

Post on 03-May-2020


Introduction

Privacy Data Systems, LLC is the provider of SenditCertified, a web-based system that enables subscribers to securely exchange messages and large files online. SenditCertified includes four main components – encrypted bi-directional messaging, encrypted web-based storage, patented biometric authentication, and electronic signatures (ESIGN compliant). SenditCertified’s architecture meets NIST standards and Meaningful Use requirements for HIPAA compliance.

SenditCertified Security Documentation

▪ HTTPS/SSL Message and Attachment Encryption

◦ HTTPS (Hyper Text Transfer Protocol Secure) is a secure version of the Hyper Text Transfer Protocol (HTTP).

◦ HTTPS encrypts the session with a digital certificate, i.e., HTTP over SSL (Secure Sockets Layer), which can be used by web browsers and HTTPS-capable client programs.

▪ Extended Validation SSL SGC CA

◦ With SGC (Server Gated Cryptography) a hacker with the time, tools, and motivation to attack using brute force would require a trillion years to break into a session protected by an SGC-enabled certificate.

▪ AES: the Advanced Encryption Standard (AES) enables 256-bit encryption, much stronger than 128-bit.

Protected Storage (Data at Rest)

• SenditCertified Data Centers are SSAE 16 compliant (formerly SAS 70 Type 2):

Physical Security:

◦ 24x7 monitoring to ensure our servers are always safe

◦ Logged and monitored access into and out of facility, monitored 24x7x365, with card access required

◦ Video monitoring inside and outside facility 24x7x365

◦ N+1 power generator architecture, N+2 redundant data center HVAC (heating, ventilation, air conditioning) systems

◦ Advanced fire suppression systems to keep any fires localized

Network Security

◦ 250+ Gbps of transit network capacity to six Tier 1 backbone networks

◦ 7-Factor Threat Scenario Modeling, automatically identifies irregular behavior patterns and threats

◦ Dedicated firewalls and load balancers, A + B power feeds available from multiple UPSs, dedicated Ethernet switch

◦ Brocade Server Iron line of load balancers

◦ DDoS – Distributed Denial Of Service attack

◦ Cisco physical firewalls, O/S hardened servers

Protected Transmission (Data in Motion)

• Database Encryption – AES-256

◦ AES Encryption Standard (AES) - encryption of entire database, data files, and log files

◦ Database is even protected from a physical on-premise attack

• Individual Data Objects – AES-256

◦ Individual objects are encrypted with NIST/FIPS 140-2 approved CMVP Cryptographic Modules (certificate available upon request)

◦ NIST 800-53 Compliant Key Management Infrastructure (KMI) – centralized management of encryption keys

◦ Multi-tiered Storage (separation of web-facing and non web-facing servers)


How It Works:

An encrypted SecurePackage travels over an encrypted path directly to an encrypted vault for pickup by an authenticated recipient, also via a direct encrypted path. No special PC software required.

[Diagram: SENDER (standard web browser, optional fingerprint scan) → direct AES encrypted path → Authenticate Sender and Create SecurePackage → Store SecurePackage (Storage Encryption) → Authenticate Recipient and Deliver SecurePackage → direct AES encrypted path → RECIPIENT (standard web browser, optional fingerprint scan)]

Authentication

• Multi-Factor Protection

◦ Password protection

◦ Site Image Verification

◦ Optional Fingerprint scan authentication

◦ Keystroke Logging prevention via graphical virtual keyboard interface

◦ Session management – proprietary intrusion detection

Privacy Certification

• SenditCertified privacy standards have been reviewed and confirmed by TRUSTe

TRUSTe is an independent non-profit organization best known for its Web Privacy Seal. TRUSTe runs the world's largest privacy seal program, with more than 2,000 Web sites certified, including major internet portals and leading brands such as IBM, Oracle Corporation, Intuit, and eBay. TRUSTe's purpose is to establish trusting relationships between individuals and online organizations based on respect for personal identity and information in the evolving networked world.

• The TRUSTe Web Privacy Seal marks companies that adhere to TRUSTe's strict privacy principles, and comply with the TRUSTe Watchdog dispute resolution process. Principles include:

◦ Creating a privacy policy to be reviewed by TRUSTe

◦ Posting notice and disclosure of collection and use practices of personally identifiable information

◦ Giving users choice and consent over how their information is used and shared

Code Signing Verification

Code Signing Digital IDs enable software developers to add a digital signature to software and macros including Microsoft Authenticode, Microsoft Office and VBA Signing, Sun Java Signing, Adobe Air, Netscape Object Signing, Macromedia Shockwave, and Marimba Castanet Channel Digital IDs for secure delivery over the Internet. Digital IDs are virtual "shrink-wrap" for your software; if your code is tampered with in any way after it is signed, the digital signature will break and alert customers that the code is not trustworthy.

• Message Delivery Protection

◦ Electronic Signature – Required

◦ Optional Access Code (Password)

◦ Optional Biometric Authentication (Fingerprint Scan)

◦ Session management - proprietary intrusion detection

DKIM for Email Alerts

DomainKeys Identified Mail (DKIM) lets an organization take responsibility for alert messages while in transit. The organization is a handler of the message, either as its originator or as an intermediary. Its reputation is the basis for evaluating whether to trust the message for delivery. Technically, DKIM provides a method for validating a domain name identity that is associated with a message through cryptographic authentication.

Recognition

Privacy Data Systems was selected as one of the Top 20 “Best-in-Class” Security Companies of 2010; SenditCertified was selected to introduce its innovative security technology during the Security Innovation Network™ (SINET) Showcase 2010 in Washington, D.C. SINET is an organization focused on advancing cyber security innovation through public-private collaboration.