Tracker Software 'Safe' System Security Whitepaper
Thousands of customers already trust Tracker Products for managing their evidence and assets. Enhancing the security of your data and processes within SAFE is one of our top priorities, which is why we are constantly focusing our efforts on confidentiality, integrity, and availability by use of technology, security-minded service partners, and enhanced internal support processes. Information security is based on widely-accepted standards.
Physical SecuritySAFE server, network, and storage infrastructure components are hosted at Amazon Web Services (“AWS”). Amazon’s data centers are built to exacting, rigorous standards and deliver exceptional security, power, connectivity, and environmental control. Hosting at AWS allows us to leverage a solid, securely managed infrastructure and platform base that is audited many times each year, trusted by millions of customers with varying security needs, and compliant with multiple security standards including SOC2, FedRAMP, CJIS , and ISO 27001.
Note: While our primary infrastructure is stored in AWS GovCloud, we provide private platforms in other AWS regions along with Azure (any region or Gov Cloud), Rackspace or Google.
Physical access to AWS facilities is strictly controlled, both at the parameter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. Data center access is only available to employees and contractors who have a legitimate business need for such privileges.
AWS data centers also have automatic fire detection and suppression systems and fully redundant electrical power systems that can be maintained without impact to operations. This includes uninterruptible power supply (UPS) units and generators. Climate is controlled to maintain a consistent operating temperature for all servers and other hardware, which prevents overheating and reduces the possibility of service outages.
When a storage device has reached the end of its useful life, AWS procedures include a decommissioning process that is designed to prevent customer data from being exposed to unauthorized individuals.
Logical Data SeparationThe standard SAFE software platform is a multi-tenant database structure with security controls in place to prevent cross-client data access. For clients that require stand-alone machines, we can provide private cloud options at an extra cost.
Private Cloud Facility OptionsFor clients that desire a Private cloud system (separate machines and software in your own dedicated structure) we can store your machine at any hosting facility offered by Amazon and Azure including GovCloud options for both.
Availability, Redundancy, and Business ContinuityThe SAFE system is hosted within multiple AWS availability zones for computing and storage infrastructure and platforms. This means SAFE servers, networks, and customer data span multiple, secure, data centers located and physically separated within a metropolitan region. SAFE will automatically fail-over to an alternate availability zone if computing at the primary zone is interrupted as well as balance processing between multiple availability zones. For capacity demands, SAFE utilizes elastic computing that allows automatic scaling of resources during busy workloads, redundant databases, and network load balancing.
While SAFE has redundancies built into the AWS infrastructure with real-time database replication within the primary AWS hosting region, SAFE customer data is also fully backed up daily (database logs are dumped every 5 minutes) and copies are available in the primary AWS region where SAFE is hosted and copies of the backups are also replicated to a secondary AWS region. In the unlikely event of the primary AWS region being totally down, the backup copy within the secondary AWS region could be utilized to restore the SAFE system within 24 hours with a recovery point objective of 5 minutes. System and Network Security
SAFE servers run a hardened OS with scheduled security patches applied to provide ongoing protection from exploits. All system access is logged and tracked for auditing purposes and AWS support resources with access to SAFE servers undergo a thorough background check. Tracker support personnel utilize unique credentials to access SAFE servers and backend processes as well as multi-factor authentication into the AWS environment.
Application SecurityAll access to SAFE is protected by Transport Layer Security (TLS 1.2) providing both server authentication and data encryption using 256-bit certificates. This ensures your data is safe, secure, and available only to registered users in your organization with the proper permissions.
Application penetration testing (Pen-Test) is routinely conducted by a 3rd party security firm. This includes the OWASP Top Ten (Open Web Application Security Project) vulnerabilities. Any exploits found during manual and automated penetration tests are addressed and retested to ensure they are remediated in a timely manner.
SAFE requires each user to have a unique username and password that must be entered each time a user logs on. Password strength parameters are enforced by the application and include: password lengths of 10-128 characters, passwords cannot contain 2 identical characters in a row, must contain at least 3 character types out of 4 (upper case, lower case, numbers, and special characters), and passwords cannot be “reused” for one year. In addition, accounts are locked after 5 failed login attempts for a duration of 10 minutes or until unlocked by an administrator.
SAFE supports single sign-on via SAML 2.0 as well as Multi-Factor Authentication via Google Authenticator. Both are optional and configurable by the client.
People and ProcessesAll Tracker resources that support SAFE must complete basic security awareness training as well as role-based training where applicable. We have developed and adhere to internal change, incident, and related management processes to enhance SAFE’s reliability and to maintain information security and incorporate these processes into all aspects of service delivery. Limited support resources at Tracker have access to Amazon Web Services infrastructure and platforms for SAFE. All access and changes to AWS SAFE services are logged and periodically reviewed for appropriateness.
Tracker Products is willing to take part in any agency or state required background vetting process. Please see your sales rep if this needs to be done.
CJIS StanardsCJIS standards are rigid guidelines to ensure that the customer (you) and your data are secured and protected. CJIS guidelines were written by the FBI specifically geared towards law enforcement agencies that are using, storing and securing 'CJI' data.
There are five primary requirements to being in line with CJIS standards.
- CJIS Compliance Guidelines found here
- Vendor Compliance with Infrastructure General - GovCloud Security - FIPS 140-2 - FedRamp
- Vendor Compliance with Software
- Client Compliance
- Agreements between Client and Vendor
- Data In Transit When CJI is transmitted outside the boundary of the physically secure location, the data shall be immediately protected via encryption. When encryption is employed, the cryptographic module used shall be FIPS 140-2 certified and use a symmetric cipher key strength of at least 128 bit strength to protect CJI.
Response: Standard connections with SAFE is protected by Transport Layer Security (TLS 1.2) providing both server authentication and data encryption using 256-bit certificates. For clients that wish to achieve the full FIPS 140-2 compliance we offer secure end to end VPN tunnels at no additional cost.
- Data At Rest When CJI is at rest (i.e. stored digitally) outside the boundary of the physically secure location, the data shall be protected via encryption. When encryption is employed, agencies shall either encrypt CJI in accordance with the standard in Section 184.108.40.206.1 above, or use a symmetric cipher that is FIPS 197 certified (AES) and at least 256 bit strength.
Response: We encrypt all storage devices with the highest level encryption offered. See statement below for how we store date at rest.
- Section 220.127.116.11.1 Passwords Agencies shall follow the secure password attributes, below, to authenticate an individual’s unique ID. Passwords shall
Response: Safe software is compliant with all requirements in this section. 1. Minimum 8 characters 2. Not be in a dictionary or proper name 3. Not be the same as the UserID 4. Expire within a maximum 90 days 5. Not be identical to previous 10 passwords 6. Not transmitted in clear outside secure location 7. Not displayed when entered.
Frequently Asked Questions
What AWS zone do we store data
- All traffic and data for Secure.trackerproducts.com is stored in Amazon AWS GovCloud. See AWS GovCloud Site for many more details. All traffic and data for apac.trackerproducts.com is stored in Asia Pacific (Tokyo).
What levels of Security Certifications does AWS data centers offer
- There is a significant amount of information on AWS about certifications. See GovCloud Security or Non GovCloud Security and Compliance
What types of data are we compliant to store?
- There is a significant amount of information on AWS about certifications. See Security and Compliance
How does SAFE Support Encryption at Rest?
- The SAFE software system stores data in one of three data storage devices.
- All file attachments and media are stored in AWS S3. See AWS documentation for encryption of files in S3 Encryption
- SQL Database – All data is stored on encrypted EBS volumes. See AWS documentation for details on EBS Encryption
- Mongo Database - All data is stored on encrypted EBS volumes. See AWS documentation for details EBS Encryption
Do we charge extra for encryption at Rest?
- No, this is a standard feature of our product delivery.
Can customers have a copy of the encryption key?
- No, this is a managed function of AWS.
Hardware Change Management
- AWS, as part of their infrastructure, handles all hardware change management. See AWS for more information.
- Most of our software and data reside on services provided by AWS that automatically handles all patches. However, for machines we do control, we patch and update software OS and specific products every month.
Data & System Replication
- All data and systems that support SAFE are replicated with failover options in place to minimize the impact of a single system failure. We are constantly monitoring each system to ensure health and will replace hardware immediately should there be any failure.
What backup procedures are in place?
- All client stored data are not only stored on encrypted / replicated storage systems but all data is backed up daily and stored on AWS S3 and maintained for 30 full days.
What infrastructure is ‘shared’ v/s ‘dedicated’?
- All of our client sites are ‘shared’ unless client specifically purchased a Private Cloud Option (PCO). In the PCO scenario, we replicate a shared infrastructure but make it private for that client. This means that no hardware and data storage devices are shared but dedicated to a specific client. Additional charges apply to the PCO.
What are our options for long-term retention of data?
- Because SAFE, at its core, is a chain of custody tracking application, we never destroy any data collected. Even the logging, showing changes to data, is kept forever. The only client option to remove data is media payload files.
Do we support Multi-Factor Authentication?
- Yes, we support multiple IDP providers of SAML 2.0 OR Google Authenticator. Org Admins can track user usage in the User Admin area of the system.
Do we support Active Directory Authentication?
- Yes, each Organization in the SAFE product can tie users back to a SAML 2.0 system. Details
How do we handle access control and least privilege?
- Each account created in the SAFE system has no permissions by default. Org admins will assign systems permissions from there.
How do we monitor and report on account activity?
- The SAFE system logs all activity to the system including every API request. We are constantly monitoring for brute force attacks and will disable a IP if any activity is found to be brute force in nature. We also document each valid login back to originating IP address. From there, with API activity logs, we can track all user steps within the system.
How is client data returned at the end of a contract?
- All client data can be directly exported via the product UI. At no point, do we own or hold your data in such a way that you can’t retrieve it? After download of all your data, you can request that we delete all your data from all storage systems.
How do we test SAFE for Security flaws?
- Upon every release of SAFE, our QA team not only tests the product to make sure that our update did not break any existing feature but we also run those tests through a security program to look for code that might allow a hacker access to the program. While nothing is ever 100% perfect, this goes a long way to ensuring our code is not vulnerable to command hacks.
Service Level Agreement
- The SAFE SLA is a duplicate of the AWS SLA. We ensure software availability at the same rate. See AWS SLA for details
How are passwords stored in SAFE
- We locally storage passwords we Salt and Hash all passwords in the database. In addition, we support most OWASP standards for username and password complexity.
Can any third party (your service providers) access your data, and if so, how?
- No, all data is encrypted at rest. No one outside of Tracker employees (selected IT personnel with CJIS verified credentials.) will have access to your data.
Are login accounts deactivated for non use
- Yes, all accounts that have no activity in the last 60 days are disabled. Only an Org Admin can enable a deactivated User account.
Please see the link for more information regarding non-active User and Agency accounts - Overview
How do we protect against DDoS attack
- See AWS documentation for DDoS Mitigation and Prevention
Secure VPN TunnelFor clients that would like a secure VPN tunnel, we can use the AWS VPN cloud option to create a secure channel. Our network security team will need information about your network to make this happen.
How often to we roll out updates and when?
- Scheduled releases are pushed out every three to four weeks at a posted time. We notify all account admins at least two weeks prior an update. Updates will take place no later than 5am EST on the scheduled release date.
- Every so often we will release an unscheduled update. We will notify clients as early as possible and these will also be done no later than 5am. In extremely rare circumstances we will release a patch, if warranted, during normal business hours.
- If updates or maintenance will require an extended period of downtime we will complete these on a Sunday between 12am ET and 5am ET. Notifications will also be sent in regards to this.
What are the minimum client requirements?There are no plugins or ActiveX controllers for Safe clients. We suggest running the most current version of Chrome, Firefox or Safari. If you must use Internet Explorere, you must have at least v11. We highly suggest Edge if you must use IE.