INTRODUCTION
Collavate fully understands the security implications of the cloud software model. Our cloud Software is designed to deliver better security than many traditional on-premises solutions. We make security a priority to protect our own operations, but because Collavate runs on the same software that we make available to our customers, your organization can directly benefit from these protections. That’s why we focus on security, and protection of data is among our primary design criteria. Security drives our organizational structure, training priorities and hiring processes. It shapes our data and the technology they house. It’s central to our everyday operations and disaster planning, including how we address threats. It’s prioritized in the way we handle customer data. And it’s the cornerstone of our account controls, our compliance audits and the certifications we offer our customers.
This paper outlines Collavate’s approach to security and compliance for Collavate Cloud Software and services. Used by organizations worldwide, from large enterprises and retailers with hundreds of thousands of users to fast-growing startups. This whitepaper focuses on security including details on organizational and technical controls regarding how Collavate protects your data.
Collavate Has a Strong Security Culture
Collavate has created a vibrant and inclusive security culture for all employees. The influence of this culture is apparent during the hiring process, employee onboarding, as part of ongoing training and in company-wide events to raise awareness.
Employee background checks
Before they join our staff, Collavate will verify an individual’s education and previous employment, and perform internal and external reference checks. Where local labor law or statutory regulations permit, Collavate may also conduct criminal, credit, immigration,
and security checks. The extent of these background checks is dependent on the desired position.
Security training for all employees
All Collavate employees undergo security training as part of the orientation process and receive ongoing security training throughout their Collavate careers. During orientation, new employees agree to our Code of Conduct , which highlights our commitment to keep customer information safe and secure. Depending on their job role, additional training on specific aspects of security may be required. For instance, the information security team instructs new engineers on topics like secure coding practices, product design and automated vulnerability testing tools. Engineers also attend technical presentations on security-related topics and receive a security newsletter that covers new threats, attack patterns, mitigation techniques and more.
Internal security and privacy events
Collavate hosts regular internal conferences to raise awareness and drive innovation in security and data privacy, which are open to all employees. Security and privacy is an ever-evolving area, and Collavate recognizes that dedicated employee engagement is a key means of raising awareness. One example is “Privacy Week,” during which Collavate hosts events across global offices to raise awareness of privacy in all facets, from software development, data handling and policy enforcement to living our privacy principles . Collavate also hosts regular “Workshop” focusing on subjects that often include security and privacy.
Our dedicated security team
Collavate employs security and privacy professionals, who are part of our software engineering and operations division. Our team includes Collavate CEO, one of foremost security experts in information, application and network. This team is tasked with maintaining the company’s defense systems, developing security review processes, building security infrastructure and implementing Collavate’s security policies. Collavate’s dedicated security team actively scans for security threats using commercial and custom tools, penetration tests, quality assurance (QA) measures and software security reviews.
Within Collavate, members of the information security team review security plans for all networks, systems and services. They provide project-specific consulting services to Collavate’s product and engineering teams. They monitor for suspicious activity on Collavate’s networks, address information security threats, perform routine security evaluations and audits, and engage outside experts to conduct regular security assessments.
Our dedicated privacy team
The Collavate privacy team operates separately from product development and security organizations, but participates in every Collavate product launch by reviewing design documentation and performing code reviews to ensure that privacy requirements are followed. They help release products that reflect strong privacy standards: transparent collection of user data and providing users and administrators with meaningful privacy configuration options, while continuing to be good stewards of any information stored on our platform. After products launch, the privacy team oversees automated processes that audit data traffic to verify appropriate data usage. In addition, the privacy team conducts research providing thought leadership on privacy best practices for our emerging technologies.
Internal audit and compliance specialists
Collavate has a dedicated internal audit team that reviews compliance with security laws and regulations around the world. As new auditing standards are created, the internal audit team determines what controls, processes, and systems are needed to meet them. This team facilitates and supports independent audits and assessments by third parties.
Operational Security
Far from being an afterthought or the focus of occasional initiatives, security is an integral part of our operations.
Vulnerability management
Collavate administers a vulnerability management process that actively scans for security threats using a combination of commercially available and purpose-built in-house tools, intensive automated and manual penetration efforts, quality assurance processes, software security reviews and external audits. The vulnerability management team is responsible for tracking and following up on vulnerabilities. Once a vulnerability requiring remediation has been identified, it is logged, prioritized according to severity, and assigned an owner. The vulnerability management team tracks such issues and follows up frequently until they can verify that the issues have been remediated.
Monitoring
Collavate’s security monitoring program is focused on information gathered from internal network traffic, employee actions on systems and outside knowledge of vulnerabilities. At many points across our global network, internal traffic is inspected for suspicious behavior, such as the presence of traffic that might indicate botnet connections. This analysis is performed using a combination of open-source and commercial tools for traffic capture and parsing. A proprietary correlation system built on top of Collavate technology also supports this analysis.
Network analysis is supplemented by examining system logs to identify unusual behavior, such as attempted access of customer data. Collavate security engineers place standing search alerts on public data repositories to look for security incidents that might affect the company’s infrastructure. They actively review inbound security reports and monitor public mailing lists, blog posts, and wikis. Automated network analysis helps determine when an unknown threat may exist and escalates to Collavate security staff, and network analysis is supplemented by automated analysis of system logs.
Incident management
We have a rigorous incident management process for security events that may affect the confidentiality, integrity, or availability of systems or data. If an incident occurs, the security team logs and prioritizes it according to its severity. Events that directly impact customers are assigned the highest priority. This process specifies courses of action, procedures for notification, escalation, mitigation, and documentation. Collavate’s security incident management program is structured around the NIST guidance on handling incidents (NIST SP 800–61). Key staff are trained in forensics and handling evidence in preparation for an event, including the use of third-party and proprietary tools. Testing of incident response plans is performed for key areas, such as systems that store sensitive customer information. These tests take into consideration a variety of scenarios, including insider threats and software vulnerabilities. To help ensure the swift resolution of security incidents, the Collavate security team is available 24/7 to all employees. If an incident involves customer data, Collavate or its partners will inform the customer and support investigative efforts via our support team.
Technology with Security at Its Core
Cloud Software runs on a technology platform that is conceived, designed and built to operate securely. Collavate is an innovator in software, network and system management technologies. We use Google’s custom- designed servers, proprietary operating system, and geographically distributed data centers. Using the principles of “defense in depth,” we’ve created an IT infrastructure that is more secure and easier to manage than more traditional technologies.
Hardware tracking and disposal
Collavate uses Google Data Center which meticulously tracks the location and status of all equipment within the data centers from acquisition to installation to retirement to destruction, via barcodes and asset tags.
—
A global network with unique security benefits
Collavate uses Google’s IP data network consists of it’s own fiber, public fiber, and undersea cables. This allows us to deliver highly available and low latency services across the globe for the service.
This is Google’s white paper about Google’s IP data network.
—
In other cloud services and on-premises solutions, customer data must make several journeys between devices, known as “hops,” across the public Internet. The number of hops depends on the distance between the customer’s ISP and the solution’s data center. Each additional hop introduces a new opportunity for data to be attacked or intercepted. Because it’s linked to most ISPs in the world, Google’s global network improves the security of data in transit by limiting hops across the public Internet.
Defense in depth describes the multiple layers of defense that protect Collavate’s network from external attacks. Only authorized services and protocols that meet our security requirements are allowed to traverse it; anything else is automatically dropped. Industry-standard firewalls and access control lists (ACLs) are used to enforce network segregation. All traffic is routed through custom GFE (Collavate Front End) servers to detect and stop malicious requests and Distributed Denial of Service (DDoS) attacks. Additionally, GFE servers are only allowed to communicate with a controlled list of servers internally; this “default deny” configuration prevents GFE servers from accessing unintended resources. Logs are routinely examined to reveal any exploitation of programming errors. Access to networked devices is restricted to authorized personnel. —
Securing data in transit
Data is vulnerable to unauthorized access as it travels across the Internet or within networks. For this reason, securing data in transit is a high priority for Collavate. The Collavate Front End (GFE) servers mentioned previously support strong encryption protocols such as TLS to secure the connections between customer devices and Collavate’s web services and APIs. Cloud customers can take advantage of this encryption for their services running on Collavate Cloud Software by using the Google Cloud Load Balancer. Google Cloud Platform also offers customers additional transport encryption options, including Collavate Cloud VPN for establishing IPSec virtual private networks.
Low latency and highly available solution
Collavate designs the components of our platform to be highly redundant. This redundancy applies to our server design, how we store data, network and Internet
connectivity, and the software services themselves. This “redundancy of everything” includes the handling of errors by design and creates a solution that is not dependent on a single server, data center, or network connection. Google’s highly redundant infrastructure also helps customers protect themselves from data loss. Cloud Platform resources can be created and deployed across multiple regions and zones. Allowing customers to build resilient and highly available systems.
Simply put, when Collavate needs to service or upgrade software, users do not experience downtime or maintenance windows.
Service availability
Some of Collavate’s services may not be available in some jurisdictions. Often these interruptions are temporary due to network outages, but others are permanent due to government-mandated blocks.
Data Usage, Data Access and Restrictions, Administrative access
To keep data private and secure, Collavate is installed to each customer’s Google Cloud Platform. Collavate employees have no access permission to customer data by default. For Collavate employees, special access rights and levels are based on customer’s special approval and their job function and role, using the concepts of least-privilege and need-to-know to match access privileges to defined responsibilities. Collavate employees are only granted a limited set of default permissions to access company resources, such as activity and error logs. Requests for additional access follow a formal process that involves a request and an approval from a data or system owner, manager, or other executives, as dictated by Collavate’s security policies. Approvals are managed by Google’s workflow tools that maintain audit records of all changes.
These tools control both the modification of authorization settings and the approval process to ensure consistent application of the approval policies. An employee’s authorization settings are used to control access to all resources, including data and systems for Cloud Software products. Support services are only provided to authorized customer administrators whose identities have been verified in several ways. Collavater access is monitored and audited by our dedicated security, privacy, and internal audit teams.
For customer administrators
Within customer organizations, administrative roles and privileges for Collavate Cloud Software are configured and controlled by the project owner. This means that individual team members can manage certain services or perform specific administrative functions without gaining access to all settings and data.
Law enforcement data requests
The customer, as the data owner, is primarily responsible for responding to law enforcement data requests; however, like other technology and communications companies, Collavate may receive direct requests from governments and courts around the world about how a person has used the company’s services. We take measures to protect customers’ privacy and limit excessive requests while also meeting our legal obligations. Respect for the privacy and security of data you store with Collavate Cloud Software remains our priority as we comply with these legal requests. When we receive such a request, our team reviews the request to make sure it satisfies legal requirements and Collavate’s policies. Generally speaking, for us to comply, the request must be made in writing, signed by an authorized official of the requesting agency and issued under an appropriate law. If we believe a request is overly broad, we’ll seek to narrow it, and we push back often
and when necessary.
Regulatory Compliance
Our customers have varying regulatory compliance needs. Our clients operate across regulated industries, including finance, pharmaceutical and manufacturing.