Clarizen Security White Paper: Cloud security and practices
Security White Paper 2019
Introduction
Enterprises today rely upon third-party software and services to handle business-critical processes and operations. Whether on-premises or in a hybrid cloud architecture, these solutions must provide a level of security that protects critical company data while minimizing business risk. Clarizen delivers its collaborative, secure, and robust solution built on this vision of business agility. The Clarizen product allows our customers to stay up-to-date with their strategic projects, initiatives and managed work.
Application Security
Clarizen Cloud is designed, built, maintained, monitored, and regularly updated with enterprise-grade security baked in by design. Clarizen leverages Amazon Web Services, the industry-leading cloud platform, to deliver secure services. The shared security responsibility model is a framework adopted by many cloud providers. Under this model, Amazon Web Services is exclusively responsible for infrastructure security, while network, personnel and application layer security controls are implemented, deployed and monitored by the Clarizen security and compliance team.
Encryption
DATA AT REST ENCRYPTION
Clarizen deploys industry-leading encryption algorithms to secure customer data. All customer data is encrypted with Advanced Encryption Standard (AES) 256. This ensures that sensitive data saved on AWS cloud disks is not readable by any user or application without a valid key. The Clarizen security team deploys data at rest encryption to all Elastic Block Store volumes and Simple Storage Service (S3) buckets.
DATA IN TRANSIT
Whenever data is sent between the user's browser and the Clarizen cloud, Clarizen establishes a secure TLS connection, a cryptographic protocol that provides communications security over public computer networks, encrypting all communication between the web server and the client. Additionally, Clarizen secures the identification of the web server via an industry-leading certificate authority.
Passwords
PASSWORD POLICY
Clarizen's strong password policy requirements govern the creation, protection and frequency of password changes. These requirements serve as a baseline or minimum recommended password requirement. More stringent password policies can be established as needed. Passwords are transmitted via a Hypertext Transfer Protocol Secure (HTTPS, HTTP with TLS) connection, a protocol that encrypts communication between the web server and browser and secures the identification of the web server.
PASSWORD PROTECTION
Clarizen takes a multi-level approach to storing all sign-in credentials. Protection begins with "hashing" passwords, a common approach for taking passwords of varied lengths and turning them into fixed-length, non-reversible digests for storage. Clarizen relies on industry-recognized SHA-2 algorithms for creating robust hashes. Clarizen also "salts" customer passwords, adding extra data that is unique and random to every hash, to employ an additional level of password protection.
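The salted-hash storage scheme described above, as an added example that is not Clarizen's own code: it assumes SHA-256 (one SHA-2 member; the paper does not say which) and a 16-byte random salt per account, and shows why salting makes two accounts with the same password produce unrelated digests.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

SALT_BYTES = 16  # assumed salt size; the paper says only that the salt is unique and random


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """Return (salt_hex, digest_hex); draws a fresh random salt unless one is supplied."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    # The salt is mixed in before hashing, so identical passwords on two accounts
    # produce unrelated digests and a precomputed table is useless against the store.
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return salt.hex(), digest


def verify_password(password: str, salt_hex: str, stored_digest_hex: str) -> bool:
    """Recompute the salted digest and compare in constant time."""
    _, candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored_digest_hex)


def demo() -> Dict[str, bool]:
    """Constructed sample: two accounts that happen to share a password."""
    alice = hash_password("Corr3ct-Horse-Battery")
    bob = hash_password("Corr3ct-Horse-Battery")
    return {
        "digests_differ": alice[1] != bob[1],  # salting at work
        "alice_accepts_right": verify_password("Corr3ct-Horse-Battery", *alice),
        "alice_rejects_wrong": not verify_password("corr3ct-horse-battery", *alice),
    }


if __name__ == "__main__":
    print(demo())
```

The same store-and-verify structure holds if the digest function is swapped for a slower, iterated construction; only `hash_password` changes.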
Copyright © Clarizen. All rights reserved.
UNIQUE IDENTIFICATION
Every Clarizen user must have a unique account ID to access the platform. This account ID is used to track user activity, as well as to assign and enforce the correct permissions level.
Penetration tests
EXTERNAL SECURITY AUDITS
Clarizen engages external security testers and professional application auditors on an annual basis as part of its security testing processes. These experts perform penetration tests using the Open Web Application Security Project (OWASP) Top Ten methodology for multiple attack scenarios, in conjunction with several internally developed and managed proprietary attack methodologies and scenarios.
PENETRATION TEST SUMMARY REPORT
Penetration test summary reports are provided to customers upon request, including all test findings, along with all remedial actions taken to address any issues that may have been identified during testing.
Software development
OPEN SOURCE AND VULNERABILITY MANAGEMENT
Clarizen has deployed WhiteSource scanners to ensure continuous auditing and automation of open source components and to detect security vulnerabilities and license issues in those components. The Clarizen security and compliance team can match the retrieved data against Clarizen's pre-defined policies and generate immediate, up-to-date reports of all components and issues detected.
Application content filtering
WEB TRAFFIC INSPECTION AND SANITIZATION
To prevent all forms of cross-site scripting (XSS), SQL injection and other such malicious attacks, Clarizen has fully integrated a proprietary sanitization engine into the platform, which inspects all traffic prior to processing.
Authentication
OAUTH AUTHENTICATION
Clarizen deploys OAuth 2.0, which is recognized as the industry-standard framework for authentication. Leveraging the OAuth framework provides client applications with "secure delegated access." Authentication with the Clarizen API via the OAuth 2.0 public interface
Infrastructure Security
Network security
[DDoS] DISTRIBUTED DENIAL OF SERVICE PROTECTION
Clarizen deploys AWS Shield to leverage DDoS mitigation techniques. Shield provides enhanced resource-specific detection and employs advanced mitigation and routing techniques for sophisticated or larger attacks. AWS Shield provides visibility and insights into all DDoS metrics and attack diagnostics.
[MITM] MAN IN THE MIDDLE ATTACKS
Amazon EC2 automatically generates new SSH host certificates on first boot and logs them to the Clarizen console. Clarizen leverages secure APIs to access the host certificates before logging into an instance for the first time.
[IP] SPOOFING
Amazon EC2 instances running the Clarizen service cannot send spoofed network traffic. The AWS-controlled, host-based firewall infrastructure does not permit an instance to send traffic with a source IP or MAC address other than its own.
PORT SCANNING
Unauthorized port scans of EC2 are a violation of the Acceptable Use Policy (AUP). Violations of the AUP are taken seriously, and every reported violation is investigated. When unauthorized port scanning is detected, it is stopped and blocked. Port scans of Amazon EC2 instances are ineffective because, by default, all inbound ports on Amazon EC2 instances are closed.
PACKET SNIFFING
It is not possible for a virtual instance running in promiscuous mode to receive or "sniff" traffic that is intended for a different virtual instance. Even two virtual instances that are located on the same physical host cannot listen to each other's traffic. Attacks such as ARP cache poisoning do not work within Amazon EC2.
Access control
VIRTUAL FIREWALLS
Clarizen has implemented Amazon security groups in its cloud architecture. Security groups act as virtual firewalls designed to protect the Clarizen instances from unauthorized east-west and north-south data center traffic. Clarizen security groups also control the inbound traffic to the Clarizen Virtual Private Network.
LEAST PRIVILEGE
Clarizen deploys identity and access management with a "least privilege" approach to control and manage the access layer for the Clarizen cloud infrastructure. Additionally, Clarizen relies on complex password policies being enforced that include minimum length, alphanumeric character requirements, and usage frequency to rotate user passwords.
[2FA] MULTI-FACTOR AUTHENTICATION
Administrative access to the guest host operating systems for instance management, and access to the Amazon console, requires the use of multi-factor authentication. Clarizen deploys software-based tokens installed and managed on cloud administrators' devices.
VPC INTER-COMMUNICATION
To ensure Clarizen component security within the Amazon Virtual Private Network, the Clarizen microservices interact with each other via authenticated mechanisms. This function is performed by way of an authentication header key. Amazon security groups combined with header keys ensure that only approved services can communicate within the Clarizen infrastructure.
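An added illustration of the two layers just described, a per-service header key plus an allow-list of which services may call which (example code, not Clarizen's implementation): the header name `X-Service-Key`, the service names and the key registry are all assumptions made for the example.

```python
import hmac
import secrets
from typing import Dict, Optional, Set, Tuple

AUTH_HEADER = "x-service-key"  # assumed header name; matched case-insensitively

# Constructed key registry: in a real deployment each key lives in a secret store.
SERVICE_KEYS: Dict[str, str] = {
    "scheduler": secrets.token_hex(32),
    "notifier": secrets.token_hex(32),
}

# Allow-list mirroring the security-group layer: callee -> callers permitted to reach it.
ALLOWED_CALLERS: Dict[str, Set[str]] = {
    "billing": {"scheduler"},
    "mailer": {"scheduler", "notifier"},
}


def identify_caller(headers: Dict[str, str]) -> Optional[str]:
    """Map a presented header key to a service name, or None if absent or unknown."""
    lowered = {k.lower(): v for k, v in headers.items()}
    presented = lowered.get(AUTH_HEADER)
    if presented is None:
        return None
    # Compare in constant time against every key, so response timing reveals
    # neither which service's key was close nor how many leading bytes matched.
    matched = None
    for service, key in SERVICE_KEYS.items():
        if hmac.compare_digest(presented.encode("utf-8"), key.encode("utf-8")):
            matched = service
    return matched


def authorize(callee: str, headers: Dict[str, str]) -> Tuple[int, str]:
    """Return an HTTP-style status and reason for a request arriving at `callee`."""
    caller = identify_caller(headers)
    if caller is None:
        return 401, "missing or unknown service key"
    if caller not in ALLOWED_CALLERS.get(callee, set()):
        return 403, f"{caller} is not permitted to call {callee}"
    return 200, caller


def outbound_headers(service: str) -> Dict[str, str]:
    """Headers a service attaches when calling a peer."""
    return {"X-Service-Key": SERVICE_KEYS[service]}


if __name__ == "__main__":
    print(authorize("billing", outbound_headers("scheduler")))  # (200, 'scheduler')
    print(authorize("billing", outbound_headers("notifier")))   # 403: wrong caller
    print(authorize("billing", {}))                             # 401: no key
```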
Vulnerability management
VULNERABILITY SCANNING AND PATCH MANAGEMENT
Clarizen leverages the Amazon Inspector service to secure all workloads and ensure no deviation from the security best practices framework and the common vulnerability database. Clarizen automatically scans all production cloud assets for vulnerabilities or deviations from best practices. Detailed lists of findings are regularly communicated to the management team.
Identified and validated vulnerabilities are prioritized and assigned an appropriate remediation rating according to the type of issue, its impact severity, and exposure. Patches are deployed to the infrastructure after passing the required quality assurance and UAT tests, according to a management approval process.
Continuous security monitoring
CLOUD GUARD
Clarizen has deployed Check Point CloudGuard, continuous security monitoring for comprehensive, real-time cloud security and compliance automation. The Clarizen security team can visualize and assess the current security posture, detect misconfigurations in real time, model and actively enforce security best practices, and protect against identity theft and data loss in the cloud.
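The kind of misconfiguration check a posture tool runs over security-group rules (the virtual-firewall layer described under Access control and the real-time misconfiguration detection described here), as an added example that is neither Clarizen's nor Check Point's code: the rule shape, the group names and the policy constants (only HTTPS may face the internet, admin ports only from a /24 or narrower) are assumptions made for the example.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed rules in a simplified shape (assumed; not pulled from the AWS API).
RULES: List[Dict] = [
    {"group": "sg-web", "proto": "tcp", "from": 443, "to": 443, "cidr": "0.0.0.0/0"},
    {"group": "sg-web", "proto": "tcp", "from": 22, "to": 22, "cidr": "0.0.0.0/0"},
    {"group": "sg-db", "proto": "tcp", "from": 5432, "to": 5432, "cidr": "10.0.0.0/16"},
    {"group": "sg-db", "proto": "-1", "from": 0, "to": 65535, "cidr": "::/0"},
    {"group": "sg-bastion", "proto": "tcp", "from": 22, "to": 22, "cidr": "203.0.113.0/24"},
    {"group": "sg-rdp", "proto": "tcp", "from": 3389, "to": 3389, "cidr": "10.0.0.0/8"},
]

PUBLIC_OK = {("tcp", 443)}   # assumed policy: only HTTPS may be reachable from anywhere
ADMIN_PORTS = {22, 3389}     # management ports that should come only from narrow ranges
MAX_ADMIN_PREFIX = 24        # assumed: admin sources must be a /24 or narrower


def audit(rules: List[Dict]) -> List[Tuple[str, str, str]]:
    """Return (group, severity, reason) for every rule that breaks the assumed policy."""
    findings: List[Tuple[str, str, str]] = []
    for r in rules:
        net = ipaddress.ip_network(r["cidr"], strict=False)
        world_open = net.prefixlen == 0  # 0.0.0.0/0 or ::/0
        ports = range(r["from"], r["to"] + 1)
        span = f"{r['proto']}/{r['from']}-{r['to']}"
        if world_open and r["proto"] == "-1":
            findings.append((r["group"], "HIGH", "all protocols and ports open to the world"))
        elif world_open and not all((r["proto"], p) in PUBLIC_OK for p in ports):
            findings.append((r["group"], "HIGH", f"{span} open to the world"))
        elif ADMIN_PORTS & set(ports) and net.prefixlen < MAX_ADMIN_PREFIX:
            findings.append((r["group"], "MEDIUM", f"{span} admin port open to {r['cidr']}"))
    return findings


if __name__ == "__main__":
    for group, severity, reason in audit(RULES):
        print(f"{severity:6} {group:10} {reason}")
```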
ATTACK SIMULATION AND SECURITY CONTROLS VALIDATION
Clarizen has deployed the SafeBreach attack simulation and controls validation platform to validate cloud security controls and simulate attacks, ensuring the resilience of our security posture. The Clarizen security team can simulate breach methods across the entire kill chain based on the attacker profile and the data assets to be protected, quantify the real impact of a cyber-attack, and see risk trends over time.
• Cloud security operations: visualize security posture and network topology in real time, and enforce gold standard policies across accounts, projects, regions and virtual networks.
• Compliance and governance: ensure that the Clarizen cloud infrastructure always conforms to regulatory compliance requirements and security best practices.
• Identity protection: protect against identity theft by enforcing just-in-time privilege elevation for your most sensitive operations.
The following practices are followed to prevent unauthorized access to the Clarizen instance:
• Maintain a strict access control approval process
• Grant least privilege access (access given on an as-needed basis)
• Record successful and failed login audit logs
• Content filtering
• Intrusion prevention
Operation Security
Operation security
SERVICE MONITORING
Clarizen platforms are monitored 24/7, using external and internal probes to monitor service availability and security issues. These probes are configured to send alerts on a wide variety of criteria, including security, availability and performance degradation. The Clarizen Trust Site provides our customers with real-time information about Clarizen service availability. Service status information is provided in a clean and easy-to-read format.
Clarizen communicates service status to customers via the Clarizen Status Site: https://status.clarizen.com/.
LOG ANALYSIS
The Clarizen team analyzes server and application logs to identify anomalies or any events that are relevant to the security, availability and performance of the Clarizen Cloud.
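One concrete form of the log analysis described here, applied to the successful and failed login audit records listed among the access-control practices above, as an added example that is not Clarizen's tooling: the log line format, the 5-minute window and the 5-failure threshold are assumptions, and the log lines are constructed for the example. It flags a source that fails repeatedly within the window and, separately, any later success from a source already flagged.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional

# Assumed audit-log format (constructed for this example; not Clarizen's real format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login result=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)
WINDOW = timedelta(minutes=5)  # assumed sliding window
THRESHOLD = 5                  # assumed: failures from one source that trigger an alert

# Constructed sample: one source cycling through accounts, then logging in.
SAMPLE_LOG = """\
2019-03-04T10:00:01Z login result=FAIL user=alice src=203.0.113.5
2019-03-04T10:00:03Z login result=FAIL user=bob src=203.0.113.5
2019-03-04T10:00:04Z login result=OK user=carol src=198.51.100.7
2019-03-04T10:00:06Z login result=FAIL user=carol src=203.0.113.5
2019-03-04T10:00:09Z login result=FAIL user=dave src=203.0.113.5
2019-03-04T10:00:12Z login result=FAIL user=erin src=203.0.113.5
2019-03-04T10:00:20Z login result=OK user=erin src=203.0.113.5
2019-03-04T10:30:00Z login result=FAIL user=alice src=192.0.2.9
"""


def parse(line: str) -> Optional[dict]:
    """Parse one audit line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "result": m["result"], "user": m["user"], "src": m["src"]}


def analyze(text: str) -> List[dict]:
    """Flag sources with THRESHOLD failures inside WINDOW, and later successes from them."""
    alerts: List[dict] = []
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)  # src -> failure timestamps
    flagged = set()
    for raw in text.splitlines():
        ev = parse(raw)
        if ev is None:
            continue
        q = recent[ev["src"]]
        while q and ev["ts"] - q[0] > WINDOW:  # drop failures older than the window
            q.popleft()
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
            if len(q) >= THRESHOLD and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append({"type": "brute_force", "src": ev["src"],
                               "failures": len(q), "at": ev["ts"].isoformat()})
        elif ev["src"] in flagged:
            # A success from a source already flagged is worth an analyst's attention.
            alerts.append({"type": "success_after_burst", "src": ev["src"],
                           "user": ev["user"], "at": ev["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```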
DATABASE BACKUP
Clarizen leverages Amazon snapshots to automate the cloud database backup process and validate restore capabilities. A database snapshot creates a storage volume snapshot of the cloud DB instance, backing up the entire DB instance and not just individual databases. Backup files of the cloud database are saved according to the Clarizen backup retention policy, monitored by the Clarizen compliance team.
BACKUP WINDOW
Automated backups occur daily during the backup window. If the backup requires more time than allotted to the backup window, the backup continues after the window ends.
Personnel security
LEAST PRIVILEGE ACCESS POLICY
Clarizen requires that all access to its cloud infrastructure, application, and data be controlled based on business and operational requirements, following the principles of segregation of duties and least privilege.
The Clarizen managed services team is responsible for maintaining the production environment, including code deploys, while the engineering team develops features and code in development and test environments. Our cloud administrative access is based on the concept of least privilege. Clarizen users are limited to the minimum set of privileges required to perform their jobs.
HIRING POLICY AND SCRUTINIZING PROCESS
Before hiring, Clarizen employees and contractors undergo background checks where permitted by law. Background checks review both criminal and financial background indicators. Employees and contractors are made aware of their responsibilities, operational and security policies, as well as the repercussions for failure to adhere to said responsibilities and policies.
Before hiring
• Background check
• History of employment
While working at Clarizen
• Continuous awareness training
• Social engineering tests
• Phishing campaign
• Continuous access review
When terminated
• Immediate access revocation
Physical Security
Clarizen's physical security strategy aims to preserve the confidentiality, integrity, and availability of our services against physical threats. Amazon Web Services provides an enterprise-grade secure infrastructure. AWS holds a wide range of certifications backed by various security controls.
Data center physical security
SURVEILLANCE & DETECTION
Physical access is controlled at building ingress points by professional security staff utilizing surveillance, detection systems, and other electronic means. All ingress and egress points to server rooms are secured with devices that require everyone to provide multi-factor authentication before granting entry or exit. Physical access points to server rooms are recorded by Closed Circuit Television Camera (CCTV). Images are retained according to legal and compliance requirements.
POWER
AWS data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day. Data centers are equipped with back-up power supply to ensure power is available to maintain operations in the event of an electrical failure for critical and essential loads in the facility.
CLIMATE AND TEMPERATURE
AWS data centers use mechanisms to control climate and maintain an appropriate operating temperature for servers and other hardware to prevent overheating and reduce the possibility of service outages. Personnel and systems monitor and control temperature and humidity at appropriate levels.
FIRE DETECTION AND SUPPRESSION
Data centers are equipped with automatic fire detection and suppression equipment. Fire detection systems utilize smoke detection sensors within networking, mechanical, and infrastructure spaces. These areas are also protected by suppression systems.
REDUNDANCY
Data centers are designed to anticipate and tolerate failure while maintaining service levels. In case of failure, automated processes move traffic away from the affected area. Core applications are deployed to an N+1 standard, so that in the event of a data center failure, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites.
AVAILABILITY
AWS has identified critical components required to maintain system availability in the event of an outage. Critical system components are backed up across multiple, isolated locations known as Availability Zones. Each Availability Zone is engineered to operate independently with high reliability. Availability Zones are connected to enable applications to fail over automatically between Availability Zones without interruption.
Given the importance of access control mechanisms, Clarizen continuously monitors and tests its security systems and processes to ensure they are functioning properly.
ABOUT CLARIZEN
Clarizen delivers cloud-based enterprise collaborative work management solutions built on the vision of business agility. Clarizen's PPM solution was named a 2018 Gartner Peer Insights Customers' Choice for Project Portfolio Management, Worldwide, and is the winner of the prestigious 2018 SIIA CODiE and 2018 Gold Stevie® awards for Best Project Management Solution. Fortune 500 companies like Dell, Newell Brands and Shaw Industries are just some of the more than 2,000 customers across 124 countries that rely on Clarizen to help them quickly adapt to changing market conditions and achieve their business goals. In the last five years, Clarizen customers have completed more than 25 million milestones and 1 million projects. To learn more, visit www.clarizen.com.
Copyright © 2019 Clarizen. All rights reserved.
Certifications
SOC 2 TYPE II
The SOC 2 report is an attestation report that expands the evaluation of controls to the criteria set forth by the American Institute of Certified Public Accountants (AICPA) Trust Services Principles. These principles define leading practice controls relevant to security, availability, processing integrity, confidentiality, and privacy applicable to service organizations. SOC 2 is an evaluation of the design and operating effectiveness of controls that meet the criteria for the security and availability principles set forth in the AICPA's Trust Services Principles criteria.
ISO 27001
ISO 27001 certification for an Information Security Management System (ISMS) covering infrastructure, data centers, and services. ISO 27001/27002 is a widely-adopted global security standard that sets out requirements and best practices for a systematic approach to managing company and customer information that is based on periodic risk assessments appropriate to ever-changing threat scenarios.
FEDRAMP
Federal Risk and Authorization Management Program compliant cloud service provider. Core infrastructure component testing includes testing performed by a FedRAMP-accredited Third-Party Assessment Organization (3PAO), and AWS has been granted two Agency Authorities to Operate (ATOs) by the US Department of Health and Human Services (HHS) after demonstrating compliance with FedRAMP requirements at the Moderate impact level.
All U.S. government agencies can leverage the AWS Agency ATO packages stored in the FedRAMP repository to evaluate AWS for their applications and workloads, provide authorizations to use AWS, and transition workloads into the AWS environment. The two FedRAMP Agency ATOs encompass all U.S. regions (the AWS GovCloud (US) region and the AWS US East/West regions).
GDPR
The European Union's General Data Protection Regulation (GDPR) protects European Union data subjects' fundamental right to privacy and the protection of personal data. It introduces robust requirements that will raise and harmonize standards for data protection, security, and compliance. AWS-based services comply with GDPR.