Intelligent Locker LX Series Security FAQs

Frequently Asked Questions about security for Intelligent Locker LX Series
Products affected: Intelligent Locker LX Series


Server Security

Who is your hosting provider?

Google Cloud Platform and/or Amazon Web Services

What are the components of the “technology stack” that supports your locker systems?

Linux, Apache, MySQL, PHP, iOS

What certifications and compliance standards do the hosting provider satisfy?

All servers are hosted on Google Cloud Platform and/or Amazon Web Services

https://cloud.google.com/security/compliance/#/

https://aws.amazon.com/compliance/programs/

Has a Network Vulnerability Assessment/Penetration Test and (if applicable) a Web Application Vulnerability Assessment/Penetration Test been performed on the product? If so, when was the last one performed? Describe how often it is done, by whom, etc.

Yes. We utilize Trustwave PCI scanning and at least semi-annual third-party penetration tests.

What is the authorization process for provisioning accounts?

Luxer One's account administration team works with the customer to provision accounts.

Endpoint Security

Is Anti-Virus/Anti-Malware software installed and enforced on these endpoint devices?

All servers are hosted on Google Cloud Platform and/or Amazon Web Services, which provide virus/malware monitoring.

What endpoint protection mechanisms are in place?

All internal endpoints are protected with firewalls and network configurations that prevent any public access. Access to external endpoints (web and API) is logged and auditable. Standard TLS encryption (TLS 1.2) is supported on all external endpoints.

Data Security

Who is your database hosting provider?

Google Cloud Platform and/or Amazon Web Services

What are the information protection and auditing practices followed by your organization?

Monthly PCI Compliance testing.

What Information Protection features are supported by your product?

Primarily, Luxer One makes every effort not to store any sensitive information. Our systems are PCI compliant and tested on a monthly basis. Encryption in transit is TLS 1.2. Passwords are stored following industry best practices (bcrypt algorithm, log redaction).

Is data at rest encrypted?

Yes, all data is encrypted at rest.

What is your encryption standard for data at rest?

https://cloud.google.com/security/encryption-at-rest/default-encryption

https://aws.amazon.com/rds/features/security/

Do you have a multi-tenant environment?

Yes. A single-tenant environment is available for an additional fee.

If so, do you utilize unique encryption keys per each tenant?

Yes

Also, how do you segregate tenant data from one another?

Single-tenant environments use fully independent storage and processing at the system level. In multi-tenant environments, data is logically separated based on user access controls.

Do you encrypt data in transit?

Yes

What is your protection mechanism for data in transit?

TLS 1.2

Will Luxer One store sensitive data?

Depending on the implementation, the system may store recipient address information, contact information (email or phone number) and/or tracking numbers.

Monitoring

Do you monitor interactions between your systems and any externally integrated system?

We have full tracking of all requests and responses to any external system we may call.

Do you track user login information?

We have full tracking of every user session.

Do you track API access information?

We have full tracking of every API request and response.

Patch Management

Provide a brief summary of how critical patches are applied to all systems and applications.

All servers are hosted on AWS/Google Cloud and are updated as required.

How do you prioritize or tier your patching?

Critical patches will be applied to servers and/or kiosk systems as needed to remediate emergency issues that substantially interfere with basic operations. All other patches are applied as part of the normal periodic update cycle or as determined by internal devops.

Do you have formal procedures for patch updates/management?

Patches and updates are completed as required. All server configuration is maintained as code. All devices in the field are installed with the same configuration and software.

How often do you conduct patching (patch cycle)?

There is no fixed cycle: patches and updates are completed as required, prioritized as described above. Because all server configuration is maintained as code and all devices in the field run the same configuration and software, a patch is rolled out uniformly once applied.

Vulnerability Management

Do you conduct regular vulnerability scanning?

Yes

How frequently are scans run?

At least monthly

What is your policy around timelines for remediation?

Severity | Description | Response Time   | Resolution Time
-------- | ----------- | --------------- | --------------------
1        | Critical    | 15 minutes      | 2 hours
2        | High        | 30 minutes      | 1 business day
3        | Medium      | 1 business day  | 3 business days
4        | Low         | 1 business day  | Mutually agreed upon

Do you keep vulnerability and remediation metrics?

Yes

Do you perform application penetration testing?

Yes. We work with a 3rd party security firm to perform at least semi-annual penetration tests.

Service Level Agreement

What are your service timelines based on severity?

Severity | Description | Response Time   | Resolution Time
-------- | ----------- | --------------- | --------------------
1        | Critical    | 15 minutes      | 2 hours
2        | High        | 30 minutes      | 1 business day
3        | Medium      | 1 business day  | 3 business days
4        | Low         | 1 business day  | Mutually agreed upon

What is your data backup process?

All servers are cloud based, with real-time replication and backups in separate geographic areas.

How do you address scalability and load performance concerns?

We have load balancers, auto-scaling, sharding and redundant systems. All servers are cloud hosted and we run relatively small instances, which means we can scale them up very easily if needed. We monitor the performance of all our servers and receive notifications when they are out of spec.

Are firewall and intrusion detection/prevention system logs collected centrally and secured?

Logs are to be centrally located in the 3rd quarter of 2019.

Is logging enabled on all servers and network devices?

Yes.

Are server and network device logs collected centrally and secured?

Logs are to be centrally located in the 3rd quarter of 2019.

What are the measures taken to ensure that tenant data is protected from all attacks?

We utilize Trustwave PCI scanning and frequent third-party penetration tests. Access to user data is only available via a secure web interface and is strictly segregated by user roles. Direct access to the database is internally limited to defined and managed roles. All access to web and API interfaces is logged and auditable. All endpoints are behind cloud-based load balancers that restrict port and protocol. We use network segregation best practices and restrict access to isolated systems to the least required exposure. Access to systems is restricted via host and network firewalls.

Are application logs collected centrally and secured?

Logs are to be centrally located in the 3rd quarter of 2019.

Do you provide the option for clients to receive a realtime feed of logs pertaining to their data?

API for delivery/pickup information is available.

How is incident detection achieved?

All servers are hosted on Google Cloud Platform, which provides malware monitoring. https://cloud.google.com/security/compliance/#/

How quickly do you notify a client if an incident impacts their data or operations?

As quickly as possible. An assigned account manager will alert the business owner to make them aware of any issue, its timing and its implications.

Network Security

Does utilization of this service require a firewall rule change on local networks?

Depending on the implementation. A cellular (LTE) solution is available that does not depend on the local network.

What ports are required by the Locker System?

The local locker system only requires outbound ("pull") access to the internet. Outbound TCP ports 80 (HTTP) and 443 (HTTPS) must be reachable from the locker; no inbound ports are required.

If so, how do you ensure that production data is protected from unauthorized access or manipulation?

Same controls exist on QA systems as production systems.

How are super-user credentials protected?

We use sudo from individual administrator accounts, where access is logged and can be revoked per person. The root user is disabled on most systems, and root login over SSH is disabled on all systems.

How do system administrators access the production networks?

Shell access requires a certificate-based SSH login through a designated "bastion" server. Control panel access is allowed through appropriately limited user roles in Google Cloud and AWS.

Do you have firewalls and intrusion detection/prevention systems deployed at the perimeter of your network?

Google Cloud firewall is used to protect the application and api service layers.

How do you manage the process for firewall rule changes?

Firewall rule changes require review and sign-off by a dev-ops lead. We use network segregation best practices and restrict access to isolated systems to the least required exposure.

Application Security

What secure coding practices were utilized by the development team?

Feature branching utilizing pull requests, code reviews, unit tests, integration tests and acceptance testing.

Is the application a Content Management System (such as WordPress, Joomla, Drupal)?

No

How do you ensure that secure coding practices are followed?

All code changes are reviewed for security concerns by a lead developer. PCI compliance assessments and third-party security firms perform external penetration tests regularly.

Please describe the security guidelines included in your software development process?

Feature branching utilizing pull requests, code reviews, unit tests, integration tests and acceptance testing.

Access Control

Do you follow the principles of least privilege?

Yes

Do you follow role based access control principles?

Yes

What is the process for adding/deleting users?

Depends on implementation. SSO is available for an additional fee.

Who can update user permissions?

Permissions are role based. Each new user is assigned a role. Only administrators may change a user's role.

What is the primary method of authentication to use this service?

Username and password. SSO is available for an additional fee.

What is the default method for assigning user permissions?

We work with your team to determine which roles have which access. We then build an access matrix to manage user access.

What measures are taken to ensure that usernames, passwords and other user account details are stored in a secure manner?

All passwords are salted and hashed (bcrypt algorithm). All data is encrypted in transit or at rest. Log files are automatically redacted where necessary.

What measures are taken to ensure that user authentication is executed in a secure manner?

All passwords are salted and hashed (bcrypt algorithm). All data is encrypted in transit or at rest. User login only accessible via HTTPS. Log files are automatically redacted where necessary.

Can this service leverage Single-Sign On capabilities through integration with client user stores such as Active Directory, LDAP, etc?

Yes. We currently support SAML but can support other types as necessary. This is available for an additional fee.

Do you employ the use of any APIs to clients?

Yes

What access controls are in place for clients utilizing your APIs?

Managed API keys.

Do you capture robust audit trails at the application layer for all user activities?

Yes
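The Monitoring answers (every API request and response is tracked), the statement that log files are automatically redacted, and the application-layer audit trail confirmed above all meet in one place: the code path that writes an API event to a log. The following is an added example written for this page, not Luxer One's code. The field names, the regular expressions, the HMAC pepper and the sample request are all assumptions; the data classes it scrubs (recipient address, email, phone number, tracking number, passwords and bcrypt hashes) are the ones this FAQ names. Named PII fields are replaced by a keyed fingerprint so an operator can still correlate events for one recipient without the log revealing the value.

```python
"""Application-layer audit logging with redaction (added example, not Luxer One code)."""
import hashlib
import hmac
import io
import json
import logging
import re
from typing import Any

# Assumption: per-deployment secret used only for log fingerprints, kept apart
# from database keys. Without it a fingerprint cannot be reversed by dictionary.
LOG_PEPPER = b"example-pepper-replace-in-deployment"

# Assumed field names (the real schema is not published).
SECRET_KEYS = {"password", "new_password", "api_key", "token", "authorization"}
PII_KEYS = {"email", "phone", "tracking_number", "address", "recipient_address"}

# Patterns for values that may also appear in free text, query strings or messages.
BCRYPT_RE = re.compile(r"\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}")
TRACKING_RE = re.compile(r"(?<!\d)\d{12,22}(?!\d)")  # assumption: digit-only carrier numbers
PHONE_RE = re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def fingerprint(value: str) -> str:
    """Keyed, truncated hash: stable for correlation, not invertible without LOG_PEPPER."""
    return hmac.new(LOG_PEPPER, value.encode("utf-8"), hashlib.sha256).hexdigest()[:10]


def redact_text(text: str) -> str:
    """Scrub free text. Longer digit runs (tracking) go before phone numbers, and
    emails last, so no replacement text is re-matched by a later pattern."""
    text = BCRYPT_RE.sub("[REDACTED:hash]", text)
    text = TRACKING_RE.sub(lambda m: f"[REDACTED:tracking:{fingerprint(m.group())}]", text)
    text = PHONE_RE.sub(lambda m: f"[REDACTED:phone:{fingerprint(m.group())}]", text)
    text = EMAIL_RE.sub(lambda m: f"[REDACTED:email:{fingerprint(m.group())}]", text)
    return text


def redact_fields(obj: Any) -> Any:
    """Scrub a JSON-like structure: secrets are dropped outright, known PII fields
    become fingerprints, and every other string is pattern-scrubbed."""
    if isinstance(obj, dict):
        out = {}
        for key, value in obj.items():
            name = key.lower()
            if name in SECRET_KEYS:
                out[key] = "[REDACTED:secret]"
            elif name in PII_KEYS and isinstance(value, str):
                out[key] = f"[REDACTED:{name}:{fingerprint(value)}]"
            else:
                out[key] = redact_fields(value)
        return out
    if isinstance(obj, list):
        return [redact_fields(item) for item in obj]
    if isinstance(obj, str):
        return redact_text(obj)
    return obj


def audit_record(method: str, path: str, status: int, user_id: str,
                 request_body: Any, response_body: Any) -> dict:
    """Build the audit event for one API call, already safe to persist."""
    return {
        "event": "api_request",
        "method": method,
        "path": redact_text(path),  # query strings carry PII too
        "status": status,
        "user": user_id,
        "request": redact_fields(request_body),
        "response": redact_fields(response_body),
    }


class RedactingFilter(logging.Filter):
    """Last line of defence: scrub any message, even a careless f-string, at the handler."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_text(record.getMessage())
        record.args = ()
        return True


def write_audit_line(record: dict) -> str:
    """Emit one JSON line through a redacting handler and return what was written."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.addFilter(RedactingFilter())
    logger = logging.getLogger("audit.example")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addHandler(handler)
    logger.info(json.dumps(record, sort_keys=True))
    handler.flush()
    return buf.getvalue().strip()


# Constructed sample traffic (not real data; the hash is a sample bcrypt string).
SAMPLE_REQUEST = {
    "username": "jdoe",
    "password": "correct horse battery staple",
    "recipient": {"email": "jane.doe@example.com", "phone": "916-555-0100"},
    "note": "parcel tracking 123456789012, leave at front desk",
}
SAMPLE_RESPONSE = {"status": "ok",
                   "password_hash": "$2b$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW"}

if __name__ == "__main__":
    event = audit_record("POST", "/api/v1/deliveries?email=jane.doe@example.com",
                         201, "acct-42", SAMPLE_REQUEST, SAMPLE_RESPONSE)
    print(write_audit_line(event))
```

Two design points are worth noting. Structured redaction by field name is the reliable layer: a street address in a free-text note is not caught by any pattern here, which is why recipient addresses should live in a named field. The handler-level filter is deliberately redundant with it, so that a log statement written outside the audit path cannot leak a value the structured path would have masked.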

Architecture

What hardware platforms does the software run on?

iOS on the lockers. Google Cloud and/or Amazon Web Services for all servers.

Do you generally support having both non-prod and prod environments?

Yes. We have many non-prod environments. Developers develop on their local environment, then a new QA environment is spun up for each ticket. When passed QA, the ticket is merged into the production branch, QA'd and then released.

What operating systems and versions can the software run on?

iOS 10+ for the locker application. Servers run Ubuntu 16.04.1.

What are the software components that comprise the application?

A managed iOS application runs on the iPad screen at the lockers.

There is firmware that runs on the electronics inside the lockers.

There is a web portal for customers.

There is a reporting system.

There is a server platform for managing the databases and APIs.

What is the primary technology and architecture that your application is built on?

Objective-C, Python and PHP

What database technologies does the proposed solution support? What DBMS and versions can be used?

MySQL 5.6 and later; Firebase (NoSQL).

Is there any scheduled down time required for the maintenance of the software?

Most server upgrades are done without any downtime because the architecture of our applications provides for full offline availability at the locker. Locker-based upgrades can typically be done without downtime using a blue/green framework in which two versions of our application are loaded on the device. Non-emergency server maintenance that could result in downtime (typically less than 1 hour) is done after business hours, with at least 1 business day advance notice.

Hardware

What are the power capacity requirements?

Standard AC power plugged into a 110 V outlet.

Are multiple outlets needed per unit depending on configuration? Can power be connected between units?

This all depends on the size of the system. Typically one outlet can handle all small-to-medium size configurations.

What kind of backup power is available?

There is a battery backup in the locker that maintains functionality in the event of a power outage.

What type of connectivity is supported?

Hardwired ethernet, Wi-Fi and LTE.

Is this additive or instead of Wi-Fi?

It can be either or both, depending on failover requirements.

UPDATED: June 07, 2021