Cloud Security White Paper For Clarizen services running on Amazon Web Services January 2021

Introduction

Enterprises today rely on third-party software and services to handle business-critical processes and operations. Whether on-premises or in a hybrid cloud architecture, these solutions must provide a level of security that protects critical company data while minimizing business risk. This white paper addresses the security controls and best practices deployed by Clarizen to support Clarizen services in the cloud.

The Clarizen Cloud is designed, built, maintained, monitored, and regularly updated with enterprise-grade security included by design. Clarizen leverages Amazon Web Services (AWS), the industry-leading cloud platform.

The shared security responsibility model is a framework adopted by cloud providers. Under this model, AWS is exclusively responsible for physical security, while application, infrastructure, and operational security controls are implemented, deployed, and monitored by the Clarizen security and compliance team.

Application Security

Encryption

DATA AT REST ENCRYPTION
Clarizen deploys an industry-leading encryption algorithm, Advanced Encryption Standard (AES) 256, to secure all customer data. This ensures that sensitive data stored on AWS is not readable by any user or application without a valid key. Clarizen applies data-at-rest encryption to all Elastic Block Store (EBS) volumes and Simple Storage Service (S3) buckets.

DATA IN TRANSIT
Whenever data is sent between the user's browser and Clarizen, a secure TLS connection (a cryptographic protocol that provides communications security over public computer networks) is established, encrypting all communication between the web server and the client. Additionally, Clarizen secures the identification of the web server with a certificate issued by an industry-leading certificate authority.

Authentication

Users can authenticate to Clarizen with a password in one of two ways: delegated authentication or a local password.

DELEGATED AUTHENTICATION
When users authenticate with their Office 365 credentials or Clarizen One login credentials, passwords are maintained and stored within the identity provider. This model of authentication is called delegated authentication. When delegated authentication is configured, the customer's password policy for Office 365 or Clarizen One is enforced.

LOCAL AUTHENTICATION
When users authenticate to Clarizen with a local password, Clarizen integrates with Okta, the leading identity and access management platform. Passwords are stored in the Okta cloud and are hashed using bcrypt with a salt and a high number of rounds. Unlike hashing algorithms designed for speed, which are therefore susceptible to rainbow-table or brute-force attacks, bcrypt is deliberately slow and adaptive, meaning its cost can be raised to make hashing more expensive, and thus slower, as computing power increases.

Passwords

PASSWORD POLICY
Clarizen's strong password policy requirements govern the creation, protection, and frequency of password changes. These requirements serve as a baseline, or minimum recommended, password requirement. Passwords are transmitted over HTTPS (HTTP with TLS), which encrypts communication between the web server and the browser and secures the identification of the web server.

PASSWORD PROTECTION
Clarizen takes a multi-level approach to storing all sign-in credentials. Protection begins with "hashing" passwords, a common approach for taking passwords of varied lengths and turning them into cryptic, fixed-length strings for storage. Clarizen also "salts" customer passwords, adding extra data that is unique and random to every hash, to employ an additional level of password protection.
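The three properties the paper attributes to its password storage (a unique random salt per password, a work factor that can be raised over time, and verification by recomputation rather than decryption) are shown in the following added example. It is not Clarizen's or Okta's code: because bcrypt is not in Python's standard library, it uses PBKDF2-HMAC-SHA256 from hashlib as a stand-in with the same shape, and the record layout pbkdf2_sha256$<iterations>$<salt>$<hash> and the iteration counts are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumed record layout (not Clarizen's or Okta's): "pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>".
# Storing the cost next to the hash lets it be raised later without invalidating old records.
ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000  # tunable work factor; raise it as hardware gets faster
SALT_BYTES = 16


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Hash a password with a fresh random salt and the given work factor."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)  # unique, random salt for this password only
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def _parse_record(stored: str):
    """Split a stored record into (iterations, salt, digest); None if malformed."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        if algorithm != ALGORITHM or not salt_hex or not digest_hex:
            return None
        return int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return None


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    parsed = _parse_record(stored)
    if parsed is None:
        return False
    iterations, salt, expected = parsed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations,
                                    dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, minimum_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when the record was hashed below today's policy; re-hash on the user's next login."""
    parsed = _parse_record(stored)
    return parsed is None or parsed[0] < minimum_iterations


def time_cost(iterations: int) -> float:
    """Seconds for one hash at the given cost; shows how raising the factor slows guessing."""
    start = time.perf_counter()
    hash_password("timing-probe", iterations=iterations)
    return time.perf_counter() - start


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("correct password accepted:", verify_password("correct horse battery staple", record))
    print("wrong password rejected:  ", not verify_password("Tr0ub4dor&3", record))
    print("same password, new salt, different record:",
          record != hash_password("correct horse battery staple"))
    for cost in (10_000, 100_000, DEFAULT_ITERATIONS):
        print(f"{cost:>8} iterations: {time_cost(cost):.3f}s")
```

The timing loop at the end is the "adaptive" property in practice: the same function becomes slower for an attacker guessing offline as the stored iteration count is raised, and needs_rehash lets existing records be upgraded transparently the next time their owner logs in.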

Penetration tests

EXTERNAL SECURITY AUDITS
Clarizen engages external security testers and professional application auditors on an annual basis as part of its security testing processes. These experts perform penetration tests using the Open Web Application Security Project (OWASP) Top Ten methodology for multiple attack scenarios, in conjunction with several internally developed and managed proprietary attack methodologies and scenarios.

PENETRATION TEST SUMMARY REPORT
Penetration test summary reports are provided to customers upon request. The report includes all test findings, along with all remedial actions taken to address any issues identified during the test.

Application content filtering

WEB TRAFFIC INSPECTION AND SANITATION
To prevent all forms of cross-site scripting (XSS), SQL injection, and other such malicious attacks, Clarizen has fully integrated a proprietary sanitation engine into the platform, which inspects all incoming traffic to the web server.
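A traffic-inspecting sanitation engine is one layer; the application code behind it should also treat input strictly as data. The following added example (not Clarizen's code; the tasks table and its rows are constructed for the illustration) puts the vulnerable form of a query and of an HTML fragment beside their hardened forms, using Python's built-in sqlite3 and html modules, so the difference can be observed directly.

```python
import html
import sqlite3
from typing import List, Tuple


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for an application table (not Clarizen's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tasks (id INTEGER PRIMARY KEY, owner TEXT, title TEXT)")
    conn.executemany(
        "INSERT INTO tasks (owner, title) VALUES (?, ?)",
        [("alice", "Q1 roadmap"), ("alice", "Budget review"), ("bob", "Hiring plan")],
    )
    return conn


def tasks_for_owner_vulnerable(conn: sqlite3.Connection, owner: str) -> List[Tuple]:
    # VULNERABLE: the value is spliced into the SQL text, so a quote character in
    # `owner` changes the query's structure instead of being matched as data.
    sql = f"SELECT id, owner, title FROM tasks WHERE owner = '{owner}'"
    return conn.execute(sql).fetchall()


def tasks_for_owner_safe(conn: sqlite3.Connection, owner: str) -> List[Tuple]:
    # HARDENED: a bound parameter travels separately from the SQL text and can
    # only ever be compared as a value, whatever characters it contains.
    return conn.execute(
        "SELECT id, owner, title FROM tasks WHERE owner = ?", (owner,)
    ).fetchall()


def render_title_vulnerable(title: str) -> str:
    # VULNERABLE: untrusted text dropped straight into HTML (stored XSS once persisted).
    return f"<li>{title}</li>"


def render_title_safe(title: str) -> str:
    # HARDENED: escape for the HTML text context before interpolating.
    return f"<li>{html.escape(title, quote=True)}</li>"


if __name__ == "__main__":
    conn = build_db()
    tampered_owner = "' OR '1'='1"  # constructed malformed input
    print("vulnerable query returns", len(tasks_for_owner_vulnerable(conn, tampered_owner)), "rows")
    print("hardened query returns  ", len(tasks_for_owner_safe(conn, tampered_owner)), "rows")
    tampered_title = "<script>alert(1)</script>"  # constructed malformed input
    print(render_title_vulnerable(tampered_title))
    print(render_title_safe(tampered_title))
```

Run as a script, the vulnerable query returns every owner's rows for the malformed input while the parameterized query returns none, and the escaped title renders as literal text rather than markup. An inspection layer in front of the web server can catch the obvious patterns, but parameterization and context-aware escaping remove the class of bug rather than the individual payload.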

Copyright © Clarizen. All rights reserved. 4

Infrastructure Security

Network security

DISTRIBUTED DENIAL OF SERVICE [DDoS] PROTECTION
Clarizen deploys AWS Shield to leverage DDoS mitigation techniques. AWS provides enhanced resource-specific detection and employs advanced mitigation and routing techniques for sophisticated or larger attacks.

MAN IN THE MIDDLE [MITM] ATTACKS
Servers automatically generate new SSH host certificates on first boot and log them to the Clarizen console. Clarizen leverages secure APIs to access the host certificates before logging into an instance for the first time.

IP SPOOFING
Servers running on the AWS network cannot send spoofed network traffic. The AWS-controlled, host-based firewall infrastructure does not permit an instance to send traffic with a source IP or MAC address other than its own.

PORT SCANNING
Unauthorized port scans are a violation of the AWS Acceptable Use Policy (AUP). Violations of the AUP are taken seriously, and every reported violation is investigated. When unauthorized port scanning is detected, it is stopped and blocked. Port scans of Amazon EC2 instances are ineffective because, by default, all inbound ports on Amazon EC2 instances are closed.

PACKET SNIFFING
It is not possible for a virtual instance running in promiscuous mode to receive or "sniff" traffic that is intended for a different virtual instance. Even two virtual instances that are located on the same physical host cannot listen to each other's traffic. Attacks such as ARP cache poisoning do not work within Amazon EC2.

Access control

NETWORK FIREWALLS
Clarizen has deployed Amazon Security Groups in its cloud architecture. Security Groups act as network firewalls designed to protect Clarizen instances from unauthorized east-west and north-south data center traffic. Security Groups also control the inbound traffic to the Clarizen Virtual Private Network.

LEAST PRIVILEGE
Clarizen deploys identity and access management with a "least privilege" approach to control and manage the access layer for the Clarizen cloud infrastructure. Additionally, Clarizen relies on enforced complex password policies that include minimum length, alphanumeric character requirements, and a rotation frequency for user passwords.

TWO-FACTOR [2FA] AUTHENTICATION
Clarizen administrative access to the guest-host operating systems requires the use of two-factor authentication. Clarizen deploys software-based tokens on all of its cloud-administered devices.

ANTI-MALWARE PREVENTION
Clarizen deploys OPSWAT MetaDefender to ensure advanced threat detection and prevention. All files uploaded to Clarizen are scanned by multi-engine scanning technology to ensure files are free from viruses, malware, and malicious content.


Network architecture

(Network architecture diagram; not reproduced in this text.)

Vulnerability management

VULNERABILITY SCANNING AND PATCH MANAGEMENT
Clarizen automatically scans all production cloud assets for vulnerabilities or deviations from industry practices. Clarizen leverages the Amazon Inspector service to secure all workloads. Detailed findings are regularly communicated to the Clarizen management team.

Identified and validated vulnerabilities are prioritized and assigned a remediation rating according to the type of issue, its impact severity, and its exposure. Patches are deployed to the infrastructure after passing the required quality assurance and UAT tests, according to a management approval process.

Continuous security monitoring

CLOUDGUARD
Clarizen deploys Check Point CloudGuard to ensure continuous security monitoring for comprehensive, real-time cloud security and compliance automation. The Clarizen security team can visualize and assess the current security posture, detect misconfigurations in real time, model and actively enforce security best practices, and protect against identity theft and data loss in the cloud.
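Detecting misconfigurations of the kind CloudGuard is described as reporting comes down to comparing resource state against a policy. The following added example (not Clarizen's or Check Point's code) does that offline for two controls this paper names, S3 default encryption and Security Group ingress, against constructed records shaped like the GetBucketEncryption and DescribeSecurityGroups API responses. The bucket names, group IDs, KMS key ARN and severity labels are placeholders chosen for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

ACCEPTED_SSE = {"AES256", "aws:kms", "aws:kms:dsse"}   # SSE-S3 and SSE-KMS variants
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
WORLD = {"0.0.0.0/0", "::/0"}


@dataclass
class Finding:
    resource: str
    severity: str
    message: str


def check_bucket_encryption(bucket: str, config: Optional[dict]) -> List[Finding]:
    """`config` mirrors ServerSideEncryptionConfiguration from GetBucketEncryption;
    None stands for the API reporting that no default encryption is configured."""
    if not config or not config.get("Rules"):
        return [Finding(bucket, "high", "no default encryption rule configured")]
    findings = []
    for rule in config["Rules"]:
        algo = rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        if algo not in ACCEPTED_SSE:
            findings.append(Finding(bucket, "high", f"unrecognized SSEAlgorithm {algo!r}"))
    return findings


def _port_range(perm: dict):
    """Ports covered by one IpPermissions entry; protocol -1 means every port."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def check_security_group(sg: dict) -> List[Finding]:
    """`sg` mirrors one element of DescribeSecurityGroups' SecurityGroups list."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
        cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
        if not any(c in WORLD for c in cidrs):
            continue   # limited to specific ranges; not a world-open rule
        low, high = _port_range(perm)
        exposed = [name for port, name in ADMIN_PORTS.items() if low <= port <= high]
        if exposed:
            findings.append(Finding(sg["GroupId"], "high",
                                    f"world-reachable ingress {low}-{high} exposes {', '.join(exposed)}"))
        else:
            findings.append(Finding(sg["GroupId"], "low",
                                    f"world-reachable ingress {low}-{high}; confirm this is a public service"))
    return findings


# Constructed sample state with placeholder names and IDs (not Clarizen's resources).
SAMPLE_BUCKETS: Dict[str, Optional[dict]] = {
    "example-bucket-encrypted": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "arn:aws:kms:REGION:ACCOUNT:key/PLACEHOLDER"},
        "BucketKeyEnabled": True}]},
    "example-bucket-unencrypted": None,
}
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-example-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-example-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-example-internal", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []}]},
]


def run_posture_check(buckets=SAMPLE_BUCKETS, groups=SAMPLE_SECURITY_GROUPS) -> List[Finding]:
    """Evaluate every bucket and security group and return the combined findings."""
    findings: List[Finding] = []
    for name, config in buckets.items():
        findings += check_bucket_encryption(name, config)
    for sg in groups:
        findings += check_security_group(sg)
    return findings


if __name__ == "__main__":
    for f in run_posture_check():
        print(f"[{f.severity:>4}] {f.resource}: {f.message}")
```

Against the sample state the check reports the unencrypted bucket and the world-open SSH rule as high, and the world-open HTTPS rule as low for a human to confirm; the all-ports rule limited to 10.0.0.0/16 produces nothing. In a live account the same functions would be fed from the AWS API responses the records imitate.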

CLOUDGUARD MONITORING
The following practices are followed to prevent unauthorized access to the Clarizen instance: (figure not reproduced in this text)

Operation Security

Operation security

DATABASE BACKUP
Clarizen leverages Amazon RDS snapshots to automate the cloud database backup process and validate restore capabilities. These database snapshots create a storage-volume copy of the cloud database instance and back up the entire instance, not just individual databases.

DATABASE REPLICATION AND DISASTER RECOVERY
Clarizen utilizes Amazon Availability Zones to replicate its cloud databases and ensure that disaster recovery goals are met. Customer data is stored in the primary database, which is replicated in real time to a secondary database located in a separate physical zone.

BACKUP RETENTION
Backup files of the cloud database are saved according to the Clarizen backup retention policy, which is monitored by the Clarizen compliance team. Clarizen's retention policy is set to 30 days.

SERVICE MONITORING
Clarizen products are monitored 24/7, using external and internal probes to monitor service availability and security issues. These probes are configured to send alerts on a wide variety of criteria, including security, availability, and performance degradation. The Clarizen system status site provides real-time information about Clarizen service availability in a clean and easy-to-read format: https://status.clarizen.com/

LOG ANALYSIS
Clarizen collects server and application logs to identify anomalies or any events that are relevant to the security, availability, and performance of the Clarizen platform.
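Log analysis of the kind described above is, at its simplest, parsing and counting over time windows. The following added example (not Clarizen's tooling) runs two detections over constructed log lines in a simple space-separated format that is not Clarizen's real log format: a burst of failed logins from one client, escalated when a successful login from the same client follows inside the window, and a spike in server errors. The client addresses are taken from the RFC 5737 documentation ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample lines: "<iso-timestamp> <client-ip> <method> <path> <status>".
# Illustrative format only, not Clarizen's real log format; IPs are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
2021-01-15T10:00:01Z 198.51.100.5 GET /app/projects 200
2021-01-15T10:00:03Z 203.0.113.7 POST /login 401
2021-01-15T10:00:04Z 203.0.113.7 POST /login 401
2021-01-15T10:00:05Z 198.51.100.5 POST /login 200
2021-01-15T10:00:06Z 203.0.113.7 POST /login 401
2021-01-15T10:00:08Z 203.0.113.7 POST /login 401
2021-01-15T10:00:09Z 203.0.113.7 POST /login 401
2021-01-15T10:00:11Z 203.0.113.7 POST /login 200
2021-01-15T10:03:00Z 198.51.100.5 GET /api/tasks 500
2021-01-15T10:03:01Z 198.51.100.5 GET /api/tasks 500
2021-01-15T10:03:02Z 198.51.100.9 GET /api/tasks 500
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line: str) -> Optional[dict]:
    """Parse one line into a dict; malformed lines yield None instead of raising."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    ts, ip, method, path, status = match.groups()
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return {"ts": when, "ip": ip, "method": method, "path": path, "status": int(status)}


def parse_log(text: str) -> List[dict]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def detect_login_bursts(events: List[dict], threshold: int = 5, window_seconds: int = 60) -> List[dict]:
    """Alert when one client reaches `threshold` failed logins inside a sliding window;
    escalate to high if that client then logs in successfully within the same window."""
    window = timedelta(seconds=window_seconds)
    recent: Dict[str, deque] = defaultdict(deque)
    alerts: Dict[str, dict] = {}
    for e in events:
        if e["path"] != "/login" or e["status"] != 401:
            continue
        q = recent[e["ip"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and e["ip"] not in alerts:
            alerts[e["ip"]] = {"type": "login_burst", "ip": e["ip"], "at": e["ts"],
                               "failures": len(q), "severity": "medium"}
    for e in events:
        alert = alerts.get(e["ip"])
        if alert and e["path"] == "/login" and e["status"] == 200 \
                and alert["at"] < e["ts"] <= alert["at"] + window:
            alert["severity"] = "high"          # guesses followed by a success: treat as compromise
            alert["followed_by_success"] = True
    return list(alerts.values())


def detect_error_spike(events: List[dict], threshold: int = 3, window_seconds: int = 60) -> List[dict]:
    """Alert when 5xx responses across all clients reach `threshold` inside a sliding window."""
    window = timedelta(seconds=window_seconds)
    q: deque = deque()
    alerts: List[dict] = []
    suppressed_until: Optional[datetime] = None
    for e in events:
        if e["status"] < 500:
            continue
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and (suppressed_until is None or e["ts"] > suppressed_until):
            alerts.append({"type": "server_error_spike", "at": e["ts"], "count": len(q), "severity": "medium"})
            suppressed_until = e["ts"] + window   # one alert per window, not one per line
    return alerts


def analyze(text: str) -> List[dict]:
    events = parse_log(text)
    return detect_login_bursts(events) + detect_error_spike(events)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the sample input the first detection fires for 203.0.113.7 at the fifth failure and is escalated because a successful login follows two seconds later; the second fires once for the three server errors at 10:03. Both windows and thresholds are tuning knobs, and the suppression logic keeps a sustained outage from producing one alert per line.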

LEAST PRIVILEGE ACCESS POLICY
Clarizen requires that all access to its cloud infrastructure, application, and data be controlled based on business and operational requirements. Following the principles of segregation of duties and least privilege, the Clarizen Cloud Administrators are responsible for maintaining the production environment, including code deployments. Cloud administrative access is based on the concept of least privilege: Clarizen users are limited to the minimum set of privileges required to perform their jobs.

Personnel security

HIRING POLICY
Before hiring, Clarizen employees undergo background checks where permitted by law. The pre-employment evaluation includes criminal and dishonest behavior indicators. After hiring, employees and contractors are made aware of their job responsibilities, Clarizen operational and security policies, and the repercussions for failure to adhere to those responsibilities and policies.


Physical Security

AWS data center security

Clarizen has a physical security strategy focused on preserving the confidentiality, integrity, and availability of its services against physical threats. The enterprise-grade secure infrastructure provided by AWS holds a wide range of certifications backed by various security controls.

SURVEILLANCE & DETECTION
Physical access is controlled at building ingress points by professional security staff utilizing surveillance, detection systems, and other electronic means. All ingress and egress points to server rooms are secured with devices that require everyone to provide multi-factor authentication before being granted entry or exit. Physical access points to server rooms are recorded by closed-circuit television (CCTV) cameras, and all images are retained according to legal and compliance requirements.

POWER
AWS data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day. Data centers are equipped with back-up power supplies to ensure that power is available to maintain operations for critical and essential loads in the facility in the event of an electrical failure.

CLIMATE AND TEMPERATURE
AWS data centers use mechanisms to control climate and maintain an appropriate operating temperature for servers and other hardware, to prevent overheating and reduce the possibility of service outages. Personnel and systems monitor and control temperature and humidity at appropriate levels.

FIRE DETECTION AND SUPPRESSION
Data centers are equipped with automatic fire detection and suppression equipment. Fire detection systems utilize smoke detection sensors within networking, mechanical, and infrastructure spaces. These areas are also protected by suppression systems.

REDUNDANCY
Data centers are designed to anticipate and tolerate failure while maintaining service levels. In case of failure, automated processes move traffic away from the affected area. Core applications are deployed to an N+1 standard, so that in the event of a data center failure there is sufficient capacity to enable traffic to be load-balanced to the remaining sites.

Given the importance of access control mechanisms, Clarizen continuously monitors and tests its security systems and processes to ensure they are functioning properly.

AWS - Data center security certifications

SOC 2 TYPE II
The SOC 2 report is an attestation report that expands the evaluation of controls to the criteria set forth by the American Institute of Certified Public Accountants (AICPA) Trust Services Principles. These principles define leading-practice controls relevant to security, availability, processing integrity, confidentiality, and privacy applicable to service organizations. SOC 2 is an evaluation of the design and operating effectiveness of controls that meet the criteria for the security and availability principles set forth in the AICPA's Trust Services Principles criteria.

ISO 27001
ISO 27001 certification for an Information Security Management System (ISMS) covers infrastructure, data centers, and services. ISO 27001/27002 is a widely adopted global security standard that sets out requirements and best practices for a systematic approach to managing company and customer information, based on periodic risk assessments appropriate to ever-changing threat scenarios.

FEDRAMP
AWS is a Federal Risk and Authorization Management Program (FedRAMP) compliant cloud service provider. Core infrastructure component testing includes testing performed by a FedRAMP-accredited Third-Party Assessment Organization (3PAO), and AWS has been granted two Agency Authority to Operate (ATO) designations by the US Department of Health and Human Services (HHS) after demonstrating compliance with FedRAMP requirements at the Moderate impact level. All U.S. government agencies can leverage the AWS Agency ATO packages stored in the FedRAMP repository to evaluate AWS for their applications and workloads, provide authorizations to use AWS, and transition workloads into the AWS environment. The two FedRAMP Agency ATOs encompass all U.S. regions (the AWS GovCloud (US) region and the AWS US East/West regions).

GDPR
The European Union's General Data Protection Regulation (GDPR) protects European Union data subjects' fundamental right to privacy and the protection of personal data. It introduces robust requirements that will raise and harmonize standards for data protection, security, and compliance. AWS-based services comply with GDPR.

In addition to leveraging AWS for physical security at data centers, Clarizen provides security at its offices.

Copyright © 2021 Clarizen. All rights reserved.