Cloud Platform Security Approach

    Mitigating the top cloud threats is the priority of our efforts, and we are constantly in risk assessment mode. Data breaches, data loss, account hijacking, insecure APIs, denial of service, and malicious insiders are at the top of the cloud adopter’s list of concerns, and we prioritize our efforts to mitigate those risks.

    Datacenter Colocation, Bandwidth, DNS, and Content Delivery Network Partners

    Our physical colocation facilities are located across the United States and Europe and secured with the highest security standards. The co-location providers we partner with all provide physical and environmental safeguards sophisticated enough to host banking, healthcare, commercial and government data.

    • Multiple Tier 3+ cutting-edge datacenters with military-grade security
    • Near real-time data replication to multiple geographies
    • Highly available hardware and software architecture
    • Best-of-breed delivery platform highlights
      • Designed from the ground up as a cloud enterprise software
      • Highly resilient DNS design
      • Content delivery network for performance, availability, and security
      • Bandwidth access to over 10 Providers – there’s always a path in

    Application Security and the Software Development Lifecycle

    • Secure Coding Guidelines - The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls and gives developers a list of requirements for secure development.
    • Code Review - Code review follows internal guidelines based on ASVS; these guidelines are maintained and routinely referenced during the development lifecycle and at code review time.
    • Static Code Analysis - Testing tools are integrated into our continuous delivery platform where appropriate and run continuously.
    • Dynamic Code Analysis - Testing tools are used both manually and in an automated manner. Testing is done both internally and by third-party experts. We maintain long-term relationships with leading security consulting firms so that our findings can be objectively validated.
    • Threat Modeling - This provides a structured approach during the development phase to threat scenarios: it sheds light on vulnerabilities, determines the risks from those threats, and establishes appropriate mitigations.

    Infrastructure, Network, and Logical Security

    We think of security from the ground up: Solid network, logical, and physical security measures are in place and constantly enhanced.

    • Multi-factor authentication for ALL SpringCM operators who remote in. As data or systems are classified as more sensitive, more layers of security are presented to operators needing to administer it.
    • Hardening standards are guided by Center for Internet Security (CIS) benchmarks and validated using NIST Security Content Automation Protocol (SCAP) validation tools.
    • Application layer firewalls, intrusion detection, deep-packet inspection, traffic pattern analysis, and real-time alerting.
    • Zero-Trust Networking – Inspection of all traffic to sensitive areas to detect and alert for potentially malicious behaviors.
    • SIEM logging, correlation capabilities, analysis, and alerting with threat intelligence from the best feeds available.
    • Highly automated deployment mechanisms to quickly hotfix and patch vulnerabilities anywhere in the platform.
    • Extensive use of encryption of both data at rest (256-bit AES or better) and in transit (TLS 1.1 or better with PCI level configurations) throughout. Encryption levels will always be maintained at the highest standards as defined by PCI and NIST. Validation of these encryption levels is continually monitored.
    • Military-grade security in our data centers with multiple factor access and multiple points to private cages.

    Document Centric Security for a Document Centric Platform

    Some elements of SpringCM security are exposed to the client’s account administrators for further fine-grained control.

    Role and Content Restrictions

    • Roles ensure that users only see features needed to complete tasks
    • Comprehensive time-stamped audit trail of every document interaction
    • Content access permissions to control access and rights to content

    Secure Enterprise Mobility

    • Device management: control who has access and through which devices
    • Control what content reaches the mobile device, while the content remains encrypted at rest on the device
    • PIN protection and content encryption on mobile devices, with the ability to control exactly what content is synced to them

    Access Administration Control

    • Single Sign-On (SSO), SAML v2.0 ready, so you can easily integrate with your chosen Identity Provider
    • IP whitelisting and blacklisting support
    • Session duration and time management (customized access)
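As an added illustration of how the two network- and session-level controls above (IP whitelisting/blacklisting and session duration limits) fit together in an access decision, here is a small policy evaluator. It is example code written for this page, not SpringCM's implementation; the network ranges, timeouts and timestamps are constructed sample values, and the `AccessPolicy` fields and the `evaluate` function are hypothetical names. It fails closed on unparseable source addresses, gives deny-list entries precedence over allow-list entries, and distinguishes an absolute session lifetime from an idle timeout so that each denial carries an auditable reason.

```python
"""Access-administration policy checks: IP allow/deny lists plus session limits.

Illustrative example only (not SpringCM code). All CIDR ranges, times and
limits are constructed sample values.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class AccessPolicy:
    allow: tuple            # CIDR strings; an empty tuple means "any source"
    deny: tuple             # CIDR strings; a deny match always wins
    max_session: timedelta  # absolute lifetime measured from issuance
    idle_timeout: timedelta  # maximum inactivity between requests


def ip_permitted(policy: AccessPolicy, source_ip: str) -> bool:
    """Deny list first, then allow list; unparseable input is denied (fail closed)."""
    try:
        addr = ip_address(source_ip)
    except ValueError:
        return False
    if any(addr in ip_network(c, strict=False) for c in policy.deny):
        return False
    if not policy.allow:
        return True
    return any(addr in ip_network(c, strict=False) for c in policy.allow)


def evaluate(policy: AccessPolicy, source_ip: str, issued_at: datetime,
             last_seen: datetime, now: datetime) -> tuple:
    """Return (decision, reason). The reason is what an audit trail should record."""
    if not ip_permitted(policy, source_ip):
        return ("deny", "source_ip_not_permitted")
    if now - issued_at > policy.max_session:
        return ("deny", "session_lifetime_exceeded")
    if now - last_seen > policy.idle_timeout:
        return ("deny", "session_idle_timeout")
    return ("allow", "ok")


# Constructed sample policy: one IPv4 and one IPv6 corporate range allowed,
# a single misbehaving host inside the IPv4 range explicitly denied.
SAMPLE_POLICY = AccessPolicy(
    allow=("203.0.113.0/24", "2001:db8::/32"),
    deny=("203.0.113.200/32",),
    max_session=timedelta(hours=8),
    idle_timeout=timedelta(minutes=30),
)

# Constructed reference time for the scenarios below.
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)


def demo() -> dict:
    """Run a few constructed scenarios and return their decisions keyed by name."""
    m = lambda n: T0 + timedelta(minutes=n)  # noqa: E731 - brevity in a demo
    return {
        "allowed_v4": evaluate(SAMPLE_POLICY, "203.0.113.10", T0, m(10), m(20)),
        "allowed_v6": evaluate(SAMPLE_POLICY, "2001:db8::1", T0, m(10), m(20)),
        "denied_host": evaluate(SAMPLE_POLICY, "203.0.113.200", T0, m(10), m(20)),
        "outside_range": evaluate(SAMPLE_POLICY, "198.51.100.5", T0, m(10), m(20)),
        "garbage_ip": evaluate(SAMPLE_POLICY, "not-an-ip", T0, m(10), m(20)),
        "idle": evaluate(SAMPLE_POLICY, "203.0.113.10", T0, T0, m(31)),
        "expired": evaluate(SAMPLE_POLICY, "203.0.113.10", T0, m(480), m(481)),
    }


if __name__ == "__main__":
    for name, (decision, reason) in demo().items():
        print(f"{name:14s} {decision:5s} {reason}")
```

Checking the deny list before the allow list is what lets an administrator carve a single blocked host out of an otherwise trusted range, and returning a reason string rather than a bare boolean is what makes the "comprehensive time-stamped audit trail" mentioned earlier actually useful when reviewing why a session was cut off.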

    People

    What security program is complete without consideration of what role humans play in it?

    • Social engineering testing is conducted on all SpringCM employees. Those with privileged access are tested more aggressively and by multiple third-party security experts. This involves voice and email phishing exercises.
    • SpringCM’s Security Incident Response program involves periodic “mock security incidents” to test that everyone who would be involved in an actual incident is well-rehearsed in their role.
    • User training at SpringCM is extensive and covers:
      • Acceptable Use Policies
      • Remote Access Procedures, Physical Access, Credentialed Authentication, and Device Encryption Procedures
      • Password Strength Techniques, Phishing Recognition, Anti-Malware, and Insider Threat Management
      • Strong Mobile Device Security Practices
      • Developer and Engineering Security Coding and Configuration Practices
      • Security Testing Procedures for Developers and Engineers
      • System and Data Classification for Privileged Users
    • Security architecture and management by certified professionals
    • Confidentiality agreements are in place with all SpringCM professionals across all departments.
    • Background checks are mandatory for all new hires and are repeated annually for privileged users.

    All employees are given a comprehensive employee handbook that states a code of ethics.


    Our Security Story Continues

    Cloud Leader in Compliance

    We are constantly in risk assessment mode.

    Platform Availability

    Our platform benefits from being built on our own cloud infrastructure platform.
