Tenzing Security Services and Best Practices


Dallas | Kelowna | London | Toronto | Vancouver www.tenzing.com

OVERVIEW

Security is about managing risks and threats to your environment. The most basic protection is achieved by proactively monitoring and intercepting attacks with antivirus software and network security measures. However, to fully assure yourself and your customers that your business, data and transactions are secured, a comprehensive approach is needed, one that covers process and human factors as well as direct technology threats. This is the only way to assure the Confidentiality, Integrity, and Availability (CIA) (Fig 1) of your online business and customer information and to be truly compliant with best practices and regulatory requirements.

Tenzing is committed to mitigating the risks against the confidentiality, integrity, and availability of client information. As part of this commitment, continuous improvements are made to Tenzing’s information security posture by adopting and incorporating best practices into critical aspects of processes and technologies. Tenzing believes in a multi-layered “defense in depth” approach to security and has a comprehensive suite of fully managed security services available to customers, including managed firewalls, VPNs, and both network- and host-level intrusion detection and prevention services. When combined, these services provide a high level of confidence in the protection of systems and data, and assurance in addressing industry standards and compliance requirements such as PCI-DSS Level 1, AT101 SOC 2 (previously known as SAS70 or SSAE16), CSAE 3416 SOC 1 and ISO 27001. Tenzing’s security services and policies are designed, maintained, and enforced by Tenzing’s expert security and compliance team.

The purpose of this document is to provide an inclusive summary of Tenzing’s security processes and services. The full range of security processes is an integral part of Tenzing’s core service and is designed to protect your operations and ensure that you fulfill your compliance commitments.

Figure 1: Information Classes. Confidentiality: ensuring only those who ought to have access can do so. Integrity: ensuring that information cannot be modified without detection. Availability: ensuring information can be accessed when needed.



The challenging nature of regulatory and compliance requirements makes security compliance an exhaustive effort that requires full cooperation across the value chain of your online channel. As part of this value chain, Tenzing is compliant with a number of internationally recognized compliance regulations (see Fig. 2) as explained below:

PCI-DSS

Tenzing is a Visa Level 1 PCI-DSS compliant service provider and is listed as a third-party service provider for MasterCard Worldwide and Visa Canada. Tenzing has completed the registration and validation processes for both the Mastercard and Visa programs and has been certified at the highest transaction level (Level 1). This means that Tenzing can host large-volume, high-value transaction sites, and clients have less to worry about for PCI compliance. Tenzing’s processes and policies fulfill a number of the operations-related PCI control objectives for security.

Tenzing uses a third party Qualified Security Assessor (QSA) to validate processes and security practices to ensure compliance with the relevant industry certifications. Tenzing successfully achieved the renewal of Attestation of Compliance (AOC) for PCI-DSS (Payment Card Industry-Data Security Standard, Service Providers) as well as a Report on Compliance (ROC) from its QSA. Furthermore, Tenzing is now recognized in its AOC as a PCI-compliant enterprise that provides Managed Services for Physical Security and the Management and Deployment of an Antivirus Solution. PCI Compliance is an integral component of online retailing and the security team at Tenzing has gone to great lengths to help clients achieve their PCI compliance objectives.

Figure 2: Tenzing Security System. Labels in the figure: Tenzing Security Compliance (PCI DSS, AT101 SOC Type 2, ISO 27000); Network Security; Data Security; Server Security; Access; Firewall; IDS; VPN; Antivirus; Critical Systems Protection; Logical Access; SSL and Encryption; Physical Access.


ISO 27001 Certification

ISO/IEC 27001:2013 is a standard that brings information security under explicit management controls organized under an Information Security Management System (ISMS). An organization’s ISMS outlines the restrictions and 114 controls that need to be in place across 14 domains in order to ensure the confidentiality, integrity and availability of data (Fig 3). Tenzing is one of the few service providers in North America that validates its ISMS by performing an annual ISO 27001 audit. This audit further certifies that all of Tenzing’s information security processes and procedures are up to the standard of industry best practices.

• Information Security Policy: Defines essential requirements for security. Intended to support management decisions and explain the organization’s security and IP position.

• Organization of Information Security: Ensures management support, security coordination, and security services are in alignment with business requirements and operations.

• Human Resource Security: Provides security communication, training and awareness for employees, contractors and other personnel. Includes background checks and other controls to assess human risks.

• Asset Management: Ensures that assets are accounted for and categorized by risk. Allows the relevance of each business process to be evaluated and individual security requirements determined.

• Access Control: Access to assets is modeled using appropriate access and business role concepts. The appropriate technologies are then implemented to enforce the model.

• Cryptography: Defines the controls related to encryption and key management.

• Physical and Environmental Security: Defines the controls required to protect assets from physical risks such as theft and damage.

• Operations Security: Defines the security of operations and information exchange between organizations and staff.

• Communications Security: Defines the security of information exchange and communication with external organizations.

• System Acquisition, Development and Maintenance: Defines the integration of security into the system development lifecycle. Includes security for change and configuration management.

• Supplier Relationships: Defines the controls on what to include in supplier contracts and agreements as well as how to monitor the supplier.

• Information Security Incident Management: The establishment of people, processes and technologies to ensure that security incidents are communicated in a manner allowing timely corrective action to be taken.

• Information Security Aspects of Business Continuity Management: Business Continuity Planning (BCP) aims at uncovering risks to the business process and defining emergency measures to enable the organization to resume normal operations.

• Compliance: Identification and implementation of the appropriate actions necessary to ensure that legal, regulatory, and other internal requirements are met.

Figure 3: ISMS Domains


AT101 SOC 2 Type 2 and CSAE 3416 SOC 1 Type 2 (formerly SAS70)

AT101 SOC 2 Type 2 is the authoritative guidance that allows service organizations to disclose their control activities and processes to customers and their customers’ auditors in a uniform reporting format. The issuance of a service auditor’s report prepared in accordance with AT101 SOC 2 Type 2 signifies that a service organization has had its control objectives and control activities examined by an independent accounting and auditing firm. The service auditor’s report, which includes the service auditor’s opinion, is issued to the service organization at the conclusion of the AT101 SOC 2 Type 2 examination.

CSAE 3416 has been designed to provide the standards and guidance to an auditor who is reporting on the controls at a service organization. This is relevant when the service (a specialized business task or function) being provided to customers (or user entities) impacts the user entity’s financial reporting processes. In such situations, service organizations are subjected to audits of these processes. (Please note that this audit report can only be applied to controls relevant to financial reporting.)

These audits are very important as they validate that the security controls and processes that Tenzing has implemented are well designed, in place and under correct management. On top of external audits, Tenzing’s information security team also conducts a number of internal audits that collect, assess and measure ongoing compliance with internal controls, industry best practices and the external audits mentioned earlier.

Network Security

Tenzing has implemented a variety of network security technologies to ensure the utmost level of security. Network security is the first line of defense from the outside world; it is intended to secure the information exchanged with the external world from malicious attacks as well as to protect your computing resources. Security is integrated into Tenzing’s network services through its architecture as well as in the policies and procedures that govern its management. Tenzing employs a number of industry-leading security measures including, but not limited to, separate physical network segments for public (“front-end”), private (“back-end”), and backup networks. Tenzing also uses VLANs with firewalls in customer environments to segregate different types of customer traffic, with encrypted access controls and default deny-all policies.

Firewall

Firewalls are installed at the perimeter of customer environments to protect against and prevent unauthorized access, while at the same time isolating the web tier from the application and database tiers. Tenzing uses carrier-grade equipment for its firewall service: enterprise-class security appliances that provide network and application protection against Internet threats. This service is delivered using the latest Application Specific Integrated Circuit (ASIC) technology, which enables wire-speed performance for advanced security features such as Stateful Packet Inspection.

VPN

To provide a secure method of access to both clients and employees, Tenzing deploys redundant IPsec VPN appliances that integrate seamlessly to provide secure VPN connectivity without the need to reconfigure the network or deploy additional hardware. Tenzing proactively manages the configuration and user administration, allowing clients direct, secure, and reliable remote and in-office connectivity to their managed infrastructure.


Intrusion Detection Services (IDS)

Tenzing’s Intrusion Detection Services are designed to provide a critical layer of network defense against threats that easily bypass perimeter and endpoint defenses, constantly protecting the internal network from worms and other threats. Tenzing combines intrusion detection, vulnerability management and compliance reporting technology into a single integrated solution that offers both proactive and reactive protection from the latest threats. Tenzing’s IDS encompasses a global view of security event trends to maintain accurate and relevant network security intelligence, enabling Tenzing’s Security Operations Center to quickly identify, escalate, contain and mitigate security breaches around the clock.

Figure 4: Network Threats

Benefits of Tenzing IDS

• 24x7x365 monitoring for security events by Tenzing’s Security Operations Center – staffed with Certified Information Systems Security Professional (CISSP) and Global Information Assurance Certification (GIAC) certified experts – via Intrusion Detection System (IDS) on Customer’s edge network.

• IDS System configuration, maintenance and incident analysis from Tenzing’s security team.

• Seven-factor threat scenario modeling (Fig 4) to increase accuracy and reduce false alarms.

DOS Assure Protection Service

For many of Tenzing’s clients, their online environment is a critical part of their business: their web properties generate revenue, reduce cost and gain efficiencies. For many clients a Distributed Denial of Service (DDoS) attack would bring business to a halt.

Tenzing’s DDoS protection service protects your site 24x7 from any DDoS attack. The base configuration mitigates a wide number of incursions, including ICMP and UDP floods, port scans, SYN attacks and Distributed Reflection DoS.

Tenzing provides the following deployment options for DOS Assure:

• A proactive, Always-On service, where all traffic is filtered through the DDoS Assure Service.

• A hybrid service, where customers are pre-configured for DDoS Assure but require their DNS settings altered at the time of the attack to have the attack mitigated.

• An On-Demand “emergency” service that can be deployed quickly to mitigate an attack.

Figure 5: DOS Assure
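As an added example (not Tenzing’s own IDS or DOS Assure tooling), the Python below sketches the threshold-based detection a monitoring service applies to the threats named in the IDS and DOS Assure sections: half-open SYN floods, ICMP/UDP floods and port scans. It runs over constructed flow records; the window size, thresholds and addresses are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    ts: float         # seconds since start of capture
    src: str
    dst: str
    proto: str        # "tcp", "udp" or "icmp"
    dport: int = 0    # destination port; 0 for icmp
    flags: str = ""   # tcp flags as letters, e.g. "S" (SYN), "A" (ACK)

# Detection thresholds per window; assumptions tuned for the toy data below.
WINDOW = 10.0         # seconds per detection window
SYN_FLOOD_MIN = 50    # SYNs toward one host not followed by a client ACK
FLOOD_MIN = 100       # icmp or udp packets toward one host
SCAN_MIN_PORTS = 20   # distinct ports one source touches on one host

def detect(flows):
    """Return alerts as (kind, window, target, count) tuples, in window order."""
    buckets = defaultdict(list)
    for f in flows:
        buckets[int(f.ts // WINDOW)].append(f)
    alerts = []
    for w in sorted(buckets):
        syn, ack = defaultdict(int), defaultdict(int)
        icmp, udp = defaultdict(int), defaultdict(int)
        ports = defaultdict(set)   # (src, dst) -> ports probed
        for f in buckets[w]:
            if f.proto == "tcp":
                ports[(f.src, f.dst)].add(f.dport)
                if f.flags == "S":
                    syn[f.dst] += 1    # handshake opened
                elif "A" in f.flags:
                    ack[f.dst] += 1    # handshake completed by the client
            elif f.proto == "udp":
                udp[f.dst] += 1
                ports[(f.src, f.dst)].add(f.dport)
            elif f.proto == "icmp":
                icmp[f.dst] += 1
        # SYN flood: many opens whose clients never finish the handshake.
        for dst, n in syn.items():
            if n - ack[dst] >= SYN_FLOOD_MIN:
                alerts.append(("syn_flood", w, dst, n - ack[dst]))
        # Volumetric floods: raw packet count toward one host.
        for kind, table in (("icmp_flood", icmp), ("udp_flood", udp)):
            for dst, n in table.items():
                if n >= FLOOD_MIN:
                    alerts.append((kind, w, dst, n))
        # Port scan: one source walking many ports on one host.
        for (src, dst), ps in ports.items():
            if len(ps) >= SCAN_MIN_PORTS:
                alerts.append(("port_scan", w, f"{src}->{dst}", len(ps)))
    return alerts

def sample_flows():
    """Constructed traffic: benign handshakes plus one of each attack type."""
    fl = []
    for i in range(5):       # benign clients that complete the handshake
        c = f"198.51.100.{i}"
        fl.append(Flow(1.0 + i, c, "10.0.0.5", "tcp", 443, "S"))
        fl.append(Flow(1.1 + i, c, "10.0.0.5", "tcp", 443, "A"))
    for i in range(80):      # spoofed-source SYN flood, never completed
        fl.append(Flow(2.0 + i * 0.05, f"203.0.113.{i}", "10.0.0.5", "tcp", 443, "S"))
    for p in range(1, 31):   # one host walking ports on a second server
        fl.append(Flow(3.0 + p * 0.1, "192.0.2.9", "10.0.0.6", "tcp", p, "S"))
    for i in range(150):     # udp flood against a DNS server, next window
        fl.append(Flow(12.0 + i * 0.01, "203.0.113.200", "10.0.0.7", "udp", 53))
    for i in range(120):     # icmp echo flood, third window
        fl.append(Flow(22.0 + i * 0.01, f"203.0.113.{i % 50}", "10.0.0.5", "icmp"))
    return fl

if __name__ == "__main__":
    for alert in detect(sample_flows()):
        print(alert)
```

The SYN-flood rule subtracts completed handshakes so that busy but legitimate traffic does not trip it; tuning such thresholds per environment is what the page’s “reduce false alarms” goal comes down to in practice.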


Application Security

Unfortunately, many web applications are shipped with undiscovered vulnerabilities. Without advanced security your web store is left exposed to attack. Tenzing’s Web Application Firewall helps mitigate these risks by protecting your site and your revenue.

Tenzing has partnered with ZENEDGE to create Tenzing Security Shield, a suite of cloud-based security services designed for ecommerce. The combination of DDoS mitigation, Web Application Firewall, and CDN services means that your site is well protected from malicious attacks and performance degradation. Tenzing Security Shield is an external layer of cyberdefense for web applications, web sites and networks. Security Shield protects web applications and networks from malicious traffic, prevents hackers from penetrating our clients’ web servers and protects against large volumetric DDoS attacks. It works by stopping malicious traffic (at application layer 7, or network layers 3 and 4) before the Internet traffic reaches the web application servers or networks of our clients. Figure 6 shows how the deployment of Tenzing Security Shield creates a protective shield around our clients’ security perimeter, adding a critical layer of web application and IP protection. Once deployed, all traffic flows through the ZENEDGE network prior to hitting the origin server infrastructure. Traffic is directed to the nearest ZENEDGE POP by means of data-driven DNS. The lowest-latency POP is chosen on a query-by-query basis to create a performance-optimized application delivery network.

Figure 6: Tenzing Security Shield


Security Testing

At an average cost of $201 per customer record compromised, security breaches can inflict irreparable harm. Tenzing’s Security Testing services help businesses identify security vulnerabilities before hackers do. The services range from basic external scans that meet PCI quarterly scan requirements, to in-depth penetration testing.

Vulnerability Management

Tenzing’s vulnerability management program provides a means for clients to proactively address security issues. The program finds vulnerabilities in your environment using both external and internal scans. Any vulnerabilities discovered in the scans will be prioritized and built into a remediation plan. The team will ensure completion by creating and managing tickets for the vulnerabilities and recommended fixes.

Tenzing’s vulnerability management service is an annually recurring service that allows merchants to continuously improve the security of their environment and stay ahead of threats. Clients are able to proactively prevent breaches, ensure ongoing security and remediation and satisfy PCI Requirements 11, 6.1 & 6.5 - all without any capital expenditure or additional headcount.

Patch Management

To ensure all client environments are up to date and well protected, Tenzing provides patch management services to all clients on a quarterly basis. Tenzing has also built an emergency patching program in accordance with ITIL best practices that allows us to respond quickly and secure our clients in the event of large-impact vulnerabilities. This process is critical during well-publicized vulnerabilities like HEARTBLEED and FREAK. For HEARTBLEED it allowed the team to quickly respond and mitigate the threat, as well as communicate clearly with clients, resulting in all vulnerable devices being secured without any service disruptions, up to two days before other service providers.

Security Testing service tiers (table): Vulnerability Scan | Vulnerability Assessment | Penetration Testing. Components listed across the tiers: Infrastructure Scan, Web Application Scan, Deep Application Analysis, Web Services Analysis, Risk Reconnaissance, Business Logic Analysis, PCI/NIST SP800-115 Compliant Methodology, OWASP Testing Guide Compliant Methodology, Simulated Attacker, Exploitation.


Data Availability

Data Security is the protection of data from destructive forces and the unwanted actions of unauthorized users. Tenzing’s data security service uses a dedicated backup infrastructure, with comprehensive policies and procedures that are capable of backing up and restoring the most complex applications and system configurations. Tenzing can service all major file systems, databases and applications.

Backup services from Tenzing include:

• Off-site Backups: Customers can have backups replicated to a data store at a geographically remote location for additional disaster recovery capabilities. Recovery periods are equivalent to the policy maintained for local backups.

• Data Encryption: Customers can have their data encrypted both in transit and on the data store for maximum security. SSL certificate options are also available.

• Secure Access: Seamless VPN integration, without the need to reconfigure your network or deploy additional hardware. Tenzing manages the configuration and user administration, allowing authorized users direct, secure, and reliable connectivity to your managed infrastructure, wherever they are.

Access Control

Physical Access

Tenzing’s datacenters are protected by multi-layered physical security measures including 24x7x365 security personnel, dual-factor electronic and biometric authentication systems, surveillance cameras, and mantraps. Access to the datacenter floor is strictly limited to Tenzing’s datacenter technicians and bonded facility maintenance engineers.

Logical Access

Tenzing utilizes a number of tools to monitor logical access controls for identification, authentication, authorization, and accountability to secure environments, including system logins. These tools enforce access control measures to systems, programs, processes, and information. In order to authenticate, authorize, and maintain accountability, a variety of methodologies are used, including password protocols, devices coupled with protocols and software, encryption, and firewalls. These measures and others allow Tenzing to detect intruders, maintain security, reduce vulnerabilities and protect client data and systems from threats.

Host Level - Endpoint Protection

End Point Protection

Tenzing uses industry protection technology for the endpoint layer of protection. Tenzing’s Managed Anti-Virus service is PCI-DSS ready and satisfies PCI-DSS requirement number 5. It protects servers against a wide range of viruses and malicious code, including zero-day threats. The service desk is automatically alerted to any potential threats, which are quickly resolved by Tenzing’s Information Security team and vendor. With centralized management, Tenzing automatically updates virus signatures, thus ensuring servers are up to date with the latest malware protection.

Critical System Protection

Tenzing also implements a second layer of protection known as “Critical System Protection”, allowing us to proactively safeguard heterogeneous server environments and the information they contain. This technology allows Tenzing to monitor and protect logical and virtual solutions using granular, policy-based controls, with a combination of host-based intrusion detection (HIDS), intrusion prevention (HIPS), and least-privilege access control. Tenzing leverages granular policy-based controls to provide high security for virtual solutions, protecting against zero-day and targeted attacks, with real-time control and visibility into compliance.


Payment Security

PCI Assure

With PCI Assure, Tenzing utilizes the latest in transaction processing technology to get merchants PCI compliant quickly and painlessly and to keep them there. PCI Assure offers a complete, flexible, online checkout solution that integrates seamlessly into your environment while keeping the customer check-out process seamless. Tenzing has partnered with Hosted PCI to deliver this service to customers.

This service provides retailers with a Level 1 PCI-DSS compliant solution and enables retailers to maintain complete control over the checkout process.

PCI Assure provides the following benefits:

• Complete indemnification against credit card breach.

• Simplified PCI-DSS certification process.

• Significant cost savings compared with in-house PCI-DSS compliance.

• Predictable, timely implementation with several pre-built integrations.

• Flexible deployment allowing for seamless integration anywhere on the merchant website.

• Simple, all-in cost/transaction model that scales to millions of transactions.

• Payment processor independent tokens: no need to be locked into one payment processor or tokenization solution. PCI Assure tokens are transferable between supported payment gateways and processors.

• Customization options for merchants who are required to pass credit card data to other Level 1 PCI compliant entities, such as fulfillment providers.

• Fewer abandoned carts with the PCI Assure advantage. Keep customers on your site and keep abandonment rates low with PCI Assure IFRAME.

CONCLUSION

Tenzing believes that a great IT managed services company should do more than just keep infrastructure up and running. It should help your business succeed and grow. That is why Tenzing partners with its clients to deliver meaningful insights and impactful technologies that help them grow their online revenues. The success of Tenzing’s clients has fueled its own success. Since Tenzing first launched in 1998, the company has been recognized 7 times by Profit Magazine as one of Canada’s fastest growing companies. It has also been recognized by The Branham Group as a top information and communications technology company for five years running. The secret to Tenzing’s success is a set of core values and industry-leading best practices designed to ensure the best outcomes for its clients. Tenzing’s security services are integral to its core values.

For more information, please reach out to Tenzing at 877-767-5577 or email us at [email protected].