
Huddle: Secure by Design

Information Security Overview

Version: 10.2 (Nov 2017)

THIS DOCUMENT AND THE INFORMATION IN IT ARE PROVIDED IN CONFIDENCE, AND MAY NOT BE DISCLOSED TO ANY THIRD PARTY OR USED FOR ANY OTHER PURPOSE WITHOUT THE EXPRESS WRITTEN PERMISSION OF HUDDLE. © Huddle Nov 2017

Huddle: Information Security Overview

Contents

1 Introduction

2 Security principles

3 Huddle in government

4 Huddle’s hosting partners

5 Certifications, standards & accreditations

6 Technical engineering

7 Application security


1. Introduction

To be a trusted cloud provider, Huddle understands today’s organizations require an exceptionally high standard of security management without compromising ease of use or functionality. Enterprises and governments require their content to be stored securely and be made available to their employees and partners across multiple devices and geographies in the knowledge that what they’ve entrusted to Huddle remains available, secure and intact. That’s why maintaining the highest level of confidentiality, integrity and availability of our customers’ content is one of the guiding principles of Information Security at Huddle.

Huddle’s services are audited by accredited third party organizations to ensure we meet industry standards. Additionally, our approach to ISO 27001 certification is designed to be as holistic as possible, allowing us to introduce a foundation of best practice from which Huddle’s certification and compliance strategy can be built. ITIL v3 and COBIT5 best practices coupled with ISO 27002:2013 requirements have created a base which is sufficiently flexible to allow the adoption of other certifications, best practices and regulatory and compliance standards e.g. Huddle’s accredited compliance to FedRAMP (a standardized approach to Information Security in U.S. Government).

Huddle invests significantly in Information Security strategies and has a security team focused on information security, compliance and risk management to advise the company board, management, employees and clients.

Information Security is driven by the board through the management hierarchy, and within Huddle through a security program that ensures knowledge and best practice is spread across all departments of the business. Effective information security is about continual improvement to already established and accepted practices from across the information security ecosystem. Benchmarking against ITIL, COBIT and other frameworks provides the ability to properly maintain and improve processes, policies and audit functions to ensure Huddle’s Information Security is at the forefront of best practice.

All of Huddle’s products are protected by various proprietary, open source, and internally authored solutions. Countermeasures are in place to protect customers against ever-changing threats and risks, including (but not limited to): Man in the Middle, malware, session hijacking, Cross-Site Scripting (XSS), Cross-Site Request Forgery (XSRF), SQL Injection and Denial of Service (DoS).

Since 2006, Huddle has provided cloud collaboration solutions to global enterprises, governments and public sector organizations.


2. Security principles

CLOUD SECURITY PRINCIPLE / WHAT HUDDLE DOES

DATA IN TRANSIT PROTECTION

Huddle protects all data in transit with the TLS 1.2 protocol which utilizes strong ciphers capable of up to 256 bits.

ASSET PROTECTION AND RESILIENCE

Huddle has partnered with some of the industry’s leading infrastructure providers who have adopted AT101, SSAE16, and industry practices for the physical protection of information processing assets. Customers’ file content can be protected by 256-bit AES data at rest encryption. ISO 27001:2013 certified policies and processes ensure that all endeavors to protect information assets have been verified and audited by an external independent third party.

SEPARATION BETWEEN USERS

Huddle’s services are multi-tenanted and follow stringent industry practices and business logic. This ensures that no unintended information disclosure is permitted between Huddle users. The confidentiality, privacy and ownership of information is maintained at all times. Access must be explicitly granted by the customer.

GOVERNANCE FRAMEWORK

Huddle’s global Information Security Management System (ISMS), which incorporates the protection of information security assets, is third party verified by BSI for adherence to the ISO 27001:2013 standard. Huddle’s U.S. instance is FedRAMP approved and audited by Coalfire Controls LLC.

OPERATIONAL SECURITY

Huddle’s global services are monitored and managed via continuous improvement methodologies that allow for the review of current security policies and procedures. Huddle reviews its Information Security through the Plan, Do, Check, Act cycle.

PERSONNEL SECURITY

All Huddle employees are screened prior to employment with the following checks:

• Six year address history

• Right to work in UK or U.S.

• Three years employment history

• Education Verification

• Criminal (federal, state, county), unspent convictions, DMV (motor vehicles) and SSN matching

Huddle employees with authorized access to production and test environments are screened prior to access being granted. These employees undertake Disclosure Scotland, which is equivalent to BS 7858, where a more in depth check is undertaken for providing criminal records disclosure.

SECURE DEVELOPMENT

Huddle’s services are developed with stringent OWASP derived industry standard practices. Huddle’s product has Information Security built into the heart of the Software Development Lifecycle (SDLC) policy and process.

SUPPLY CHAIN SECURITY

All of Huddle’s suppliers are subject to a rigorous due diligence process to ensure that their security management controls, policies and processes are acceptable to Huddle’s high acceptance criteria.

SECURE USER MANAGEMENT

Huddle’s services allow for rich management functionality to enable a company’s or department’s security requirements e.g. access control, audit of usage, creation and deletion of users. Huddle’s services provide rich security-centric functionality such as mobile application PIN, viewer-only, and native 2FA.

IDENTITY & AUTHENTICATION

Customers’ web and devices are secured and authenticated by the industry standard OAuth 2.0. Single sign-on (SSO) via SAML allows customers to have greater granularity and control over authentication and identity management.

HOSTING PROVIDERS / EXTERNAL INTERFACE PROTECTION

Huddle has partnered with industry leaders in IaaS hosting who are both seasoned and have well-established governance programs in place. They adhere to some of the most stringent security management methodologies and standards: ISO 27001, AT101, SSAE16. All controls, managed by both Huddle internally and infrastructure partners, include all public, physical or logical interfaces that include patch management, access control and audit of access and usage.

SECURE SERVICE ADMINISTRATION

Huddle’s services are governed by infrastructure management policies and processes which include the utilization of industry standard practices governing Change and Operational Management. The governance practiced by Huddle ensures the integrity, confidentiality, performance and uptime (availability) of client content.

AUDIT INFORMATION FOR USERS

Huddle provides end-user and administrative reports that detail usage and access to all content stored in its services.

SECURE USE OF THE SERVICE

Consumers are provided with the knowledge of how to best implement and manage the product to ensure content remains accessible and available on a need to know basis, which is achieved through the utilization of:

• Customer Success Managers

• Extensive online help archive

• Instructional usage videos

• Ticket based support portal


3. Huddle in government

UK (G-Cloud)

Huddle is widely used in UK Government and its wider ecosystem. Huddle is available via the G-Cloud CloudStore and offers a variety of services tailored to market requirements. Huddle was one of the first Cloud Service Providers to be awarded Pan Government Accreditation (PGA) by CESG (GCHQ) under the old Impact Level classification and is certified with Cyber Essentials Plus.

Huddle adheres to the 14 National Cyber Security Centre (NCSC) Cloud Security Principles [1], which detail how cloud providers manage the services provided to G-Cloud. Several UK Public Sector Senior Information Risk Owners (SIRO) have assessed and entrusted the use of Huddle for Official (OFFICIAL-SENSITIVE) content [2].

[1] https://www.ncsc.gov.uk/guidance/implementing-cloud-security-principles

[2] https://www.gov.uk/government/publications/defence-cyber-protection-partnership-cyber-risk-profiles/over-view-dcpp-and-cyber-security-controls

U.S. (FedRAMP)

Huddle was one of the first SaaS providers to achieve FedRAMP Authority To Operate (ATO) and was the first cloud based collaboration company to achieve this status. With a commitment to meet stringent U.S. Government security requirements, Huddle has a separate instance of Huddle with data centers located in the U.S. to meet the needs of U.S. government departments.


4. Huddle’s hosting partners and governance

Amazon Web Services (AWS)

As one of the leading providers of computer services globally, AWS’s services provide a fabric for Huddle to build massively scalable and agile services to the benefit of Huddle customers.

Rackspace

As a global leader in the provision of secure managed infrastructure services, Rackspace has delivered enterprise-level hosting services to businesses of all sizes around the world.

Data center access control

All Huddle data centers are compliant and certified to the highest standards and, therefore, the physical and logical access control is an exceptionally important component of this. Ensuring that the right people have the right clearance removes significant risk from interruption of service, corruption of your content and accidental or intended disclosure of your content/documents. Huddle has exceptionally stringent Access Control policies based on industry best practice.

Domicile

Huddle has two territories where information can be domiciled; the UK and the U.S.

There is a separate instance of Huddle in each geo-location. Each territory has different local legal requirements and interconnectivity agreements in place to ensure that your content benefits from the country in which it’s hosted. Huddle’s main data centres for each Huddle instance operate a primary and disaster recovery site within the same country but not in the same geographical area. This ensures continuity of services through real-time replication.


5. Certifications, standards and accreditations

ISO 27001/ISO 27002:2013: ISO 27001 is a specification for an Information Security Management System (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in managing sensitive and secure information through risk management based policies and processes. The specification includes details for documentation, management responsibility, internal audits, continual improvement, and corrective and preventive action. The standard requires cooperation among all sections of an organization. Huddle is third party, independently audited and certified by BSI (British Standards Institution). BSI is one of the most trusted and recognized organizations in audit and certification in the world.

Cyber Essentials Plus (Level 2): Created in 2014 as a primary objective of the UK Government’s National Cyber Security Strategy, Cyber Essentials Plus is a third party independently audited annual certification completed by accredited organizations managed by CREST [1]. The audit focuses on five main control areas: secure configuration, boundary firewalls and internet gateways, access controls and administrative privilege management, patch management, and malware protection. SureCloud completed Huddle’s assessment, the scope of which includes Huddle’s company systems, policies, processes and any third party services that store confidential content.

[1] Huddle is listed on CREST’s certified company page: http://www.cyberessentials.org/list/

FedRAMP: FedRAMP is a U.S. government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

Predicated on Huddle’s ISO 27001 certificate, Huddle has demonstrated its commitment to the (NIST 800-53) System Security Plan (SSP) and its 17 control families and 325 individual controls. Huddle’s SSP is independently assessed by Coalfire Controls LLC, an approved FedRAMP 3PAO (Third Party Assessment Organization).

Huddle hosting provider accreditations: Huddle has chosen its hosting providers with security in mind and all providers adhere to unique certifications specific to data centers. Their certifications are a combination of the following, depending on the hosting provider:

• PCI DSS Level 1

• SOC 1/ISAE 3402

• SOC 2

• SOC 3

• ISO 27001

• G-Cloud

• FedRAMP (Moderate)

• Compliant with Information Technology Infrastructure Library (ITIL) IT Service Management standards.


Privacy: Huddle is a UK company (Ninian Solutions Ltd t/a Huddle) and is legally required to be compliant with the UK Data Protection Act 1998 (DPA). The objective of the Act was to adopt the principles of the European Union Data Protection Directive, which was created to ensure every European citizen’s right to privacy. Huddle ensures that EU citizens’ personal information (PII) is never shared with other entities or companies without the prior permission of the individual. Huddle’s usage is outlined in its Privacy Policy at www.huddle.com/privacy. Huddle has been registered as a Data Controller with the Information Commissioner’s Office since 2007 (Data Protection Register Number: Z9592961) [2].

In October 2015, the European Court of Justice (ECJ) ruled that the Safe Harbor agreement was invalid. Huddle has always gone beyond the original framework agreement and implemented controls to ensure the privacy of customers’ content and data regardless of the geographic location or service. Huddle has included EU Model Clauses within data service providers’ contracts. The EU and U.S. governments are working towards an agreement on Safe Harbor 2. Huddle will remain close to announcements to ensure we meet new legislation or directives regarding the management of Personally Identifiable Information.

[2] Huddle’s ICO (Information Commissioner’s Office) Data Protection Register document is available at: https://ico.org.uk/ESDWebPages/DoSearch


6. Technical engineering

Secure development lifecycle

All roles within Huddle are clearly defined. Access to resources and environments is granted on requirements of a role only. Segregation of environments is managed both by policy and by technologies such as ACLs and firewalls. Restrictions and safeguards are in place to ensure only those personnel and systems that need access receive the appropriate level of access to complete the task, utilizing the principle of ‘Least Privilege’ as per industry best practice. Policies and processes ensure employees are capable of being effective and efficient without increasing the risk of ‘inside threat’, configuration drift or data leakage, or harming the stability of Huddle’s services and business operations. Test and development environments are separated, and stored production content is never removed from segregated and ring-fenced secured production systems. The controls in place to secure customers’ content and meta-content (username, personal details, profile information, usage audit) always protect this data. These controls include environment, change management, access control and redundancy.

Testing & quality

Huddle builds all software and services under an Agile methodology based on SCRUM. The Software Development Lifecycle (SDLC) includes OWASP Top Ten, which is a powerful awareness document for web application security. The OWASP Top Ten is an industry-recognized, industry-led list that represents the current most critical web application security flaws known. This allows Huddle’s Quality Assurance team to conduct extensive functionality testing prior to release.

Automated testing, incorporating unit, integration and end-to-end tests, plus continuous integration and constantly releasing new code for development and test environments, assists in reducing the risk of the introduction of bugs to Huddle’s services. These tests include (but are not limited to) malicious user input, static and dynamic code scanning, confirming all resources require authorization, XSS & XSRF/CSRF testing, session management, secure/insecure direct object references and functional access control.

Independent security consultancy & penetration testing

SureCloud [1] is Huddle’s partner for security consultancy and frequent penetration testing. Their credentials include CREST membership, CESG CHECK approval and PCI Approved Scanning Vendor (PCI ASV) status. SureCloud provides independent testing and review of all Huddle infrastructure and services. This ensures that we have an ‘alternative’ view of how effectively security policies and processes are implemented. SureCloud completes, at a minimum, an annual full global holistic penetration test on all Huddle assets. This allows us to gain insight into Huddle’s threat footprint. The scope of this engagement includes all infrastructure hosting partners, Huddle’s international offices and associated WAN, and desktop and mobile desktop software supplied by Huddle.

[1] http://www.surecloud.com/

Vulnerability & patch management

All business operations and Huddle service infrastructure are scanned for vulnerabilities, security patch levels and potential configuration issues via specialized proprietary solutions. This incorporates daily changes to the database of new threats and vulnerabilities and allows Huddle to mitigate quickly and reduce the risk of exploitation by known methods.

Huddle’s strategy and policy governing the management and control of vulnerabilities adheres to industry standards and is certified to ISO 27001.

Monitoring

Huddle has exceptionally detailed auditing in both the Huddle Service’s application and the underlying infrastructure (hardware, Operating Systems, network devices). Escalation of these threats is managed by Huddle’s 24/7 Technical Operations team. Huddle’s Incident Response policy and process are certified to ISO 27001 and FedRAMP standards, which ensures a fluid, efficient but forensically detailed investigation including a triage of the priorities and threats and a process for remediation.

We utilize SaaS providers Pingdom and New Relic to ensure integrity and uptime of the services independent of the service’s internal monitoring.

Configuration management

Initial and continual hardening of all business operations and Huddle’s service infrastructure is performed to ensure that Huddle has a risk and threat averse baseline configuration that meets and exceeds the Center for Internet Security (CIS) and other industry standards.

Service integrity & resilience

Huddle’s services are architected for multiple levels and points of redundancy. The services can allow for multiple failures of core components while still being able to provide a service to customers. In the unlikely event that a data center were to fail, Huddle’s Services have multi-geo located data centers to ensure the continuity of service. Huddle’s Services SLA (Service Level Agreement) guarantees 99.9% uptime for all functionality. In the last quarter of 2015 Huddle’s service uptime was calculated as 99.98%. That is just 17 minutes of downtime over a three month period for a 24/7 service. All of Huddle’s services are independently monitored by partners Pingdom [2] and New Relic [3]. Huddle can provide reports generated from their services on request. We are exceptionally proud of Huddle’s services uptime achievement.

[2] https://www.pingdom.com/

[3] http://newrelic.com/

Transport security

Huddle has removed SSLv3 due to recent criticisms, and rejection by the PCI Security Standards Council. Huddle meets industry best practice through the use of strong transport protocols exclusively on all Huddle services.

All public internet accessible certificates are signed by Huddle’s certificate partner ‘Go Daddy’ (18 years’ experience in the industry) and signed with RSA 2048 bit keys. The signature algorithm used is SHA 256 (with RSA) and Huddle utilizes both Online Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL) to ensure the certificates utilized by customers are meeting accepted industry standards. Secondly, a chain of trust for the encryption of the transport of content from Huddle’s services to all customers is maintained. The entire certificate chain from Go Daddy’s Certificate Authority and intermediate certificate to Huddle’s issued certificate is maintained and monitored to the same standards.

Encryption within the environment

Data at Rest Encryption is available for customers should they require additional security on their content stored within our services. Content storage is protected by 256-Bit AES (the accepted industry standard for content encryption).

Huddle’s services never store passwords in clear text. The hash of the password is ‘salted’ when setting or resetting to ensure additional protection. Devices and integrations utilize authorized OAuth 2.0 tokens in order to gain access to content.

Key management strictly adheres to established and mature internal policies, which are certified to ISO 27001 standard.

Data loss prevention

Huddle’s services are open standards-based and built on industry-standard protocols and connectivity. APIs (Application Program Interfaces) allow deep integration with already established internal, external and cloud-based DLP solutions. The rich functionality that the APIs provide ensures that Huddle’s Services are capable of meeting current and future requirements to protect the distribution and access to your content within Huddle’s services.


7. Platform security

Administration access

All of Huddle’s services share the same rich functional, tiered access and control methodology. This ensures, regardless of the endpoint (web, mobile, integration), consistent principles of access and user interaction with a set standard and easy to understand management workflow. Huddle’s administrative access is purposefully built to provide an exceptionally quick ability to grant or remove users’ access, lower or increase privileges, and customize access and sharing policies to adhere to your corporate policies. The administrative access further provides an audit of changes made to the account.

Authentication & access

Huddle’s Services have an industry accepted native password policy:

• At least six characters long

• Mix of upper and lowercase

• Includes at least one number

• Includes at least one special character e.g. !@#?%

If a user tries to log in unsuccessfully ten consecutive times, a CAPTCHA will request some additional information. The CAPTCHA is to mitigate against automated brute force attacks on accounts.

If a user does not perform an action within a (configurable) set period of time, Huddle will automatically log out that user from the service to ensure confidentiality of the content.

Customers of Huddle’s services with a requirement for more restrictive authentication and access policies can utilize Huddle’s SAML functionality.

This allows for Single Sign-on (SSO) abilities across all of Huddle’s services as well as the adoption of already established client password complexity policies, including multi-factor authentication solutions. Huddle has partnered with some of the leading Authentication as a Service (AaaS) providers to ensure secure and functional integration.

To limit the risk of data leakage, Huddle can limit collaboration on file and content within the service to specific email domains. With this functionality, company managers can restrict access to individual email addresses or entire domains e.g. all users with a @huddle.com, or just [email protected]

Organizations can finely tune access control within Huddle to harmonize with already established internal policies.
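
The rules in this section, sketched as an added Python example (it is not Huddle's code and not part of the original whitepaper). All function and class names are hypothetical; "special character" is assumed to mean ASCII punctuation, and refusing a login until the CAPTCHA is solved is an assumed reading of the CAPTCHA step.

```python
import string
import time

MIN_LENGTH = 6                # "At least six characters long"
CAPTCHA_AFTER_FAILURES = 10   # "ten consecutive times"


def password_policy_violations(password):
    """Return the policy rules a password fails (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than six characters")
    if not (any(c.isupper() for c in password)
            and any(c.islower() for c in password)):
        problems.append("needs both upper and lowercase letters")
    if not any(c.isdigit() for c in password):
        problems.append("needs at least one number")
    # Assumption: the page only gives examples (!@#?%); ASCII punctuation is used.
    if not any(c in string.punctuation for c in password):
        problems.append("needs at least one special character")
    return problems


class LoginGate:
    """Consecutive-failure counter per user plus idle timeout per session."""

    def __init__(self, idle_timeout_seconds, clock=time.monotonic):
        self.idle_timeout = idle_timeout_seconds  # the "configurable" period
        self.clock = clock                        # injectable so tests control time
        self.failures = {}                        # username -> consecutive failures
        self.last_seen = {}                       # session id -> last action time

    def captcha_required(self, username):
        return self.failures.get(username.lower(), 0) >= CAPTCHA_AFTER_FAILURES

    def record_attempt(self, username, success, captcha_passed=False):
        """Return True if the login is accepted."""
        key = username.lower()
        if self.captcha_required(key) and not captcha_passed:
            return False  # even correct credentials wait for the CAPTCHA
        if success:
            self.failures.pop(key, None)  # a success ends the consecutive run
            return True
        self.failures[key] = self.failures.get(key, 0) + 1
        return False

    def touch(self, session_id):
        """Call on every user action to restart the idle timer."""
        self.last_seen[session_id] = self.clock()

    def session_active(self, session_id):
        seen = self.last_seen.get(session_id)
        if seen is None or self.clock() - seen > self.idle_timeout:
            self.last_seen.pop(session_id, None)  # automatic log out
            return False
        return True


def collaborator_allowed(email, allowed_domains=(), allowed_addresses=()):
    """Allow an invitee only by exact address or exact email domain."""
    email = email.strip().lower()
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain or "@" in local:
        return False  # malformed address, e.g. "x@y@example.com"
    if email in {a.strip().lower() for a in allowed_addresses}:
        return True
    # Exact comparison of the domain part: a suffix or substring test would
    # also admit "example.com.evil.test" or "notexample.com".
    return domain in {d.strip().lower().lstrip("@") for d in allowed_domains}
```

The domain check is the part most often implemented incorrectly: comparing with `endswith` or `in` instead of matching the whole domain lets look-alike domains through the restriction.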

Granting and managing user access to your content

Huddle’s services are based on a Workspace methodology. Individual users are members of an Account. Additionally, users can be placed in Teams that allow for additional access and permission controls. Workspaces are logical groupings of content run by a Workspace Manager, who invites and deletes users and permission rights.

There are several ways to get users collaborating in Huddle. These include:

• On-demand user creation through SAML functionality provided by your Identity Provider (IdP) or Active Directory Federation Services (ADFS).

• Email invitation to those you want to collaborate with. The process includes a unique single-use link that is sent directly to the user. If they are already in Huddle they will be granted access instantly; if not, they will have to complete a light and short ‘account creation’ procedure.

• Huddle’s Customer Success team can create accounts and associated workspaces as part of the on-boarding process for new customers.

Content stored in Huddle can have Read-Only, Read & Write or No Access permissions set for individual users or teams. Users denied access cannot even see folders or content they do not have access to, ensuring the confidentiality of that data. This permissions based methodology is very easy to understand and can be adopted quickly across all Huddle services.

Mobile access and management

Huddle’s services have several iOS and Android based applications to help end-users collaborate on their content stored in Huddle. Access to Huddle’s services is granted via the industry standard OAuth 2.0 protocol. Deployment of mobile endpoints and applications can be managed via Mobile Device Management (MDM) and Enterprise Mobility Management (EMM) providers such as AirWatch, MobileIron and MaaS360.

These services allow for the granular management of end-user devices and applications to ensure that access to restricted and management controls adhere to your company’s already established policies.

Audit & usage

Huddle’s services have integrated audit functionality that includes content access, update, creation/deletion and permissions. Additional, and more granular, reporting can be published on request via the Huddle Customer Success Team. The level of reporting available ensures quick and easy adherence to your already established audit policies.


About Huddle

Huddle is the cloud collaboration solution that makes it easy for teams to stay productive and to work securely beyond the firewall with colleagues, partners and clients.

Better Results

From client engagements to internal collaboration across teams, Huddle means you spend less time organizing documents, managing feedback and searching through email, and more time delivering exceptional results.

One Place

Create secure Huddle workspaces for your teams and clients in minutes. Huddle pulls together files, tasks and team communication into one place that’s accessible wherever you are.

Always Synchronized

In the office, travelling, or at a client’s site, our mobile and desktop apps keep you connected to team and client activity and synchronized to the latest documents and tasks.

• A single interface to manage the collaborative nature of today’s work.

• Sophisticated permissions. Lock workspaces across geographical teams or lines of business.

• Greater visibility for managers who need to oversee activity and track deliverables.

• Robust security assures the integrity of client data.

• All document and user activity is auditable and trackable.

• Check clients have viewed key documents and tasks.

• Infinite roll-back to past document versions.

• Built-in approval workflow.

• Securely upload and download files without email.

• Cloud-based, allows easy access for audit staff in the field.

• Ability to meet NDA requirements for control and removal of sensitive reference materials.

• Centralized calendar to schedule project activity and manage tasks.

• Fully integrated with Microsoft Office tools (Excel, Word, Outlook, and PowerPoint). Save and open Huddle documents within Microsoft tools, add and review document comments.

For more information, or to request a demo, please visit huddle.com


Locations

London: 2nd Floor, Aldgate Tower, 2 Leman Street, London, E1 8FA

Washington DC: 7910 Woodmont Avenue #1250, Bethesda, MD 20814

San Francisco: 535 Mission St, 17th Floor, San Francisco, CA 94105


© Huddle 2017

Ninian Solutions Ltd (trading as Huddle) is registered in England & Wales at Aldgate Tower, 2 Leman Street, London, UK (company number 05777111) and its U.S. subsidiary Huddle Inc, a Delaware Corporation, at 535 Mission Street, San Francisco, CA, U.S.