Tech Brief
Hippo On Demand – Security Brief
Securing your digital enterprise

This document describes how Hippo OnDemand delivers a secure hosted environment for digital experience management.

Amsterdam • Boston
Follow the Hippo trail: onehippo.com
Table of Contents

Introduction  3
1. Physical Security  3
   Hosting and infrastructure  3
   Network Security  3
2. Software Security  4
   Web-browser security  4
   Database Security  4
   Application Security  4
3. Application Access and User Permissions  5
   User and Permission Management  5
   Authentication: Password Management and Access Controls  5
   Authorization: Roles, Groups and Permissions  6
   Security Extensions / Integrations  6
4. Data Security and backups  6
   Data Ownership  6
   Application Data Access  7
   Encryption, SSL & Certificates  7
   Data Integrity & Backups  7
5. Compliance and Security Protocol  8
   Standards & Security Audits  8
   Logging & Monitoring  8
   Vulnerability Testing  8
   Vulnerability Remediation / Patch Management  9
   Security Incident Management  9
   Business Continuity and Disaster Recovery  9
About Hippo  10
Introduction

What is Hippo OnDemand?
Hippo OnDemand is Hippo's cloud offering for web content management. Along with access to the Hippo CMS Enterprise Edition, Hippo OnDemand offers on-going support and maintenance as part of the subscription. Deployed in a three-tiered web architecture, Hippo OnDemand is functionally separated into:
• the delivery tier - which runs the Hippo Site Toolkit (HST) application
• the repository - where all content, metadata, user and workflow data are stored
• the authoring (content management) tier - the CMS web application used to edit and publish content

How does Hippo OnDemand handle security?
Hippo offers out-of-the-box authentication and authorization services but also uses an extensible security mechanism allowing for very flexible integrations with external authentication and authorization services.

The sections below cover the security capabilities of the Hippo OnDemand platform, starting with data center and network security and moving on to application, user and data security before touching on security procedures and audits.

[Figure: Hippo OnDemand platform overview. Labels: Internet; VPN; Load Balancers and proxy servers in high availability; Web layer; Application Layer: HST & Site servers; Storage Layer (MySQL in High Availability, Couchbase Cluster); Customer A, Customer B ... Customer Z; Monitoring & Management; DNS, Authentication and other Services.]
1. Physical Security

Hosting and infrastructure
For the delivery of Hippo OnDemand, Hippo works with certified hosting providers in North America and EMEA meeting the highest standards in availability and security. All data centers have redundant internet connectivity. Along with a clustered production environment, Hippo OnDemand also offers a Test environment and an Acceptance (staging) environment as part of its standard offering, giving customers full control for continuous development (test) and integration tests (acceptance) before deploying to production.

Hippo Data Centres   Primary Data Centres   Secondary Data Centres
US                   Chicago                New York City
Canada               Toronto                Vancouver
EMEA                 Amsterdam              Harlem

The OnDemand environment is set up based on Hippo's best practices. Each environment is made up of multiple layers: load balance layer, web proxy layer, application layer and database layer. Each virtual machine in each layer has its own host-based firewall rules. And because a typical environment contains multiple instances (nodes) of the site application server and the CMS application server, it delivers high performance and availability.

Network Security
Hippo insulates the OnDemand platform from inappropriate or malicious Internet traffic. To accomplish this, Hippo employs multiple network defenses, from firewalls and network intrusion detection to 24/7/365 network surveillance and incident response. Customers may connect to the CMS in any fashion over the internet, as CMS security is independent of customer network connectivity. Hippo OnDemand is protected from network intrusions and attacks by a redundant pair of perimeter firewalls. Bi-directional rules control the flow of traffic to and from the OnDemand platform, permitting only packets that are explicitly required to deliver the Hippo OnDemand service. Only secure sessions that pass inspection by the perimeter firewall can reach the OnDemand platform.

[Figure: network path into an OnDemand environment. Labels: Internet; Load Balancers; Webserver & reverse proxies; CMS Server; Site server; Database.]
2. Software Security

Hippo CMS software runs on Linux servers and MySQL database servers. Multiple server pairs (CMS units) make up the OnDemand platform. Each customer is granted exclusive access to their own content management environment and database instance. A combination of web, database and application security methods and practices insulates customers both from each other and from external attack.

Web-browser security
To access the CMS web interface, the customer's browser must have JavaScript and session cookies enabled. Cookies used by the CMS application do not contain any user credentials or session data. In other words, Hippo CMS does not store any sensitive information on the user's system.

Database Security
Each customer is given their own separate database instance on the MySQL database cluster. Access to that database instance is protected by an auto-generated strong password, unique to each customer. In addition, each database can only be accessed from the CMS web server to which that customer has been assigned. Together, these database access controls protect the privacy and integrity of each customer's managed content.

Application Security
During application development on Hippo CMS, security guidelines are used to avoid introducing application vulnerabilities that might otherwise be exploited to attack the Hippo OnDemand platform or gain unauthorized access. The Hippo CMS architecture and its underlying frameworks (JCR) prevent SQL injection attacks by default.

3. Application Access and User Permissions

Hippo has an extensive security model that limits access at repository level. By default, applications use a single (password) authentication and authorization mechanism. If required, multi-factor authentication can be added by configuration (not customization). Also, the complexity of the password can be configured and tailored to customer-specific needs. Passwords can expire on a configurable interval, and this policy holds for all users.

User and Permission Management
User and permission management is a very important aspect of any type of enterprise software. For CMS systems this aspect needs to be split into user and permission management for site visitors and for CMS users. Combined, they control which content a site visitor can see, or which content a CMS user can see or edit. Hippo CMS uses by default an internally developed authentication and authorization solution but also provides the option to integrate with LDAP servers. Certified options for LDAP include: Microsoft Active Directory, OpenLDAP, Novell Directory Services (now NetIQ eDirectory) and Apache DS.

Authentication: Password Management and Access Controls
By default, Hippo CMS only uses password authentication, but multi-factor authentication can be configured as well. Hippo also supports IP-based access control lists (ACL) so that only people coming from a customer-specified set of IP addresses can access the CMS environment. Password complexity can be configured and tailored to match customer-specific security policies. Empty passwords are not allowed, and password expiration is enabled by default with configurable time frames to match customer-specific security policies. A forgotten-password feature can be configured in the client-specific project. Admin users can reset a user's password; passwords can also be reset through the Hippo Support Desk. After a configurable number of attempts a CAPTCHA must be filled in to prevent brute-forcing of passwords.
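The access controls listed above (IP-based ACL, non-empty and complex passwords, configurable expiration, and a CAPTCHA after a number of failed attempts) combine into a small gate that runs before any password is checked. The following Python is an added illustration written for this brief, not Hippo CMS code: the network ranges, the 12-character/three-class complexity rule, the 90-day expiry and the five-attempt threshold are constructed policy values standing in for a customer's own configuration.

```python
import ipaddress
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed policy values for this example; they are assumptions, not Hippo defaults.
ALLOWED_NETWORKS: List[ipaddress.IPv4Network] = [
    ipaddress.ip_network("203.0.113.0/24"),   # customer office range (documentation prefix)
    ipaddress.ip_network("198.51.100.7/32"),  # a single approved VPN egress address
]
PASSWORD_MIN_LENGTH = 12               # complexity rule, tailored per customer policy
PASSWORD_MAX_AGE = timedelta(days=90)  # configurable expiration interval
CAPTCHA_AFTER_FAILURES = 5             # failed attempts before a CAPTCHA is demanded


def ip_allowed(client_ip: str) -> bool:
    """IP-based ACL: only addresses inside the customer-specified set may reach the CMS."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def password_complexity_ok(password: str) -> bool:
    """Empty passwords are always rejected; beyond that, require a minimum length and
    three of four character classes (a constructed policy, not Hippo's own rules)."""
    if not password or len(password) < PASSWORD_MIN_LENGTH:
        return False
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for c in classes if re.search(c, password)) >= 3


def password_expired(last_changed: datetime, now: datetime) -> bool:
    """Expiration on a configurable interval, applied to every user alike."""
    return now - last_changed > PASSWORD_MAX_AGE


class LoginThrottle:
    """Tracks consecutive failed logins per account; once the threshold is reached,
    further attempts must solve a CAPTCHA, which blunts online password guessing."""

    def __init__(self, threshold: int = CAPTCHA_AFTER_FAILURES) -> None:
        self.threshold = threshold
        self.failures: Dict[str, int] = {}

    def record_failure(self, username: str) -> None:
        self.failures[username] = self.failures.get(username, 0) + 1

    def record_success(self, username: str) -> None:
        self.failures.pop(username, None)

    def captcha_required(self, username: str) -> bool:
        return self.failures.get(username, 0) >= self.threshold


def gate_login(client_ip: str, username: str, captcha_solved: bool,
               throttle: LoginThrottle) -> str:
    """Checks that run before the password is even examined: network ACL first, then
    the brute-force throttle. Returns a short decision label."""
    if not ip_allowed(client_ip):
        return "denied: source address outside customer ACL"
    if throttle.captcha_required(username) and not captcha_solved:
        return "captcha required"
    return "proceed to password check"
```

The ACL check comes first so that a request from outside the customer's address set never even consumes a failed-attempt slot; the throttle state is keyed on the account name, so guessing against one user from many addresses still trips the CAPTCHA.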
Authorization: Roles, Groups and Permissions
Hippo CMS allows for very fine authorization controls, which are fully configurable. By default the roles author, editor and admin are defined. Hippo CMS uses Context Aware Role Based Access Control (CA-RBAC). Roles can be assigned to only parts of the system (features and content). Typically, the users of the CMS are split into groups, where each group has its own set of access rights. These groups, as well as the actual users and their login credentials, are stored in the repository. Next to storing this information in the repository, it is also possible to perform authentication against external systems. This allows, for instance, the reuse of an external LDAP or Active Directory system to authenticate users, removing the need to create and maintain a copy of all user information in the CMS.

Security Extensions / Integrations
Hippo CMS has been developed to align with enterprise security policies. In addition to out-of-the-box authentication and authorization solutions, Hippo also fully integrates with LDAP servers including Microsoft Active Directory, OpenLDAP, Apache DS and other LDAP-compliant directory services. This also allows for the use of Single Sign-On mechanisms. Integration with other identity management systems or single sign-on mechanisms is available via Hippo's open and extensible system. In case an SSO solution is preferred, an HTTP(S) or other reverse proxy is configured and used to redirect browser clients to a central enterprise SSO server for authentication. After authentication, the user and his valid security token are then redirected back. Alternatively, the CMS and Site application can authenticate users using form authentication, JAAS or Spring Security integration, or using a custom implementation. Hippo CMS comes with a standard set of security providers to connect to several types of external systems, but also allows the flexibility to create custom security providers.

Actions taken on each CMS deployment are limited by network and system access controls, as defined by the customer administrator (for user accounts) or Hippo (for administrator accounts). Any CMS session that deviates from the previous 30-day profile for that user in at least three ways will trigger a security alert. An email message is also sent to the customer administrator to warn of potential user account compromise. User permissions are further defined and enforced at three points:
• Each user account is associated with defined Access Control Lists.
• Each user account can also be granted specific CMS file/folder permissions.
• Each user account must be assigned one or more CMS workflow permissions that determine whether that user can create, edit, approve, or publish CMS-managed content.

4. Data Security and backups

The most important part of a Hippo application is the database (repository). This repository contains the settings of the application, as well as the content that is shown and managed by the CMS. Keeping this data safe and secure is key.

Data Ownership
All content, configuration and targeting data belongs to the customer and is entered through the Hippo CMS interface. This includes click-path and web-visitor information for the Relevance Module (Personalization / Content Targeting), which is stored in a separate NoSQL database (Couchbase).
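The session-alert rule described above (a CMS session that deviates from the user's previous 30-day profile in at least three ways raises an alert and an e-mail to the customer administrator) can be made concrete as detection logic over audit records. The Python below is an added example for this brief, not Hippo's monitoring code: the audit records are constructed, the four "ways" a session can deviate (country, user agent, hour of day, action volume) are this example's choice of features, and the "twice the previous maximum" action-volume rule is an assumption.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample audit records, one per CMS login session (not real Hippo log data).
SESSIONS = [
    {"user": "alice", "ts": "2015-03-02T09:15:00", "country": "NL", "ua": "Firefox/36", "actions": 14},
    {"user": "alice", "ts": "2015-03-09T10:40:00", "country": "NL", "ua": "Firefox/36", "actions": 22},
    {"user": "alice", "ts": "2015-03-16T13:05:00", "country": "NL", "ua": "Firefox/36", "actions": 9},
    {"user": "alice", "ts": "2015-03-23T16:50:00", "country": "NL", "ua": "Firefox/37", "actions": 18},
    {"user": "bob",   "ts": "2015-03-20T11:00:00", "country": "US", "ua": "Chrome/41",  "actions": 30},
]

ALERT_THRESHOLD = 3   # the brief's rule: three or more deviations raise an alert
WINDOW_DAYS = 30      # the profile covers the previous 30 days


def build_profile(sessions, user: str, now: datetime) -> Optional[Dict]:
    """Summarise a user's sessions from the previous 30 days. Returns None for a user
    with no history in the window (nothing to compare against yet)."""
    cutoff = now - timedelta(days=WINDOW_DAYS)
    recent = [s for s in sessions
              if s["user"] == user and cutoff <= datetime.fromisoformat(s["ts"]) < now]
    if not recent:
        return None
    hours = [datetime.fromisoformat(s["ts"]).hour for s in recent]
    return {
        "countries": {s["country"] for s in recent},
        "agents": {s["ua"] for s in recent},
        "hour_min": min(hours),
        "hour_max": max(hours),
        "max_actions": max(s["actions"] for s in recent),
    }


def deviations(profile: Dict, session: Dict) -> List[str]:
    """Each check is one 'way' a session can deviate from the profile."""
    found = []
    if session["country"] not in profile["countries"]:
        found.append("new-country")
    if session["ua"] not in profile["agents"]:
        found.append("new-user-agent")
    hour = datetime.fromisoformat(session["ts"]).hour
    if not profile["hour_min"] <= hour <= profile["hour_max"]:
        found.append("outside-usual-hours")
    if session["actions"] > 2 * profile["max_actions"]:   # assumed volume rule
        found.append("unusual-action-volume")
    return found


def evaluate_session(sessions, session: Dict) -> Dict:
    """Compare one new session against the user's 30-day profile. The result carries the
    deviations so the e-mail to the customer administrator can explain the alert."""
    now = datetime.fromisoformat(session["ts"])
    profile = build_profile(sessions, session["user"], now)
    if profile is None:
        return {"user": session["user"], "alert": False, "deviations": [], "note": "no profile yet"}
    found = deviations(profile, session)
    return {"user": session["user"], "alert": len(found) >= ALERT_THRESHOLD, "deviations": found}


def admin_notice(result: Dict) -> str:
    """Plain-text body for the warning sent to the customer administrator."""
    return ("Possible account compromise for user {user}: session deviated from the 30-day "
            "profile in {n} ways ({devs}).").format(
                user=result["user"], n=len(result["deviations"]),
                devs=", ".join(result["deviations"]))
```

Requiring three independent deviations rather than one is what keeps the false-positive rate workable: a single new browser version or a late-evening edit is routine, while a new country, an unfamiliar client and an off-hours burst of activity together is worth a human look. A user with no history in the window produces no alert at all, which is why onboarding should be paired with a separate review of first-week activity.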
Application Data Access
The accompanying diagram shows the different layers of a Hippo application. Applications are built using Hippo's tested and secure application framework (HST – Hippo Site Toolkit). The HST library enforces that a security session is always present, making it possible to restrict access down to field level on documents. Hippo is functionally separated into the authoring tier, the repository and the delivery tier, but also logically separated into a load balance layer, web proxy layer, application layer and database layer. Each virtual machine in each layer has its own host-based firewall rules. Data lives less than seconds in the web layer as it is only passed through by the proxies, unless (disk) caching is enabled in the proxy layer.

[Figure: layers of a Hippo application. Labels: Hippo CMS UI; Hippo CMS; Your Site; JSP; HST; Hippo API; Hippo Repository.]

Encryption, SSL & Certificates
Hippo CMS stores important and sensitive data (such as user passwords) in an encrypted format using the (Java) SHA-1 hash algorithm with salting (salt size 8). For the Hippo OnDemand platform, traffic from the web server to the client is encrypted over an HTTPS connection. The data between the primary and secondary data centre is transported over a private line. Hippo CMS supports SSL. For the Hippo OnDemand service, certificates (encryption keys) are provided by the clients and installed on Hippo's servers. HTTPS is used by all processes that require secure communication (like password validation).

Data Integrity & Backups
Hippo makes full backups of all customer data on a daily basis. Since the Hippo CMS/repository stores all information in the database, backing up the database is sufficient. The backups are transported to a second data center at a different location over a dedicated private line. From the backups the original systems can be restored. Hippo is located in two data centers per region (North America and EMEA), and backups are copied from the primary data center to the secondary and vice versa. In addition, Hippo can transfer a copy of the backup over a secure connection to a customer's server at an additional premium. Hippo doesn't keep backups in the primary location, and we have 24/7 access to the backups in the secondary location. The backup and retention policies for Hippo OnDemand are as follows:

Production environments:
1. A full backup is made every night between 1 am and 8 am Central European Time
2. For the last seven days all backups are kept;
3. For the last month one backup per week is kept;
4. For the last twelve months one backup per month is kept.

Test and Acceptance (Staging) environments:
1. A full backup is made every night between 1 am and 8 am Central European Time
2. Backups are kept for at least three days.

It is very common to restore a Production backup in a Development or Testing environment for testing purposes during a project or new release. The Hippo infrastructure team that manages the Hippo OnDemand platform tests the backup and restore procedures regularly.
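The password-storage scheme named in the Encryption section above (SHA-1 with an 8-byte salt) is shown below as working Python so the mechanics are visible: the salt is random per user, stored next to the digest, and verification recomputes the digest with that salt and compares in constant time. This is an added example for this brief, not Hippo CMS code; the "salthex$digesthex" storage format, the salt-before-password ordering and the UTF-8 encoding are this example's assumptions, since the brief does not specify them. The PBKDF2 pair at the end is a caveat a practitioner would add: a salted fast hash protects against precomputed tables but not against high-speed guessing of a leaked table, which a deliberately slow key-derivation function does.

```python
import hashlib
import hmac
import os

SALT_SIZE = 8  # the brief states a salt of size 8; storage format below is assumed


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted SHA-1 as the brief describes: a fresh random salt is prepended to the
    password before hashing, so two users with the same password get different values."""
    if salt is None:
        salt = os.urandom(SALT_SIZE)
    if len(salt) != SALT_SIZE:
        raise ValueError("salt must be %d bytes" % SALT_SIZE)
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return "%s$%s" % (salt.hex(), digest)


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest = stored.split("$", 1)
    candidate = hashlib.sha1(bytes.fromhex(salt_hex) + password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, digest)


def hash_password_pbkdf2(password: str, salt: bytes = None, iterations: int = 200_000) -> str:
    """Hardened alternative (not the brief's scheme): PBKDF2-HMAC-SHA256 from the standard
    library makes every guess cost `iterations` hash computations instead of one."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password_pbkdf2(password: str, stored: str) -> bool:
    """The iteration count travels with the record, so it can be raised for new passwords
    without breaking verification of older ones."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)
```

`hmac.compare_digest` is used for both comparisons so that verification time does not leak how many leading characters of a guess matched the stored digest.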
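The production retention policy listed above (every backup for seven days, one per week for a month, one per month for twelve months) is a tiered "grandfather-father-son" selection, and the staging policy is a simple minimum-age cut. The Python below is an added example for this brief, not Hippo's backup tooling: it decides which of a set of nightly backups to keep on a given day. Reading "month" as 30 days and "year" as 365 days, keeping the newest backup within each week or month bucket, and bucketing weeks by ISO week number are this example's interpretation of the policy.

```python
from datetime import date, timedelta
from typing import Dict, Iterable, List, Set, Tuple


def select_backups_to_keep(backups: Iterable[date], today: date,
                           daily_days: int = 7, weekly_days: int = 30,
                           monthly_days: int = 365) -> Set[date]:
    """Tiered retention:
       - every backup from the last `daily_days`;
       - the newest backup of each ISO week from there back to `weekly_days`;
       - the newest backup of each calendar month from there back to `monthly_days`.
    The 7 / 30 / 365 defaults are the production policy from the brief as read here."""
    daily_cutoff = today - timedelta(days=daily_days)
    weekly_cutoff = today - timedelta(days=weekly_days)
    monthly_cutoff = today - timedelta(days=monthly_days)

    keep: Set[date] = set()
    newest_in_week: Dict[Tuple[int, int], date] = {}
    newest_in_month: Dict[Tuple[int, int], date] = {}

    for b in sorted(backups):           # ascending, so the last assignment per bucket is the newest
        if b > today:
            continue                    # ignore anything carrying a clock-skewed future date
        if b > daily_cutoff:
            keep.add(b)
        elif b > weekly_cutoff:
            iso_year, iso_week = b.isocalendar()[:2]
            newest_in_week[(iso_year, iso_week)] = b
        elif b > monthly_cutoff:
            newest_in_month[(b.year, b.month)] = b
        # anything older than monthly_cutoff has aged out of retention

    keep.update(newest_in_week.values())
    keep.update(newest_in_month.values())
    return keep


def staging_backups_to_keep(backups: Iterable[date], today: date, min_days: int = 3) -> Set[date]:
    """Test/Acceptance policy: keep at least the last `min_days` nightly backups."""
    cutoff = today - timedelta(days=min_days)
    return {b for b in backups if cutoff < b <= today}


def nightly_backups(first: date, last: date) -> List[date]:
    """Constructed input: one backup per night between two dates, inclusive."""
    return [first + timedelta(days=i) for i in range((last - first).days + 1)]
```

Everything not in the returned set is eligible for deletion; running the selection against the secondary site's catalogue and diffing the result against what is actually present is a cheap daily check that the policy and the copies agree.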
5. Compliance and Security Protocol

Standards & Security Audits
The data centers Hippo contracts for the delivery of Hippo OnDemand are ISO certified (270001 and 90001) and PCI PA. Hippo regularly asks external agencies to conduct security audits for Hippo CMS. These security audits ensure that the Hippo CMS and Delivery Tier comply with the latest security standards to protect Hippo implementations against attacks. To date, all projects comply with these security audits. As a company, Hippo is responsible for ensuring the Hippo Platform is aligned with the latest best practices in security. Additionally, Hippo has built up and documented a series of best practices to help prevent vulnerabilities such as cross-site attacks in delivery channels.

Logging & Monitoring
All activity in the CMS is registered and available for reporting. The audit log contains, among others, logins, workflow actions and any modifications to the system. Hippo OnDemand is monitored at the application level as well to ensure that the CMS is running the way it should. Security-related events are routinely monitored and logged by Hippo's firewalls and servers. A monitoring daemon on each server also keeps an eye on operational events, including host resources and environmental factors. All alerts are relayed to Hippo's Network Operations Centre (NOC). In addition, priority 1 alerts are immediately escalated by paging Hippo NOC staff. At Hippo's NOC, trained network and system administrators monitor incoming alerts 24/7/365, verifying each new alert before initiating the appropriate response. To investigate alerts, Hippo NOC staff use strongly authenticated, encrypted administrative interfaces to remotely query Hippo OnDemand platform components. Specifically, all terminal server sessions are protected by Secure Shell (SSH) or Virtual Private Network (VPN) tunnels.
• For SSH administrative access, Hippo requires SSH version 2 with RSA digital certificate authentication. Password authentication over SSH is not allowed.
• For VPN administrative access, Hippo requires an SSL VPN tunnel, protected with personal certificates, 160-bit HMAC-SHA1 for message integrity, and 128-bit Blowfish encryption.
These secure interfaces let Hippo investigate alerts remotely, while preventing unauthorized access to the OnDemand platform or disclosure, modification, or replay of sensitive management messages.

Vulnerability Testing
The Hippo OnDemand platform undergoes vulnerability assessments and penetration tests at regular intervals. In addition, clients of Hippo CMS conduct load and penetration tests periodically. Some Hippo CMS clients in government and cyber-security go even further by inspecting every single line of code on an annual basis. All security vulnerabilities are shared and resolved immediately in the core software if needed. Hippo's clients (particularly in financial services or government) engage third parties to conduct penetration tests on the OnDemand platform. If non-compliances are found in either the core software of Hippo CMS or the platform, they are resolved with priority within hours.
Vulnerability Remediation / Patch Management
To help eliminate vulnerabilities before they can possibly be exploited, Hippo combines proactive patch management with periodic internal penetration tests.
• Hippo monitors security lists for new exposures that may impact Hippo OnDemand.
• As new security patches become available, they are first reviewed for relevance to the Hippo OnDemand platform.
• Relevant security patches are first verified on QA/Staging servers, typically for two days, before being applied to production servers.
• Routine vulnerability scans are also performed by Hippo semi-annually.

Security Incident Management
Hippo has a dedicated and specific process around security issues, and such issues are dealt with at higher priority than other issues. During incident investigation, if NOC staff determine that an attack is underway or has occurred, actions will be taken to quarantine IP addresses and/or disconnect sessions as needed to contain the incident and prevent further damage. If necessary to mitigate the attack or protect customer content, staff may also temporarily disable CMS customer accounts and/or databases. The Hippo Service Manager assigned to each affected customer account will contact the customer to review the incident, actions taken, and impact on that customer.

Business Continuity and Disaster Recovery
Aside from backup and security protocols, Hippo has an extensive business continuity and disaster recovery plan. For details please refer to the Business Continuity Plan, which is provided as a separate document.
About Hippo
Hippo is on a mission to make the digital experience more personable for every visitor. We're redefining the CMS space by engineering the world's most advanced content performance platform, designed to help businesses understand their visitors – whether they are known or anonymous – and deliver the content they value in any context and on any device. Together with its global network of Certified Partners, Hippo serves a rapidly growing number of enterprise clients around the world including Condé Nast, Bell Aliant, Autodesk, Couchbase, the Dutch Foreign Office, Mailchimp, Randstad, Veikkaus, the University of Maryland, NHS, 1&1 Internet, Bugaboo and Weleda.

Connect with Hippo on Twitter and LinkedIn.
For more information visit www.onehippo.com