Product reliability and IT security build our customers loyalty
The trust our customers place in us is based on the security we provide in terms of continuity and good performance of our services as well as on the confidentiality and protection of documents and data involved. The reliability of our products and the safety of the operations carried out through them are fundamental factors that Penneo absolutely prioritizes.
At Penneo, we strive to provide a constant high-level service, meeting our customers' expectations day by day. IT security is of strategic importance for us and it is an essential part of our company culture. What is even more important than discovering vulnerabilities is being able to estimate the potential risks at an early stage of the product life cycle. Identification of security concerns and periodical testing of possible issues allow to estimate the severity of all of risks to the business and make informed decisions.
Penneo security strategy is based on a risk management paradigm, for which we focus on observing potential risks to minimize the chances of their verification. Our risk-based approach enables to save time and resources while ensuring the full comprehension of more serious threats.
Read more about Penneo's Security Management System to find out how our IT security is structured
Ensuring protections requires a collaborative effort and you have an essential role in building a strong security framework.
Penneo wants to make sure you have access to all the information you might need to protect your environments.
Read our Best Practices to find advice on
- how to recognize and report suspicious activities
- how to reduce risk and ensure protection from online security threats
- what are the recommended system and application access best practices
Customers as a security resource
Penneo's commitment to security takes shape starting from the preliminary phases of product and software development. From establishing internal projects to implementing IT systems, compliance and safety of our operations are always kept in mind. Our principles and technologies used in order to provide customers with the best outcome allow us to minimize risks, prevent threats and ensure our product security. The actual application of appropriate technical and organizational measures helps to create the foundation for effective prevention and mitigation of vulnerabilities, breaches and leaks, while promoting a stronger awareness of information security and data protection within all departments of the company.
Precautions and cautious planning inform our customer centric management framework and systematically ensure that the IT controls continue to meet security needs and standards on an ongoing basis, so that sensitive data remain secure. However, sometimes it may not be enough. Placing the clients and their satisfaction in the first place, Penneo values the contribution the customers themselves can make by reporting potential issues or worries. Having the widest possible view of the situation and being able to quickly identify the possible problems is as important as our proactive strategy. In other words, our ability to react immediately and efficiently also depends on you, and this is your active role in our security master plan.
Please do not hesitate to contact our Support Team whenever you have issues or questions about Penneo use or you want to report problems and suspicious activities.
Penneo's Security Management System &
Risk management and monitoring take a central role in the way Penneo is run.
Our security strategy is built on a risk-based approach, for which we focus on observing potential vulnerabilities to minimize the chances of verification of issues.
This risk management paradigm enables us to save time while ensuring the full comprehension of more serious threats.
Data center security
In order to manage and operate its software as a service (SaaS) and offer its product to customers, Penneo uses the IT infrastructure (IaaS) provided by Amazon Web Services (AWS). The choice of this highly-secure world-leading data center has been mainly dictated by security and operational reasons:
- the services provided by AWS enable us to automate most of our operational task related to the IT infrastructure thus minimizing human interaction. Since people fallibility is one of the biggest threats to any IT based company, heavily reducing the impact of the human factor in our threat scenario helps us provide extremely secure and reliable services.
- AWS gives us instant access to one of the world's biggest infrastructure resource pools. This allows us to handle any size of workload by automated infrastructure scaling and makes us able to recover from complete system failure in a matter of minutes instead of hours or days.
Coding and testing practices, vulnerability management, industry standard: Penneo's risk ranking framework
In line with our intention to obtain the best possible results in terms of performance, compliance and safety, Penneo relies on OWASP best practices: in the Application Security field, the OWASP (Open Web Application Security Project) is the worldwide best-recognized organization focused on improving the security of software by providing an unbiased source of information and guidelines.
The OWASP Risk Rating Methodology we use at Penneo involves several steps aimed at determining the severity of a risk based on its likelihood and impact:
- Identifying a security risk that needs to be rated: gather information about the threat agent involved, the attack that will be used, the vulnerability and the seriousness of the impact in the event of successful exploit on the business considering the worst-case option.
- Estimating Likelihood: it's essential to understand how likely a particular vulnerability is to be uncovered and exploited by an attacker and generally identify whether the likelihood is low, medium, or high by using a number of factors, involving threat agent factors (type and size of the group of threat agents, their skill level, their resources-opportunity and motive to find the vulnerability and the reward in exploiting it) and vulnerability factors (how easy it is for this group of threat agents to discover and actually exploit this vulnerability, how well known is this vulnerability and how likely an exploit is to be detected).
- Estimating Impact: it's important to realize what impact a successful attack might have and estimate its magnitude, both from a technical point of view (on the application, the data it uses and the functions it provides) and from the perspective of the business and company operating the application. The latter is probably more relevant since it's the business risk what justifies investment in fixing security problems. Technical impact factors are loss of confidentiality, integrity and availability due to disclosure, corruption and loss of data, and accountability in terms of traceability of threat agents. Business impact factors are financial and reputation damage, level of non-compliance exposure, privacy violation due to the disclosure of personally identifiable information.
- Determining the severity of the risk: putting together the likelihood estimate and the impact estimate allows to calculate an overall severity for the risk. This can be done by reviewing the factors and simply capturing the answers or going through a more formal process of rating the factors and calculating the result. Regardless the method used to combine the data, the final outcome will be an estimate of the severity rating for the risk.
Penneo has implemented a formal change management procedure to ensure that changes are always handled in a consistent and responsible way. The purpose of this ad hoc procedure is to minimize the risk of unauthorized access to data or resources and the chance of failure to process or validate documents. The procedure takes place in the event of alterations concerning both infrastructure and software: for every modification, the security implication is assessed. A change is security critical if it touches one or several of the following areas:
- firewall changes
- signature processing
- document packaging
- document sealing
- document validation
Regardless of the level of criticality, changes are always tested, reviewed and approved by at least two reviewers before they are authorized to be released into our production environments.
Every change to a business process has the potential to change the risk profile. When significant changes are made, the risk assessment is updated to reflect the new risk profile. Further, the risk assessment is reviewed and approved by management at least once a year.
Business Continuity and disaster recovery
The disaster recovery plan is a direct consequence of the vulnerabilities and worst-case scenarios identified through the performed risk assessment. A formal disaster recovery plan has been determined to detail how operations are re-established in case of emergency. A chain of command is set to minimize the time from when disaster hits until the recovery process begins. The disaster recovery plan deals with two important subjects:
- how to return to normal business operations;
- how to keep customers updated about the incident and its consequences.
According to our plan, systems will be re-established in a predefined order based on criticality and customers will be kept up to date with the process and timeline estimates. The disaster recovery plan is tested at least once a year and is kept up to date to reflect the current risk profile of the business.
To be able to deliver a secure high-quality service, Penneo has a formal policy in place to manage third party service providers. Replaceable high-risk or high-impact service providers must be able to produce an annually updated ISAE 3402 assurance report or similar for risk management purposes. These assurance reports are reviewed and assessed annually in order to determine whether any changes or deviations in the third-party providers controls can affect the risk profile of Penneo.
Logical security, employee access, isolated environment
Our logical security is built on the principle of least privilege, widely recognized as an essential design consideration in enhancing protection of data and functionality of platform. Its implementation enables a better system stability and improves the system security. The principle of least privilege requires that every user, program or process must be able to access only the information and resources that are necessary for its legitimate purpose: meaning that a user account or process will have only those minimal privileges which are essential to perform its intended function while any other privileges are blocked. The principle also takes shape in the logical isolation of the various segments (production, development, customer support and other corporate departments).
Access to the Penneo production environment is provided on work-based needs. To achieve this
- a role-based access control model is used
- access is logged
- assignment of privileges is reviewed every six months
- multi-factor authentication by at least two employees is always required to access the production environment and to perform operations such as firewall changes, assigning and revoking privileges, access to backups
Access to the virtual infrastructure is provided through an SSL-encrypted channel while access to the OS level is provided through SSH and its primary purpose is to support the software deployment process.
Safeguarding customers' data and documents is a key focal point for Penneo. To protect the confidentiality of our clients and their business privacy, personal data is
- never used outside the production environment for internal purposes;
- only accessible for Penneo employees if access is explicitly granted by the data owner;
- never shared with a third party through our systems unless initiated by the data owner.
Data is protected in accordance with local, national, and international statutes and regulations.
The access level security is configurable by the individual customers, but Penneo always advises customers to use the strictest settings applicable for the customer use case. In the strictest case all access to customer data is restricted using multi-factor authentication and data is always transmitted relying on end-to-end encrypted channels.
Encryption: NIST standards, AES 256, key hierarchy
Sensitive data and Personally Identifiable Information (PII) are encrypted following the cryptographic standards defined by the National Institute of Standards and Technology (NIST). Penneo only uses encryption algorithms that are FIPS-approved and NIST-recommended. In particular, our security system follows the Advanced Encryption Standard (AES), a specification for the encryption of electronic data established by NIST: originally adopted by the U.S. federal government, AES encryption has become the industry standard for data security and is used worldwide. To be more specific, Penneo's encryption system is built on AES 256, which provides the strongest level of encryption: the result is a tremendously sophisticated form of encryption that is virtually impenetrable using brute-force methods.
AES brings additional security because it uses a key expansion process in which the initial key is used to come up with a series of new keys called round keys; these round keys are generated over multiple rounds of modification, each of which makes it harder to break the encryption. In fact, what is most likely the best way to securely store encryption keys is using a key hierarchy, i.e. organize encryption keys so that a master key is used to encrypt other keys that are in turn used to encrypt the actual data you want to protect. A key hierarchy provides a powerful pattern for storing an application's cryptographic keys and allows to use different keys for different data while focusing your protection efforts on the master key.
An important aspect of a key hierarchy is that the master key can decrypt all the other keys, and therefore (indirectly) all of the data. To protect a master key while keeping it accessible and available when needed, Penneo uses the AWS CloudHSM service that stores the encryption keys in an HSM (Hardware Security Module), a purpose-built hardware designed to protect sensitive data. The HSM provides physical and logical protection for cryptographic key material and meet some of the most stringent security standards, offering a high level of security for the key and the data it encrypts.
Automated and encrypted backups of our databases
All data stored in the Penneo production environment is mirrored between three data centers in two physical locations and stored on multiple devices in each data center.
At Penneo, we define two classes of data that are treated differently when it comes to backup strategies. These categories can be described as follows:
- Customer data (documents): the document storage solution utilized by Penneo mirrors data in six different physical facilities. The solution performs regular, systematic data integrity checks and is built to be automatically "self-heal" if data is lost in four storage facilities. Every document is versioned and every change can be rolled back.
- System data: it's backed up daily with support for point-in-time recovery; the retention period for these backups is 30 days.
A Backup restore test is performed at least once a year and kept up to date to reflect the current risk profile of the business.
Disposal and data deletion policy
We have implemented a deletion policy for all customer data. The policy states that even though data is deleted through the customer facing interfaces, it will only be flagged for deletion in the production environment, i.e. not hard deleted. Hard deletion of a document (including all revisions) can only be performed by at least two employees working together. Data flagged for deletion will be hard deleted within 60 days of being flagged.
The customer is responsible for assessing any sensitive data and activating the build-in system functionality before sending documents for signing. Penneo provides its clients with configurable security features, but always recommends using the strictest settings applicable for the customer use case to ensure greater protection.
Even the strongest cryptographic systems are vulnerable if a hacker gains access to the key itself. That's why utilizing strong passwords, multifactor authentication, firewalls, and antivirus software is critical to the larger security picture. Properly trained users are the first line of defense against online threats.