HotDocs Document Services was launched in January 2012 and has already filled a great need for many customers. Since the launch, one of the questions we have been asked frequently by people who are interested in Document Services is “How is my data protected?” This is a perfectly valid question, given the sensitive nature of the information that HotDocs processes on a regular basis.
When we started designing HotDocs Document Services, we quickly recognized the supreme importance of protecting customer data. During the design process, protection of client data was given priority above all else, including “cool” features and convenience for users. We recognize that without tight security, HotDocs Document Services would be of no use to anyone, so we take security and data protection very seriously.
The HotDocs Document Services data security model is built on the premise of security first and mitigation second. In other words, the product is built to be air-tight, with no holes; however, we have also built mitigation strategies into the product to protect your data even if it did become compromised.
Here is a list of just some of the security features built in to HotDocs Document Services:
- Document Services is hosted in the world-class Microsoft Azure platform. Microsoft has received many relevant certifications and audits related to data center operations and the Azure software stack. Details are available here: http://www.globalfoundationservices.com/
- All communication between the various components of HotDocs Document Services is encrypted using SSL/TLS. This includes communication from the browser to the web server, from HotDocs Developer 10.2 to the web application, and among all the various parts and pieces of the Document Services stack. Additionally, the VLAN and packet filtering system built into the hosting stack provide an extra layer of isolation.
- Best development practices were followed when building Document Services. Our staff members who are responsible for the design, construction and maintenance of security are all experienced engineers who have previous work experience at a security software firm. We also periodically run several automated security tests against the application to ensure it stays robust.
- Access to the Document Services database is controlled by strong credentials and is based on the principle of least-privilege. All sensitive data is encrypted. Access to documents, answer files, and templates is tightly controlled. Data is never stored to disk in an unencrypted form. Key management is distributed, so even if individual services in the application were compromised, it would be impossible to gain access to all the required keys to decrypt a file from the DMS. Data is encrypted using industry standard AES-256.
Comedian Emo Philips said, “A computer once beat me at chess, but it was no match for me at kick boxing.” It would be foolish for us to think that we cannot be beaten by determined people who have different skills than we do. We have worked very hard to produce software that is iron-clad and resistant to all threats, but we acknowledge that there is a possibility we could be bested by someone out there who is smarter than us. So, to protect customer data in the event that a previously undiscovered hole in the software reveals itself, we have adopted a policy of mitigation. In other words, we have designed fail-safes into the program to prevent a compromise of one part of the system from exposing data in other parts of the system. Additionally, we have built the system to prevent a breach from becoming a foothold for attackers to make lateral moves into other areas.
For example, in the highly unlikely event that a bad guy was able to enter the database, we obviously would not want him to gain any useful data from it or extend his attack to other areas of the software (like data not stored in the database, including completed documents and answer files), so we have encrypted all sensitive data with keys managed by other services, and we store only parts of the required keys in any single place.
Another example: If an attacker somehow worms his way into our DMS service (where documents, answer files, and templates are stored), he would not be able to read those items. Even if he is able to access our code, without all pieces of the puzzle, our documents and answer files would appear to him as meaningless streams of bytes.
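The split-key mitigation described in the three paragraphs above, as an added example that is not HotDocs' code: it assumes a simple n-of-n XOR split of one AES-256 key across three services (web app, DMS, key service) and AES-256-GCM for the stored item, neither of which the post specifies. Holding only two of the three shares, an attacker rebuilds a wrong key and decryption fails the authentication check instead of yielding readable bytes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// splitKey turns a 32-byte AES-256 key into n XOR shares (an assumed scheme):
// each share alone is uniformly random, so one compromised service learns nothing.
func splitKey(key []byte, n int) [][]byte {
	shares := make([][]byte, n)
	shares[n-1] = append([]byte(nil), key...)
	for i := 0; i < n-1; i++ {
		shares[i] = make([]byte, len(key))
		rand.Read(shares[i]) // crypto/rand
		for j, b := range shares[i] {
			shares[n-1][j] ^= b // last share = key XOR all random shares
		}
	}
	return shares
}

// combineKey XORs shares back together; every share is required for the real key.
func combineKey(shares [][]byte) []byte {
	key := make([]byte, len(shares[0]))
	for _, s := range shares {
		for j, b := range s {
			key[j] ^= b
		}
	}
	return key
}

// gcm builds AES-256-GCM (GCM mode is assumed; the page only says AES-256).
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // cannot fail: keys here are always 32 bytes
	g, _ := cipher.NewGCM(block)
	return g
}

// seal encrypts one stored item with a fresh 12-byte nonce prepended; open decrypts,
// and a key rebuilt from an incomplete share set fails the GCM tag check.
func seal(key, plaintext []byte) []byte {
	nonce := make([]byte, 12)
	rand.Read(nonce)
	return gcm(key).Seal(nonce, nonce, plaintext, nil)
}

func open(key, sealed []byte) ([]byte, error) {
	return gcm(key).Open(nil, sealed[:12], sealed[12:], nil)
}
```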
No matter what cool, fancy, security-focused features we add to prevent breaches in Document Services, and no matter how many firewalls, security access devices, and layers of encryption we use to secure the data, the biggest back door into your customer data is your own users. Any system designed to retrieve data for a specific user runs the risk of that data being handed to a bad guy who is impersonating the user. Our system authenticates users with passwords, but those can be guessed, brute-forced, or stolen from other systems if the password has been reused. However, we have given Document Services admins several tools to help keep their user accounts secure, including:
- Password length and complexity requirements.
- A password-strength UI that helps users understand how strong their chosen password is.
- Configurable password expiration policies to prevent users from keeping the same password for long periods of time.
- IP access restrictions. Administrators can restrict access to specific IP address ranges. That way, even if someone knows your favorite password is “password123,” unless they access the site from a recognized IP network, it doesn’t do them any good.
- Mechanisms to discourage brute-force attacks. We use CAPTCHA and other techniques to make brute-force attacks more expensive and difficult to carry out.
This is obviously not a complete and detailed analysis of everything we do to secure your data, but we hope it serves as an assurance that we work very hard to make sure everything in HotDocs Document Services is air-tight. We have tried our best to build a resilient piece of software that can isolate any breaches of security. We hope that the mitigation elements of our design are never tested – that no one ever makes it past our first lines of defense. However, it serves us well to remember the quote from Gene Spafford: “The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards.” Unfortunately, if we built this “truly secure” system, no one would buy it. No one wants an inaccessible block of concrete, so we went with the next best idea – which became HotDocs Document Services. And we are confident you will be satisfied with the results.