Clockwork Recruiting Security Information
Security is important at Clockwork Recruiting. We take it seriously and take active measures to keep sensitive customer data safe and secure.
Systems
Clockwork is hosted on Amazon Web Services (AWS), a reputable provider with best-in-class service offerings.
Amazon Hosting SOC and ISO:
https://aws.amazon.com/compliance/iso-27001-faqs/
https://aws.amazon.com/compliance/iso-27018-faqs/
https://aws.amazon.com/compliance/soc-faqs/
Instance Management
- Strict internal access controls
Management of the AWS resources is done via the AWS Console and configuration tool sets.
Access is restricted to an extremely small number of individuals. We employ Identity and Access Management (IAM) to manage granular role-based restrictions and authorization and enable multi-factor authentication (MFA/2FA) for all user access.
Network Isolation
- AWS hosts are in private VPCs with network isolation, firewalls, and no public access
All Clockwork instances are maintained within a Virtual Private Cloud (VPC) with tight network isolation. None of the application instances or databases is reachable directly from the internet, and there is no public access. Instead, all direct access to instances goes over SSH through gateways, and such access is restricted to a small list of authorized personnel.
In addition to only allowing in-network private access, all instances are protected by firewalls which restrict access to only necessary ports. Only the bare minimum of needed application ports are open.
Public access to application ports is allowed only on the load balancer, itself also within the VPC.
Databases
- Database data is protected
Databases are maintained within a private network (VPC) and not accessible externally. Even though traffic is restricted to in-network private access, internal communications are encrypted via SSL.
Database data is fully encrypted at rest using industry-standard AES-256 encryption, including the underlying storage for a DB instance, its automated backups, standby and replica instances, and snapshots.
Additionally, encrypted database backups are in a proprietary format and are not accessible as data or as a “dump” that can be queried or exported. They can only be used to create a new instance at AWS with a copy of the data at the time of the backup, and that process requires highly restricted privileges.
Sensitive data (such as passwords) is stored in the database using one-way encryption (a one-way hash). No one, not even Clockwork personnel, can reverse it and recover the original value.
Patches and Settings
- Security patches are applied promptly and system updates regularly
Instances are regularly updated with operating system updates, and security patches are applied promptly to all application levels.
Additionally, systems are configured as required to address known security threats such as BEAST, POODLE, and Heartbleed. This includes items such as keeping SSL/TLS software at patched versions and eliminating the use of vulnerable ciphers.
Applications
Administration
- Application administration is restricted
Clockwork application administrators use an administrative application to manage customer environments. These pages require authentication credentials and special roles. Passwords are updated frequently and access is limited to a few Clockwork employees.
Public Access
- Public and customer access is restricted
All pages (except pages such as the login page) require credentials to access. All failed login attempts are logged, along with associated source information such as the originating IP address.
All pages use SSL and all traffic is encrypted.
We check requests for domain forgeries to combat man-in-the-middle (MITM) attacks. Our continuous integration process continuously checks for OWASP Top 10 vulnerabilities, such as cross-site scripting (XSS), cross-site request forgery (CSRF), and injection (JavaScript, SQL).
We periodically run penetration tests to check for system vulnerabilities, using tools such as OWASP Zed Attack Proxy (ZAP) on Kali Linux, among others.
URLs for data accessed outside the Clockwork application, such as a requested report that is delivered to a user, point to objects stored in S3 with permission controls, and those URLs expire quickly.
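The expiring, permission-controlled S3 URLs described above are what AWS calls presigned URLs: the URL carries a short validity window and a signature over it, so it grants access only to one object and only until it expires. The example below, added here for illustration and not Clockwork's own code, builds such a URL from the AWS Signature Version 4 query-string scheme using only the Python standard library, and adds a helper that tells whether a given presigned URL has expired. The bucket name, object key and credentials are constructed placeholders; in production the same URL is normally produced with the AWS SDK (for example boto3's generate_presigned_url).

```python
import hashlib
import hmac
import datetime
from urllib.parse import quote, urlparse, parse_qs

def hmac_sha256(key, msg):
    """One step of the SigV4 key derivation / signing chain."""
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def presign_s3_get(bucket, key, access_key, secret_key, region, now, expires=300):
    """Build an S3 GET URL authorized by SigV4 query parameters.

    The URL is valid from `now` (naive UTC datetime) for `expires` seconds;
    AWS enforces the window server-side and rejects the request afterwards.
    """
    host = f"{bucket}.s3.{region}.amazonaws.com"
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    scope = f"{date}/{region}/s3/aws4_request"
    # Query parameters that are covered by the signature (already in sorted order).
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    canonical_query = "&".join(
        f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params.items()))
    canonical_request = "\n".join(["GET", "/" + quote(key, safe="/"), canonical_query,
                                   f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    # Derive the per-day, per-region, per-service signing key from the secret key.
    signing_key = hmac_sha256(("AWS4" + secret_key).encode(), date)
    for part in (region, "s3", "aws4_request"):
        signing_key = hmac_sha256(signing_key, part)
    signature = hmac.new(signing_key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}/{quote(key, safe='/')}?{canonical_query}&X-Amz-Signature={signature}"

def presigned_url_expired(url, at):
    """True once `at` (naive UTC) is past X-Amz-Date + X-Amz-Expires of the URL."""
    q = parse_qs(urlparse(url).query)
    issued = datetime.datetime.strptime(q["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ")
    return at >= issued + datetime.timedelta(seconds=int(q["X-Amz-Expires"][0]))
```

Because the signature covers X-Amz-Expires and X-Amz-Date, a recipient cannot extend the window by editing the URL; the bucket itself stays private and only the signed object is readable, for only as long as the window lasts.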