Cloud Security White Paper For Clarizen services running on Amazon Web Services
January 2021
Introduction
Enterprises today rely on third-party software and services to handle
business-critical processes and operations. Whether on-premises or in a
hybrid cloud architecture, these solutions must provide a level of security
that protects critical company data while minimizing business risk. This
white paper describes the security controls and best practices deployed by
Clarizen to protect Clarizen services in the cloud.
The Clarizen Cloud is designed, built, maintained, monitored, and regularly
updated with enterprise grade security included by design. Clarizen
leverages Amazon Web Services (AWS), the industry leading cloud platform.
The shared responsibility model is the framework AWS and other cloud
providers use to divide security duties. Under this model, AWS is
responsible for security of the cloud: the physical facilities, hardware,
network and the virtualization layer on which AWS services run. Clarizen is
responsible for security in the cloud: the application, guest operating
systems, data, identity and access management, and operational security
controls, which are implemented, deployed, and monitored by the Clarizen
security and compliance team.
Application Security
Encryption DATA AT REST ENCRYPTION Clarizen encrypts all customer data at rest with the Advanced
Encryption Standard (AES) using 256-bit keys (AES-256). This
ensures that sensitive data stored on AWS cannot be read by any
user or application that does not hold a valid key. Clarizen
applies at-rest encryption to all Amazon EBS (Elastic Block
Store) volumes and Amazon S3 (Simple Storage Service) buckets.
DATA IN TRANSIT All data sent between the user's browser and Clarizen
travels over a TLS connection (a cryptographic protocol that
provides communications security over public networks), which
encrypts all communication between the web server and the
client. The identity of the web server is authenticated by a
certificate issued by an industry-leading certificate authority.
Authentication Users authenticate to Clarizen with a password in one of two
ways: delegated authentication or a local password.
DELEGATED AUTHENTICATION When users authenticate with their Office 365 credentials or
Clarizen One login credentials, passwords are maintained and
stored within the provider. This model of authentication is called
delegated authentication. When delegated authentication is
configured, the customer’s password policy for Office 365 or
Clarizen One is enforced.
LOCAL AUTHENTICATION When users authenticate to Clarizen with a local password,
Clarizen integrates with Okta, a leading identity and access
management platform. Passwords are stored in the Okta cloud as
salted bcrypt hashes computed with a high number of rounds.
Unlike general-purpose hash functions, which are designed for
speed and therefore let an attacker test candidate passwords at
very high rates, bcrypt is deliberately slow and adaptive: its
work factor can be raised, making each hash more expensive to
compute, as computing power increases. The per-password salt
ensures that identical passwords produce different hashes and
that precomputed (rainbow) tables are useless.
Passwords PASSWORD POLICY Clarizen's strong password policy requirements govern the
creation, protection and frequency of password changes. These
requirements serve as a baseline, or minimum recommended,
password requirement. Passwords are transmitted over HTTPS
(HTTP over TLS), which encrypts communication between the web
server and the browser and authenticates the identity of the
web server.
PASSWORD PROTECTION Clarizen takes a multi-level approach to storing all sign-in
credentials. Protection begins with hashing passwords: a one-way
function turns passwords of varied length into fixed-length
digests, and only the digest is stored, never the password
itself. Clarizen also salts customer passwords, adding unique,
random data to every hash input, so that two users with the same
password have different stored hashes and precomputed lookup
tables cannot be used against them.
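The properties described in the two sections above (a unique random salt per password, a tunable work factor so hashing stays slow as hardware improves, and hashes that can be upgraded on the next login) are shown in the following added example. It is not Clarizen or Okta code. Because bcrypt is not in the Python standard library, PBKDF2-HMAC-SHA256 from hashlib is used as a stand-in; the stored format (algorithm, cost, salt, digest) and the upgrade-on-login flow are the same pattern a bcrypt deployment uses.

```python
"""Salted, adaptive password hashing with upgrade-on-login.

Added example, not Clarizen or Okta code. Uses PBKDF2-HMAC-SHA256 (stdlib)
as a stand-in for bcrypt; the stored string records the cost it was made
with so the cost can be raised later and old hashes replaced at next login.
"""
import base64
import hashlib
import hmac
import os

# Current work factor. Raise it over time; hashes made at a lower cost are
# detected by needs_rehash() and replaced when the user next logs in.
CURRENT_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt_b64>$<digest_b64>'."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def _parse(stored: str):
    algo, iters, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format: " + algo)
    return int(iters), base64.b64decode(salt_b64), base64.b64decode(digest_b64)


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    iterations, salt, expected = _parse(stored)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str, target_iterations: int = CURRENT_ITERATIONS) -> bool:
    """True when the hash was made with a lower cost than currently required."""
    iterations, _, _ = _parse(stored)
    return iterations < target_iterations


def login(password: str, stored: str, target_iterations: int = CURRENT_ITERATIONS):
    """Verify the password; if the stored hash is below the current cost,
    return an upgraded hash to write back. Returns (ok, new_hash_or_None)."""
    if not verify_password(password, stored):
        return False, None
    if needs_rehash(stored, target_iterations):
        return True, hash_password(password, target_iterations)
    return True, None


if __name__ == "__main__":
    h1 = hash_password("correct horse battery staple")
    h2 = hash_password("correct horse battery staple")
    print(h1 != h2)  # same password, different salts, different hashes
    print(verify_password("correct horse battery staple", h1))
    old = hash_password("correct horse battery staple", iterations=50_000)
    ok, upgraded = login("correct horse battery staple", old)
    print(ok, upgraded is not None)  # verified, and re-hashed at the current cost
```

The constant-time comparison in verify_password matters because the digest is compared byte by byte; a plain == would leak, through timing, how many leading bytes of a guess were correct.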
Penetration tests EXTERNAL SECURITY AUDITS Clarizen engages external security testers and professional
application auditors on an annual basis as part of its security
testing process. These experts perform penetration tests covering
the Open Web Application Security Project (OWASP) Top Ten
vulnerability classes across multiple attack scenarios, in
conjunction with several internally developed and managed
proprietary attack methodologies and scenarios.
PENETRATION TEST SUMMARY REPORT Penetration test summary reports are provided to customers
upon request. This includes all test findings, along with all
remedial actions taken to address any issues that may have
been identified during the test.
Application content filtering WEB TRAFFIC INSPECTION AND SANITATION To mitigate cross-site scripting (XSS), SQL injection and
similar injection attacks, Clarizen has fully integrated a
proprietary sanitation engine into the platform, which inspects
all incoming traffic to the web server.
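Inbound traffic sanitation is a defence-in-depth layer; the primary controls against the two attack classes named above live in the application code: parameterized queries, so the database never parses user input as SQL, and context-aware output encoding, so the browser never parses user input as HTML. The following added example (not Clarizen's sanitation engine, whose internals the page does not describe) puts the vulnerable pattern beside the hardened one. The users table and the attack payloads are constructed.

```python
"""SQL injection and XSS: the vulnerable pattern next to the hardened one.

Added example, not Clarizen code. The in-memory users table and the
payloads are constructed so the comparison runs offline.
"""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for an application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def find_user_vulnerable(conn, name: str):
    """String-built SQL: the user's input is parsed as part of the query."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name: str):
    """Parameterized query: the input is bound as data, never parsed as SQL."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def render_greeting_vulnerable(name: str) -> str:
    """Reflects input into HTML unescaped: reflected/stored XSS."""
    return "<p>Hello, " + name + "</p>"


def render_greeting_safe(name: str) -> str:
    """HTML-encode for the element-content context before reflecting."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


# Constructed attack inputs.
SQLI_PAYLOAD = "nobody' OR '1'='1"
XSS_PAYLOAD = "<script>alert(document.cookie)</script>"


def demo():
    """Returns (rows leaked by the vulnerable query, rows from the safe query,
    whether the safe renderer still emits a <script> tag)."""
    conn = make_db()
    leaked = find_user_vulnerable(conn, SQLI_PAYLOAD)  # WHERE ... OR '1'='1' matches every row
    safe = find_user_safe(conn, SQLI_PAYLOAD)          # looks for a literal name: no rows
    return len(leaked), len(safe), "<script>" in render_greeting_safe(XSS_PAYLOAD)


if __name__ == "__main__":
    print(demo())  # (2, 0, False)
```

The same payload that dumps the whole table through string-built SQL matches nothing when bound as a parameter, and the escaped greeting reaches the browser as text rather than markup, regardless of whether a filter in front of the web server recognized the payload.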
Copyright © Clarizen. All rights reserved. 4
Infrastructure Security
Network security
DISTRIBUTED DENIAL OF SERVICE [DDoS] PROTECTION Clarizen deploys AWS Shield to leverage DDoS mitigation
techniques. AWS provides enhanced resource-specific
detection and employs advanced mitigation and routing
techniques for sophisticated or larger attacks.
MAN IN THE MIDDLE [MITM] ATTACKS Servers automatically generate new SSH host keys on first boot
and write their fingerprints to the instance console log. Clarizen
retrieves those fingerprints through the AWS API and checks them
against the key presented by the server before logging into an
instance for the first time, so that a man-in-the-middle cannot
substitute its own host key at the first connection.
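The check above, as an added example that is not Clarizen's tooling: on first boot, cloud-init on an EC2 instance prints the host key fingerprints to the console output (readable with `aws ec2 get-console-output`), and the operator compares them with the fingerprint of the key that `ssh-keyscan` actually receives before the first login. Both inputs here are constructed: the key blob is a fabricated ed25519 key, not a real instance's, and the console text is produced by a small model of what cloud-init writes.

```python
"""First-login SSH host key verification against the fingerprint the
instance published at boot.

Added example, not Clarizen code. The key blobs are fabricated and the
console excerpt is generated by a model of cloud-init's output format.
"""
import base64
import hashlib
import re

KEY_TYPE_LABELS = {"ssh-ed25519": "ED25519", "ssh-rsa": "RSA",
                   "ecdsa-sha2-nistp256": "ECDSA"}


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length prefix + bytes."""
    return len(b).to_bytes(4, "big") + b


def ed25519_blob(point: bytes) -> str:
    """Base64 public-key blob as it appears in ssh-keyscan / known_hosts."""
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(point)).decode()


def fingerprint_sha256(b64_key: str) -> str:
    """OpenSSH fingerprint: 'SHA256:' + unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def console_fingerprint_block(keys: dict) -> str:
    """Model of the block cloud-init writes to the console at first boot
    (same layout as `ssh-keygen -lf`); keys maps key type -> base64 blob.
    Bit length is fixed at 256 here because only ed25519 keys are modelled."""
    lines = ["-----BEGIN SSH HOST KEY FINGERPRINTS-----"]
    for key_type, b64 in keys.items():
        lines.append(f"256 {fingerprint_sha256(b64)} root@ip-10-0-1-23 ({KEY_TYPE_LABELS[key_type]})")
    lines.append("-----END SSH HOST KEY FINGERPRINTS-----")
    return "\n".join(lines)


def parse_console_fingerprints(console_text: str) -> dict:
    """Map key-type label ('ED25519') -> published SHA256 fingerprint."""
    m = re.search(r"-----BEGIN SSH HOST KEY FINGERPRINTS-----(.*?)"
                  r"-----END SSH HOST KEY FINGERPRINTS-----", console_text, re.S)
    if not m:
        raise ValueError("no host key fingerprint block in console output")
    found = {}
    for line in m.group(1).strip().splitlines():
        fields = re.match(r"\d+\s+(SHA256:\S+)\s+\S+\s+\((\w+)\)", line.strip())
        if fields:
            found[fields.group(2)] = fields.group(1)
    return found


def host_key_matches(keyscan_line: str, console_text: str) -> bool:
    """True only if the key ssh-keyscan received has the published fingerprint."""
    _host, key_type, b64 = keyscan_line.split()[:3]
    label = KEY_TYPE_LABELS.get(key_type)
    published = parse_console_fingerprints(console_text).get(label)
    return published is not None and published == fingerprint_sha256(b64)


# Constructed data: the key the instance generated at boot, and a different
# key that an attacker sitting in the path would present instead.
GENUINE_KEY = ed25519_blob(bytes(range(32)))
ATTACKER_KEY = ed25519_blob(bytes(32))
CONSOLE_OUTPUT = console_fingerprint_block({"ssh-ed25519": GENUINE_KEY})
GENUINE_KEYSCAN = "203.0.113.10 ssh-ed25519 " + GENUINE_KEY
MITM_KEYSCAN = "203.0.113.10 ssh-ed25519 " + ATTACKER_KEY

if __name__ == "__main__":
    print(host_key_matches(GENUINE_KEYSCAN, CONSOLE_OUTPUT))  # True
    print(host_key_matches(MITM_KEYSCAN, CONSOLE_OUTPUT))     # False
```

Only when the check passes should the key be added to known_hosts; a mismatch at this point is the one moment at which a host key substitution is visible, since afterwards the client will trust whatever was recorded.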
[IP] SPOOFING Servers running on the AWS network cannot send spoofed
network traffic. The AWS controlled, host-based firewall
infrastructure does not permit an instance to send traffic with a
source IP or MAC address other than its own.
PORT SCANNING Unauthorized port scans are a violation of the AWS Acceptable
Use Policy (AUP). Violations of the AUP are taken seriously, and
every reported violation is investigated. When unauthorized port
scanning is detected, it is stopped and blocked. Port scans of
Amazon EC2 instances are ineffective because, by default, a
security group permits no inbound traffic, so all inbound ports on
an Amazon EC2 instance are closed until a rule explicitly opens them.
PACKET SNIFFING It is not possible for a virtual instance running in promiscuous
mode to receive or “sniff” traffic that is intended for a different
virtual instance. Even two virtual instances that are located
on the same physical host cannot listen to each other’s traffic.
Attacks such as ARP cache poisoning do not work within
Amazon EC2.
Access control
NETWORK FIREWALLS Clarizen has deployed Amazon VPC security groups in its cloud
architecture. Security groups act as stateful, instance-level
network firewalls designed to protect the Clarizen instances from
unauthorized east-west (instance-to-instance) and north-south
(Internet-to-instance) traffic. Security groups also control the
inbound traffic to the Clarizen Virtual Private Cloud (VPC).
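A practitioner verifying the north-south claim above would audit the security group ingress rules rather than take them on trust. The following added example (not Clarizen code) does that over the structure returned by boto3's `ec2.describe_security_groups()['SecurityGroups']`; a constructed sample is embedded so it runs offline, and ALLOWED_PUBLIC_PORTS is an assumption that only HTTPS should be reachable from the Internet, with everything else coming from a trusted CIDR or from another security group.

```python
"""Audit security group ingress rules for ports reachable from the Internet.

Added example, not Clarizen code. Input shape is boto3's
describe_security_groups()['SecurityGroups']; SAMPLE_GROUPS is constructed
(swap in the live call's result to audit a real account).
"""

ALLOWED_PUBLIC_PORTS = {443}          # assumption: only HTTPS faces the Internet
WORLD = {"0.0.0.0/0", "::/0"}

# Constructed sample in the describe_security_groups() output shape.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,        # SSH from anywhere
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-0bbb", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,    # from the web tier only
         "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0aaa"}]},
        {"IpProtocol": "-1",                                       # every protocol and port
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
]


def _describe_ports(perm) -> str:
    if perm["IpProtocol"] == "-1":
        return "all"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return str(lo) if lo == hi else f"{lo}-{hi}"


def _exposes_disallowed_port(perm) -> bool:
    """True unless every port in the rule's range is on the public allow-list."""
    if perm["IpProtocol"] not in ("tcp", "udp"):
        return True                               # "-1" (all protocols), icmp, ...
    lo, hi = perm["FromPort"], perm["ToPort"]
    return not all(p in ALLOWED_PUBLIC_PORTS for p in range(lo, hi + 1))


def audit_security_groups(groups):
    """Return findings as (group_id, group_name, severity, message) tuples."""
    findings = []
    for g in groups:
        for perm in g.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            ports = _describe_ports(perm)
            for cidr in cidrs:
                if cidr in WORLD and _exposes_disallowed_port(perm):
                    findings.append((g["GroupId"], g["GroupName"], "HIGH",
                                     f"{perm['IpProtocol']}/{ports} reachable from the Internet ({cidr})"))
                elif perm["IpProtocol"] == "-1":
                    findings.append((g["GroupId"], g["GroupName"], "MEDIUM",
                                     f"all protocols and ports allowed from {cidr}"))
            # Rules whose source is another security group (UserIdGroupPairs)
            # are the intended east-west path and are not flagged here.
    return findings


if __name__ == "__main__":
    for finding in audit_security_groups(SAMPLE_GROUPS):
        print(" ".join(finding))
```

On the sample the audit reports SSH open to the world on the web group and an any-protocol rule on the database group, while HTTPS from the Internet and PostgreSQL from the web tier's security group pass, which is the shape a north-south/east-west policy should have.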
LEAST PRIVILEGE Clarizen deploys identity and access management with a "least
privilege" approach to control and manage the access layer for
the Clarizen cloud infrastructure. Additionally, Clarizen enforces
complex password policies that include minimum length,
alphanumeric character requirements, and a rotation frequency
for user passwords.
TWO-FACTOR [2FA] AUTHENTICATION Clarizen administrative access to the guest-host operating
systems requires the use of two-factor authentication.
Clarizen deploys software-based tokens on all our cloud-
administered devices.
ANTI MALWARE PREVENTION Clarizen deploys OPSWAT MetaDefender for advanced threat
detection and prevention.
All files uploaded to Clarizen are scanned by its multi-engine
scanning technology to ensure files are free from viruses,
malware and other malicious content.
Network architecture
(Network architecture diagram not reproduced in this transcript.)
Vulnerability management VULNERABILITY SCANNING AND PATCH MANAGEMENT Clarizen automatically scans all production cloud assets for vulnerabilities or
deviations from industry practices. Clarizen leverages the Amazon Inspector
service to secure all workloads. Detailed findings are regularly communicated to
the Clarizen management team.
Identified and validated vulnerabilities are prioritized and assigned an
appropriate remediation rating process according to the type of issue, its
impact severity, and exposure. Patches are deployed to the infrastructure after
passing required quality assurance and UAT tests according to a management
approval process.
Continuous security monitoring CLOUD GUARD Clarizen deploys Check Point CloudGuard, to ensure continuous security
monitoring for comprehensive, real-time cloud security and compliance
automation. The Clarizen security team can visualize and assess current
security posture, detect misconfigurations in real time, model and actively
enforce security best practices, and protect against identity theft and data loss
in the cloud.
The following practices are followed to prevent unauthorized access to the Clarizen instance:
(CloudGuard monitoring figure not reproduced in this transcript.)
Operation Security
Operation security DATABASE BACKUP Clarizen leverages Amazon RDS snapshots to automate
the cloud database backup process and validate restore
capabilities. These database snapshots create a storage
volume copy of the cloud database instance and back up the
entire instance—not just individual databases.
DATABASE REPLICATION AND DISASTER RECOVERY Clarizen utilizes multiple Amazon Availability Zones to replicate
our cloud databases and ensure disaster recovery goals are
met. Customer data is stored in the primary database, which
is replicated in real time to a secondary database located in
a separate Availability Zone, i.e. a physically separate facility.
BACKUP RETENTION Backup files of the cloud database are saved according to the
Clarizen backup retention policy which is monitored by the
Clarizen compliance team. Clarizen’s retention policy is set to
30 days.
SERVICE MONITORING Clarizen products are monitored 24/7, using external and
internal probes to monitor service availability and security
issues. These probes are configured to send alerts on a
wide variety of criteria, including security, availability and
performance degradation. The Clarizen system status
site provides real-time information about Clarizen service
availability in a clean and easy-to-read format.
https://status.clarizen.com/
LOG ANALYSIS Clarizen collects servers and application logs to identify
anomalies or any events that are relevant to the security,
availability and performance of the Clarizen platform.
LEAST PRIVILEGE ACCESS POLICY Clarizen requires that all access to its cloud infrastructure,
application, and data be controlled based on business and
operational requirements, following the principles of
segregation of duties and least privilege. The Clarizen Cloud
Administrators are responsible for maintaining the production
environment, including code deployments, and their
administrative access is granted on a least-privilege basis.
Likewise, Clarizen users are limited to the minimum set of
privileges required to perform their jobs.
Personnel security HIRING POLICY Before hiring, Clarizen employees undergo background checks
where permitted by law. The pre-employment evaluation
includes criminal and dishonest behavior indicators.
After hiring, employees and contractors are made aware of their
job responsibilities, Clarizen operational and security policies, as
well as repercussions for failure to adhere to said responsibilities
and policies.
Physical Security
AWS data center security Clarizen has a physical security strategy focused on preserving
the confidentiality, integrity, and availability of our services from
physical threats. The enterprise-grade secure infrastructure
provided by AWS holds a wide range of certifications backed by
various security controls.
SURVEILLANCE & DETECTION Physical access is controlled at building ingress points by
professional security staff utilizing surveillance, detection
systems, and other electronic means. All ingress and egress
points to server rooms are secured with devices that require
everyone to provide multi-factor authentication before being
granted entry or exit. Physical access points to server rooms
are recorded by Closed Circuit Television Camera (CCTV)
and all images are retained according to legal and compliance
requirements.
POWER AWS data center electrical power systems are designed to be
fully redundant and maintainable without impact to operations,
24 hours a day. Data centers are equipped with back-up power
supply to ensure power is available to maintain operations in
the event of an electrical failure for critical and essential loads
in the facility.
CLIMATE AND TEMPERATURE AWS data centers use mechanisms to control climate and
maintain an appropriate operating temperature for servers
and other hardware to prevent overheating and reduce the
possibility of service outages. Personnel and systems monitor
and control temperature and humidity at appropriate levels.
FIRE DETECTION AND SUPPRESSION Data centers are equipped with automatic fire detection
and suppression equipment. Fire detection systems utilize
smoke detection sensors within networking, mechanical,
and infrastructure spaces. These areas are also protected by
suppression systems.
REDUNDANCY Data centers are designed to anticipate and tolerate failure
while maintaining service levels. In case of failure, automated
processes move traffic away from the affected area. Core
applications are deployed to an N+1 standard, so that in the
event of a data center failure, there is sufficient capacity to
enable traffic to be load-balanced to the remaining sites.
Given the importance of access control mechanisms, Clarizen continuously monitors and tests its security system and processes, to ensure they are functioning properly.
AWS - Data center security certifications SOC 2 TYPE II The SOC 2 report is an attestation report that expands
the evaluation of controls to the criteria set forth by the
American Institute of Certified Public Accountants (AICPA)
Trust Services Principles. These principles define leading
practice controls relevant to security, availability, processing
integrity, confidentiality, and privacy applicable to service
organizations. SOC 2 is an evaluation of the design and
operating effectiveness of controls that meet the criteria for the
security and availability principles set forth in the AICPA's Trust
Services Principles criteria.
ISO 27001 ISO 27001 certification for an Information Security Management
System (ISMS) covers infrastructure, data centers, and services.
ISO 27001/27002 is a widely-adopted global security standard
that sets out requirements and best practices for a systematic
approach to managing company and customer information
that is based on periodic risk assessments appropriate to
ever-changing threat scenarios.
FEDRAMP Federal Risk and Authorization Management Program
Compliant Cloud Service Provider. Core infrastructure
component testing includes testing performed by a FedRAMP
accredited Third-Party Assessment Organization (3PAO) and
has been granted two Agency Authority to Operate (ATOs)
by the US Department of Health and Human Services (HHS)
after demonstrating compliance with FedRAMP requirements
at the Moderate impact level. All U.S. government agencies
can leverage the AWS Agency ATO packages stored in the
FedRAMP repository to evaluate AWS for their applications
and workloads, provide authorizations to use AWS, and
transition workloads into the AWS environment. The two
FedRAMP Agency ATOs encompass all U.S. regions (the AWS
GovCloud (US) region and the AWS US East/West regions).
GDPR The European Union's General Data Protection Regulation
(GDPR) protects European Union data subjects' fundamental
right to privacy and the protection of personal data. It
introduces robust requirements that raise and harmonize
standards for data protection, security, and compliance. AWS-
based services comply with GDPR.
In addition to leveraging AWS for physical security at data centers, Clarizen provides security at our offices.