Difference between revisions of "Security Strategy"
Revision as of 16:47, 9 June 2021
Overview
Lingoport works to provide customers with a reliable service that safeguards private information. We implement various security-centric policies in support of these principles. Lingoport’s security standards have been built to support the security conscious, including customers in industries such as Human Resources, Finance, and Medical Systems.
- We protect our organization, and our customers, by addressing Key Security Principles.
- We consider security Throughout Our Organization.
- We take customer security very seriously during Service Projects.
- We minimize security exposure to our customers through Security Conscious Product Design.
- We adhere to standard security practices in our cloud hosted environments (see Security and Cloud Offerings).
For more details on any of these, please see Lingoport Security Overview.
Typical Deployment of the Lingoport Suite and Ports
Setting up the Lingoport Suite on a customer's system can be done in many ways. The following generalized overview shows the access the system needs. The central system is the Continuous Globalization Server, which has the Lingoport products installed on it and accesses those products and their reports using Jenkins and the Lingoport Dashboard.
- The code repository needs to be able to read from and write to the Continuous Globalization Server. This is done through the Jenkins jobs and Lingobot. The code repository contains the code to be scanned by Globalyzer for localization issues and the resource files to be sent to and returned from translation.
- The Continuous Globalization Server accesses the Globalyzer rulesets, which are located either on our hosted server or on a local server. Several security enhancements have been implemented for the Lingoport Globalyzer Server:
  - All passwords are salted and hashed.
  - Globalyzer server passwords are hashed with the bcrypt algorithm.
  - Forgot password performs a password reset rather than a retrieval.
  - We guard against clickjacking and directory/path traversal attacks.
  - Alternatively, the rulesets can be located in the repo or on the Continuous Globalization Server, eliminating the need for the Globalyzer Server.
- The Continuous Globalization Server needs to be able to send and receive resource files with the Translation Management System or Machine Translation Engine (not Lingoport managed).
  - Files are sent encrypted in transit (typically either SSH or HTTPS using TLS v1.2+).
- Additionally, there are administrative needs for the Continuous Globalization Server to be able to access Jenkins plugins, SMTP email, and SSH access.
Ports
- Jenkins is accessed via
  - port 80 or 443
  - port 8080 if installed prior to May 2018
- Lingoport Dashboard is accessed via
  - port 80 or 443
  - port 9000 if installed prior to May 2018
- The Translation Vendor may be accessed by different means, for instance
  - port 21 for FTP, or
  - port 22 for SFTP
  - other ports for different vendors
- Access for the Lingoport (or internal) installation team is recommended to be done over SSH (e.g. via PuTTY). Screen sharing applications can be used, but they can be much slower.
- The system must be able to access https://www.globalyzer.com if the Globalyzer rulesets are on Lingoport's hosted server.
Other aspects
- Jenkins installation requires access to the Jenkins update site, http://updates.jenkins-ci.org
- Notifications are sent using an SMTP account; the system must allow access to an SMTP server (e.g. smtp.gmail.com for Google).
- The Continuous Globalization Server can be deployed in the Cloud using an Amazon AWS virtual system. For more detail on this option please see AWS Security.
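As an added example (not Lingoport's code), the following script turns the access requirements above into a check: it compares a constructed firewall allow-list against the inbound and outbound rules this page lists and reports both missing access and legacy ports (8080, 9000) that only pre-May-2018 installs need. The repository, SMTP and vendor hostnames, and the repository (443) and SMTP (587) ports, are assumptions; the page names no port for those.

```python
"""Allow-list audit for the Continuous Globalization Server's network needs."""
from typing import Iterable

Rule = tuple[str, str, int]  # (direction "in"/"out", host or "*", port)
LEGACY_INBOUND = {8080: "Jenkins", 9000: "Lingoport Dashboard"}  # pre-May-2018 installs only


def required_rules(repo_host: str, smtp_host: str, vendor: tuple[str, int],
                   rulesets_hosted: bool) -> dict[str, Rule]:
    """Access listed on this page for one deployment (repo/SMTP ports are assumed)."""
    req = {
        "code repository (assumed HTTPS)": ("out", repo_host, 443),
        "Jenkins update site": ("out", "updates.jenkins-ci.org", 80),
        "SMTP notifications (assumed submission port)": ("out", smtp_host, 587),
        "translation vendor": ("out", vendor[0], vendor[1]),
        "Jenkins and Dashboard UI": ("in", "*", 443),
        "install-team SSH": ("in", "*", 22),
    }
    if rulesets_hosted:  # only needed when rulesets live on Lingoport's hosted server
        req["Globalyzer rulesets"] = ("out", "www.globalyzer.com", 443)
    return req


def audit(allowed: Iterable[Rule], required: dict[str, Rule],
          installed_before_may_2018: bool) -> dict[str, list[str]]:
    """Report required access that is absent, and exposure the page does not call for."""
    allowed = list(allowed)
    missing = [name for name, rule in required.items() if rule not in allowed]
    warnings = []
    for direction, host, port in allowed:
        if direction == "in" and port in LEGACY_INBOUND and not installed_before_may_2018:
            warnings.append(f"inbound {port} open for {LEGACY_INBOUND[port]} "
                            "but install is post-May-2018; use 80/443 instead")
        if direction == "out" and port == 21:  # FTP: page says to use SSH/SSL and IP restriction
            warnings.append(f"FTP to {host}: confirm SSH/SSL encryption and "
                            "restrict the IP ranges that may reach the FTP port(s)")
    return {"missing": missing, "warnings": warnings}


# Constructed allow-list (hosts are placeholders) for a post-May-2018 install.
SAMPLE_ALLOWED: list[Rule] = [
    ("out", "git.example.internal", 443),
    ("out", "www.globalyzer.com", 443),
    ("out", "updates.jenkins-ci.org", 80),
    ("out", "ftp.vendor.example", 21),
    ("in", "*", 443), ("in", "*", 22), ("in", "*", 8080),
]


def run_sample() -> dict[str, list[str]]:
    req = required_rules("git.example.internal", "smtp.example.internal",
                         ("ftp.vendor.example", 21), rulesets_hosted=True)
    return audit(SAMPLE_ALLOWED, req, installed_before_may_2018=False)
```

On the sample allow-list the audit reports the SMTP rule as missing and warns about the unencrypted-by-default FTP destination and the unneeded port 8080.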
FAQ
Can other customers see our rulesets and information on Globalyzer.com ?
No. Each company is set up with an administrator and users. There is no way for another company's users (administrator or member) to access or modify your rulesets.
How often is security testing done on the code or the systems?
Security testing is ongoing and continually improving. For each release of the Lingoport suite we revisit security testing.
Is data transferred between the customer and the Continuous Globalization System securely?
Yes. It depends on the deployment option, but with any option (AWS Cloud server or local globalization server or others) we limit access to the server.
Is data transferred between the Continuous Globalization System and the translation vendors?
Depending on the translation vendor, the data transfer is done via:
- SFTP with IP Security Groups and SSH keys (very secure)
- Direct API calls over specific ports (very secure)
For Services customers, how do you ensure that the code and company information is secure?
Lingoport works closely with customers to ensure the best security protocol. We want to make sure that the customer is comfortable and confident letting us work with their code. We do not access customer data, we only access repository code.
- Lingoport can obtain secured laptops with access to the company's repositories
- Lingoport has also worked with special VPN access to the code repositories
How are security issues and concerns handled within the company?
Security issues are dealt with as soon as detected and then become part of our ongoing security tests.
How does Lingoport monitor an AWS VM for security issues (logins, invalid logins, data transfers, etc.)?
A process is being developed.
Has Lingoport had any security breaches?
Yes, on external test systems. Those have been remedied in a timely fashion and did not affect any of our customers or our internal system. Our security has been reinforced based on those breaches.
Where do I send my security concerns?
Please send any security inquiries or reports to either support@lingoport.com or security@lingoport.com.
What encryption protocols are in place?
- Globalyzer supports the additional security of HTTPS for all data that passes between the client and the globalyzer.com server.
- L10n vendor / Lingoport FTP protocol: FTP supports SSH and SSL encryption, and the FTP system can be restricted so that only specific IP ranges can reach the FTP port(s).
Does Lingoport support LDAP?
Globalyzer server, Jenkins, and Dashboard support LDAP. Other components do not need LDAP.