Security of Your Data

General Security Questions

Where is my data located?

  • Redundantly, at multiple secure data centers located on the east coast of the United States, in facilities owned and operated by Amazon.com and Google.

Is my data secure at Amazon AWS data centers?

  • Yes [1]. Amazon has many years of experience in designing, constructing, and operating large-scale datacenters. This experience has been applied to the AWS platform and infrastructure. AWS datacenters are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access datacenter floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff. AWS only provides datacenter access and information to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical access to datacenters by AWS employees is logged and audited routinely.

Is my data secure at Google data centers?

  • Yes [2]. Google data center physical security features a layered security model, including safeguards like custom-designed electronic access cards, alarms, vehicle access barriers, perimeter fencing, metal detectors, and biometrics, and the data center floor features laser beam intrusion detection. Data centers are monitored 24/7 by high-resolution interior and exterior cameras that can detect and track intruders. Access logs, activity records, and camera footage are available in case an incident occurs. Data centers are also routinely patrolled by experienced security guards who have undergone rigorous background checks and training. As you get closer to the data center floor, security measures also increase. Access to the data center floor is only possible via a security corridor which implements multi-factor access control using security badges and biometrics. Only approved employees with specific roles may enter. Less than one percent of Googlers will ever set foot in one of the data centers.

How is my data segregated from other customers?

  • As a true multi-tenant application, Clario segregates each customer’s data. Clario assigns data security rules that determine which users have access to which data. End users have the ability to authorize other users within their organization to access their data and projects if desired. All user access changes are logged.

Who can access my data in your company?

  • Clario System Administrators can access data for support purposes only.

How are the users authenticated and authorized?

  • Users are authenticated and authorized via internal, replicated LDAP servers that store users’ information using industry-standard one-way encryption/hash algorithms.

How secure is the Clario web application?

  • Clario uses 256-bit SSL technology to protect all data transmitted between the end user’s web browser and the application server. Application servers are hosted inside the secure infrastructure provided by Amazon Web Services.

How do you protect my data from breaches?

  • Access to all data in Clario is controlled using a keyed-hash message authentication code (HMAC-SHA1) signature calculated from a Secret Access Key. Secret Access Keys are only available to Clario System Administrators.

Are you compliant with PCI DSS?

  • No. Clario does not receive or hold any credit card information.

Do you have a list of published policies and procedures that support information integrity objectives of the organization (Password Policies, User Access Policies, Incident Response Procedures, etc.)?

  • A full suite of policies and procedures are available upon request.

What are the password requirements for Clario user accounts?

  • Clario requires a minimum of 8 characters; at least one number, one uppercase letter, and one lowercase letter are required for a password to be accepted as valid.

Who has access to my data?

  • Clario System Administrators can access data for support purposes only.

How is access to default accounts restricted?

  • Default accounts are locked down and not accessible remotely. Clario System Administrators are authenticated via SSH keys. All access is logged and reviewed.

Is access to my data logged?

  • Clario audits data access at a per-object level, and the access logs are available only to Clario System Administrators. Each access log record contains details about the request, such as the request type, the resource with which the request worked, and the date and time at which the request was processed.

How long are logs retained?

  • Logged events are retained for 90 days before being expunged.

Does Clario utilize intrusion detection or prevention systems?

  • No. Ingress and egress rules explicitly deny all traffic by default. Allowances are made only for traffic that is required to pass between two specific systems, which reduces the effective attack surface.

Is there a process for responding to suspected security incidents? How are these incidents resolved and mitigated?

  • NIST standard procedures [3] are documented and are executed when an incident is reported.

Do documented configuration standards exist for the operating system versions running on systems that store, process or transmit my information?

  • A standard, minimal, hardened image is used as the basis for all client-facing infrastructure. Changes to this image are strictly controlled and vetted through an approval process.

How do you ensure that configuration settings on systems have not changed?

  • All infrastructure is immutable. Configuration changes are controlled and vetted through an approval process. Approved changes are deployed to new infrastructure.

Do documented change management procedures for systems that support my data exist?

  • System change requests are put into a queue for approval. Change requests must include a justification, impact statement, and procedures for backing out changes should they have an unintended outcome.

Do you review privileged user access to systems that hold my data?

  • Yes. Root logins are trapped and logged. These logs are reviewed daily for anomalous activity.

What is your patch management procedure for systems that store and transmit my data?

  • Your data is stored (for a short time) on a hardened SFTP server. Patches to the system are applied (if available) quarterly. Patch notification is handled via an automated system that notifies Clario System Administrators of available updates. Updates are queued via a change request and staged for installation against a test environment that matches production. A standard set of regression tests is run against the test systems to ensure service continuity. If the patches have no adverse impact, they are applied and system documentation is updated to reflect the new patch level.

Logical Security

Are shared accounts used to access systems where my data resides?

  • No. Shared accounts do not exist on Clario systems.

What services are enabled on the systems that store, process, or transmit my data?

  • SSH and Apache Tomcat.

Are firewalls or other network controls used to protect my data?

  • Firewalls and a secondary network access control layer provide network edge controls for client-facing systems.

What traffic is allowed through the firewall?

  • For SFTP servers: TCP port 22 and port 443.
  • For load balancers: port 443.

What is the mechanism used to transfer files to Clario?

  • SFTP over SSHv2.

Is encryption being used to protect my data while being transmitted?

  • Yes. AES-256 is used to protect all SSH connections.

Is wireless technology being used on the network that holds my data?

  • No.

Operational Security

Who is responsible for monitoring production systems? Are they available 24x7x365?

  • Clario System Administrators are responsible for monitoring all systems. They are available 24x7x365.

Who is responsible for authorizing access to systems that store, process, or transmit my data?

  • Clario’s Vice President of Engineering is responsible for administrative access authorization.

Is anti-virus used on all the systems that hold and support my data?

  • Yes.

How often does Clario update its virus definitions?

  • Anti-virus signatures are updated hourly.

References

[1] Amazon Web Services Security Whitepaper.
[2] Google Cloud Platform Security Whitepaper.
[3] Tim Grance, Karen Kent, and Brian Kim. Computer Security Incident Handling Guide. NIST Special Publication 800-61. Gaithersburg, MD: National Institute of Standards and Technology, 2004.