Cloud Security White Paper - For Clarizen services running on Amazon Web Services
Introduction

Enterprises today rely on third-party software and services to handle business-critical processes and operations. Whether on-premises or in a hybrid cloud architecture, these solutions must provide a level of security that protects critical company data while minimizing business risk. This white paper addresses the security controls and best practices deployed by Clarizen to support Clarizen services in the cloud. The Clarizen Cloud is designed, built, maintained, monitored, and regularly updated with enterprise-grade security included by design. Clarizen leverages Amazon Web Services (AWS), the industry-leading cloud platform.

The shared security responsibility model is a framework adopted by cloud providers. Under this model, AWS is exclusively responsible for physical security, while application, infrastructure, and operational security controls are implemented, deployed, and monitored by the Clarizen security and compliance team.
Application Security

Encryption

DATA AT REST ENCRYPTION
Clarizen deploys industry-leading encryption algorithms, Advanced Encryption Standard (AES) 256, to secure all our customer data. This ensures that sensitive data stored on AWS is not readable by any user or application without a valid key. Clarizen deploys data at rest encryption to all elastic blocks, simple storage services and S3 buckets.

DATA IN TRANSIT
Upon sending any data between the user browser and Clarizen, a secure TLS connection (a cryptographic protocol that provides communications security over public computer networks) is established, encrypting all communication between the web server and the client. Additionally, Clarizen secures the identification of the web server via an industry-leading certificate authority.

Passwords

PASSWORD POLICY
Clarizen’s strong password policy requirements govern the creation, protection and frequency of password changes. These requirements serve as a baseline or minimum recommended password requirement. Passwords are transmitted via a hypertext transfer protocol secured (HTTP with TLS) connection that encrypts communication between the web server and browser and secures the identification of the web server.

PASSWORD PROTECTION
Clarizen takes a multi-level approach to storing all sign-in credentials. Protection begins with “hashing” passwords, a common approach for taking passwords of varied lengths and turning them into cryptic, fixed-length phrases for storage. Clarizen also “salts” customer passwords, adding extra data that is unique and random to every hash, to employ an additional level of password protection.

Authentication
Users can authenticate to Clarizen with a password in one of two ways: delegated authentication or local password.
DELEGATED AUTHENTICATION
When users authenticate with their Office 365 credentials or Clarizen One login credentials, passwords are maintained and stored within the provider. This model of authentication is called delegated authentication. When delegated authentication is configured, the customer’s password policy for Office 365 or Clarizen One is enforced.

LOCAL AUTHENTICATION
When users authenticate to Clarizen with a local password, Clarizen integrates with Okta, the leading identity and access management platform. Passwords are stored in the Okta cloud and are hashed with bcrypt, using a salt and a high number of rounds, to protect the passwords. Unlike other hashing algorithms designed for speed and thus susceptible to rainbow table or brute-force attacks, bcrypt is very slow and an adaptive function, meaning its hash function can be made more expensive, and thus slower, as computing power increases.

Penetration tests

EXTERNAL SECURITY AUDITS
Clarizen engages external security testers and professional application auditors on an annual basis as part of its security testing processes. These experts perform penetration tests using the Open Web Application Security Project (OWASP) Top Ten methodology for multiple attack scenarios, in conjunction with several internally developed and managed proprietary attack methodologies and scenarios.

PENETRATION TEST SUMMARY REPORT
Penetration test summary reports are provided to customers upon request. These include all test findings, along with all remedial actions taken to address any issues that may have been identified during the test.

Application content filtering

WEB TRAFFIC INSPECTION AND SANITIZATION
To prevent all forms of cross-site scripting (XSS), SQL injection and other such malicious attacks, Clarizen has fully integrated a proprietary sanitization engine into the platform, which inspects all incoming traffic to the web server.

Copyright © Clarizen. All rights reserved.
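The two properties the password sections above rely on, a unique random salt per stored password and an adaptive work factor that can be raised later without re-collecting passwords, as an added illustration that is not Clarizen's or Okta's code. The standard library's scrypt is used as a stand-in for bcrypt because it also has an exponential cost parameter; the record format, cost values and function names are assumptions for this example.

```python
import hashlib
import hmac
import os

# Stand-in for bcrypt: scrypt from the standard library. Its n parameter is
# 2**cost, so raising cost by one doubles the work, the same "adaptive"
# behaviour the text attributes to bcrypt. Cost values are assumed, not policy.
SALT_BYTES = 16
CURRENT_COST = 12          # log2 of scrypt's n; raise it as hardware gets faster
_R, _P, _DKLEN = 8, 1, 32


def hash_password(password: str, cost: int = CURRENT_COST) -> str:
    """Return a self-describing record: scrypt$<cost>$<salt hex>$<hash hex>.
    A fresh random salt per password means equal passwords give different records,
    which is what defeats precomputed (rainbow) tables."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=1 << cost, r=_R, p=_P, dklen=_DKLEN)
    return f"scrypt${cost}${salt.hex()}${digest.hex()}"


def _parse(record: str):
    algo, cost, salt_hex, digest_hex = record.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported record format")
    return int(cost), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    cost, salt, expected = _parse(record)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=1 << cost, r=_R, p=_P, dklen=len(expected))
    return hmac.compare_digest(digest, expected)


def needs_rehash(record: str, policy_cost: int = CURRENT_COST) -> bool:
    """True when the record was made with a weaker cost than policy now demands."""
    cost, _, _ = _parse(record)
    return cost < policy_cost


def login(password: str, record: str, policy_cost: int = CURRENT_COST):
    """Return (ok, record). On a successful login with an out-of-date record the
    password is re-hashed at the current cost, so the upgrade is transparent."""
    if not verify_password(password, record):
        return False, record
    if needs_rehash(record, policy_cost):
        record = hash_password(password, policy_cost)
    return True, record
```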
Infrastructure Security
Network security

DISTRIBUTED DENIAL OF SERVICE [DDoS] PROTECTION
Clarizen deploys AWS Shield to leverage DDoS mitigation techniques. AWS provides enhanced resource-specific detection and employs advanced mitigation and routing techniques for sophisticated or larger attacks.

MAN IN THE MIDDLE [MITM] ATTACKS
Servers automatically generate new SSH host certificates on first boot and log them into the Clarizen console. Clarizen leverages secure APIs to access the host certificates before logging into an instance for the first time.

[IP] SPOOFING
Servers running on the AWS network cannot send spoofed network traffic. The AWS-controlled, host-based firewall infrastructure does not permit an instance to send traffic with a source IP or MAC address other than its own.

PORT SCANNING
Unauthorized port scans are a violation of the AWS Acceptable Use Policy (AUP). Violations of the AUP are taken seriously, and every reported violation is investigated. When unauthorized port scanning is detected, it is stopped and blocked. Port scans of Amazon EC2 instances are ineffective because, by default, all inbound ports on Amazon EC2 instances are closed.

PACKET SNIFFING
It is not possible for a virtual instance running in promiscuous mode to receive or “sniff” traffic that is intended for a different virtual instance. Even two virtual instances that are located on the same physical host cannot listen to each other’s traffic. Attacks such as ARP cache poisoning do not work within Amazon EC2.

Access control

NETWORK FIREWALLS
Clarizen has deployed Amazon’s Security Groups in its cloud architecture. Security Groups act as network firewalls designed to protect the Clarizen instance from unauthorized east-west and north-south data center traffic. Security Groups also control the inbound traffic to the Clarizen Virtual Private Network.

LEAST PRIVILEGE
Clarizen deploys identity and access management with a “least privilege” approach to control and manage the access layer for the Clarizen cloud infrastructure. Additionally, Clarizen relies on complex password policies being enforced that include minimum length, alphanumeric character requirements, and usage frequency to rotate user passwords.

TWO-FACTOR [2FA] AUTHENTICATION
Clarizen administrative access to the guest-host operating systems requires the use of two-factor authentication. Clarizen deploys software-based tokens on all our cloud-administered devices.

ANTI MALWARE PREVENTION
Clarizen deploys OPSWAT Metadefender to ensure advanced threat detection and prevention. All files uploaded to Clarizen are scanned by multi-engine scanning technology to ensure files are free from viruses, malware and malicious content.
Network architecture

[Network architecture diagram]
The following practices are followed to prevent unauthorized access to the Clarizen instance:

Vulnerability management

VULNERABILITY SCANNING AND PATCH MANAGEMENT
Clarizen automatically scans all production cloud assets for vulnerabilities or deviations from industry practices. Clarizen leverages the Amazon Inspector service to secure all workloads. Detailed findings are regularly communicated to the Clarizen management team. Identified and validated vulnerabilities are prioritized and assigned a remediation rating according to the type of issue, its impact severity, and exposure. Patches are deployed to the infrastructure after passing required quality assurance and UAT tests, according to a management approval process.

Continuous security monitoring

CLOUDGUARD
Clarizen deploys Check Point CloudGuard to ensure continuous security monitoring for comprehensive, real-time cloud security and compliance automation. The Clarizen security team can visualize and assess current security posture, detect misconfigurations in real time, model and actively enforce security best practices, and protect against identity theft and data loss in the cloud.
Operation Security
Operation security

LEAST PRIVILEGE ACCESS POLICY
Clarizen requires that all access to its cloud infrastructure, application, and data be controlled based on business and operational requirements. Following the principles of segregation of duties and least privilege, the Clarizen Cloud Administrators are responsible for maintaining the production environment, including code deployments. Cloud administrative access is based on the concept of least privilege. Clarizen users are limited to the minimum set of privileges required to perform their jobs.

Personnel security

HIRING POLICY
Before hiring, Clarizen employees undergo background checks where permitted by law. The pre-employment evaluation includes criminal and dishonest behavior indicators. After hiring, employees and contractors are made aware of their job responsibilities, Clarizen operational and security policies, as well as repercussions for failure to adhere to said responsibilities and policies.

DATABASE BACKUP
Clarizen leverages Amazon RDS snapshots to automate the cloud database backup process and validate restore capabilities. These database snapshots create a storage volume copy of the cloud database instance and back up the entire instance, not just individual databases.

DATABASE REPLICATION AND DISASTER RECOVERY
Clarizen utilizes Amazon Availability Zones to replicate our cloud databases and ensure disaster recovery goals are met. Customer data is stored in the primary database, which is replicated in real time to the secondary database that is located in a separate physical zone.

BACKUP RETENTION
Backup files of the cloud database are saved according to the Clarizen backup retention policy, which is monitored by the Clarizen compliance team. Clarizen’s retention policy is set to 30 days.

SERVICE MONITORING
Clarizen products are monitored 24/7, using external and internal probes to monitor service availability and security issues. These probes are configured to send alerts on a wide variety of criteria, including security, availability and performance degradation. The Clarizen system status site provides real-time information about Clarizen service availability in a clean and easy-to-read format: https://status.clarizen.com/

LOG ANALYSIS
Clarizen collects server and application logs to identify anomalies or any events that are relevant to the security, availability and performance of the Clarizen platform.
Physical Security
AWS data center security

Clarizen has a physical security strategy focused on preserving the confidentiality, integrity, and availability of our services from physical threats. The enterprise-grade secure infrastructure provided by AWS holds a wide range of certifications backed by various security controls.

SURVEILLANCE & DETECTION
Physical access is controlled at building ingress points by professional security staff utilizing surveillance, detection systems, and other electronic means. All ingress and egress points to server rooms are secured with devices that require everyone to provide multi-factor authentication before being granted entry or exit. Physical access points to server rooms are recorded by Closed Circuit Television Camera (CCTV) and all images are retained according to legal and compliance requirements.

POWER
AWS data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day. Data centers are equipped with back-up power supply to ensure power is available to maintain operations in the event of an electrical failure for critical and essential loads in the facility.

CLIMATE AND TEMPERATURE
AWS data centers use mechanisms to control climate and maintain an appropriate operating temperature for servers and other hardware to prevent overheating and reduce the possibility of service outages. Personnel and systems monitor and control temperature and humidity at appropriate levels.

FIRE DETECTION AND SUPPRESSION
Data centers are equipped with automatic fire detection and suppression equipment. Fire detection systems utilize smoke detection sensors within networking, mechanical, and infrastructure spaces. These areas are also protected by suppression systems.

REDUNDANCY
Data centers are designed to anticipate and tolerate failure while maintaining service levels. In case of failure, automated processes move traffic away from the affected area. Core applications are deployed to an N+1 standard, so that in the event of a data center failure, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites.

Given the importance of access control mechanisms, Clarizen continuously monitors and tests its security system and processes to ensure they are functioning properly.
In addition to leveraging AWS for physical security at data centers, Clarizen provides security at our offices.

AWS - Data center security certifications

SOC II TYPE II
The SOC 2 report is an attestation report that expands the evaluation of controls to the criteria set forth by the American Institute of Certified Public Accountants (AICPA) Trust Services Principles. These principles define leading practice controls relevant to security, availability, processing integrity, confidentiality, and privacy applicable to service organizations. SOC 2 is an evaluation of the design and operating effectiveness of controls that meet the criteria for the security and availability principles set forth in the AICPA’s Trust Services Principles criteria.

ISO 27001
ISO 27001 certification for Information Security Management System (ISMS) covers infrastructure, data centers, and services. ISO 27001/27002 is a widely adopted global security standard that sets out requirements and best practices for a systematic approach to managing company and customer information that is based on periodic risk assessments appropriate to ever-changing threat scenarios.

FEDRAMP
Federal Risk and Authorization Management Program Compliant Cloud Service Provider. Core infrastructure component testing includes testing performed by a FedRAMP-accredited Third-Party Assessment Organization (3PAO), and AWS has been granted two Agency Authority to Operate (ATOs) by the US Department of Health and Human Services (HHS) after demonstrating compliance with FedRAMP requirements at the Moderate impact level. All U.S. government agencies can leverage the AWS Agency ATO packages stored in the FedRAMP repository to evaluate AWS for their applications and workloads, provide authorizations to use AWS, and transition workloads into the AWS environment. The two FedRAMP Agency ATOs encompass all U.S. regions (the AWS GovCloud (US) region and the AWS US East/West regions).

GDPR
The European Union’s General Data Protection Regulation (GDPR) protects European Union data subjects’ fundamental right to privacy and the protection of personal data. It introduces robust requirements that will raise and harmonize standards for data protection, security, and compliance. AWS-based services comply with GDPR.

Copyright © 2021 Clarizen. All rights reserved.