Last updated: June 4, 2018
Openprise is committed to the security of your data in transit and at rest. We adopt security best practices to ensure your data is secure and only authorized users have access to it.
Hosting and Physical Security
Openprise uses Amazon Web Services (AWS) to host our servers. AWS is a premier cloud hosting company with a strong track record for security and trusted by the world’s largest companies. AWS servers are located in highly secure data centers. Physical access is restricted to authorized personnel. Premises are monitored and access is logged.
You can read further about AWS security and certifications here: aws.amazon.com/security/
Isolation of Services
Openprise servers run on Linux virtual machines which are isolated from one another and from the underlying hardware layer. Server processes are restricted to a particular directory.
Openprise services are accessible only over HTTPS secured connections. Traffic over HTTPS is encrypted and is protected from interception by unauthorized third parties. Openprise uses strong encryption algorithms with a minimum key length of 128 bits.
All network access, both within the data center and between the data center and outside services, is restricted by firewall and routing rules. Network access is logged and logs are retained for a minimum of 30 days.
Openprise servers deny access to all unauthorized ports, except that SSH access (protected by encryption and private key authentication) is enabled for administration. Administrative access is granted only to select Openprise administrators and IP addresses. Openprise administrators do not access customer data without explicit permission from the customer. Permission is requested only for the purpose of assisting the customer with configuration and debugging.
Customer data in Openprise is encrypted both in transit and at rest.
Openprise uses a three-tier data security model to help you control data access for your users, to ensure users are only allowed to access the data they are entitled to see and edit.
By default, all services and all data are available to all users within your company account. The data security policies are subtractive policies. Each policy layer acts as a filter to restrict users’ access to data. You can enable any of these 3 security layers independently.
- Access policy – The first level of security is controlling users’ access to the services. You can choose to restrict access by organization.
- Data ownership policy – Once a user has access to a service, the second level of security controls what subset of data each user is allowed to see. You can set policies to filter data for users from each organization.
- Data redaction policy – Once a user can see data, the third level of security controls how each attribute is presented to users. For example, you can mask social security numbers or scramble employee IDs.
By default, users within your account are allowed to see each other, including each other’s objects. However, you can restrict users’ access and edit privilege to the objects.
Openprise users log in to the system using email address and password. Openprise requires the use of reasonably strong passwords. Passwords are not stored in clear text, but as a secure hash. The hash is used because it is a good counter against common password guessing attacks and attempts to reverse engineer passwords from the hash.
Resetting a password requires access to a user’s registered email and the reset action is time limited.
Excessive failed login attempts will result in an account being automatically locked out.
If a session becomes inactive for a period of time, the user is automatically logged out and is required to authenticate again.
Access to Your Data Accounts
When Openprise connects to a data source like Google Drive using user-supplied credentials, where possible this is done using OAuth 2.0. The advantage of using OAuth is that Openprise does not need to store users’ credentials. Openprise simply stores an OAuth token that grants Openprise limited access to users’ data. Users can easily revoke this token at any time. If the data source does not support OAuth and Openprise is required to store users’ credentials, they are encrypted using a 256-bit key. Connections to data sources are via secure HTTPS connections if supported by the data source.
Openprise engineers have been trained in secure coding practices. Openprise application architecture includes mitigation measures for common security flaws such as those in the OWASP Top 10. The Openprise software uses industry standard, high-strength algorithms such as AES. Periodic security tests are conducted, including using scanning and fuzzing tools to check for vulnerabilities.