Cloud Service Security
We Protect Your Data!
When it comes to using software as a service, security and privacy controls are always a top priority. At ClickSoftware we are committed to the protection of confidentiality, integrity, availability and privacy of our customer’s data and to their service continuity. We believe that information security is vital for our customer’s business operations and to our own success. These premises govern us and the way we do business. While there’s no bulletproof solution to cloud data and service protection, we do everything we can to exceed expectations. ClickSoftware’s cloud service is secure, reliable and trusted. The service offers a platform through which businesses can safely store and process personal and internal data.
ClickSoftware has received the following Cloud Service Certifications:
The ClickSoftware cloud service is based on Amazon Web Services (AWS) as an Infrastructure as a Service (IaaS) provider. AWS provides top industry security measures and is also compliant with the following certifications, assurance programs and third-party verifications:
- SOC2/SOC3/FIPS 140-2
- ISO 27001- Information Security Management System (ISMS) covering infrastructure, data centers, and services
- HIPAA – Health Insurance Portability and Accountability Act
- FISMA - Federal Information Security Management Act (FISMA)
- CSA – Cloud Security Alliance STAR registry
AWS also protects against common security threats to infrastructure such as:
- Distributed Denial of Service (DDoS) attacks
- Man In the Middle (MITM) attacks
- IP spoofing
- Port scanning
- Packet sniffing by other tenants
Technical Security Controls
The ClickSoftware cloud service leverages various security controls to further protect against security threats:
- Virtual Private Cloud (VPC): ClickSoftware cloud service uses a virtual private cloud that provides a private, isolated and controlled section of AWS.
- Network Traffic Controls: ClickSoftware cloud service uses firewall rules to control the inbound and outbound network traffic for each internal resource.
- TLS: ClickSoftware cloud service uses TLS protocol to encrypt the bidirectional traffic between the customer device and desktop and the service.
- Customer Data Isolation: Only authenticated and customer authorized users may access the customer data. ClickSoftware cloud service enforces a match between each row in the return set of a database query with user context and permissions following validation of the user identity in each session.
- Authentication: Access to ClickSoftware cloud service is controlled with authentication using strict password policy. ClickSoftware cloud service challenges password-brute force attempts. Optional Multi-Factor Authentication is available. Single Sign-on authentication is supported using Federation technology and SAML protocol. Client-Side Certificate Authentication is supported for outgoing messaging.
- User Management: OnlyClickSoftware cloud service customers administrators can manage their authorized users’ identities and permissions within the customer tenant. Each customer authorized user can have strict permissions within the customer tenant via assigned user group. Customer users manage their own passwords. Customer users’ repositories can also be synchronized.
- Authorization: Access to ClickSoftware cloud platform is restricted to authorized ClickSoftware employees only, according to documented processes, logged and tracked for auditing purposes. Remote access is also controlled by VPN with two-factor authentication. Permissions for access and actions in the ClickSoftware cloud platform are set using the segregation of duties and least-privileges principles.
- Web attacks protection: Unauthorized web access attempts to the ClickSoftware cloud service are filtered.
- Anti-Malware protection: Malicious software is prevented, detected and removed.
- Security patch management: Applications, services and operating systems are regularly patched to provide ongoing protection from exploits.
- Hardened systems: Only essential software packages are installed. Systems security policies are enabled. Unnecessary services are stopped and non-required ports closed.
- Intrusion detection: Intrusion detection sensors throughout the internal network report events to a security event management system for logging, alerts, and reports.
- Monitoring of security events: Audit policies and procedures, which includes log collection, correlation and alerts of security incidents are maintained.
- ClickSoftware cloud service architecture has been designed for fault tolerance and high availability with no single point of failure using AWS Availability Zone and Regions management and hardware redundancy, redundant instances, load balancing, availability zones, redundant DNS, and backup policy.
- Disaster Recovery (DR) procedures and documented, tested, trained, updated and implemented.
- Constant proactive Health Monitoring of both IT and application systems are performed.
- 24x7 Telephone and Email Support: Help is always available, with a “follow the sun” model to provide continuous support around the clock.
The following compliance programs are applicable to ClickSoftware cloud services, address all aspects of security and data privacy and maintains confidence of our customers in the status of information security that we provide.
ClickSoftware cloud service has been ISO 27001:2013 certified since 2012. This security standard outlines the requirements for information security management systems and is the highest level of global information security standard available today. This certification provides our customers the assurance that ClickSoftware cloud service meets stringent international standards on security. You can find the certificate here.
ClickSoftware cloud service has successfully completed the ISO/IEC 27018:2014 assessment, since 2015. This code of practice focuses on protection of personal data in the cloud. It is based on ISO information security standard 27002 and provides implementation guidance on ISO 27002 controls applicable to public cloud Personally Identifiable Information (PII). It also provides a set of additional controls and associated guidance intended to address cloud PII protection requirements not addressed by the existing ISO 27002 control set. You can find the certificate here.
ClickSoftware cloud service has successfully completed the ISO/IEC 27017:2015 assessment, since 2018. This code of practice supplements the guidance of the ISO/IEC 27002 and ISO/IEC 27001 standards with cloud-specific information security controls applicable to the provision and use of cloud services for cloud service providers and customers, respectively. You can find the certificate here.
SOC 2 Type II Audit Report
ClickSoftware cloud service is audited annually against the Service Organization Control (SOC) 2 Type II reporting framework by qualified independent auditors. The scope of audit for ClickSoftware cloud service covers key compliance controls and objectives applicable to in-scope trust principles. A copy of ClickSoftware cloud service SOC 2 Report can be requested via ClickSoftware Sales Account Team point of contact. For more information on SOC 2 Type II audit report, please refer to the AICPA - SOC 2 .
HIPAA through the Business Associate Agreement (BAA)
Customers from the medical services industry need to comply with HIPAA, and, as a cloud service provider, ClickSoftware enters into business associate agreements (BAAs) with HIPAA-covered entities, certifying that ClickSoftware cloud service protects personal health information (PHI) in accordance with HIPAA guidelines.
The ClickSoftware cloud service joined the CloudTrust Enterprise-Ready program, which provides an objective and comprehensive evaluation of the enterprise-readiness of the ClickSoftware cloud service based on a detailed set of criteria developed in conjunction with the Cloud Security Alliance (CSA). Services designated as Skyhigh Enterprise-Ready are the services receiving the highest CloudTrust™ Ratings, which fully satisfy the most stringent requirements for data protection, identity verification, service security, business practices, and legal protection. Go to cloud-trust-program here.
Administrative Security Controls
- Information Security Policy: The ClickSoftware cloud service maintains a policy document that outlines standards of information security and privacy controls and is the basis for the information security and data privacy framework. This policy also governs all the ClickSoftware cloud service employees and contractors.
- Background checks: All cloud service candidates are required to pass background checks to the extent permitted by law as a condition of employment.
- Security Awareness Training: All ClickSoftware employees are trained on information security and data privacy procedures.
Information security risks in ClickSoftware cloud service are managed through external and internal audit processes, as detailed here:
- Code Security Inspection: For every software major release, security procedures are implemented and code security inspections are conducted by an independent third party.
- Penetration Testing: Clicksoftware cloud service performs periodic penetration testing and vulnerability assessments of the service and network by an independent third party.
- Audits: Clicksoftware cloud service performs periodic internal and external audits of users activities, systems and applications vulnerabilities, systems and data access controls, configuration changes and security processes in order to detect and mitigate security risks.
- Risk Assessment: Clicksoftware cloud service performs periodic risk assessments, by an independent third party, at least once a year, or whenever there is a major change in the technical or legal environment. The purpose is to evaluate the effectiveness of current controls and determine whether new risks require additional mitigating controls.
The ClickSoftware cloud service is committed to the customer’s data protection by implementing the following controls:
- Access to Customer Data: Access to the customer data is protected with strict authentication and permission controls and is done only to provide the service. ClickSoftware cloud service authorized customer users may always have real-time access to the stored personal data through the web-based tenant’s account interface.
- Audit trail: Detailed audit log which enables tracking of changes made to data in the ClickSoftware cloud service application is available within the service and the log can be exported. User login log is also available.
- Data Storage, Processing and Transfer: The customer data is stored in an encrypted storage only in the customer territory and is processed and transferred only by following the customer’s instructions and applicable laws, to support the subscription period.
- Data Processing Addendum: ClickSoftware and its service provider, have signed a Data Processing Addendum and Model Clauses for processing personal data. The Cloud Service offers its EU customers a Data Processing Addendum and Model Clauses for processing personal data.
- Data backup: The customer data is available for backup by the customer, in an encrypted using a customer managed encryption key. The customer data is also daily backed up and stored by ClickSoftware cloud service in an encrypted format in the AWS S3 storage service and is available for reliable and secured restore procedure when required with a 30 days data retention time.
- Data sanitization: Upon request, or in accordance with contractual obligations, all the customer data will be deleted in a reliable manner. The customer data backups will remain for additional of 30 days.
- Incident Management: Security incident management policies and procedures are maintained. ClickSoftware cloud service notifies impacted customers of any actual or reasonably suspected unauthorized disclosure of their respective customer data or personal information to the extent permitted by law.