Last updated June 2017
Noteninja enables companies to securely capture their sales and service calls and demos. Helping to protect the confidentiality, integrity, and availability of our customers’ data is of the utmost importance to Noteninja, as is maintaining customer trust and confidence. This document is intended to outline the security features Noteninja has put in place to protect customer data.
Noteninja Security Features:
- SSL restricted traffic for all client-server communication.
- Network and host based firewalls with least privilege rules.
- Preliminary intrusion detection and prevention systems.
- Data encrypted at rest.
- Change control measures with vulnerability scans and peer code reviews.
- Least-privilege, role-based user management and regular reviews of access levels.
- Access controls to limit the data that users can view or edit.
- Routine software patching, including 24-hour patching for major security threats.
- Routine penetration testing.
Where do we host our services?
Noteninja hosts its software-as-a-service at Heroku and Google Cloud Platform (GCP) for their unparalleled security, scalability and availability. Heroku is a platform for hosting and scaling applications running in AWS data centers. Utilizing GCP and AWS infrastructure, Noteninja inherits GCP and AWS network, ops and monitoring to satisfy stringent physical and network intrusion requirements. GCP is SOC 2 Type 2 Certified, HIPAA compliant, and PCI compliant. For additional information see: https://aws.amazon.com/security and https://cloud.google.com/security/compliance
When was our hosting facility audited (SOC 2, ISO, etc.) and what were the detailed results?
The GCP and AWS SOC 1 and SOC 2 audits were completed within the last 18 months, and both GCP and AWS received a favorable, unbiased opinion from independent auditors. The control objectives and control activities of GCP and AWS are focused on operational performance and security to protect customer data. A copy of the report is available from GCP and AWS upon request, with an executed NDA in place with Google and/or Amazon. Noteninja has reviewed the SOC 2 audits in detail and is satisfied that GCP and AWS infrastructure meets or exceeds all critical SOC 2 audit protocols.
In addition, GCP and AWS have been accredited under the cloud specific standards ISO 27017:2015 and ISO 27018:2014, as well as ISO 9001, ISO 27001, PCI Level 1, FISMA Moderate, Sarbanes-Oxley (SOX).
What physical security controls are in place to protect the environment processing or storing customer data?
GCP and AWS data centers are housed in nondescript facilities, and critical facilities have extensive setback and military grade perimeter control berms as well as other natural boundary protection. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state of the art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication no fewer than three times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.
Google and Amazon only provide data center access and information to employees who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Google or Amazon. All physical and electronic access to data centers by Google and Amazon employees is logged and audited routinely.
Are our endpoints secured by HTTPS?
Yes. External HTTP requests are received by a load balancer that handles SSL termination. We utilize Heroku, the Salesforce-owned application development platform, to assist in load balancing and network security. For more information please see https://www.heroku.com/policy/security
What network security devices, such as firewalls and IDS/IPS are in use to protect critical systems and sensitive data?
Firewalls are utilized to restrict access to systems from external networks and between systems internally. By default all access is denied; only explicitly allowed ports and protocols are permitted, based on business need. Each system is assigned to a firewall security group based on the system’s function. Security groups restrict access to only the ports and protocols required for a system’s specific function to mitigate risk. Host-based firewalls restrict applications from establishing localhost connections over the loopback network interface and further limit inbound and outbound connections as needed.
Firewalls prevent IP, MAC, and ARP spoofing on the network and between virtual hosts. Packet sniffing is prevented by the infrastructure, including the hypervisor, which will not deliver traffic to an interface to which it is not addressed. Application isolation, operating system restrictions, and encrypted connections are used to further ensure risk is mitigated at all levels. Port scanning is prohibited and every reported instance is investigated by our infrastructure provider. When port scans are detected, they are stopped and access is blocked.
What change control and security code review procedures are in place?
The network and infrastructure systems are managed by our infrastructure provider, Google GCP. GCP data center operations have been accredited under: ISO 27001, SOC 1 and SOC 2, PCI DSS v3.1.
Changes to the Noteninja application go through the following process:
- An automated test suite is run on changes before they are merged into the code base.
- Static security analyzers are run as part of the test suite. Any potential vulnerability must be either confirmed as a false positive or fixed before the change moves forward.
- Peer code review is performed for code quality and security.
- The change is merged and deployed to a staging environment.
- Final testing is done on the staging environment to verify correctness.
- The change is then available to be merged to the production environment.
Are all servers and software at the current patch levels and fully supported?
Yes. New servers are deployed with the latest updates and security fixes, and existing servers are upgraded on a rolling basis, which is expedited for critical security patches.
Where is customer data retained? Is the data stored on laptops, mobile devices or removable media?
Data is retained in the application database and offsite backup copies of the database used for disaster recovery purposes only. In order to improve and support the Noteninja application, limited data is also stored in our analytics and customer support database. Data is not retained on any laptops, mobile devices, or removable media.
How is customer data protected when hardware is decommissioned?
Decommissioning hardware is managed by our infrastructure provider using a process designed to prevent customer data exposure. GCP applies the Disk Erase Policy set out in its data processing terms. Details can be found here: https://cloud.google.com/terms/data-processing-terms
How is one customer’s data segmented from other customers’ data?
All customer data is tenanted within our database, and no access is allowed by the application outside of the logged in tenant. Tenants are logically separated at the application level. Optional access controls are also available inside the application to limit which information customer employees can view about other employees in the same company.
At the operating system layer, GCP currently utilizes a highly customized version of the KVM hypervisor. Because paravirtualized guests rely on the hypervisor to provide support for operations that normally require privileged access, the guest OS has no elevated access to the CPU. This explicit virtualization of the physical resources leads to a clear separation between guest and hypervisor, resulting in additional security separation between the two. Different instances running on the same physical machine are isolated from each other via the KVM hypervisor. In addition, the GCP firewall resides within the hypervisor layer, between the physical network interface and the instance’s virtual interface. All packets must pass through this layer, thus an instance’s neighbors have no more access to that instance than any other host on the Internet and can be treated as if they are on separate physical hosts. The physical RAM is separated using similar mechanisms.
GCP does not possess access rights to the operating system of Noteninja server instances. This separation of power provides a necessary structure of checks-and-balances to protect the integrity of the application.
Access to customer data stored in Noteninja is limited to staff who provide customer support and DevOps. Noteninja employees are trained to access this data only when there is a legitimate business need and all access is logged.
Is single sign-on (SSO) supported?
The Noteninja application does not currently support single sign-on.
What monitoring capabilities are implemented to identify access to customer data and servers that contain customer data?
All physical and electronic access to data centers by Google employees is logged and audited routinely. All application logins by customers’ users and Noteninja employees are logged.
What encryption mechanisms are in place both for data in transit and data at rest?
Data in transit and at rest are both encrypted. Data in Google Cloud Platform is broken into subfile chunks for storage, and each chunk is encrypted at the storage level with an individual encryption key. The key used to encrypt the data in a chunk is called a data encryption key (DEK). Because of the high volume of keys at Google, and the need for low latency and high availability, these keys are stored near the data that they encrypt. The DEKs are encrypted with (or “wrapped” by) a key encryption key (KEK). Customers can choose which key management solution they prefer for managing the KEKs that protect the DEKs that protect their data. For additional information see: https://cloud.google.com/security/encryption-at-rest/.
How long will customer data be retained? What options exist to destroy sensitive data at the end of the engagement?
Customer data is kept in the production database for live recovery purposes for 90 days after a customer terminates service with Noteninja. Data can be purged sooner upon request. Data will remain in database backups for the life of those backups.
Is the production environment physically and logically separated from development and test environments? Will customer data be in use in the development or test environment?
The production environment is completely separate from development and test environments. Customer data is not in use in the development or test environments.
What is the password policy for systems that host customer data, or allow access to systems that store/process customer data?
We rely on Okta for password management. Okta has attained HIPAA and ISO 27001 compliance, as well as CSA STAR Level 2 and SOC 2. For more information see: https://www.okta.com/security
What are the user management processes for Noteninja staff?
Noteninja employees are granted least-privilege access to systems storing customer data on an as-needed basis. Access levels that include access to customer application data must be approved by the CTO. Access to the customer support systems must be approved by the CEO.
Each Noteninja employee’s access level is reviewed whenever their role changes, either through adding new access-levels or removing old ones. When an employee is terminated, their access to Noteninja systems and customer data is terminated on the day of termination, if not before.
What user account management capabilities are available for customer user accounts?
Customer users of Noteninja have one of two roles, “Admin” or “Regular User”. Company Admins can view and edit information about other users. They can also control the viewing permissions of Regular Users. Company Admins have the power to change a Regular User’s role to make them a Company Admin, or to change another Company Admin’s role to make them a Regular User. Admins are also responsible for authorizing the connection to the customer’s CRM.
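The tenant separation from “How is one customer’s data segmented” and the Admin / Regular User rules above, as an added Node.js example that is not Noteninja’s code: the tenant is taken only from the authenticated session, cross-tenant ids are indistinguishable from nonexistent ones, and role checks gate viewing, the colleague-visibility setting, and role changes. The sample companies, users, session objects and function names are assumptions for illustration.

```javascript
// Constructed model of the tenant and role rules described above, not Noteninja's
// code: tenant comes only from the authenticated session; role gates what a caller may do.
const tenants = { // constructed sample data; tenantId identifies the customer company
  acme: { regularUsersCanViewColleagues: false },
  zeta: { regularUsersCanViewColleagues: true },
};
const users = [
  { id: 1, tenantId: 'acme', role: 'Admin', name: 'Ada', email: 'ada@acme.example' },
  { id: 2, tenantId: 'acme', role: 'Regular User', name: 'Bob', email: 'bob@acme.example' },
  { id: 3, tenantId: 'zeta', role: 'Admin', name: 'Zoe', email: 'zoe@zeta.example' },
];

// The single data-access path: rows outside the session's tenant do not exist
// as far as the application is concerned, whatever id the caller asks for.
function tenantUsers(session) {
  return users.filter(u => u.tenantId === session.tenantId);
}

function requireUser(session, id) {
  const u = tenantUsers(session).find(x => x.id === id);
  if (!u) throw new Error('not found'); // same answer for other-tenant and unknown ids
  return u;
}

function requireAdmin(session) {
  const actor = requireUser(session, session.userId);
  if (actor.role !== 'Admin') throw new Error('forbidden');
  return actor;
}

// Admins see everyone in their company; Regular Users see themselves, and
// colleagues only when an Admin has switched that permission on.
function viewUser(session, targetId) {
  const actor = requireUser(session, session.userId);
  const target = requireUser(session, targetId);
  const allowed = actor.role === 'Admin' || actor.id === target.id
    || tenants[session.tenantId].regularUsersCanViewColleagues;
  if (!allowed) throw new Error('forbidden');
  return { id: target.id, name: target.name, email: target.email, role: target.role };
}

// Admin-only: set what Regular Users may see, or promote/demote a colleague.
function setColleagueVisibility(session, enabled) {
  requireAdmin(session);
  tenants[session.tenantId].regularUsersCanViewColleagues = enabled;
  return enabled;
}

function changeRole(session, targetId, role) {
  requireAdmin(session);
  if (!['Admin', 'Regular User'].includes(role)) throw new Error('bad role');
  const target = requireUser(session, targetId); // still tenant-scoped
  target.role = role;
  return target.role;
}
```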
What are the redundancy features of Noteninja?
Our hosting platform is designed with redundancy at all layers to prevent single points of failure, is able to automatically migrate workloads from failed components, and utilizes multiple data centers designed for resiliency. Application software is backed up as part of the deployment process and stored on secure, access-controlled, and redundant storage. Application configuration and meta-information is backed up nightly to capture changes to the running applications after deployment. These backups are used to bring the application back online in the event of an outage.
Base backups are taken while the database is fully available and make a verbatim copy of Postgres’ data files. This includes dead tuples, bloat, indexes and all structural characteristics of the currently running database. On Heroku Postgres, a base backup capture is rate limited to about 10 MB/s and imposes a minimal load on the running database. Committed transactions are recorded as WAL files, which are able to be replayed on top of the base backups, providing a method of completely reconstructing the state of a database. Base backups and WAL files are pushed to AWS’ S3 object store through an application called WAL-E as soon as they are made available by Postgres.
All databases managed by Heroku Postgres provide continuous protection by persisting base backups and WAL files to S3. Also, fork and follower databases are implemented by fetching persistent base backups and WAL files and replaying them on a fresh Postgres installation. Storing these physical backups in a highly available object store also enables us to recover entire databases in the event of hardware failure, data corruption or a large scale service interruption. For more information, see https://devcenter.heroku.com/articles/heroku-postgres-data-safety-and-continuous-protection
How do we detect, prevent and mitigate DDoS attacks?
Our infrastructure provides DDoS mitigation techniques including TCP SYN cookies and connection rate limiting, in addition to maintaining multiple backbone connections and internal bandwidth capacity that exceeds the Internet carrier supplied bandwidth. We work closely with our providers to quickly respond to events and enable advanced DDoS mitigation controls when needed.
For more information, see https://www.heroku.com/policy/security
What is our Business Continuity Plan?
In the event that the Noteninja corporate office incurs a power outage, network outage, or disaster, we have arranged on-demand access to alternate office space, sufficiently sized for our team to re-establish operations. In addition, we have created redundancy in our staff’s knowledge and ability to respond to issues by routinely rotating escalated customer support and incident response roles, with a clearly defined flow of responsibility if the primary staff is unavailable.
What is covered by our penetration tests?
We regularly perform penetration testing on the Noteninja services using an OWASP ZAP scan. Testing attempts to identify extraneous services, known software vulnerabilities, and misconfigurations at the network and server levels. At the application level, testing includes input validation, authentication and authorization, and information disclosure as well as all of the OWASP Top Ten vulnerability threats.
What kind of background checks are performed prior to employment?
All new employees undergo pre-employment background checks, showing felonies, misdemeanors, sex offenses and more at the state and county level, plus results from terrorist watchlists. Employees also agree to company policies including security and confidentiality policies.
Do you have well defined and practiced incident response procedures?
Noteninja has defined threat response protocols. When an incident occurs, we follow these steps:
- Move to a central chat room to ensure everyone is on the same page.
- Designate a point person to lead the response effort.
- Respond to customers and proactively reach out to customers as appropriate.
- Assess the problem.
- Mitigate the problem.
- Coordinate response.
- Manage ongoing response.
- Post-incident cleanup.
- Post-incident follow-up.
Forensic capabilities include analyzing user access logs and transaction logs, and working with our infrastructure providers to understand the extent and nature of an incident.
What notification and escalation processes exist in case of security incident? Is there a process to notify Customer about incidents that affect Customer’s business or data?
All security issues and suspicious activity are escalated to our CTO. Noteninja immediately notifies customers of unauthorized access to, or release of, their information of which we become aware. Upon request, we will promptly provide to you all information and documentation that we have available to us in connection with any such event.
How often are incident response procedures reviewed?
Incident response protocols are reviewed annually.