I have worked on a couple of Jive client accounts where the secure VPN is set up. This is a very secure approach to open up only specific traffic coming from specific pre-defined locations at the client and Jive datacenter. Simply put, it allows your company's firewall and Jive's to pass traffic while no one else can jump in on the conversation. There are ways to do this to secure the authentication process while still being able to access your Jive site outside of your firewall (say from a personal computer or hotel/airport kiosk). I have seen that approach.
A more secure, but less flexible, approach is to use "IP filtering" to "whitelist" which IP ranges can access the Jive site. In English, this means only computers on your company network will be allowed to access the Jive site. All other requests will be denied at the infrastructure layer at Jive's datacenter, meaning a potential hacker won't even be able to reach the login page. The "less flexible" comment means that an employee on a personal laptop or at a hotel also cannot gain access unless they first log into your company network. There are some ways to overcome that via mobile solutions, but I'll stop there as I may already have put you to sleep.
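To make the IP-filtering point above concrete, here is an added example (not code from Jive or from the poster) of the same allowlist rule expressed as an application-edge gate: the request is accepted or refused before any login logic runs. The CIDR ranges and the trusted-proxy addresses are constructed placeholders, and the one caveat a practitioner would want is built in: `X-Forwarded-For` is only honoured when the immediate peer is one of our own proxies, and the client is taken as the rightmost hop that is not a trusted proxy, so a remote attacker cannot prepend an allowed office address to the header to get past the filter.

```python
import ipaddress
from typing import Optional

# Constructed sample allowlist: stands in for a client's office egress and VPN ranges.
# (Assumption: real deployments take these from configuration, not hard-coded literals.)
ALLOWED_RANGES = [
    ipaddress.ip_network(n)
    for n in ("203.0.113.0/24", "198.51.100.16/28", "2001:db8:abcd::/48")
]

# Constructed sample: addresses of the front-end proxies whose X-Forwarded-For header we trust.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/24",)]


def _in_any(addr, networks) -> bool:
    # Address/network version mismatches simply evaluate to False, so mixed v4/v6 lists are safe.
    return any(addr in net for net in networks)


def client_ip(remote_addr: str, xff_header: Optional[str]) -> Optional[ipaddress._BaseAddress]:
    """Resolve the real client address.

    Only honour X-Forwarded-For if the TCP peer is a trusted proxy. Walk the header
    from the right, skipping our own proxies; the first untrusted hop is the client.
    The leftmost entries are attacker-controlled and must never be used directly.
    Returns None on a malformed header so the caller fails closed.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not _in_any(peer, TRUSTED_PROXIES) or not xff_header:
        return peer  # direct connection (or header from an untrusted peer): ignore the header
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # garbage in the header: do not guess
        if not _in_any(addr, TRUSTED_PROXIES):
            return addr
    return None  # every hop was one of our proxies; no client address to evaluate


def is_allowed(addr: Optional[ipaddress._BaseAddress]) -> bool:
    return addr is not None and _in_any(addr, ALLOWED_RANGES)


def gate(remote_addr: str, xff_header: Optional[str] = None):
    """Return (HTTP status, reason). A 403 here is issued before any authentication code runs,
    which is the 'cannot even reach the login page' property described above."""
    addr = client_ip(remote_addr, xff_header)
    if is_allowed(addr):
        return 200, f"{addr} allowed"
    return 403, f"{addr} not in allowlist"


if __name__ == "__main__":
    # Constructed sample requests: (peer address, X-Forwarded-For header or None)
    samples = [
        ("203.0.113.5", None),                      # office machine, direct
        ("192.0.2.9", None),                        # hotel laptop, direct
        ("10.0.0.5", "203.0.113.5"),                # office machine via our proxy
        ("192.0.2.9", "203.0.113.5"),               # spoofed header from an untrusted peer
        ("10.0.0.5", "203.0.113.5, 192.0.2.9"),     # attacker prepends an allowed address
        ("2001:db8:abcd::1", None),                 # IPv6 office range
    ]
    for peer, xff in samples:
        print(peer, xff, "->", gate(peer, xff))
```

Note that this is the application-layer mirror of what the post describes happening at the datacenter edge; if the hosting provider already drops the packets at its firewall, this gate is defence in depth rather than the primary control, and the forwarded-header handling only matters when there is a reverse proxy or load balancer in front of the application.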
Thanks, that's useful information.
We have quite a few people that we can’t always guarantee would be able to access via our network so the inflexible option may be too restrictive.
I think our network guy is questioning the security of the hardware setup and network at the hosting company. How segregated are we really from other customers? If our servers were compromised, what actions could someone take on our network or AD? I expect if we firewall the incoming VPN connection it should be secure.
In a previous setup we used reverse proxy web servers in the DMZ but that’s not Jive’s standard architecture. I think the issue here is that an attacker could compromise the app server and talk directly to our AD.
Have your other clients used some sort of security checklist they work against, have they insisted on an additional web server layer?
A few additional thoughts to build on Andrew's comments.
- One of our clients is using AD authentication, but is NOT using the VPN. Via the browser (SSL) the client authenticates against the LDAP server over a secure port. I don't know if this aligns with your security policies, but it is working fine for this client.
- In terms of the hosting center, the client is hosted at SunGard and there is a ton of documentation around this that Jive could provide. My understanding is that this is all a single-tenant setup.
- For Jive Cloud implementations... I believe that is multi-tenant.
- I also understand that Jive is moving towards their own hosting center for new clients. I am not familiar with how those are setup and the differences between the previous SunGard installations.
- Finally, I put this document together which may be of some value to you. LDAP and Active Directory Lessons Learned.
The Jive Phoenix data center basically offers the same security measures as SunGard. If you are hosted, you are single-tenant, as Bill said. Cloud is multi-tenant.
We are authenticating against our AD and are not using VPN. We are using ADFS, which is described here: http://msdn.microsoft.com/en-us/library/ee895361.aspx
Our security team submitted a list of questions to Jive to vet their SunGard setup and has done the same with the Phoenix data center. Jive responded promptly and there were no issues.
I will check on the questionnaire and see if it is shareable. On the second question, we do not have true single sign-on, so logging in to Jive is a separate step. Although we do get some complaints, the benefit is that we have the same experience from everywhere--outside the office, on our home computer, etc.--which is important for us considering our audience. We are a digital agency and consultancy, so are frequently working from the road or from client sites.
I am interested in the questionnaire that your security team submitted to Jive. We are in a discovery process of moving from on-prem to private hosted solution and have concerns about the security aspects of this environment. I appreciate if you could share the list of questions here.
There is a good starter list of questions here: Top 12 Questions and Requirements for SaaS & Cloud Vendors – Technology, Security, Identity Management, Compliance, Standards « Karthik Chakkarapani. In addition, we ask questions about security policy and training as well as PII handling. For example:
Is there a documented Information Security Policy that is approved by management?
Do employees attend security training at time of hire and annually?
Is there a dedicated security team responsible for information and physical security in the organization?
Do you conduct background checks at time of hire and thereafter (explain types of checks performed and when they occur)?
Is access to Our Company PII provided to employees only after the background verification is completed and clear?
Do employees sign confidentiality and/or code of ethics upon hire?
Is there a clause related to confidentiality and protection of PII in contracts of all employees having access to Our Company PII? Is there a disciplinary procedure pertaining to violation?
Is there a procedure to request, approve, grant and revoke access to your facilities and Our Company information?
Is there a record of employees having access and privileges to Our Company PII?
Are access rights periodically reviewed and records maintained of such reviews?
Is there a procedure to ensure that access to Our Company PII is immediately revoked on termination of employment?
Are security events related to access and use of Our Company PII logged and such logs preserved?
Are security incidents reported, investigated and corrective actions taken promptly?
Do employees immediately report the loss of or unauthorized access of Our Company PII (explain)?
Are there documented procedures to ensure that such loss, unauthorized use or unauthorized disclosures are reported to Our Company immediately?
Are there documented policies and procedures to ensure that Our Company PII is collected, stored and used only for its intended purpose?
In the past 12 months, have there been any data breaches or other data privacy concerns related to your organization (explain)?
Is Our Company information adequately protected against damage from fire, flood, earthquake, explosion, civil unrest, and other forms of natural or man-made disaster?
Is physical access to Our Company information restricted (explain)?
Is Our Company information handled, collected, processed or stored in hard-copy format?
Is Our Company information handled, collected, processed or stored in soft-copy format?
If Our Company information is in soft-copy, is it encrypted (explain for each case)?
Is Our Company PII encrypted in transit (explain)?
Is Our Company PII encrypted on your systems (explain)?
Is Our Company PII encrypted in storage (explain)?
Is Our Company PII available on employee laptops or other portable devices or media?
Are there controls to detect, prevent and recover from malware?
Is Our Company information securely erased from devices when no longer needed?
Do you regularly patch your operating systems and applications (explain)?
Are periodic security scans performed on your systems and network (explain)?
Hope that helps!