Data Management

Data Encryption

Users provide an AES-256 or equivalent key when connecting Salesforce orgs. This key is used to encrypt the data in flight between Salesforce and the Flosum tool and at rest in the Flosum tool. The data is further encrypted by a TLS 1.2 pipe through the HTTPS protocol in flight and with an AES-256 or equivalent key when at rest on the tool's disks. We encrypt your data at rest with server-side encryption (SSE), using S3-managed keys (SSE-S3), AWS Key Management Service (SSE-KMS), and server-side encryption with customer-provided keys (SSE-C). Flosum Backup & Archive supports only TLS 1.2 and later versions, and data encryption is provided throughout the entire pipeline.

Flosum manages data access with Identity and Access Management (IAM). We have IAM policies and permissions in place to ensure that only authorized users and services can access AWS S3 buckets and objects, and we avoid using root account credentials. Flosum also restricts bucket policies. Our bucket policies define which requests are allowed or denied on the bucket; we lock these down to deny all requests by default and allow only the necessary permissions.
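As an added illustration of the bucket posture described above (deny by default, TLS 1.2 or later only, server-side encryption required), here is a small Python example that is not Flosum's own code. It builds such an S3 bucket policy using the real condition keys aws:SecureTransport, s3:TlsVersion and s3:x-amz-server-side-encryption, and includes a deliberately simplified evaluator for just those Deny conditions so the policy can be checked offline. The bucket name is a placeholder, and the evaluator is not a full IAM engine: Allow statements, principals and resource matching are out of scope.

```python
"""Build a deny-by-default S3 bucket policy and check requests against it.

Added example, not Flosum's code. The bucket name is a placeholder; the
evaluator only handles the Deny conditions used here.
"""
import json

BUCKET = "example-backup-bucket"  # placeholder, not a real Flosum bucket


def build_bucket_policy(bucket: str) -> dict:
    """Return a bucket policy that denies non-TLS, old-TLS and unencrypted writes."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # deny any request that is not made over HTTPS
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [arn, f"{arn}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {   # deny TLS versions older than 1.2
                "Sid": "DenyOldTls",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [arn, f"{arn}/*"],
                "Condition": {"NumericLessThan": {"s3:TlsVersion": "1.2"}},
            },
            {   # deny uploads that do not request server-side encryption
                "Sid": "DenyUnencryptedUploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"{arn}/*",
                "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
            },
        ],
    }


def _matches_action(stmt_action, action: str) -> bool:
    actions = stmt_action if isinstance(stmt_action, list) else [stmt_action]
    return any(a == "s3:*" or a == action for a in actions)


def _condition_holds(cond: dict, ctx: dict) -> bool:
    """Evaluate the Bool, NumericLessThan and Null operators (no IfExists variants)."""
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if op == "Bool":
                # a missing key makes a Bool condition false, as in IAM
                if actual is None or str(actual).lower() != expected:
                    return False
            elif op == "NumericLessThan":
                if actual is None or not float(actual) < float(expected):
                    return False
            elif op == "Null":
                # "true" means the key must be absent from the request context
                if (actual is None) != (expected == "true"):
                    return False
            else:
                raise ValueError(f"unsupported operator: {op}")
    return True


def denying_statement(policy: dict, action: str, context: dict):
    """Return the Sid of the first matching Deny statement, or None if none apply."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or not _matches_action(stmt["Action"], action):
            continue
        if _condition_holds(stmt.get("Condition", {}), context):
            return stmt["Sid"]
    return None


if __name__ == "__main__":
    policy = build_bucket_policy(BUCKET)
    print(json.dumps(policy, indent=2))
    # constructed request context: plaintext HTTP fetch
    print(denying_statement(policy, "s3:GetObject",
                            {"aws:SecureTransport": "false", "s3:TlsVersion": "1.2"}))
```

Because the policy carries no Allow statement, every request is denied unless an IAM identity policy grants it, and even a granted request still hits the three explicit denials if it is sent without TLS, with TLS below 1.2, or as an upload that does not request SSE.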

At-Rest Encryption

Confidential Information or PII at rest on computer systems owned by and located within Flosum-controlled spaces, devices, and networks should be protected by one or more of the following mechanisms:

  • Disk/File System Encryption (e.g. Microsoft EFS technology)

  • Use of Virtual Private Networks (VPN’s) and Firewalls with strict access controls that authenticate the identity of those individuals accessing the Confidential Information or PII

  • Sanitizing, redacting, and/or de-identifying the data requiring protection during storage to prevent unauthorized risk and exposure (e.g., masking or blurring PII)

  • Supplemental compensating or complementary security controls including complex passwords, and physical isolation/access to the data

  • Authentication credentials (i.e. passwords/phrases) shall be made unreadable during transmission and storage on all information systems using strong cryptography

  • Password protection to be used in combination with all controls including encryption

  • File systems, disks, and tape drives in servers and Storage Area Network (SAN) environments are encrypted using industry standard encryption technology

  • Computer hard drives and other storage media that have been encrypted shall be sanitized to prevent unauthorized exposure upon return for redistribution or disposal

Portable Device Encryption

As a general practice, Confidential Information or PII shall not be copied to or stored on a portable computing device or Flosum-owned computing device. However, in situations requiring Confidential Information or PII to be stored on such devices, encryption reduces the risk of unauthorized disclosure in the event that the device is lost or stolen. The following procedures shall be implemented when using portable storage:

  • Hard drives (laptops, tablets, smartphones and personal digital assistants (PDAs)) shall be encrypted using products and/or methods approved by the Flosum office of the CISO. Unless otherwise approved by management, such devices shall have full disk encryption with pre-boot authentication.

  • Devices shall not be used for the long-term storage of any Confidential Information or PII.

  • All devices shall have proper and appropriate protection mechanisms installed including approved anti-malware/virus software, personal firewalls with unneeded services and ports turned off, and properly configured applications.

  • Removable media including CD’s, DVD’s, USB flash drives, etc. shall not be used to store Confidential Information or PII.

In-Transit Encryption

In-transit encryption refers to the transmission of data between end-points. These policies are intended to ensure that Confidential Information or PII transmitted between companies, across physical networks, or wirelessly is secured and encrypted in a fashion that protects it from a breach. Data transmission and system console access are performed using channel encryption. The Chief Information Security Officer or their designee shall ensure:

  • Formal transfer policies, protocols, procedures, and controls are implemented to protect the transfer of information through the use of all types of communication and transmission facilities.

  • Users follow Flosum acceptable use policies when transmitting data and take particular care when transmitting or re-transmitting Confidential Information or PII received from non-Flosum staff.

  • Strong cryptography and security protocols (e.g. TLS, IPSEC, SSH, etc.) are used to safeguard Confidential Information or PII during transmission over open public networks. Such controls include only accepting trusted keys and certificates, protocols in use only support secure versions or configurations, and encryption strength is appropriate for the encryption methodology in use.

  • Public networks include but are not limited to the Internet, Wireless technologies, including 802.11, Bluetooth, and cellular technologies.

  • Confidential Information or PII transmitted in e-mail messages is encrypted. Any Confidential Information or PII transmitted through a public network (e.g. the Internet) to and from vendors, customers, or entities doing business with Flosum must be encrypted or transmitted through an encrypted tunnel (VPN) or point-to-point tunneling protocols (PPTP) that include current transport layer security (TLS) implementations.

  • Wireless (Wi-Fi) transmissions used to access Flosum computing devices or internal networks must be encrypted using current wireless security standard protocols (e.g. RADIUS, WPS private/public keys or other industry standard mechanisms).

  • Encryption or an encrypted/secured channel is required when users access Flosum Confidential Information or PII remotely from a shared network, including connections from a Bluetooth device to a Flosum PDA or cell phone.

  • Secure encrypted transfer of documents and Confidential Information or PII over the internet uses current secure file transfer programs such as “SFTP” (FTP over SSH) and secure copy command (SCP).

  • All non-console administrative access, such as browser/web-based management tools, is encrypted using SSL-based browser technologies with the most current security algorithms.


Encryption Key Management

Effective enterprise public and private key management is a crucial element in ensuring encryption system security. Key management procedures must ensure that authorized users can access and decrypt all encrypted Confidential Information or PII using controls that meet operational needs. Flosum key management systems are characterized by the following security precautions and attributes:

  1. Flosum uses procedural controls to enforce the concepts of least privilege and separation of duties for staff. These controls apply to persons involved in encryption key management or who have access to security-relevant encryption key facilities and processes, including Certificate Authority (CA) and Registration Authority (RA), and/or contractor staff.

  2. The Chief Information Security Officer shall verify backup storage for key passwords, files, and Confidential Information or PII to avoid a single point of failure and ensure access to encrypted Confidential Information or PII.

  3. Key management should be fully automated. Flosum Chief Information Security Officer should not have the opportunity to expose a key or influence the key creation.

  4. Keys in storage and transit must be encrypted.

  5. Private keys must be kept confidential.

  6. Application and system resource owners should be responsible for establishing data encryption policies that grant exceptions based on demonstration of a business need and an assessment of the risk of unauthorized access to or loss of Confidential Information or PII.

  7. Decryption keys are not associated with user accounts. They are cached in RAM for a short duration but not stored in the application.

  8. Documentation and procedures exist to protect keys used to secure stored Confidential Information or PII against disclosure and misuse.

  9. Restrict access to cryptographic keys to the fewest number of custodians necessary.

  10. Cryptographic keys are stored in the fewest possible locations.

  11. Key management processes and procedures for cryptographic keys are fully documented.

  12. Keys are retired or replaced (for example, archived, destroyed, and/or revoked) as deemed necessary when the integrity of a key has been weakened or a key is suspected of being compromised.

If retired or replaced cryptographic keys need to be retained, these keys must be securely archived. Archived cryptographic keys should only be used for decryption/verification purposes. Cryptographic key custodians shall formally acknowledge that they understand and accept their key-custodian responsibilities.


Audit Controls and Management

On-demand documented procedures and evidence of practice should be in place for this operational policy as part of Flosum operational methodology.

  • Flosum shall inventory encrypted devices and validate implementation of encryption products at least annually.

  • Documentation shall exist for key management procedures.

  • At-Rest encryption procedures exist and can be demonstrated.

  • In-Transit encryption procedures exist and can be demonstrated.

  • Exception logs exist and can be produced for those resources that are excluded from this policy.


Data Geo-Fencing

Data geo-fencing is available for certain regions. This ensures that specific data can be stored in specific regions, as required by clients.


Data Residency

Flosum Hosts Backup & Archive Instances in the United States (Ohio), Japan and Germany. Customers can use these hosted sites if they have residency requirements. Customers can also self-host in countries/regions if needed. Each Salesforce org is connected to one Flosum tenant.