TeamConnect Cloud Services Security Overview
Introduction
The hosted Mitratech Cloud environment is supported by a dedicated team of IT, Security, Engineering, and Governance, Risk and Compliance professionals. The Mitratech Cloud Services and Security teams take a coordinated and collaborative approach to security, focusing on guiding and implementing both technical and procedural security solutions.
This document is meant to provide a general overview of the hosted TeamConnect Platform and Mitratech’s Information Security policies and practices.
Data Ownership and Scope
Before getting into the specific security services and processes that Mitratech employs, it is important to clearly define ownership and scope. Client instances are deployed on the TeamConnect Platform. Feature security settings, access control, end user maintenance, etc. at the client instance level are ultimately the responsibility of the client. When it comes to the Platforms, Mitratech actively monitors and manages the environment, implementing solutions to help enhance security.
Mitratech Cloud Services follow industry standards and best practices when providing the computer and application resources that host the various client environments. While Mitratech manages the cloud infrastructure, including the compute resources, it is the client that ultimately is in control of application behavior, such as end-user management, application features and settings, etc.
General Security
Below is a list of general security functions that Mitratech supports or implements as part of the Mitratech Platform:
Encryption
Mitratech uses multiple methods to secure client data including, but not limited to:
- HTTPS (Customer browser sessions to TeamConnect are encrypted in-transit via TLS 1.2)
- Implementation of At-Rest encryption (AES)
- Transparent Data Encryption is used for bulk database encryption of client data in production databases using AES-256.
- All network traffic within the data center (i.e. between webserver and application server, or application server and database) is encrypted
- SFTP sites are encrypted using secure algorithms
- API Security - Web Services and REST APIs communicate over HTTPS connections using TLS 1.2
Mitratech utilizes industry standard SSL ciphers and reserves the right to disable weaker ciphers according to industry best practices.
Application Security and Auditing
Clients can utilize TeamConnect's user, user role, or group (role-based permissions) security permissions within the system. The access levels granted, which govern what a user is allowed or denied to perform, are determined by the client’s TeamConnect administrator. For example, if the user is not allowed to edit a record, the edit button is not visible. Additionally, for auditing purposes, change tracking and updates on any field can be recorded in the system. A typical audit record contains a date and time stamp of the change, the user who made the change, and the previous and new value of the updated field(s).
DDoS Protection
The fight against DoS/DDoS attacks is complex and changes as technology evolves. Mitratech works with some of the most resilient data center providers in the world, utilizing solutions and tools to help mitigate and protect against these types of attacks on the TeamConnect Platform.
Single Sign On and Multi-Factor Authentication
TeamConnect supports SAML 2.0 compliant SSO platforms for additional ingress access control. Mitratech recommends the Service Provider model of SAML implementation to support email notifications with links to individual records. Clients who require SSO and MFA would need to select an IdP that provides MFA support. TeamConnect supports both SSO and integral username/password authentication on the same instance, with users assigned to the authentication method.
Multi-Factor Authentication (MFA) may be enabled instead of, or in addition to, Single Sign-On. Traditionally, SSO is deployed for internal users and MFA to users logging in from outside the corporate firewall. The TeamConnect MFA, which uses Google Authenticator, may be used for user authentication where the authentication is provided by TeamConnect (not SSO).
Intrusion Detection System (IDS)
Mitratech has implemented intrusion detection technologies to further promote the security of client’s hosted website and data. These technologies help to identify unauthorized access as one layer of the Mitratech security model.
Environment Segmentation
Mitratech Cloud Services separates all client data utilizing separate application instances and schema separation. This reduces exposure of client data or privilege waiver risk and prevents cross-data flow from occurring. Data segmentation and separation capability between clients is provided via network segmentation (DMZ), system segmentation (unique system instances e.g., virtualization), application segmentation (unique application instances, application ID, metadata tagging, etc.), and database schema and security segregation.
Password Policy (TeamConnect)
Customers are encouraged to configure strong password complexity settings and options at the application level. For example, a minimum of eight characters, one symbol, one capital, one lower and one digit. Passwords are hashed inside the TeamConnect database using SHA-256 with generated salt, single iteration (iteration count configurable). Application password settings include: Min Age, Max Age, Min Len, Max Len, Min Alpha, Min Num, Min Spec, Number Stored, Upper/Lower Case, Prohibit consecutive identical characters, Cannot contain username, first or last name, and Enable Password Reset.
If the customer is using SSO, the password policy will be managed by their internal security team at the IdP.
Penetration Testing
Mitratech contracts with a third party to conduct regular penetration testing on the Mitratech Platforms at least annually. Results of penetration tests are reviewed by members of the Cloud Services, Security Operations, and Engineering teams and any needed remediation steps are taken.
Vulnerability Scans
Mitratech utilizes a Vulnerability Management platform for its hosted environment. This tool utilizes discovery scans and agent based scans to determine vulnerabilities on hosted assets. Scans are performed regularly.
Development Practices and Testing
Mitratech has a Software Development Lifecycle (SDLC) that considers security in all aspects of software development including design and implementation. Static and Dynamic Code scanning tools are used as part of this process.
Firewalls
Mitratech implements protection on inbound and outbound network communications. Each network segment is firewalled in between and only the minimum number of communications ports are open to support the Mitratech Hosted Applications. Egress on non-standard ports is denied by default.
Firewall rule reviews are conducted quarterly and all changes are documented and approved through a strict change control process.
Anti Virus / Anti Malware
Mitratech has implemented anti-virus and endpoint protection on internal hosted systems. This does not cover TeamConnect-specific file uploads by the users.
Physical Facility Security
All client information will be stored in the physical data center. There is a documented physical security program that includes:
- No signage for entrance
- Access restricted logs
- Electronic entrance systems
- Security guards onsite, physical barriers, alarmed entrance and exit doors
- Mechanisms such as man traps to prevent piggybacking, windows with contact or break alarms
- CCTV monitoring, fluids/water sensors, air conditioning and humidity controls, heat detection, smoke detection, fire suppression
- Escorts for all visitors (no visitors allowed in the server environment)
Access Control
Reminder: Customers are responsible for user level security/access control at the client application level.
Mitratech’s access control policy applies to systems which are managed and maintained by Mitratech (i.e. The Platform). Our internal access entitlements are reviewed and updated by Cloud Services on a quarterly basis. The Mitratech access control policy addresses control processes including, but not limited to:
- User identification
- Account provisioning processes
- User account authentication
- Password requirements
- User account security settings
- Privileged user access management
- Access recertifications
- Segregation of duties
The Mitratech Cloud Services environment is completely isolated from the Mitratech Corporate data center environment by way of geographical, physical, and network separation. All employees are restricted from physically accessing any hosting system. Employees with a sensitive data access requirement can be granted temporary, or read-only access for the purpose of diagnosing client problems. Examples of employee roles granted this limited, read-only access are: Tier 3 Support Engineers and Cloud Services Application Administrators. These privileged roles can only access the Cloud environment through select bastion host environments. Once they have terminal access to the environment, they can initiate an additional terminal access to the appropriate virtual machine or server. Additionally, Mitratech Cloud Services has created extensive policies, standards & guidelines along with security training for all employees with access to the data center environment. More information about Access Control is available in Mitratech’s annual SOC2 Type 2 report.
Change Management
Mitratech's change management policy applies to systems which are managed and maintained by Mitratech Cloud Services. The policy is reviewed and updated by the Cloud Services and Security Operations teams on a regular basis. Mitratech change management encompasses processes including, but not limited to:
- Separation of production and non-production environments
- Segregation of duties
- Technical peer reviews
- Notifications
- Testing and validation
- Rollback / backout procedures
- Documentation of complete process
- Emergency change procedures
Operations requiring the change management process include, but are not limited to:
- Infrastructure and software deployments
- Infrastructure and software upgrades and patches
- Infrastructure, software, and environment decommissions
- System configuration changes
- Certificate deployments and updates
- Queries that will or may alter data
- System and application restarts
- Environment refreshes
Proposed changes to Mitratech Platform components flow through a process that includes authorization, testing and approval prior to production deployment. This process and its operations are audited in Mitratech’s annual SOC 2 Type II report.
Patch Management
Mitratech applies regularly scheduled operating system and platform related updates. When security vulnerabilities are published, Mitratech promptly applies package updates to maintain the security of the environment. Risk scores are applied to vulnerabilities and are prioritized based on impact and severity.
Industry standard patching protocols are used, including applying patches to non-production environments, for testing prior to being deployed to production.
Backups
Mitratech has a backup standard that applies to systems which are managed and maintained by Mitratech and Mitratech’s managed hosting providers. The policy is reviewed and updated by Mitratech Cyber Risk, Governance and Compliance on a regular basis. The Mitratech backup policy addresses control processes including, but not limited to:
- Backup scheduling and monitoring
- Retention period
- Restoration
- Encryption
- Data destruction
Mitratech client data is backed up regularly and stored in an encrypted format with the third party managed hosting providers. Logging is enabled to track backup status.
Destruction of physical documents containing sensitive data is accomplished using a third-party service. Destruction of electronic documents containing sensitive data is accomplished through the third-party hosting providers who follow documented destruction policies. This data is removed using industry standard data removal processes.
Business Continuity & Disaster Recovery (BC/DR)
Mitratech has partnered with industry leading cloud infrastructure providers to host client environments and facilitate increased uptime and availability. Mitratech as well as the managed cloud infrastructure providers are audited for SOC 2 Type II compliance, including the implementation of proper Business Continuity and Disaster Recovery (BC/DR) processes and controls.
Mitratech's BC/DR strategy includes a Business Impact Analysis (BIA), supported by an annual plan validation exercise. The BIA includes taking inventory of systems critical to business operations, measuring potential (or realized) operational impact of critical system disruption, and staffing models to support critical Mitratech systems and business operations. In the event of an unexpected outage or disruption at any office locations, employees can securely work remotely and continue facilitation of business operations and client service functions. This process has been successfully tested during the calendar year and will continue to be tested on an annual basis.
The Mitratech Disaster Recovery solution provides clients with a Recovery Point Objective (RPO) of 24 hours and a Recovery Time Objective (RTO) of five days.
Note: Mitratech also offers an optional fee-based disaster recovery service for TeamConnect which provides a near-zero-hour RPO and a 24-hour RTO.
Security Incident Response
Mitratech has system, network and security engineers continuously monitoring the Cloud Services environments. Support representatives follow a defined escalation procedure for affected sites when any incident arises.
In the event of a breach or security incident that relates to the Mitratech Platforms, the Mitratech Security team follows our Incident Response Plan. This is tested at least annually.
Risk Management
The concept of risk management is embedded within Mitratech Business and Cloud Services operations. Mitratech has established processes to identify and track potential or actual risk related to Mitratech’s business. The Management Team meets on a regular basis, has executive sponsorship, and is composed of members from across the organization.
The Mitratech Security Operations team monitors the environment for potential technical and procedural risks and brings any items identified to the Management Team for discussion. The Mitratech Security Operations team regularly evaluates risk impact and, if necessary, determines whether remediation efforts are required.
Compliance Reporting
Cloud Providers
Mitratech’s cloud hosting providers are regularly audited for SOC 2 compliance. Signed NDAs with Mitratech and the relevant hosting provider are both required prior to distributing copies of their reports to Mitratech clients for review.
Mitratech
SOC 1 (SSAE 18) - Due to the nature of Mitratech’s business as a SaaS provider, the data being hosted for clients is most likely not relevant to financial reporting. As such, Mitratech does not currently pursue SOC 1 compliance reporting.
SOC 2 (SSAE 18) - Mitratech completes an annual SOC 2 Type II audit.
PCI - Mitratech does not process, transmit or store sensitive credit card data that would bring Mitratech’s Platforms into PCI scope. As such, Mitratech does not and will not pursue PCI compliance certification.
HIPAA - Mitratech is not a health care provider, nor are we within the health care industry. As such, we are not required to directly comply with HIPAA. We are open to signing a BAA after review and negotiation.
Third Party Management
The Mitratech Cloud Services, Security Operations and Governance, Risk, and Compliance Teams are involved with vendor evaluation, selection and onboarding processes prior to vendors, sub-contractors, or other third parties being approved. Critical vendors are re-evaluated annually.
Notice
This document is provided for informational purposes only. It represents Mitratech's current product offerings and practices as of the date of issue of this document, which are subject to change without notice. This document does not create any warranties, representations, contractual commitments, conditions or assurances from Mitratech, its suppliers, or its licensors. The responsibilities and liabilities of Mitratech to its clients are controlled by Mitratech agreements, and this document is not part of, nor does it modify, any agreement between Mitratech and its clients.
FAQs
- Can TeamConnect send application, access logs to my organization via flat file integration or API? Can these logs be sent to our security tools?
  Log data collected and managed by the Mitratech Cloud Services organization is for the sole use of Mitratech and is not shared with individual clients.
- Can we “bring our own key”?
  No - At this time transparent data encryption is protected by platform managed keys.
- Does the application store connection strings and sensitive configs in a keyvault or a secure OS password vault or an HSM?
  No
- How are updates to the application performed?
  Updates and maintenance are applied to the application by the Mitratech Cloud Services Team upon request. Requests for maintenance can be submitted for review and execution by the Mitratech Support and Mitratech Services teams.
- Does your system, including integrations, databases, user screens, setup processes, documents, files, batch jobs, emails, reports, archived or retained decommission content, etc., contain ACH DFI bank account numbers?
  Collaborati has a Bank Account # field that law firm vendors can fill in but is not required. This data is protected during transit from Collaborati to TeamConnect through a secure connection. The data is masked at rest; it is not in plain text. Regarding databases and documents, the data on the record is not in plain text. The data is further restricted to certain maintenance IT technicians via access controls.
- Do you provide for the encryption of this data at rest?
  TeamConnect data resides on managed Cloud infrastructure which utilizes at rest encryption for all data residing within the Cloud Services environment. Refer to the General Settings / Encryption section of this document for more information.
- How many ACH transactions do you initiate on an annual basis?
  None. Mitratech does not utilize ACH transactions regarding payments as it pertains to TeamConnect. Mitratech would be privy to invoice data only, not including bank or account numbers, because that data is encrypted.
- What steps is Mitratech taking to comply with the NACHA mandate?
  TeamConnect does not directly process invoice payments nor utilize ACH in any manner.
  TeamConnect does process vendor invoices for the purpose of review/approval, and then optionally passes them to an accounts payable system for payment. Within that activity, Collaborati and TeamConnect include limited sensitive information, all of which is encrypted at rest with transparent data encryption, as well as in transit, including:
  - Vendor Tax ID Number - this field is required for the systems to identify vendors.
  - Bank Account Number - this field is optional; it is up to the client and vendor to decide if they will pass bank information via TeamConnect. Most clients choose not to store bank information within TeamConnect.
  - Payment Details - these are optional fields whereby the AP system can pass back payment information so that TeamConnect users may reference them. This typically includes a payment date, payment amount, and check number; however, this is configurable client by client.