Difference between revisions of "Lingoport Security Overview"

From Lingoport Wiki
(32 intermediate revisions by 3 users not shown)
Latest revision as of 18:58, 17 December 2020

Overview

Lingoport works to provide customers with a reliable service that safeguards private information. We implement various security-centric policies in support of the core principles of confidentiality, integrity, and availability described below. Lingoport’s security standards have been built to support security-conscious customers, including those in industries such as Human Resources, Finance, and Medical Systems.

Key Security Principles

Confidentiality, Availability, and Integrity are the core principles of information security. Lingoport works to address each one with care and diligence.

Confidentiality — Sensitive information only accessible by authorized parties

Lingoport considers confidentiality at the organizational level and throughout its development processes. Lingoport takes particular care with sensitive intellectual property, working to ensure that it is not accessible to unauthorized personnel.

Availability — Products and services usable when needed

Lingoport works to ensure that customers will be able to use Lingoport products and services. In our Service Level Agreements, we provide 99.7% availability outside of scheduled and announced maintenance windows. To support this level of coverage, we host web servers on Amazon AWS and Rackspace. Infrastructure is hosted behind load balancers. Systems are monitored, and alerts are sent automatically to engineering teams when a possible failure is detected.

Integrity — Data remains correct, and is not lost or corrupted

Lingoport guarantees the integrity of its data by following IT best practices and keeping systems simple where possible. Server backups are taken at least daily. For critical infrastructure, backups are stored at multiple locations in case of a data center failure. Restore processes are tested.

Security Throughout Lingoport

Lingoport considers security at every level of the organization: organization-wide concerns, IT security practices, and security considerations during product development.

Organizational level

At the organizational level, Lingoport instructs all employees on security best practices. Employees are made aware of common security threats such as phishing, password re-use, and out-of-date software. Training also emphasizes good security principles such as the principle of least privilege and defense in depth, and it explains the ‘why’ behind every instruction. Additionally, security-centric tools are provided to make good security practices easier to follow. Use of a password manager is mandatory.

All security concerns are managed by a designated security officer.

IT level

At the IT level, system administrators must be familiar with good security practice. Logs are kept for long durations, multiple years depending on the nature of the log file, and are backed up so that the loss of a critical system does not invalidate the historical data. Administrators use very strong passwords, managed by a password manager and shared with only a limited number of people. Basic principles, such as avoiding root login where possible, are also followed. Servers are kept up to date with the latest software from well-known and respected software repositories.

Product level

At the product level, Lingoport works to ensure that its products do not compromise customer security. Products are designed with security standards in mind and go through a rigorous development cycle. Examples of requirements include that software must support granular and group-based access permissions, that passwords stored in databases must be hashed and salted, and that confidential data stays within customer firewalls. During release cycles, product security is reviewed for OWASP Top 10 and SANS Top 25 issues.

Security and Service Projects

Lingoport works actively with our clients to meet service project security requirements. Employees working on service projects are required to be based in the U.S. At client request, background checks may be performed for dedicated personnel. All employees must sign NDAs.

Like all Lingoport employees, personnel working on service projects are expected to follow Lingoport security policy. This includes:

  • Keeping software up to date.
  • Using antivirus.
  • Using a password manager.
  • Using secure communication tools such as SSH and SFTP.

Optionally, clients can ask to control the exact environment that Lingoport service personnel work with. Typically, the client will send a laptop that meets all client security and IT requirements for each Lingoport employee working on a service project. This laptop may be authorized to connect to a client internal network via VPN. Sensitive data is kept only on that laptop; it is not shared with other machines.

Security and the Development Process

To provide secure products, Lingoport follows a defined development process. Software moves through a continuous development cycle with the following phases: Requirements / Defects - Specification / Design - Implementation - Installers - Dev Unit Tests - QA Tests / Defect Tracking - Pre-production Integration Tests - Release - Production. Automated test suites are run against the software daily. During the lead-up to a new release, software may be rebuilt and retested daily, or even multiple times per day. Finally, Lingoport performs extensive customer environment testing, ensuring the entire suite of software works correctly within mock customer environments.

When issues are detected in released software, updates are provided in a timely fashion. For critical issues, this may be as soon as one week after detection. Lingoport provides automatic update scripts and Ansible playbooks for most software. Comprehensive instructions are always included.

Security concerns are integrated within the release cycle at various phases. This starts with an enhancement request or bug placed in Lingoport’s bug tracking system (Bugzilla). Lingoport is also receptive to bug and enhancement requests from customers. Customer requests are both tracked in a support tracking system (Freshdesk) and entered into Bugzilla.

Enhancement requests are prioritized. Critical issues may cause development to stop and refocus while a patch is released. High- and medium-priority issues are incorporated into the Specification / Design phase for the next release; they are then built into the software during Implementation and tested during QA. As Lingoport nears the later stages of a release cycle, security scans are performed using web penetration testing tools (Zed Attack Proxy, sqlmap). Any findings from the scans are entered into the bug tracker. All issues of medium priority or above are expected to move through a full development cycle prior to a software release.

Automated analysis is also run against software in development to search for security issues; for example, the Find Security Bugs plugin for FindBugs is used.

An example of a security requirement is that all passwords stored in a database must be hashed and salted. Lingoport’s Globalyzer uses the bcrypt algorithm for password hashing.

Security and Cloud Offerings

Lingoport cloud-offered servers are hosted on AWS, with all the associated security guarantees. We benefit from a data center and network architecture built to meet the requirements of the most security-sensitive organizations. More on AWS cloud security can be found at https://aws.amazon.com/security/. See also the AWS Security page of this wiki for an illustration of its layers.

In addition to benefiting from AWS's security infrastructure, Lingoport takes the following steps to ensure Cloud Servers are managed securely:

  • Granular permissions are required to connect to instances. Only authorized employees are enabled to connect to each instance, and all connections require private-key based authentication using individually assigned employee private keys.
  • Per-instance security groups limit connections to Lingoport addresses and a customer-provided whitelist.
  • All connections are encrypted in transit with TLS.
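The two security-group properties listed above (sources limited to the Lingoport and customer whitelist, and only TLS-protected listeners exposed) are the kind of thing that drifts silently when a rule is added by hand. As an added example, not Lingoport’s own tooling, the script below audits a constructed security-group document in the shape returned by `aws ec2 describe-security-groups` (trimmed to the fields it needs). The group id, the CIDRs, the allowlist and the set of ports assumed to carry TLS (SSH/SFTP on 22, HTTPS on 443) are all this example’s assumptions.

```python
import ipaddress

# Constructed sample in the shape of `aws ec2 describe-security-groups` output,
# trimmed to the fields the check needs. Group id and CIDRs are made-up values.
SAMPLE_GROUP = {
    "GroupId": "sg-0example",
    "GroupName": "example-instance",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},      # office range, allowlisted
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "198.51.100.10/32"}]},    # customer address, allowlisted
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},           # drift: SSH reachable from anywhere
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},      # plaintext HTTP rather than TLS
    ],
}

# Lingoport-side ranges plus the customer-provided whitelist (constructed values).
ALLOWLIST = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]
# Ports expected to carry TLS-protected traffic (assumption: SSH/SFTP and HTTPS only).
TLS_PORTS = {22, 443}


def cidr_within_allowlist(cidr, allowlist=ALLOWLIST):
    """True if every address in `cidr` lies inside a single allowlisted network."""
    net = ipaddress.ip_network(cidr, strict=False)
    # subnet_of only compares networks of the same IP version
    return any(net.subnet_of(a) for a in allowlist if a.version == net.version)


def audit_security_group(group, allowlist=ALLOWLIST, tls_ports=TLS_PORTS):
    """Return human-readable findings for ingress rules that break either policy."""
    findings = []
    gid = group["GroupId"]
    for perm in group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        label = f"{proto}/{lo}-{hi}" if lo is not None else f"{proto}/all-ports"
        # Policy 1: every source range must sit inside the allowlist.
        for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
            if not cidr_within_allowlist(cidr, allowlist):
                findings.append(f"{gid}: {label} reachable from {cidr}, which is not in the allowlist")
        # Policy 2: only listeners expected to carry TLS may be exposed at all.
        if proto == "-1" or lo is None:
            findings.append(f"{gid}: {label} exposes every protocol and port")
        elif not set(range(lo, hi + 1)) <= tls_ports:
            findings.append(f"{gid}: {label} exposes a port not expected to carry TLS")
    return findings


if __name__ == "__main__":
    for finding in audit_security_group(SAMPLE_GROUP):
        print(finding)
```

Run against the sample, the audit reports exactly the two drifted rules (SSH open to 0.0.0.0/0 and port 80 exposed) and stays silent on the two compliant ones. In practice the document would come from the AWS API for each instance’s group, and the allowlist from wherever the customer whitelist is kept, so the check can run on a schedule and feed an alert rather than relying on a manual review.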