Organizational Security¶

Introduction¶

Jitterbit strives to apply the operational best practices of leading cloud-computing providers around the world. This includes:

Confidentiality¶

Harmony's confidentiality measures work to protect sensitive customer data from unauthorized access. In addition to the physical and logical security layers provided by our software and physical infrastructure, our internal policies dictate:

Separation of Duties: Access to Harmony's production system is available only to the Jitterbit Operations team. Any changes to the production environment must be applied by the Jitterbit Operations team.
Minimum Necessary and Least Privilege: Within the Jitterbit Operations team, access is restricted to the various Jitterbit services on an as-needed basis. The team knows which employee has access to which Harmony production resource at any point in time and can revoke that access as needed.

Personnel Policy¶

Jitterbit's personnel policy is designed to maintain a high level of employee trustworthiness and to keep employees aware of key aspects of information security and privacy. Employees must comply with a code of conduct that emphasizes confidentiality, ethics, and professionalism in all interactions with Jitterbit's users, partners, and competitors. All employees sign a confidentiality agreement that protects Jitterbit's customer data. All Jitterbit employees receive regular security training and testing.

Jitterbit Operations¶

The Jitterbit Operations team is responsible for defining and executing procedures for application release management, hardware and operating system upgrades, system health monitoring, and other activities required for the maintenance of Harmony.

The team's responsibilities include:

Reviewing the security of cloud infrastructure design and implementation.
Implementing procedures that follow security standards, such as Cloud Security Alliance (CSA) and Cloud Internet Security (CIS).
Defining and implementing identity and access management policy, and procedures for assigning unique and trackable identities to each authorized Jitterbit team member.
Defining data confidentiality classifications that require employees who access Harmony customer information to do so in a prescribed manner that limits the possibility of unauthorized access.
Identifying and implementing technologies that secure customer information, including FIPS 140-2 level encryption technologies for data in transit and data at rest.
Conducting technical and non-technical information security assessments (evaluations) that are based on penetration tests, vulnerability scans, and audits against core regulations and standard codes of practice.
Monitoring the Harmony applications and infrastructure for possible security issues.
Remediating findings and issues quickly.

Jitterbit Engineering¶

The Jitterbit Engineering team is responsible for designing, developing, implementing, and testing the software services provided by Harmony. The Engineering team works closely with the Operations team to identify security concerns, develop monitoring procedures, and implement protective technology. The security responsibilities of the Engineering team include:

Defining and implementing secure design and coding practices.
Conducting design reviews to identify possible security concerns prior to coding.
Conducting code reviews to identify code that could be exploited to grant unauthorized access to customer data.
Conducting code reviews to identify code that could negatively impact availability.
Performing load tests in pre-production environments to verify that availability requirements have been met.

Jitterbit QA¶

The Jitterbit QA team is responsible for carrying out new and existing regression tests on all software released by Engineering to ensure no security or functional issues are introduced with changes in the software. The Jitterbit QA team performs its function in a separate environment that closely resembles production configurations. The Jitterbit QA team must approve any software release before the Jitterbit Operations team can deploy that software to the Harmony production environment.

Harmony Trust Site¶

Harmony availability and security statuses are monitored 24 hours a day, seven days a week by the Jitterbit Operations Team. The data pertaining to such monitoring is published on the Jitterbit Trust site giving users and the public transparent visibility into our operations.

Identity and Access Management¶

Access Control and Least Privilege¶

Identity and access management policy requires that all Jitterbit personnel that have access to Harmony production environments be provisioned with unique and trackable identities in the form of a user ID. Identity and access management policy enforces the principle of least privilege, which restricts personnel to the minimum level of access required to complete their assigned tasks.

Periodic Access Review¶

Virtual instances, firewalls, database servers, and other infrastructure software and hardware are protected by user identities that have been granted a limited set of permissions. Permission grants are regularly reviewed by the Operations team and revoked when an employee leaves the company. The Operations team enforces a password policy throughout Harmony production environments that require strong passwords, regular password expiration, and restrictions on password reuse.

Incident Management¶

The goal of the Jitterbit incident management policy is not only to quickly and effectively close incidents, but also to collect and distribute incident information so that processes are continuously improved and future responses are driven by accumulated knowledge.

Incident management includes initial diagnosis, classification, prioritization, escalation, and closure. All incidents that do not affect users of Harmony are recorded in the engineering issue tracking system. Any issues that affect users are recorded in the Customer Support system so that any effects on SLAs are tracked.

Patch Management and High Availability¶

Jitterbit is continually strengthening its products as new threats to security emerge. In addition, the software infrastructure we use is also being strengthened.

In order to keep software current, the Operations team works with the Engineering and QA team following a detailed patch management policy that covers the discovery, testing, and deployment of security patches. The AWS and Harmony's virtual infrastructure strategy allows Harmony to remain available, even during upgrades.

The Operations team actively monitors vendor security advisories and subscribes to new patch release notifications.

Capacity Management¶

Harmony currently supports thousands of active users who perform various integration processes. The Harmony platform has been developed to scale dynamically. The core services that expose APIs to our tools and users run on Apache Tomcat. Our systems track current usage rate and automatically provision and stop EC2 instances as required.