Security Information for ProVault DBA Intake123
Your client’s matter information is stored in a highly secure online data center with the latest access, network, encryption, and data transfer security. The system provides frequent backups and change history. Never worry about losing important information, about laptop security measures, or about a client’s personal documents ending up in the wrong hands.
● World-class, highly secure data centers
● State-of-the-art electronic surveillance
● Multi-factor access control systems
● Staffed 24x7 by trained security guards
● Access is authorized strictly on a least-privilege basis
● Environmental systems
● Located in low risk zones for natural disaster
Data Backups & Change History
● Backups on different servers in different geographical regions and different availability zones (lower-risk zones, fed by different utility grids)
● Backups taken every hour and stored 15 days
○ Protection from natural disaster and system failure
○ Protection from data corruption
● A record is created for every change with: date/time stamp, user, and the information that changed
We have two servers, both AWS EC2 instances. On one server we host our dev & test environments, and on the other we host our staging & production environments. Currently both are in the same data center in the US East Region (Northern Virginia).
Manuel, will you describe how frequently, and where, we do the various types of backups, and which type is good for natural disasters and which are good for data corruption?
How often does your IT department do backups? What is your plan for disaster or system failure? How do you audit changes?
Access & Network Security
● Built-in firewalls & other boundary devices:
○ employ rule sets
○ access control lists (ACL): traffic flow policies
○ configurations to enforce the flow of information to specific information system services
○ secure access points
● AWS Identity and Access Management (IAM)
○ AWS IAM enables you to implement security best practices, such as least privilege, by granting unique credentials to every user within your AWS Account and only granting permission to access the AWS services and resources required for the users to perform their jobs. AWS IAM is secure by default; new users have no access to AWS until permissions are explicitly granted.
● Virtual Private Cloud (VPC)
○ provides a private subnet within the AWS cloud
How does your IT department secure your access and network?
ProVault encrypts your clients’ data with the AES-128 algorithm
Advanced Encryption Standard
● Adopted by the U.S. Government
● Used worldwide
● Federal Information Processing Standards (FIPS)
● Became Effective as a Standard in 2002
● Approved by NSA for Top Secret Information
ProVault uses different encryption keys for:
1. Client Data
2. Client Encryption Key (ProVault encrypts Clients’ Encryption Keys)
3. Client Password
4. Firm Secret Key
1. Client Data is encrypted with that Client’s Encryption Key.
2 & 3. Both the Client Encryption Key and the Client Password are encrypted with the Firm Secret Key.
Firm Members’ access to Client Data:
Step 1: The Firm Secret Key decrypts the Client Encryption Key.
Step 2: The Client Encryption Key decrypts/encrypts the Client Data.
4. On the Client record, the Firm Secret Key is encrypted with the Client Password.
Client’s access to her own data:
Step 1: The Client Password decrypts the Firm Secret Key.
Step 2: The Firm Secret Key decrypts the Client Encryption Key.
Step 3: The Client Encryption Key decrypts/encrypts the Client Data.
The only place any encryption key is stored without being protected by a user-defined encryption key is a separate secure database. There, ProVault uses a ProVault-defined Encryption Key to encrypt the Firm Secret Keys, which are kept solely for the purpose of Client Password and Firm Secret Key recovery.
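The key hierarchy described above (Client Data under the Client Encryption Key, that key under the Firm Secret Key, and the Firm Secret Key under the Client Password) is a form of envelope encryption. The Go program below is an added example written for this page, not ProVault’s code. It assumes AES-128-GCM as the cipher mode and PBKDF2-HMAC-SHA256 to turn the Client Password into a wrapping key, neither of which the page specifies; the type and function names (ClientRecord, NewClientRecord, FirmMemberRead, ClientRead), the iteration count and the sample data are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

const pbkdfIters = 100000 // assumed work factor; the page names no key-derivation function

// random returns n cryptographically random bytes (keys, salts, nonces).
func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// aeadFor builds AES-128-GCM for a 16-byte key. GCM is an assumption (the page
// names only AES-128); a wrong key length is a programming error, so it panics.
func aeadFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return g
}

// seal encrypts plaintext under key; output layout is nonce || ciphertext || tag.
func seal(key, plaintext []byte) []byte {
	g := aeadFor(key)
	nonce := random(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; the GCM tag check fails on a wrong key or a modified blob.
func open(key, blob []byte) ([]byte, error) {
	g := aeadFor(key)
	if len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("blob too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// pbkdf2SHA256 derives a 16-byte wrapping key from the Client Password (RFC 8018,
// one output block suffices for 16 bytes). Spelled out because PBKDF2 only
// joined the Go standard library in 1.24.
func pbkdf2SHA256(password, salt []byte, iter int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // big-endian block index 1
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for n := 1; n < iter; n++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t[:16]
}

// ClientRecord holds the ciphertexts the page describes for one client.
type ClientRecord struct {
	Salt       []byte // salt for the password-derived key
	WrappedFSK []byte // Firm Secret Key, encrypted with the password-derived key
	WrappedCEK []byte // Client Encryption Key, encrypted with the Firm Secret Key
	Data       []byte // Client Data, encrypted with the Client Encryption Key
}

// NewClientRecord generates a fresh Client Encryption Key and wraps everything.
func NewClientRecord(firmKey []byte, password string, data []byte) *ClientRecord {
	cek, salt := random(16), random(16)
	return &ClientRecord{
		Salt:       salt,
		WrappedFSK: seal(pbkdf2SHA256([]byte(password), salt, pbkdfIters), firmKey),
		WrappedCEK: seal(firmKey, cek),
		Data:       seal(cek, data),
	}
}

// FirmMemberRead: Step 1 the Firm Secret Key unwraps the Client Encryption Key, Step 2 that key decrypts the data.
func (r *ClientRecord) FirmMemberRead(firmKey []byte) ([]byte, error) {
	cek, err := open(firmKey, r.WrappedCEK)
	if err != nil {
		return nil, err
	}
	return open(cek, r.Data)
}

// ClientRead: Step 1 the password-derived key unwraps the Firm Secret Key, then Steps 2 and 3 are the firm path.
func (r *ClientRecord) ClientRead(password string) ([]byte, error) {
	firmKey, err := open(pbkdf2SHA256([]byte(password), r.Salt, pbkdfIters), r.WrappedFSK)
	if err != nil {
		return nil, fmt.Errorf("wrong Client Password or tampered record: %w", err)
	}
	return r.FirmMemberRead(firmKey)
}

func main() {
	firmKey := random(16)
	rec := NewClientRecord(firmKey, "correct horse battery", []byte("constructed matter notes"))
	viaClient, _ := rec.ClientRead("correct horse battery")
	_, badPw := rec.ClientRead("wrong password")
	fmt.Printf("client path: %q\nwrong password: %v\n", viaClient, badPw)
}
```

Both access paths end at the same Client Encryption Key, and because every layer uses authenticated encryption, a wrong Client Password or a wrong Firm Secret Key fails at the first unwrap instead of yielding garbage plaintext; that fail-closed behaviour is the property to check for in any such layered-key design, and the plaintext Firm Secret Key exists only transiently in memory during a read.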
If a malicious person gained access to one of your computers in the office, or one of your laptops out of the office, what password and data encryption protection do you provide for your clients’ confidential data?
ProVault uses HTTPS
HTTPS combines the Hypertext Transfer Protocol with the SSL/TLS encryption protocol to provide encryption and secure identification of the server, giving a secure channel for sending information.
The Secret Key is passed in encrypted form between ProVault pages via CGI.
Do you use secure transfer protocols to send client information and documents via email, or across your company’s network?
Is your firm’s IT department “up to the task” of providing the security required for your client’s confidential data?