SenditCertified Security Documentation


Author: others

Post on 03-May-2020


  • Introduction

    Privacy Data Systems, LLC is the provider of SenditCertified, a web-based system that enables subscribers to securely exchange messages and large files online. SenditCertified includes four main components – encrypted bi-directional messaging, encrypted web-based storage, patented biometric authentication, and electronic signatures (ESIGN compliant). SenditCertified’s architecture meets NIST standards and Meaningful Use requirements for HIPAA compliance.

    SenditCertified Security Documentation

    ▪ HTTPS/SSL Message and Attachment Encryption

    ◦ HTTPS (Hyper Text Transfer Protocol Secure) is a secure version of the Hyper Text Transfer Protocol (HTTP).

    ◦ HTTPS encrypts the session with a digital certificate, i.e., HTTP over SSL (Secure Sockets Layer), which can be used by web browsers and HTTPS-capable client programs.

    ▪ Extended Validation SSL SGC CA

    ◦ With SGC (Server Gated Cryptography) a hacker with the time, tools, and motivation to attack using brute force would require a trillion years to break into a session protected by an SGC-enabled certificate.

    ▪ AES (Advanced Encryption Standard) - Enables 256-bit encryption, much stronger than 128-bit.

    Protected Storage (Data at Rest)

    • SenditCertified Data Centers are SSAE 16 compliant (formerly SAS 70 Type 2):

    Physical Security

    ◦ 24x7 monitoring to ensure our servers are always safe

    ◦ Logged and monitored access into and out of facility, monitored 24x7x365, with card access required

    ◦ Video monitoring inside and outside facility 24x7x365

    ◦ N+1 power generator architecture, N+2 redundant data center HVAC (heating, ventilation, air conditioning) systems

    ◦ Advanced fire suppression systems to keep any fires localized

    Network Security

    ◦ 250+ Gbps of transit network capacity to six Tier 1 backbone networks

    ◦ 7-Factor Threat Scenario Modeling, automatically identifies irregular behavior patterns and threats

    ◦ Dedicated firewalls and load balancers, A + B power feeds available from multiple UPSs, dedicated Ethernet switch

    ◦ Brocade Server Iron line of load balancers

    ◦ DDoS – Distributed Denial Of Service attack

    ◦ Cisco physical firewalls, O/S hardened servers

    Protected Transmission (Data in Motion)

    • Database Encryption – AES-256

    ◦ Advanced Encryption Standard (AES) - encryption of entire database, data files, and log files

    ◦ Database is even protected from a physical on-premise attack

    • Individual Data Objects – AES-256

    ◦ Individual objects are encrypted with NIST/FIPS 140-2 approved CVMP Cryptographic Modules (Certificate available upon request)

    ◦ NIST 800-53 Compliant Key Management Infrastructure (KMI) – centralized management of encryption keys

    ◦ Multi-tiered Storage (separation of web-facing and non web-facing servers)

  • How It Works:

    An encrypted SecurePackage travels over an encrypted path directly to an encrypted vault for pickup by an authenticated recipient, also via a direct encrypted path. No special PC software required.

    [Figure: SENDER and RECIPIENT each use a standard web browser, with an optional fingerprint scan, over a direct AES encrypted path. Steps shown: Authenticate Sender and Create SecurePackage; Store SecurePackage (Storage Encryption); Authenticate Recipient and Deliver SecurePackage.]

    Authentication

    • Multi-Factor Protection

    ◦ Password protection

    ◦ Site Image Verification

    ◦ Optional Fingerprint scan authentication

    ◦ Keystroke Logging prevention via graphical virtual keyboard interface

    ◦ Session management – proprietary intrusion detection

    Privacy Certification

    • SenditCertified privacy standards have been reviewed and confirmed by TRUSTe

    TRUSTe is an independent non-profit organization best known for its Web Privacy Seal. TRUSTe runs the world's largest privacy seal program, with more than 2,000 Web sites certified, including major internet portals and leading brands such as IBM, Oracle Corporation, Intuit, and eBay. TRUSTe's purpose is to establish trusting relationships between individuals and online organizations based on respect for personal identity and information in the evolving networked world.

    • The TRUSTe Web Privacy Seal marks companies that adhere to TRUSTe's strict privacy principles, and comply with the TRUSTe Watchdog dispute resolution process. Principles include:

    ◦ Creating a privacy policy to be reviewed by TRUSTe

    ◦ Posting notice and disclosure of collection and use practices of personally identifiable information

    ◦ Giving users choice and consent over how their information is used and shared

    Code Signing Verification

    Code Signing Digital IDs enable software developers to add a digital signature to software and macros including Microsoft Authenticode, Microsoft Office and VBA Signing, Sun Java Signing, Adobe Air, Netscape Object Signing, Macromedia Shockwave, and Marimba Castanet Channel Digital IDs for secure delivery over the Internet. Digital IDs are virtual "shrink-wrap" for your software; if your code is tampered with in any way after it is signed, the digital signature will break and alert customers that the code is not trustworthy.

    • Message Delivery Protection

    ◦ Electronic Signature – Required

    ◦ Optional Access Code (Password)

    ◦ Optional Biometric Authentication (Fingerprint Scan)

    ◦ Session management - proprietary intrusion detection

    DKIM for Email Alerts

    DomainKeys Identified Mail (DKIM) lets an organization take responsibility for alert messages while in transit. The organization is a handler of the message, either as its originator or as an intermediary. Its reputation is the basis for evaluating whether to trust the message for delivery. Technically, DKIM provides a method for validating a domain name identity that is associated with a message through cryptographic authentication.

    Recognition

    Privacy Data Systems was selected as one of the Top 20 “Best-in-Class” Security Companies of 2010; SenditCertified was selected to introduce its innovative security technology during the Security Innovation Network™ (SINET) Showcase 2010 in Washington, D.C. SINET is an organization focused on advancing cyber security innovation through public-private collaboration.