Keyfactor has established an information security program to describe the principles and basic guidelines we abide by to maintain the trust and confidence of our customers. We accomplish this by continually evaluating risks to our operations and improving the security, confidentiality, integrity, and availability of our Keyfactor environment. We regularly review and update security policies, perform application and network security testing of our environment, and monitor compliance with security policies.

Below is a list and short description of our major Security policies that Keyfactor has put in place for our Keyfactor SaaS products.

Acceptable Use

At Keyfactor we hold ourselves to a high standard. We abide by an Acceptable Use Policy that helps protect us against malicious actors and protect your data. Included in our Acceptable Use Policy are responsibilities we require each of our employees to abide by when it comes to using security/proprietary information and electronic devices.

Included in our policy are guidelines that employees must follow when accessing systems and networks. Additional instructions and guidelines are listed for email and communication activities, downloading software, etc.

Access Control

From the Keyfactor side, a select few team members have access to customer’s data/environments. Each of these team members has extensive experience in PKI and customer relations. Each member is trained at least annually and vetted through a comprehensive background check prior to being brought onto the team.

To further ensure the security of your data, a manager over the EJBCA SaaS product will review the access of each member of the team on a periodic basis for appropriateness, extending access only when truly necessary. A more detailed playbook for accessing the customer’s environment is supported by the Incident Management Playbook.

Additionally, to preserve data integrity and customer trust, employees are not allowed to store, access, and/or transport records containing personal information outside of Keyfactor.

Business Continuity and Disaster Recovery 

Today's world is extremely unpredictable. With EBJCA SaaS we understand that we need to protect your data at all costs and plan for unexpected events. We use our Disaster Recovery and Business Continuity policy to help us prepare for any unexpected events in the future. Our Business Continuity and Disaster Recovery policy sets requirements for creating RTO (Recovery Time Objective) and RPO (Recovery Point Objective). The policy also sets requirements for managing business risk and how to quickly bounce back from any unforeseen incidents.

Change Management

We live in a constantly changing world. The needs of our customers and the goals and aspirations of our company will change and grow. At Keyfactor, we make sure our change management process is both efficient and comprehensive. The Change Management Policy provides specific steps for creating, testing, and approving changes. Our policy also covers potential changes that fall outside the scope of our change management process, including changes to non-production elements, user additions/deletions, or password resets. We also cover how emergency changes are to be handled including specific steps that need to be taken for proper handling of these unique developments.

Communication

Communication is key in everything we do at Keyfactor. We communicate regularly with our customers, either through email or a support ticket if necessary. It is up to the team’s discretion to choose the best way to keep the customer informed.

Data Security

The Keyfactor Data Classification Policy establishes requirements for classifying data. The end goal is to appropriately protect and handle your data. Every member of the Keyfactor team shares a responsibility to treat information with the appropriate level of protection. To facilitate that aim, we have created the Data Classification Policy for internal employees. The policy includes guidance for:

  • Classifying data into the appropriate level of security. This includes data in all forms, including paper, electronic documents, copies, applications, etc.
  • Specific guidelines to follow when handling data at each level of security
  • Determining who is responsible for protecting and classifying types of data
  • How to accurately classify data while promoting internal work efficiency

Data Retention

With EJBCA SaaS, we keep only the information necessary to protect you while keeping our product functioning as designed. By default, customer data is incrementally backed up to our RDS database on a daily basis. Information is archived for a maximum of one year. If a customer unsubscribes to our product or refuses to pay their bill, we hold their data for 90 days and then delete their data. This 90 day requirement follows what is set by AWS and Azure.

Incident/Problem Reporting

Customer concerns are important to us. As a Keyfactor team, we are here to serve our customers and make their experience with EJBCA SaaS the best possible. Our Keyfactor response team is comprised of PKI experts that are trained and ready to answer customer questions and fix any EJBCA SaaS problems. To get started, there are two ways to contact with our Support Team:

Please keep in mind that Keyfactor Support is not in charge of:

  • Custom programming services
  • On-site support, including installation of hardware or software
  • Support of any software not constituting part of the EJBCA SaaS
  • Training
  • General system infrastructure, network design or troubleshooting, installation assistance, or configuration support for third-party components

For help addressing any of the problems listed above, please contact sales@Keyfactor.com.

To save time and energy, the customer should consider answering the following questions before contacting Keyfactor Support:

  • What were you doing when the error occurred?
  • When was the last time that this worked (if ever)?
  • Does this happen every time you do X?
  • Did you attempt to fix the problem? If so, what steps did you take to resolve the issue?
  • What did the error look like on your screen?

Information Security

Your information security is one of our top concerns. With EJBCA SaaS we classify each type of data and use sufficient controls to protect the information. To understand better what we do with your data and how long we retain it, refer to our Privacy Policy at https://www.keyfactor.com/terms_and_conditions_of_use/

Logging and Monitoring 

Logging is extremely important to manage security and operations. With EJBCA SaaS we collect logs from the EJBCA application as well as the AWS and Azure infrastructures. We use a combination of the cloud providers native tools and open source tools including Fluentd, CloudTrail, CloudWatch, Azure Monitor, and Azure Application Insights. The operations team also monitors all logs for EJBCA SaaS through AWS CloudWatch and Azure Application Insights.

Onboarding and Termination

One of our biggest concerns at Keyfactor is that each employee has appropriate access to customer data. Employees may access only essential and pertinent customer data to perform his or her job responsibilities. As an organization we rely on our Access Onboarding and Termination Policy to establish formal procedures for controlling access to customer data when employees change positions, are hired, or are dismissed.

Password Management

As passwords are one of the most important lines of defense against hackers or unauthorized users, we have implemented password requirements. The password requirements are required for both users and Keyfactor operators. The requirements follow the guidelines in which OWASP has suggested:

  • Minimum length: 8 characters.
  • The use of bcrypt for password hashing
  • The use of a common password validators that prohibits the use of the most commonly used/compromised passwords

Physical Security

As our managed services are hosted in the cloud, we rely on our cloud provider’s physical security controls and physical security policies. Our cloud providers have strong physical security controls as they are each ISO 27001, SOC 2, and CSA Star certified. As for local office security, we rely on our Office Security policy. In the policy, there are steps for provisioning and deprovisioning access to the offices as well as steps for obtaining guest access.

Risk Assessment

On an annual basis, the Keyfactor team performs a risk assessment for risks facing the company as a whole. Included in the risk assessment are risks pertinent EJBCA SaaS. A comprehensive list of risks is created including the risk’s asset and the asset owner. The consequence of the risk is then identified and classified by whether the risk affects confidentiality, availability, or integrity. The team also brainstorms on mitigating controls that help lower overall risk. Each risk is then assigned a likelihood and impact value between 1-5 in each category (confidentiality, availability, and integrity). The likelihood and impact values are then multiplied together to get the risk value. To lower the risk value, more security controls are needed. Planned actions are then formulated and assigned to an individual. Those planned actions implemented and tracked until the next annual risk assessment is performed.

Vendor Management

Keyfactor has teamed up with the best cloud providers to bring you PKI managed services (EJBCA SaaS). In order to gain comfort that we can trust using each cloud provider, we rely on our Vendor Management Policy. The Vendor Management Policy guides us on what to do if we want to do business or continue business with vendors. With the Vendor Management Policy, we keep your data safe.