Tech Brief

Hippo On Demand – Security Brief

Securing your digital enterprise

This document describes how Hippo OnDemand delivers a secure hosted environment for digital experience management.

Amsterdam • Boston

Follow the Hippo trail: onehippo.com

Table of Contents

Introduction
1. Physical Security
   Hosting and infrastructure
   Network Security
2. Software Security
   Web-browser security
   Database Security
   Application Security
3. Application Access and User Permissions
   User and Permission Management
   Authentication: Password Management and Access Controls
   Authorization: Roles, Groups and Permissions
   Security Extensions / Integrations
4. Data Security and backups
   Data Ownership
   Application Data Access
   Encryption, SSL & Certificates
   Data Integrity & Backups
5. Compliance and Security Protocol
   Standards & Security Audits
   Logging & Monitoring
   Vulnerability Testing
   Vulnerability Remediation / Patch Management
   Security Incident Management
   Business Continuity and Disaster Recovery
About Hippo

Introduction

What is Hippo OnDemand?

Hippo OnDemand is Hippo’s cloud offering for web content management. Along with access to the Hippo CMS Enterprise Edition, Hippo OnDemand offers on-going support and maintenance as part of the subscription. Deployed in a three tiered web architecture, Hippo OnDemand is functionally separated into:

• the delivery tier - which has the Hippo Site toolkit (HST) application
• the repository - where all content, metadata, user and workflow data are stored
• the authoring (content management) tier - CMS web application to edit and publish

How does Hippo OnDemand handle security?

Hippo offers out of the box authentication and authorization services but also uses an extensible security mechanism allowing for very flexible integrations with external authentication and authorization services.

The sections below cover the security capabilities of the Hippo OnDemand platform starting with data center and network security and moving on to application, user and data security before touching on security procedures and audits.

[Figure: platform architecture diagram. Labels: Internet; VPN; Web layer (Load Balancers and proxy servers in high availability); Application Layer: HST & Site servers (Customer A, Customer B, Customer Z); Storage Layer (MySQL in High Availability, Couchbase Cluster); Monitoring & Management; DNS, Authentication and other Services]

1. Physical Security

Hosting and infrastructure

For the delivery of Hippo OnDemand, Hippo works with certified hosting providers in North-America and EMEA meeting the highest standards in availability and security. All data centers have redundant internet connectivity.

Hippo Data Centres   Primary Data Centres   Secondary Data Centres
US                   Chicago                New York City
Canada               Toronto                Vancouver
EMEA                 Amsterdam              Harlem

Along with a clustered production environment, Hippo OnDemand also offers a Test environment and an acceptance (staging) environment as part of its standard offering giving customers full control for continuous development (test) and integration tests (acceptance) before deploying to production. The OnDemand environment is set up based on Hippo’s best practices. Each environment is made up of multiple layers: Load balance layer, Web proxy layer, Application layer and Database layer. Each virtual machine in each layer has its own host based firewall rules. And, because a typical environment contains multiple instances (nodes) of the site application server and the CMS application server, it ensures delivering high performance and availability.

[Figure: environment layers. Labels: Internet, Load Balancers, Webserver & reverse proxies, CMS Server, Site server, Database]

Network Security

Hippo insulates the OnDemand platform from inappropriate or malicious Internet traffic. To accomplish this, Hippo employs multiple network defenses, from firewalls and network intrusion detection to 24/7/365 network surveillance and incident response.

Customers may connect to the CMS in any fashion over the internet as CMS security is independent of customer network connectivity. Hippo OnDemand is protected from network intrusions and attacks by a redundant pair of perimeter firewalls. Bi-directional rules control the flow of traffic to and from the OnDemand platform, permitting only packets that are explicitly required to deliver the Hippo OnDemand service. Only secure sessions that pass inspection by the perimeter firewall can reach the OnDemand platform.

2. Software Security

Hippo CMS software runs on Linux servers and MySQL database servers. Multiple server pairs (CMS units) make up the OnDemand platform. Each customer is granted exclusive access to their own content management environment and database instance. A combination of Web, database, and application security methods and practices insulates customers both from each other and from external attack.

Web-browser security

To access the CMS Web interface, the customer’s browser must have JavaScript and session cookies enabled. Cookies used by the CMS application do not contain any user credentials or session data. In other words, Hippo CMS does not store any sensitive information on the user’s system.

Database Security

Each customer is given their own separate database instance on the MySQL database cluster. Access to that database instance is protected by an auto-generated strong password, unique to each customer. In addition, each database can only be accessed from the CMS Web server to which that customer has been assigned. Together, these database access controls protect the privacy and integrity of each customer’s managed content.

Application Security

During the application development on Hippo CMS, security guidelines are used to avoid introducing application vulnerabilities that might otherwise be exploited to attack the Hippo OnDemand platform or gain unauthorized access. The Hippo CMS architecture and its underlying frameworks (JCR) prevent SQL injection attacks by default.

3. Application Access and User Permissions

Hippo has an extensive security model that limits access at repository level. By default, applications use a single (password) authentication and authorization mechanism. If required, multi-factor authentication can be added by configuration (not customization). Also, the complexity of the password can be configured and tailored to customer specific needs. Passwords can expire on a configurable interval and this policy holds for all users.

User and Permission Management

User and permission management is a very important aspect of any type of enterprise software. For CMS systems this aspect needs to be split into user and permission management for site visitors and for CMS users. Combined, they control which content a site visitor can see, or which content a CMS user can see or edit. Hippo CMS uses by default an internally developed authentication and authorization solution but also provides the option to integrate with LDAP servers. Certified options for LDAP include: Microsoft Active Directory, OpenLDAP, Novell Directory Services (now NetIQ Edirectory) and Apache DS.

Authentication: Password Management and Access Controls

By default, Hippo CMS only uses password authentication but multi-factor authentication can be configured as well. Hippo also supports IP based access control lists (ACL) so that only people coming from a customer specified set of IP addresses can access the CMS environment. Password complexity can be configured and tailored to match customer specific Security Policies. Empty passwords are not allowed and password expiration is enabled by default with configurable time frames to match customer specific security policies. A forgotten password feature can be configured in the client-specific project. Admin users can reset a user’s password but passwords can also be reset through Hippo Support Desk. After a configurable number of attempts a CAPTCHA must be filled in to prevent brute forcing passwords.

Authorization: Roles, Groups and Permissions

Hippo CMS allows for very fine authorization controls, which are fully configurable. By default the roles author, editor and admin are defined. Hippo CMS uses Context Aware Role Based Access Control (CA-RBAC). Roles can be assigned to only parts of the system (features and content). Typically, the users of the CMS are split into groups, where each group has their own set of access rights. These groups, as well as the actual users and their login credentials, are stored in the repository. Next to storing this information in the repository, it is also possible to perform authentication against external systems. This allows for instance the reuse of an external LDAP or Active Directory system to authenticate users, removing the need to create and maintain a copy of all user information in the CMS.

Actions taken to each CMS deployment are limited by network and system access controls, as defined by the customer administrator (for user accounts) or Hippo (for administrator accounts). Any CMS session that deviates from the previous 30 day profile for that user in at least three ways will trigger a security alert. An email message is also sent to the customer administrator to warn of potential user account compromise. User permissions are further defined and enforced at three points:

• Each user account is associated with defined Access Control Lists.
• Each user account can also be granted specific CMS File/Folder permissions.
• Each user account must be assigned one or more CMS Workflow permissions that determine whether that user can create, edit, approve, or publish CMS-managed content.

Security Extensions / Integrations

Hippo CMS has been developed to align with Enterprise security policies. In addition to out of the box authentication and authorization solutions, Hippo also fully integrates with LDAP servers including Microsoft Active Directory, Open LDAP, Apache DS and other LDAP compliant directory services. This also allows for the use of Single Sign On mechanisms. Integration with other Identity management systems or single-sign on mechanisms is available via Hippo’s open and extensible system. In case an SSO solution is preferred, HTTP(s) or another reverse proxy is configured and used to redirect browser clients to a central Enterprise SSO server for authentication. After authentication, the user and his valid security token are then redirected back. Alternatively, the CMS and Site application can authenticate users using Form Authentication, JAAS or Spring Security Integration, or using a custom implementation. Hippo CMS comes with a standard set of security providers to connect to several types of external systems, but also allows flexibility to create custom security providers.

4. Data Security and backups

The most important part of a Hippo application is the database (repository). This repository contains the settings of the application, as well as the content that is shown and managed by the CMS. Keeping this data safe and secure is key.

Data Ownership

All content, configuration and targeting data belongs to the customer and is entered through the Hippo CMS interface. This includes click-path and web-visitor information for the Relevance Module (Personalization / Content Targeting), which is stored in a separate NoSQL database (Couchbase).

Application Data Access

This diagram shows the different layers of a Hippo application. Applications are built using Hippo’s tested and secure application framework (HST – Hippo Site Toolkit). The HST library enforces that a security session is always present, making it possible to restrict access up to field level on documents. Hippo is functionally separated into the authoring tier, the repository and the delivery tier, but also logically separated into load balance layer, web proxy layer, application layer and a database layer. Each virtual machine in each layer has its own host based firewall rules. Data lives less than seconds in the web layer as it’s only passed through by the proxies, unless (disk) caching is enabled in the proxy layer.

[Figure: layers of a Hippo application. Labels: HippoCMS, Your Site, JSP, HST, Hippo API, Hippo Repository, Hippo CMS UI]

Encryption, SSL & Certificates

Hippo CMS will store important and sensitive data (such as user passwords) in an encrypted format using the (Java) SHA-1 hash/algorithm with salting (size 8). For the Hippo OnDemand platform, traffic from the web server to the client is encrypted over an https connection. The data between the primary and secondary data centre is transported over a private line. Hippo CMS supports SSL. For the Hippo OnDemand service, certificates (encryption keys) are provided by the clients and installed on Hippo’s servers. HTTPS is used by all processes that require secure communication (like password validation).

Data Integrity & Backups

Hippo makes full backups of all customer data on a daily basis. Since Hippo CMS/repository stores all information in the database, backing up the database is sufficient. The backups are transported to a second data center at a different location over a dedicated private line. From the backups the original systems can be restored. Hippo is located in two data centers per region (North-America and EMEA) and backups are copied from the primary data center to the secondary and vice versa. In addition, Hippo can transfer a copy of the backup over a secure connection to a customer’s server at an additional premium. Hippo doesn’t have backups in the primary location and we have 24/7 access to the backups in the secondary location. The backup and retention policies for Hippo OnDemand are as follows:

Production environments:

1. A full backup is made every night between 1 am and 8 am Central European Time
2. For the last seven days all backups are kept;
3. For the last month one backup per week is kept;
4. For the last twelve months one backup per month is kept

Test and Acceptance (Staging) environments:

1. A full backup is made every night between 1 am and 8 am Central European Time
2. Backups are kept for at least three days

It is very common to restore a Production backup in a Development or Testing environment for testing purposes during a project / new release. The Hippo infrastructure team that manages the Hippo OnDemand platform tests the backup and restore procedures regularly.
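The production retention schedule listed under Data Integrity & Backups (all backups for seven days, one per week for a month, one per month for twelve months) can be checked mechanically against a backup inventory. The Python below is an added example, not Hippo's tooling: the function names are hypothetical, and it assumes "last month" means 31 days, "twelve months" means 365 days, and that the newest backup in each ISO week or calendar month is the one retained.

```python
from datetime import date, timedelta

# Window lengths are assumptions: the brief names the periods
# ("seven days", "last month", "twelve months") but not their length in days.
DAILY_DAYS = 7
WEEKLY_DAYS = 31
MONTHLY_DAYS = 365


def backups_to_keep(backup_dates, today):
    """Return the set of backup dates retained under the production policy."""
    keep = set()
    weekly = {}   # (ISO year, ISO week) -> newest backup seen in that week
    monthly = {}  # (year, month) -> newest backup seen in that month
    for d in sorted(set(backup_dates)):
        age = (today - d).days
        if age < 0:
            # Future-dated entry (clock skew, bad metadata): never prune
            # something the policy cannot classify.
            keep.add(d)
            continue
        if age >= MONTHLY_DAYS:
            continue  # older than the twelve-month window
        if age < DAILY_DAYS:
            keep.add(d)  # rule 2: every backup of the last seven days
        if age < WEEKLY_DAYS:
            iso_year, iso_week, _ = d.isocalendar()
            weekly[(iso_year, iso_week)] = d  # ascending order: last write is newest
        monthly[(d.year, d.month)] = d
    keep.update(weekly.values())   # rule 3: one backup per week for the last month
    keep.update(monthly.values())  # rule 4: one backup per month for twelve months
    return keep


def backups_to_prune(backup_dates, today):
    """Return, oldest first, the backups the policy no longer requires."""
    keep = backups_to_keep(backup_dates, today)
    return sorted(d for d in set(backup_dates) if d not in keep)


def nightly_backups(today, days):
    """Constructed sample inventory: one backup per night for `days` nights."""
    return [today - timedelta(days=n) for n in range(days)]


if __name__ == "__main__":
    today = date(2024, 7, 1)                 # constructed reference date
    history = nightly_backups(today, 400)    # constructed sample data
    kept = backups_to_keep(history, today)
    print(len(history), "backups in inventory,", len(kept), "retained")
    for d in sorted(kept, reverse=True):
        print(d.isoformat())
```

Because the newest backup of a week or month is always the one chosen, running the rule on its own output returns the same set, so nightly pruning never deletes a backup that a later run would have wanted.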

5. Compliance and Security Protocol

Standards & Security Audits

The data centers Hippo is contracting for the delivery of Hippo OnDemand are ISO certified (270001 and 90001) and PCI PA. Hippo regularly asks external agencies to conduct security audits for Hippo CMS. These security audits ensure that the Hippo CMS and Delivery Tier comply with the latest security standards to protect Hippo implementations against attacks. To date, all projects comply with these security audits. As a company, Hippo is responsible for ensuring the Hippo Platform is aligned with the latest best practices in security. Additionally, Hippo has built up and documented a series of best practices to help prevent vulnerabilities such as cross site in delivery channels.

Logging & Monitoring

All activity in the CMS is registered and available for reporting. The audit log contains, among others, logins, workflow actions and any modifications to the system. Hippo OnDemand is monitored at the application level as well to ensure that CMS is running the way it should.

Security-related events are routinely monitored and logged by Hippo’s firewalls and servers. A monitoring daemon on each server also keeps an eye on operational events, including host resources and environmental factors. All alerts are relayed to Hippo’s Network Operations Centre (NOC). In addition, priority 1 alerts are immediately escalated by paging Hippo NOC staff. At Hippo’s NOC, trained network and system administrators monitor incoming alerts 24/7/365, verifying each new alert before initiating the appropriate response. To investigate alerts, Hippo NOC staff uses strongly authenticated, encrypted administrative interfaces to remotely query Hippo On-Demand platform components. Specifically, all terminal server sessions are protected by Secure Shell (SSH) or Virtual Private Network (VPN) tunnels.

• For SSH administrative access, Hippo requires SSH version 2, RSA digital certificate authentication. Password authentication over SSH is not allowed.
• For VPN administrative access, Hippo requires an SSL VPN tunnel, protected with personal certificates, 160-bit HMAC-SHA1 for message integrity, and 128-bit Blowfish encryption.

These secure interfaces let Hippo investigate alerts remotely, while preventing unauthorized access to the OnDemand platform or disclosure, modification, or replay of sensitive management messages.

Vulnerability Testing

The Hippo OnDemand platform undergoes vulnerability assessments and penetration tests at regular intervals. In addition, clients of Hippo CMS conduct load and penetration tests periodically. Some Hippo CMS clients in government and cyber-security go even further by inspecting every single line of code on an annual basis. All security vulnerabilities are shared and resolved immediately in the core software if needed.

Hippo’s clients (particularly in financial services or government) engage third parties to conduct penetration tests on the OnDemand platform. If non-compliances are found in either the core software of Hippo CMS or the platform, they are resolved on priority within hours.

Vulnerability Remediation / Patch Management

To help eliminate vulnerabilities before they can possibly be exploited, Hippo combines proactive patch management with periodic internal penetration tests.

• Hippo monitors security lists for new exposures that may impact Hippo OnDemand.
• As new security patches become available, they are first reviewed for relevance to Hippo OnDemand Platform.
• Relevant security patches are first verified on QA/Staging servers, typically for two days before being applied to production servers.
• Routine vulnerability scans are also performed by Hippo semi-annually.

Security Incident Management

Hippo has a dedicated and specific process around security issues, and these issues are dealt with at higher priority than other issues. During incident investigation, if NOC staff determines that an attack is underway or has occurred, actions will be taken to quarantine IP addresses and/or disconnect sessions as needed to contain the incident and prevent future damage. If necessary to mitigate the attack or protect customer content, staff may also temporarily disable CMS customer accounts and/or databases. The Hippo Service Manager assigned to each affected customer account will contact the customer to review the incident, actions taken, and impact on that customer.

Business Continuity and Disaster Recovery

Aside from backup and security protocols, Hippo has an extensive business continuity and disaster recovery plan. For details please refer to the Business Continuity Plan which is provided as a separate document.

About Hippo

Hippo is on a mission to make the digital experience more personable for every visitor. We’re redefining the CMS space by engineering the world’s most advanced content performance platform, designed to help businesses understand their visitors – whether they are known or anonymous – and deliver the content they value in any context and on any device. Together with its global network of Certified Partners, Hippo serves a rapidly growing number of enterprise clients around the world including Condé Nast, Bell Aliant, Autodesk, Couchbase, the Dutch Foreign Office, Mailchimp, Randstad, Veikkaus, the University of Maryland, NHS, 1&1 Internet, Bugaboo and Weleda.

Connect with Hippo on Twitter and LinkedIn.

For more information visit www.onehippo.com
