BluBØX Information Security

Networking 

In most IP networks, any device on the network is susceptible to hacking or unauthorized access. First and foremost, this is because most devices listen to network traffic in order to receive communications that might be intended for them: commands, broadcast messages, network management interactions, and so on. The willingness of a networked device to accept unsolicited external communications is its key vulnerability.

BluBØX’s control panel will not accept inbound connections. It will only listen to network traffic within the HTTPS session which was initiated by the control panel itself. This protects the control panel against unauthorized access because it simply will not accept unsolicited communications. For example, it is not possible to do any of the following to a BluBØX control panel; initiate a telnet, FTP, HTTP/S or any other type of communications session; burden the device through a denial of service (DoS) attack (although the rest of your network may be affected); give the device a virus; or gain access to the file system.

IP Configuration and DHCP 

The control panel must still have some communications with the rest of the IP network on which it resides, particularly with respect to establishing network operating parameters.

First, the control panel will need to have an IP address. This can be established in one of two ways: by a command line interface (CLI) accessible via a crossover Ethernet port, or via the “DHCP” protocol.

The BluBØX control panel supports the DHCP protocol for ease of configuration. DHCP has become the preferred method of managing network devices on most corporate LANs. Supporting DHCP presents no additional security risks for the control panel or the BluSKY® service itself due to other precautions BluBØX has designed into its products. Specifically, our implementation of certificate-based authentication (see section titled “Authentication”) defeats “DNS spoofing” and “host impersonation” types of attacks which can arise when a DHCP server points to a compromised or malicious DNS server.

For networks that do not support DHCP, or network administrators who would prefer to assign an IP address manually, the BluBØX control panel has a local web interface that allows the administrator to enter all network configuration parameters using a laptop and an Ethernet cable.

Overview of DHCP

DHCP stands for dynamic host configuration protocol. Before DHCP, network administrators had to enter various configuration parameters into every networked device in order for it to know how to communicate with the rest of the devices on the network.

DHCP is a mechanism for allowing a network device to query a “DHCP server” to obtain an IP address, a subnet mask, a default g

Non-Routable IP Address and NAT 

The BluBØX control panel initiates all communication sessions with BluBØX’s data center, so the IP address assigned to the panel need not be a static or routable IP address. Non-routable IP addresses cannot be transported over the Internet. This protects the device from exposure to the Internet because it is shielded behind the corporate routers and firewalls like all other devices on the network with non-routable IP addresses.

Specifically, this means that the control panels will operate with routers and firewalls configured to use Network Address Translation (NAT).

Compatible with Firewalls and Proxy Servers 

Many corporate networks are protected with proxy servers (stand-alone or in combination with a firewall). BluBØX anticipated this network architecture and built in support for the SOCKS53 and HTTP proxy protocols, so that it can authenticate itself to the proxy service and access the BluBØX data center.

For network administrators, this design ensures that no changes will have to be made to your existing IT architecture. For example, the BluBØX control panel does not need to have a “hole” put into the corporate firewall to listen for incoming traffic. All it requires is that outbound HTTPS traffic be allowed to go to BluBØX’s data center. Nor does the control panel need to be situated in a “DMZ” on your network. Since the panel operation does not depend on externally initiated transactions, there is no need to expose it to open Internet traffic. For networks with a proxy server, normal operations can continue, with only the addition of a login and password for the control panels added to your LAN.

Physical Security 

BluBØX data centers are outfitted with biometric scanners and secure card access to the collocation services areas of the data center. Additionally, all BluBØX equipment is kept in secure locations. On-site security personnel monitors hosting facilities 24/7 via indoor and outdoor video surveillance. Data center access requires security desk check-in and is managed 24/7. Local key management is enforced for racks and cabinets.

Network Security 

BluBØX has instituted a multi-layered approach to network security for the production BluSKY and disaster recovery environments to ensure the confidentiality of networks and data. BluBØX’s network security architecture includes the use of perimeter firewalls, IPS, network address translation (NAT), and network segmentation such that database servers are not visible to the public. In addition, these environments are both logically and physically distinct from BluBØX’s corporate office network. Internet access is offered through Tier-l OC-192 Internet backbones on dedicated customer circuits.

Access to the production and disaster recovery networks is controlled, logged, and monitored by BluBØX. In addition, encryption techniques are used to support the confidentiality of information sent from one system to another. Between data centers data is transmitted via IPSEC using randomly generated key values.

Redundancy and Disaster Recovery 

Every component in the BluBØX production data center is redundant in either an active/active or active/passive configuration. The BluSKY infrastructure at the production data center is designed with scalability and redundancy in mind so that there is no single point of failure. Therefore, every production component of the BluSKY has a redundant counterpart; including firewalls, load balancers, web servers, application servers, and database servers. The data center hosting provider also features redundant power supplies, dual management cards in each switch, redundant Ethernet, redundant gigabit fiber aggregators, and redundant Cisco GSR routers.

In case of disaster, BluBØX maintains DR services in three availability zones located more than 2,000 miles from our primary data center.

An Independent Network 

For security reasons, BluBØX’s operational network at its primary data center is completely independent of our corporate office network. What this means from a technical standpoint is:

• Physically distinct networking  equipment
• Distinct ISP relationship
• Distinct network address space
• Gateway to data center is dedicated link, with firewall against corporate network What this means in practice is:
• BluBØX employees cannot access data center accidentally or intentionally
• Access to operational network requires firewall login
• Any compromise of our internal corporate network does not “spread” to the operational network

Firewalls 

The first line of defense that protects your data at BluBØX’s data center is a firewall. A firewall is a device which examines incoming and outgoing data traffic and decides whether it should be allowed or blocked, based on a set of rules programmed by the network administrator. At our data center, BluBØX’s firewalls are configured to screen out all types of traffic except for HTTP (for our public site) and HTTPS (once you have accessed your account). There are no other “services” available on the Internet-facing aspect of our transaction processing system.

This means that many of the common forms of gaining access to computer systems are blocked right at the firewall itself. For example, it is not possible to access BluBØX using FTP, Telnet, POP or IMAP mail protocols, instant messaging protocols, or any of the many other types of IP traffic common on the Internet today.

Denial of Service Attacks 

Denial of Service (DoS) attacks are floods of traffic that slow down computers and networks to the point where they can no longer perform their primary functions. They come in two different forms: those that cripple an entire network, such as the Internet itself, and those that debilitate a specifically targeted computer system by forcing it to respond to too many requests.

While BluBØX can do nothing about DoS attacks that slow down the Internet itself, our data center resources are protected against DoS attacks at multiple layers. First, the firewalls block out the vast majority of types of traffic responsible for most widespread DoS attacks. The servers inside of the firewall never even see this traffic, and are thus unaffected by it. This would include all forms of attack that use protocols other than HTTP/S to achieve their effect.

A second line of defense is provided by the load balancers (see Figure 5: BluBØX Data Center Detail) used to spread traffic across multiple servers for scalability. The load balancers examine incoming traffic and make decisions about how (or whether) it should be routed. As part of this operation, they are also about to guard against a common form of attack known as a “SYN flood”, a technique whereby computers are disabled by trying to respond to connection requests. 

Intrusion Prevention Systems 

BluBØX uses an intrusion prevention system (IPS) to examine all incoming traffic for signs of hacking or other unauthorized access. An IPS is, in effect, a security guard that sits at the front door of the network and watches for “burglars.” If it sees one, it can directly respond to threats as well send out a notification that trigger human intervention.

Operating Systems 

The security of an application is ultimately only as good as the security of the operating system on which it is running, some operating systems being simply more immune to attack than others.

All operating systems have vulnerabilities, and, as they are discovered and published to the industry, it is essential to apply updates to the operating systems to ensure that all known weaknesses are eliminated. BluBØX monitors all of the major security advisories and makes a practice of constantly updating its server operating systems with the safest available software.

Web and Application Servers 

Web servers are vulnerable to a variety of attacks. Some of these will disable the server, while others may allow hackers to gain access to the operating system of the server itself, which then provides a beach-head for further malicious activities within the network under attack.

Due to their internal architecture, the web servers used in the data center are not vulnerable to many of the common types of attacks such as buffer overflows and malformed strings. This is largely due to the fact that they are based on the Java programming language, which has built-in safeguards against such errors. 

Database Server 

The database server is a highly protected resource which is separated from all other server resources. There are no unnecessary services running on the database server, which severely restricts the options for accessing the system at the operating system level or with direct connections to the database itself.

Application Security Model 

BluBØX’s application security model is based on the notion of Access Control Lists (ACLs). An ACL is a set of rules which specify which users can access with objects in a system. This concept will be familiar to anyone who uses a file server. The administrator of the file server establishes permissions for files, directories or folders, and executable programs. These permissions specify such properties as to who may read, write or execute the resource(s) in question, and under what circumstances they may do so.

In BluBØX applications, the same concepts are used, both explicitly at the UI level, as in the case of our Tiered Administration capabilities, and implicitly, in a behind-the-scenes “matrix” that indicates, for every object in the system, which authenticated entities may look at or alter the object.

For example, the object representing the control panel in an office may be accessed by any Administrator in your account who has sufficient permissions to do so. No Administrator outside of our account can see or make changes to the control panel.

Can an Administrator from another account get around these restrictions? Can they get around the application restrictions by accessing directories or files directly? The answer is “No” and the detailed technical reasons are explained in the next section.

Instance-Based Security 

BluBØX has implemented a computer industry standard application security model known as instance-based security. This approach is based on a programming model and set of modules which allows developers to implement a set of security measures that are consulted each time an end-user attempts to access an instance of data, such as a user record.

In contrast to some application designs (web-based as well as other technologies), the security framework enforces permissions not only when an end-user enters the application, but each and every time that user attempts to perform an operation on an object. In other words, a user’s permissions (such as those of an Administrative login) are checked each time an action is attempted. This means that even if an Administrator from another account attempts to gain access to another account (e.g., by altering URLs), the attempt will fail because that Administrator will not pass the authorization check for the object he or she is trying to change.

Information Security Policy 

BluBØX recognizes the key role played by humans in the security of its systems. Without strict information security policies and control, no amount of technology can provide security for your data. In fact, human error and malice are two of the most frequent causes of information security breaches. That’s why BluBØX has invested in information security policy development and training, augmented by frequent internal reviews and audits.

Our corporate information policies are based on the best practices of financial institutions and managed service providers, and are vetted by industry experts to ensure that they are always complete and up-to-date.

Audits 

Our 3rd party data centers have more 10,000 security controls and compliance policies formatted for FFIEC reporting and comprehensive practices for SSAE 16 SOC 1, SOC 2, PCI DSS, ISO 27001, Safe Harbor, Global Risk Management, BCDR, and FISMA (NIST 800-53).

BluSKY has is validated with continuous information security audits as well as the Cloud Security Alliance STAR designation and Safe Harbor certification from the Department of Commerce. We will comply with the evolving EU-U.S. Privacy Shield framework. BluSKY® is is FIPS 201-2 approved and hosted in a FISMA moderate data center.

These audits ensure that BluBØX:

• Utilizes proper administrative controls to protect sensitive information
• Implements the controls in a verifiable and measurable way
• Allows independent auditors to periodically check controls and systems to verify compliance

Information Security Audit Overview

An information security audit is a check to ensure that a service provider has implemented and is following a standard set of security policies or controls. The audit reviews polices and practices that are technical, physical and administrative in nature. Audits are typically based on regulations and guidance from industry groups, government agencies and regulatory entities such as these:

• The International Organization for Standardization (ISO)
• The Cloud Security Alliance (CSA)
• The National Institute of Standards and Technology (NIST)
• Payment Card Industry Data Security Standard (PCI DSS)

Audits cover topics such as the physical security of data centers, the logical security of applications as well as the disaster recovery processes and administrative procedures of service providers.

One common US audit standard is a Statement on Standards for Attestation Engagements (SSAE) No. 16. This is a report on controls at a service organization that is relevant to security and availability. Also known as an SSAE 16 SOC 3 Report.

The recognized international standard is ISO 27001, which is provided by the International Organization for Standardization (ISO) and is a certification and information security management system standard for IT system networks.

Specific Controls 

• BluBØX employs independent auditors to verify the following:
• Employees with access to sensitive information undergo background checks and receive enhanced security training
• A risk management strategy is employed and that all risks and the mitigating controls are documented
• BluBØX monitors the activity of systems and employees to ensure the quality and security of products
• There is a clear communication channel between support personnel, management, and customers, and an incident or problem is recorded.
• Changes to the system are reviewed, tested, and recorded prior to implementation

Continuous  Vulnerability Scans 

BluBØX routinely conducts vulnerability scans with multiple tools to enhance the security of its products. These tests are critical elements of any cloud security program. These tests ensure the privacy and security of customers by detecting, testing, and repairing vulnerabilities that could be exploited by a malicious party.

BluBØX conducts these tests in several layers to isolate problems and to ensure maximum security for our clients. First, each product is scanned during development for known errors. The second phase is to install each product in an isolated security environment with simulated data, and attempt to exploit the discovered or previously known vulnerabilities. Once any discovered weaknesses are addressed, the product is retested and released for general use.

Passwords 

BluBØX has imposed a password management protocol on its employees which ensures that passwords are changed frequently, that they are not likely to be guessable, that they are not written down anywhere, and that they not be shared across multiple servers or security domains.

What data is recorded in BluSKY? 

BluSKY provides the capability for Subscribers to store basic personal information such as an individuals name, email address and photograph. This information is used to correlate security events to the correct individual as well as to enable notifications and BluBØX Mobile Pass functionality. Though the system has the capability to store a number of personal data elements, these items are not essential for operation of the system. BluSKY records the actions of system Administrators as well as the status and the settings of various devices that have been configured to operate with BluSKY.

How is my data used? 

Customer Data entered in BluSKY by Subscribers or collected through the operation of the system are for the exclusive use of our Subscribers. BluBØX may access Customer Data only for the purpose of providing the Services or preventing or addressing service or technical problems or as may be required by law. BluBØX does not sell, rent or trade personally identifiable customer information with third parties. BluBØX shares data with relevant 3rd party processors when explicitly authorized by administrators in the relevant BluSKY account, for example, to enable integrations via our Application Programming Interface (API).

How secure is my data? 

The security of Customer Data, including personal data, is very important to BluBØX. BluBØX maintains a comprehensive, written information security program that contains industry standard, administrative, technical, and physical safeguards designed to prevent unauthorized access to Customer Data. BluSKY safeguards Personally Identifiable Information (PII), in accordance with NIST SP 800-122 and OMB memos M-06-16 and M-07-16 with specific provisions enabled by the Subscriber.

How does BluBØX prevent against hacking the web site? 

As described in the BluBØX Information Security white paper, BluBØX has followed industry best practices for securing data and applications in our data center. These measures include: physical security of the data center itself, network security instruments such as firewalls, authentication and string encryption, operational practices such as keeping operating systems and applications secure against known vulnerabilities, and engineering application-level security into BluBØX web services.

Can BluBØX employees see my data? 

BluBØX’s Customer Service Representatives (CSRs) can view certain data within your account when you authorize them to do so. The Journal in your account will reflect all such access.

No other BluBØX employees are permitted to view your data. This policy is enforced in several ways. First, the BluBØX corporate LAN is completely separate from the LAN at our data center. Network operations employees are authorized to access the data center via a dedicated link from our headquarters, but only through a firewall and only with the proper password information. Per BluBØX’s information security policy, these passwords are known by very few individuals and are changed on a regular basis.

Can I get my data out of BluSKY? 

Yes, customer data can be exported from BluSKY via our report functions. In situations of termination of an account BluBØX will provide a complete copy of the account data upon request.