVIA SECURITY OVERVIEW

Crises Control Cloud Security Principles. Transputec provides ICT Services and Solutions to leading organisations around the globe.

Security Architecture

Automate sharing. Empower users. Retain control. Utilizes our purposebuilt cloud, not public shared clouds

SoftLayer Security and Compliance:

FormFire Application and IT Security

APPLICATION & INFRASTRUCTURE SECURITY CONTROLS

Checklist: Credit Union Information Security and Privacy Policies

WHITE PAPER Cloud FastPath: A Highly Secure Data Transfer Solution

Oracle Data Cloud ( ODC ) Inbound Security Policies

Keys to a more secure data environment

Security Information & Policies

Security and Compliance at Mavenlink

Awareness Technologies Systems Security. PHONE: (888)

Security+ SY0-501 Study Guide Table of Contents

ADIENT VENDOR SECURITY STANDARD

AUTOTASK ENDPOINT BACKUP (AEB) SECURITY ARCHITECTURE GUIDE

Solution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites

WORKSHARE SECURITY OVERVIEW

Security & Privacy Guide

RADIAN6 SECURITY, PRIVACY, AND ARCHITECTURE

CTS performs nightly backups of the Church360 production databases and retains these backups for one month.

HOW SNOWFLAKE SETS THE STANDARD WHITEPAPER

WHITEPAPER. Security overview. podio.com

Completing your AWS Cloud SECURING YOUR AMAZON WEB SERVICES ENVIRONMENT

ENDNOTE SECURITY OVERVIEW INCLUDING ENDNOTE DESKTOP AND ONLINE

AWS Webinar. Navigating GDPR Compliance on AWS. Christian Hesse Amazon Web Services

Information Security Policy

What can the OnBase Cloud do for you? lbmctech.com

TB+ 1.5 Billion+ The OnBase Cloud by Hyland 600,000,000+ content stored. pages stored

SECURITY PRACTICES OVERVIEW

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

01.0 Policy Responsibilities and Oversight

Standard CIP Cyber Security Critical Cyber Asset Identification

Introduction to AWS GoldBase

Section 3.9 PCI DSS Information Security Policy Issued: November 2017 Replaces: June 2016

HIPAA / HITECH Overview of Capabilities and Protected Health Information

Standard CIP Cyber Security Critical Cyber Asset Identification

EU General Data Protection Regulation (GDPR) Achieving compliance

HIPAA Security and Privacy Policies & Procedures

NYDFS Cybersecurity Regulations

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

Verasys Enterprise Security and IT Guide

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

Protecting your data. EY s approach to data privacy and information security

Information Security at Veritext Protecting Your Data

Cloud Security Whitepaper

InterCall Virtual Environments and Webcasting

Information Security Controls Policy

AWS Security. Stephen E. Schmidt, Directeur de la Sécurité

Education Network Security

Google Cloud Platform: Customer Responsibility Matrix. December 2018

RAPID7 INFORMATION SECURITY. An Overview of Rapid7 s Internal Security Practices and Procedures

SOLUTIONS BRIEF GOGO AIRBORNE SECURITY SUMMARY 2017 Q3 RELEASE

Cloud Computing. Faculty of Information Systems. Duc.NHM. nhmduc.wordpress.com

Controlled Document Page 1 of 6. Effective Date: 6/19/13. Approved by: CAB/F. Approved on: 6/19/13. Version Supersedes:

Title: Planning AWS Platform Security Assessment?

HITRUST ON THE CLOUD. Navigating Healthcare Compliance

Secure Esri Solutions in the AWS Cloud. CJ Moses, AWS Deputy CISO

Online Services Security v2.1

Daxko s PCI DSS Responsibilities

Security Policies and Procedures Principles and Practices

BEYOND CJIS: ENHANCED SECURITY, NOT JUST COMPLIANCE

Putting It All Together:

The Nasuni Security Model

WHITE PAPER. Title. Managed Services for SAS Technology

HIPAA Regulatory Compliance

Security Principles for Stratos. Part no. 667/UE/31701/004

Security Specification

Village Software. Security Assessment Report

Cloud Computing Standard 1.1 INTRODUCTION 2.1 PURPOSE. Effective Date: July 28, 2015

Google Cloud Platform: Customer Responsibility Matrix. April 2017

The following security and privacy-related audits and certifications are applicable to the Lime Services:

Riverbed Xirrus Cloud Processes and Data Privacy June 19, 2018

This paper introduces the security policies, practices, and procedures of Lucidchart.

Canada Life Cyber Security Statement 2018

INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.1 SUCCESS AKAMAI SOLUTIONS BRIEF INCREASE APPLICATION SECURITY FOR PCI DSS VERSION 3.

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

AUTHORITY FOR ELECTRICITY REGULATION

Transcription:

Layer Security White Paper

Content PEOPLE SECURITY PRODUCT SECURITY CLOUD & NETWORK INFRASTRUCTURE SECURITY RISK MANAGEMENT PHYSICAL SECURITY BUSINESS CONTINUITY & DISASTER RECOVERY VENDOR SECURITY SECURITY COMPLIANCE SUMMARY 4 4 6 7 7 8 8 9 9

Layer Security White Paper Layer is a trusted provider of conversation infrastructure for thousands of companies from the Fortune 500 to garage start-ups. These conversations drive sales, power customer support, and facilitate intimate connections between users. Regardless if the conversation contains personally identifiable information, transaction details, trade secrets or private messages, millions of people rely on Layer to reliably deliver and safeguard their information. This trust is sacred and underlies all that we do. To honor and protect it, all Layer personnel, software and infrastructure must adhere to the latest security best practices and comply fully with corporate policies. This document details Layer s security policies and processes. It is intended to provide transparency into the product and organizational architecture that supports Layer s position as the trusted platform that powers the conversation economy.

People Security Layer has created a vibrant security culture for all employees. The influence of this culture is felt across the hiring process, employee onboarding and ongoing training. Here are some of the processes that Layer has put in place to bring in the right people and keep them up to date on security practices: Background Checks Before a candidate joins the Layer staff, they must pass a stringent background check by a specialized third-party. These checks include verification of education, previous employment history and external reference checks. Where local labor law or statutory regulations permit, Layer may also conduct criminal, credit, immigration, and security checks. The extent of these background checks is dependent on the desired position. Security Training All new Layer employees attend a Security 101 training during the onboarding process. In addition, all Layer employees must take the Layer Security and Privacy training once a year, which covers the Information Security Policies, security best practices, and privacy principles. Depending on the job role, additional training on specific aspects of security may be required. For example, engineers are trained on security related topics such as cryptography, attack patterns and secure coding practices. Continuous Education The Layer security team provides continuous communication of emerging threats, advises employees of phishing campaigns and gives presentations on information security regularly to the company. Product Security The Layer product and engineering teams are dedicated to delivering robust, performant solutions that are second to none when it comes to security. To get there, we adhere to the following principles when designing and building our products:

Secure by Design Layer engineers believe in a holistic, architectural approach to security and defense in depth techniques for redundancy of controls. This approach includes: Security sections in the product and engineering specifications that precede implementation. Internal security reviews ahead of product launches. Regular third-party penetration testing. On-going traffic and infrastructure forensics scanning and introspection. Automated test suites focused on security. Development tooling and environments that are secure by default and design. Training materials for engineers covering topics such as cryptography and secure coding. Utilization of safe, managed programming languages whenever possible to guard against buffer overruns. Federated Authentication Layer utilizes a federated authentication model that delegates authentication to the customer application through cryptographic trust. This mechanism prevents user credentials from ever traversing the Layer infrastructure and enables opaque or fully anonymous conversations. Internal PKI Infrastructure Layer maintains an internal PKI infrastructure and issues certificates to all hosts and services, providing bi-directional TLS with authentication and encryption. Mobile SDK clients are issued device specific certificates and utilize public key pinning to mitigate man in the middle attacks. Encryption in Motion All data in motion between Layer clients, customer applications and across Layer services in encrypted with TLS 1.2. All networks are considered potentially hostile even behind the firewall Encryption at Rest All data persisted is encrypted at rest in the storage tier with AES-256. Penetration Testing Layer regularly performs penetration testing through third-party vendors.

Account Security Layer secures account credentials using industry best practice methods to salt and repeatedly hash passwords before persistence. Users can add an additional layer of security to their account by enabling two-factor authentication (2FA) for the Layer dashboard. Organizations can mandate that 2FA be enabled for all members, further enhancing security. Role Based Access Control The Layer dashboard enables organizations to configure specific roles for their members, ensuring that only the right level of access is available to each person. Cloud & Network Infrastructure Security Security of the Layer infrastructure and networks is foundational to delivering on the trust our customers have in us. This foundation is maintained by adhering to best in class security practices when provisioning, accessing and maintaining our cloud infrastructure and networks. These practices include: Asset Management All cloud assets have a defined owner, security classification and purpose. Principle of Least Privilege All personnel, services and processes are granted the minimal set of privileges necessary to fulfill their function. Access to production hosts is gated by a firewall and cloud load balancer which only permits traffic to port 443 (HTTPS, HTTP/2 & WebSocket). Services are deployed as containers on cloud nodes which restrict ingress and egress traffic to the minimal set of ports necessary for the service to function. Defense in Depth The Layer production environment is hosted in a logically isolated Virtual Private Cloud (VPC) environment. Production and non-production networks are fully segregated. Access to production hosts requires operations personnel to connect to a VPN with a TLS certificate encrypted with a passphrase, login to a bastion host with a personal account, SSH to the target host using private key authentication via key-forwarding and then utilize container management tools to access the services. Trusted Logging & Audits Access to Layer production hosts, changes to services and network configurations are logged to an external environment with access restricted to security team personnel. This external environment provides a trusted environment for auditing and forensic analysis in the event of a breach or security incident.

Risk Management Maintaining the security and resiliency of Layer services is the top priority of our security and infrastructure engineering teams. Even a perfectly secure service implementation is still exposed to the realities of life on the Internet. As such, it important to build on the foundation of secure engineering by proactively assessing, detecting and mitigating risks to our security and operations. To do so we utilize the following techniques: Risk Assessment & Mitigation Layer maintains detailed risk assessment and mitigation policies that are regularly reviewed and updated. Continuous Monitoring Layer utilizes continuous monitoring techniques including vulnerability scanning, statistical anomaly detection, signature based file modification detection, log analysis and deployment of an Intrusion Detection System (IDS). Incident Response Program Layer maintains a formalized incident response program. The incident response policy defines how security vulnerabilities and incidents are triaged, classified, reported, remediated and mitigated. Log Retention Layer retains operational logs for 90 days and security logs for 180 days. Access to the security logs is restricted to security personnel. Distributed Denial of Service (DDOS) Defense Layer utilizes third party technologies and platforms to detect, mitigate and prevent DDoS attacks. Physical Security Although Layer does not maintain any physical computing resources or data centers, we are committed to securing our facilities. Datacenter Security Layer leverages Google Cloud Platform (GCP), Amazon Web Services (AWS) and Microsoft Azure for production systems and customer data. GCP, AWS and Azure all follow industry best practices and comply with an impressive array of security standards.

Office Security Layer has a security program that manages visitors and overall office security. All employees, contractors and visitors are required to wear identification badges which distinguish their respective role. Business Continuity & Disaster Recovery Layer maintains policies and programs for ensuring continuity of business and swift recovery in the face of disaster. Emergency Planning & Testing The Layer security policies include formal Business Continuity and Disaster Recovery plans that are regularly reviewed and updated. These policies detail how an emergency is declared, recovery is performed and recovery time objectives. The disaster recovery process is tested bi-annually. High Availability Core production Layer services are deployed in high availability configurations within Google Cloud Platform in the US Central zone. Ancillary services are run across AWS and Azure. Globally distributed multi-region, multi-cloud deployments are scheduled for delivery in the second half of 2017. Data Backups Layer backs up all customer conversation information into Google Cloud Storage (GCS) snapshots. All backups are encrypted in motion and at rest. Backups are redundantly storage across multiple availability zones and are encrypted. Vendor Security From time to time Layer will utilize third-party vendors to provide design, development or other services. Maintaining our robust security standards while leveraging external talent requires processes such as: Vetting Process All third party vendors are assessed by the Layer security team to ensure that they comply with our stringent security requirements. Relationship Audits Once a third-party relationship has been established, Layer periodically reviews the relationship to ensure ongoing compliance from a security and business continuity perspective.

Offboarding Once a vendor relationship is terminated Layer ensures that all access is appropriately revoked and data returned or destroyed. Security Compliance Layer is dedicated to ensuring compliance with internal security policies, industry best practices and all relevant regulatory requirements: Cloud Infrastructure Provider The Layer conversation platform is hosted in Google Cloud Platform (GCS) data centers. GCS is compliant with a wide array of security frameworks and standards including SSAE16, SOC framework, ISO 27001, ISO 27017, ISO 27018 and PCI DSS v3.2. HIPAA Compliance Layer is compliant with the controls outlined in the HIPAA framework and has undergone third-party gap analysis, remediation and verification to ensure compliant handling of personal health information (PHI). Layer acts as a HIPAA business associate (BA) and executes business associate agreements (BAA) with covered entities in the healthcare space. EU U.S. Privacy Shield Framework Layer is self-certified under Privacy Shield as a part of our commitment to comply with EU data protection requirements when transferring personal data from the European Union to the United States. Summary The Layer digital conversation platform enables businesses, brands and developers to deliver engaging messaging experiences into their products and applications. Underlying everything we do at Layer is a foundation of trust in our product, people and business practices. There can be no trust without security, so we must be vigilant and protect the infrastructure and service components underlying our product. For further information about Layer security policies and procedures please reach out to the Layer security team via email at security@layer.com.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback