Security FAQ
Question: What are the standard password and session requirements for suppliers using Trial Interactive?
Answer: Users are identified by their email address, with verification of this email address by the customer providing access to this closed system. For Multi-Tenant customers, the Passwords must be minimum 8 characterslong with uppercase, lowercase, numbers, and punctuation marks required. Passwords expire by default every 60 days, and users cannot re-use their last 3 passwords. Users failing their authentication five (5) times for either login or eSignature are locked out of the system, requiring account reset by their customer. All sessions are subject to an interactivity timeout of 5 minutes. All of these options may be modified for Single- Tenant customers.
Question: Please describe the security architecture of Trial Interactive.
Answer: Trial Interactive has multiple layers of boundary protection on all hosted solutions. Trial Interactive has a shared application instance; however, each customer's documents are stored separately, which is logically and physically separated from the Trial Interactive database instance. There is a logical segmentation between client records, and all data is encrypted in-place and in-transit. Trial Interactive has gone through a rigorous 3rd party security break-in analysis and white box and black box testing to ensure both internal customer segments are secure as well as to ensure safety from the open Internet.
Trial Interactive uses double encryption (at-rest and in-transit) to provide optimal security. TransPerfect policies detail encryption and data protection, detection and controls, as well as systems and security. In terms of transport encryption (i.e. – data or password transmission from the client), the application uses TLS between the client browser, the application, and internal application servers. All data volumes and file content is encrypted. The application uses Hash: SHA-512 to protect shared secrets in storage. Cryptography is used in the application for data and password transmission, and data storage. SSL-2048 is used for HTTP communications and AES 256 is used for encrypted data at rest. AES 256 is used for server side encryption for RDBMS. Lastly, RSA_WITH_AES_256_CBC_SHA256 cipher suite is enabled for encryption and authentication. All communication with Trial Interactive servers goes over HTTPS/SSL. The enabled protocol is TLS v1.2 and the enabled ciphers are the ones recommended by the latest high security settings. This can be independently verified here: https://www.ssllabs.com/ssltest/analyze.html?d=login.trialinteractive.com.
Question: With many customers using Trial Interactive at the same time, their data will be co-mingled. Isn't that risky?
Answer: Data is actually co-mingled at many points on its journey through the Internet, in TransPerfect's internal network and eventually in Trial Interactive. Just as effective controls have been developed to segregate data in the Internet, TransPerfect has implemented identity based access controls in Trial Interactive to sustain the needed separation. Each user is identified and then authenticated to establish the session and each session is encrypted to maintain integrity and confidentiality.
Question: If a customer chooses the Trial Interactive multi-tenant product, is all the data and access still completely under a customer's control?
Answer: Yes. Even though Trial Interactive may be hosted as multi-tenant, it is still a completely closed system for each customer. This means that customers must explicitly invite each and every user to access Trial Interactive, and that all data collected in Trial Interactive is stored securely and within the customer's full control.
Question: At a technical level, please describe the security architecture and security data model of Trial Interactive.
Answer: The servers used are all hardened-kernel Linux with an externally facing hardware firewall, backed by an auto-correcting Web application layer firewall with intrusion detection through AWS Guard Duty and tied to the alert system. Access to every application service is tied to a set of standard security groups, and all services are orchestrated to zero access until enabled explicitly. A 3rd-party security white box / black box penetration test is executed at minimum once per year, and automated scans are executed every month. Only specifically trained TransPerfect employees are provided access to the TI production cloud hosting environment, and this limited group of individuals are provided access through a jump box with IP-range-limited, password-protected, expiring certificate security keys. An important characteristic of the Trial Interactive architecture is the separation of customer data. We take data segregation very seriously and understand our customers' concern regarding data cross-population in a SaaS model. Trial Interactive leverages multiple checkpoints to verify that data bleed does not occur.
Question: Why did we choose to use a third party for Trial Interactive hosting?
Answer: Advanced web service and messaging capabilities allow us to consider distributed architectures that leverage cost effective third-party alternatives to host where it makes the most business sense (e.g. for less intricate modules of our software) without compromising quality. In short, Trial Interactive takes advantage of these newer capabilities that work better for applications that require improved scalability and reliability. Specifically, use of the Cloud allows for a greater degree of horizontal scalability, so that we can ensure our customers always achieve a high quality user experience and performance when using TI.
Question: What kind of encryption is used by Trial Interactive?
Answer: Trial Interactive uses double encryption (at-rest and in-transit). TLS is used to encrypt all data in-transit. For data at-rest identify information (passwords) uses the SHA-512 hashing algorithm.
Question: Please describe the security testing processes used for Trial Interactive.
Answer: Trial Interactive has been tested by a 3rd party security testing firm, using a standard black-box attack test, as well as a white-box internal attack test. External DOS (Denial of Service) attacks are also prevented.
Question: Is Federated Identity supported by Trial Interactive?
Answer: Yes. Trial Interactive serves as a Service Provider (SP) for SAML based authentication requests from an Identity Provider (IdP)
Question: Please define how general facility access is managed for Trial Interactive? What kinds of safeguards exist to prevent unauthorized access?
Answer: Trial Interactive utilizes AWS for all Trial Interactive hosting. The selected hosting provider provides virtual servers in a SSAE 16 SOC 2 (formerly SAS 70) data center that incorporates safeguards at the physical, logical, network and data access layers of their infrastructure in accordance with this certification.
Question: Does TransPerfect allow external access to the Trial Interactive network? If yes, how is it controlled and monitored?
Answer: TransPerfect designs and manages all access into the Trial Interactive cloud services environment as per the access management procedure. Third party firewall technology is deployed at our perimeter to guard against unauthorized access and access to these devices is controlled via access control lists that are maintained by select resources in our operations organization. All communication is restricted to HTTP and HTTPS (ports 80 and 443) all other access are denied. An intrusion prevention system is deployed to alert SaaS operations of unauthorized attempts to access the cloud services environment. Application tiers that support the cloud services environment are segmented and to provide further security against unrestricted access.
Access to the Trial Interactive cloud services environment by internal TransPerfect resources is strictly controlled and based upon roles. Request for access are made in the Trial Interactive access control system and require executive and operations approval. The access control system will track and record the steps in the approval process. The Trial Interactive Cloud Services environment runs on a segregated network from the corporate network and requires a separate set of credentials to be accessed. Logs are kept and reviewed for internal TransPerfect resources accessing the Trial Interactive cloud services environment.
Question: Do you have SOPs in place to address the physical security of Trial Interactive computer systems?
Answer: TransPerfect is committed to secure in our corporate and cloud services environments. Access to the corporate TransPerfect environment requires a key card that is acquired by employees and contractors during the on-boarding process. The access list for these key cards are managed by the TransPerfect IT department and monitored by the leasing company. All perimeter access requires valid key cards to gain entry, there is a receptionist in the main entrance monitoring guest access and there are cameras monitoring common areas.
Question: Does TransPerfect have SOPs in place to address the control and access to the Trial Interactive virtual data center and network?
Answer: Yes. The allocation and use of any privileges in a multi-user information system environment is both restricted and controlled, i.e., privileges are assigned by role; privileges are allocated on need-to-use basis; privileges are allocated only after formal authorization process per TransPerfect logical access policy. The policy addresses those systems where every user is granted access (email account, for example) and others where explicit access is required.
Question: Does TransPerfect maintain a list of current and historical users that have/had access privileges to Trial Interactive? Does TransPerfect have SOPs in place to monitor unauthorized access attempts? Are logs and reports maintained?
Answer: Yes. Operating system logs include IP addresses, attempted / unsuccessful and successful logins.
Question: What kind of Security Policies and Procedures are in place for Trial Interactive?
Answer: The information security manager is responsible for overseeing security across the TransPerfect organization. The cloud services security policy is designed to communicate the security requirements that TransPerfect will utilize in delivering and supporting cloud services to our customers. It is the responsibility of the all employees of TransPerfect, Inc. involved in the design, delivery of maintenance of Trial Interactive Cloud Service environments to comply with the policies outlined in the cloud services security policy. It is the responsibility of the information security manager (ISM) to ensure that the current security policies relating to Trial Interactive Cloud services are being employed properly and that these policies remain current and up to date.
The key policies and procedures implemented to provide this compliance are the following:
- The Systems Development Lifecycle (SDLC) policy provides the details by which cloud services are developed and tested. In accordance with the cloud security policy a vulnerability assessment is conducted as part of the testing process that is focused on both application and environmental vulnerabilities.
- The access management procedure details the steps required for managing security in the cloud services environment as well as the process used to request and approve internal access to the production cloud services environment.
- The event management procedure details the steps involved in monitoring production cloud service environment inclusive of procedures for responding to alerts and organizational escalation.
- The disaster recovery procedure details the preparation and execution steps that would be required if a disaster impacted the production cloud services environment.
- The data management procedure details the steps required for securing information in the production cloud services environment as well as backing up information to a secondary cloud services environment.