Muv Security White Paper: Cloud-to-Cloud

Audience

This white paper covers all aspects of security related to Vertify and how it stores and moves data in cloud-to-cloud environments.  This document is intended for a technical audience who has experience with databases, file systems and networking.

Overview

The document outlines the security measures in place that Vertify uses to move data between two cloud-based based systems.

 

The diagram below represents the major components that could participate in any data movement through the Vertify data management platform.  The illustration below is only one of many possible scenarios and is provided for illustration purposes only.  It outlines data movement between two cloud-based providers.

Cloud to Muv

The Vertify platform can connect directly to any cloud-based provider using their API. Vertify uses standard TCP/IP protocols (HTTP, HTTPS, etc.) and can access both SOAP-based and REST-based APIs that are hosted in the cloud.  The user provides connection information (e.g. username, password, authentication tokens, URIs, etc.) through the Vertify website, which is stored securely in an encrypted format and is used by the Vertify platform to make a connection between to the cloud-based API.  All encryption, or lack thereof, is the result of the connection between Vertify and the API is out of Muv’s control, and is determined by the cloud provider.  Most cloud-based APIs recognize the need for encryption and are secured use the HTTPS protocol.  All of Vertify’s commercially available connectors (e.g. NetSuite, Salesforce.com, Marketo, etc.) use HTTPS as the protocol of choice to secure and encrypt data.

The Vertify platform is hosted on Amazon Web Services, who go through great lengths to protect customer data.  Multiple lines of defense are present no matter which direction a potential attack originates, including multiple levels of encryption, authentication, and timeouts to name a few.  

We adhere to Amazon Web Services best practices for securing applications hosted in their cloud, which you can read about by visiting http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-best-practices.html.  

You can read more about Amazon Web Services Security by visiting their website at https://aws.amazon.com/security.

For more information about the security available from cloud providers, please visit their respective websites.  If you are not sure, contact us at support@vertify.com.

Vertify Internal Processing

When Vertify servers receive information from a Cloud Provider, it captures and persists metadata about the information being transferred, which is then used in subsequent integrations to track changes made to data and to ensure that data is delivered to the correct location successfully.  The metadata contains no information about the actual data itself, except for the last modified date of the record (if available from the data source) and the primary key of the data, which is typically a system-assigned ID value that usually has no direct correlation to the data itself.

When data is stored at rest, it is encrypted using the AES cipher.  Data is stored, encrypted, and secured on cloud servers behind our firewalls as well as the firewalls that Amazon Web Services provides.  Other than the data itself and its metadata, no other data is stored along with the data other than a unique 64-bit auto-generated integer ID that identifies each record and a GUID relating the metadata to the configuration and the encrypted connection information used to move data between systems.  The encrypted connection information is stored in a separate database behind a different firewall.  None of the metadata stored along with the data can be linked directly to an account or user.  Although the risk of interception within our own internal networks is next to nothing, we still ensure that all data is encrypted in memory before its transmitted internally or stored in any internal database.  We also restrict access to our production environment to a few key employees, limiting access to our production environment to other employees.

The Vertify platform will cache or persist data based upon your environment settings.  If caching is enabled, data is held anywhere from 1-30 days on our servers, which is configurable by the end user.  This allows you to track status, activity, and changes made to data through our website, troubleshoot issues, and automatically recover from scenarios that temporarily prevent data from moving (e.g. authentication issues to the source or target system, systems taken down for maintenance, etc.) during the caching period.  Once the caching period expires, the data is deleted from our servers.  The only data that remains once data is deleted in cached environment is the metadata.

Vertify database servers are backed up on a 7-day rotation, which includes both metadata and data, and are only intended as a precautionary measure should a database server fail and need to be recovered.  After 7 days, the database backups are replaced, ensuring that data in cached environments that has expired is not only deleted from the environment database itself, but from any of the database backups created.  Database backups are encrypted and stored in Amazon S3 and are protected by Amazon Web Services.  We restrict access to database backups to a few key employees as well.

Vertify API

All Vertify functionality can be accessed through our API.  All API communication is encrypted over HTTPS and is SOAP-based.  Vertify authentication requires a username, password, and domain name, and is cookie-based, which expires after a short and fixed amount of time.  Vertify requires strong passwords consisting of at least 8 characters, one upper, one lower, one digit, and one special character.  Credentials are passed using a POST method over HTTPS ensuring that credentials as well as all data is always encrypted during transit.

About the Author

Dean founded the company in 2009. As CEO, he’s responsible for creating and executing the company’s vision, overseeing business operations, and forging strong relationships with employees, customers, and partners.

Before Vertify, Dean co-founded a company called Xolved. Prior to scratching his entrepreneurial itch, Dean was a senior member of NetSuite where he helped transition the company from targeting small businesses to mid-market enterprises. Before that, he held sales and marketing roles at SkillSoft and CMGI.

Dean holds a Bachelor of Science degree in Marketing and MIS from Northeastern University. A big Red Sox fan and horror movie buff, he lives in Austin, TX with his beautiful wife, ridiculously adorable daughter, and their many plants. He is never sarcastic.