Security features in Confirmit Horizons

Confirmit Horizons supports a number of features that help to increase security and safety for individual users and respondents, and for collected response data both in transit and at rest. Some of these features can be activated by the users themselves, others can be enforced for all users at the company level, or for individual surveys. Some features are activated on backend systems by Confirmit's engineers and apply to all users of the system. This section explores some of the security features that are available when using Confirmit Horizons.

Downloadable document about Security in Confirmit Horizons

Do you need a document to send to your internal or external clients, to reassure them about data being kept at the highest security standard on the Confirmit Horizons SaaS environment? Click here to download.
 

Using HTTPS in Confirmit Horizons

SSL certificates are installed for all web-facing servers in our hosted Confirmit Horizons environments, allowing all users to encrypt their sessions by using HTTPS instead of plain-text HTTP when connecting to the hosted platform. HTTPS protects your session against network eavesdropping (sometimes referred to as "packet sniffing") by ensuring the traffic between the client computer and the server is encrypted.

By default, we enforce the HTTPS protocol for all login pages in Confirmit Horizons, i.e. for Professional users, Express users, Translators, Reportal users, and panelists. Exchanges of authentication credentials between the client and server are therefore always secured with SSL encryption. Users are then redirected back to regular, unencrypted HTTP once the server has successfully authenticated the login request. However, it is possible to enforce SSL encryption for the entire session when working in Confirmit Horizons.

As a logged-on user, you can open your user settings by clicking on your user name in the top right area of the screen in Confirmit Horizons (you can also use the Home -> User -> Settings menu selection to open the same page). This will bring up an overlay screen where the setting 'Use HTTPS connection' can be found.

If the checkbox is selected, Confirmit will always keep your session secured with HTTPS, even if you open windows to Confirmit Express, Reportal or Translator.

Using HTTPS in Confirmit surveys

Of course, Confirmit Horizons also supports HTTPS encryption for respondents. With the default settings, all surveys can be accessed over both HTTP and HTTPS at the same time.
Perhaps the easiest way to deploy your surveys over SSL is to select the 'Enforce https access to this survey' checkbox on the Survey Settings page when launching your survey.

By selecting this option, the Confirmit Horizons survey engine will ensure that every respondent that accesses the survey will be redirected to access the survey link over HTTPS. Regardless of whether you have an open or limited survey, respondents will be redirected to HTTPS even if you have sent out invitation emails using the ^SLINK^ primitive in emails (instead of ^SECURESLINK^, which will prefix all survey links with https://) or have an open survey where you have linked to the survey using a regular http:// link.

If you are linking to the survey from an external page, you can also simply set up your survey link to use the https:// prefix. This works out of the box without having to compile the survey specifically to support HTTPS.

If you are creating a respondent email, you can select the 'Use HTTPS' checkbox, or use the ^SECURESLINK^ primitive in the email body to have survey links automatically formatted with the https:// prefix when emails are sent out. You can even use both the ^SLINK^ and ^SECURESLINK^ primitives in the same email to include both http:// and https:// links to the survey, providing respondents with the option to select for themselves which link they want to use.

HTTPS for Reportal viewers

Confirmit Horizons supports HTTPS encryption for Reportal users, and requires all Reportal login sessions to take place over HTTPS in order to encrypt the username and password exchange during the authentication process. This is also enforced for Reportal viewers and analysts. As a Confirmit Horizons user, you can also enforce HTTPS for entire Reportal sessions for your end users. This can be done on an individual end user list basis by enabling the 'Always use SSL' checkbox in the general settings for the end user list. All users uploaded to the particular end user list will inherit the setting.

Password / account security

Passwords in Confirmit Horizons must comply with the minimum requirements configured on the system. As seen in the screenshot below, these settings include:
- Locking of accounts after 5 consecutive failed login attempts
- Lock screen displayed after 60 minutes of inactivity (password required to unlock)
- Sessions logged off after 3 hours unless unlocked
- Passwords must be changed after 90 days
- Passwords cannot be reused (history of last 12 passwords stored on the system)
- Passwords cannot be changed more than once per day (to prevent circumvention of password history)
- Minimum requirements for passwords: 8 characters in length, at least one uppercase character and one numeric/symbol character

Passwords are not stored in clear text in the database. Instead, they are protected using a one-way hashing technique (the PBKDF2 key derivation function) with a unique salt value for each account, and the output hash value is stored in the database. The authentication mechanism performs the same hash function on a password submitted from the login page and tries to match the result against the hash value that is stored in the database for the user account, rather than verifying the actual password itself.

A side-effect of this is that no one, not even Confirmit's Account Management Team, can retrieve the original clear-text password from the database. Instead of retrieving existing passwords, it is possible for an account administrator to reset a user's password from the admin menu (and provide the user with the new, temporary password, which must be changed at the first subsequent login), or the user may request a password reset link to be sent to the registered email address for the account from the login page as long as they know their Confirmit Horizons user name.
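The following Python example is added here for illustration and is not Confirmit's code: it stores a per-account salt with a PBKDF2 hash, verifies a login by re-deriving the hash, and applies the minimum-requirement, 12-password history and 5-failure lockout rules listed above. The HMAC-SHA256 digest, the iteration count, the salt length and all function and class names are assumptions, since the page names only PBKDF2.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Assumptions (the page names PBKDF2 only): HMAC-SHA256, iteration count, salt size.
PBKDF2_HASH = "sha256"
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16

# Values from the policy list on this page.
MIN_LENGTH = 8
HISTORY_DEPTH = 12
MAX_FAILED_LOGINS = 5


def derive(password: str, salt: bytes) -> bytes:
    """One-way PBKDF2 derivation; only the salt and this output are stored."""
    return hashlib.pbkdf2_hmac(
        PBKDF2_HASH, password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def meets_minimum(password: str) -> bool:
    """8+ characters, one uppercase character, one numeric/symbol character."""
    has_upper = any(c.isupper() for c in password)
    has_num_or_symbol = any(
        c.isdigit() or not (c.isalnum() or c.isspace()) for c in password
    )
    return len(password) >= MIN_LENGTH and has_upper and has_num_or_symbol


@dataclass
class Account:
    """Hypothetical account record: no clear-text password anywhere."""
    history: list = field(default_factory=list)  # (salt, hash), newest first
    failed_logins: int = 0
    locked: bool = False


def set_password(account: Account, new_password: str) -> bool:
    """Store a new password unless it breaks the minimum or the reuse rule."""
    if not meets_minimum(new_password):
        return False
    # Salts differ per entry, so the candidate is re-derived under each
    # stored salt; hashes cannot be compared with each other directly.
    for salt, stored in account.history:
        if hmac.compare_digest(derive(new_password, salt), stored):
            return False
    salt = os.urandom(SALT_BYTES)
    account.history.insert(0, (salt, derive(new_password, salt)))
    del account.history[HISTORY_DEPTH:]  # keep only the last 12
    return True


def login(account: Account, submitted: str) -> bool:
    """Re-derive the submitted password and compare in constant time."""
    if account.locked or not account.history:
        return False
    salt, stored = account.history[0]
    if hmac.compare_digest(derive(submitted, salt), stored):
        account.failed_logins = 0
        return True
    account.failed_logins += 1
    if account.failed_logins >= MAX_FAILED_LOGINS:
        account.locked = True  # 5 consecutive failures lock the account
    return False
```

The 90-day expiry and once-per-day change limit are time-based and are left out of this example.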

Other options

Other security options are also available, but may depend on license-specific add-ons. See Additional options for further details.

Enabling HTTPS for all Confirmit Horizons users in a company

If you want to ensure all your Confirmit Horizons users are always using HTTPS encryption, you can contact us at support and request that we enable this in your company settings. Alternatively, you can set this yourself if you have the company administrator permission in Confirmit Horizons (use the Home -> Company -> Company Settings menu option, select the 'Always use SSL in authoring and Reportal' checkbox and hit Save). This setting will apply to all Confirmit Horizons, Reportal, Express and Translator users.

Enabling HTTPS for all company surveys

If you want to enable HTTPS for all your company's surveys by default, you can set this yourself if you have the company administrator permission in Confirmit Horizons (use the Home -> Company -> Default Survey Settings menu option, select the 'Enforce https access to survey' checkbox and hit Save). This setting will be inherited by all new surveys. The HTTPS requirement can be disabled on an individual survey by deselecting the 'Enforce https access to survey' checkbox on the survey settings page and (re)launching the survey.

If you want to enforce HTTPS for all future surveys without allowing users to bypass the HTTPS requirement on an individual survey basis, you can either contact us at support and request that we enable this in your company settings, or you can set this yourself if you have the company administrator permission (use the Home -> Company -> Company Settings menu option, select the 'Always use SSL in surveys' checkbox and hit Save). By selecting this option, the 'Enforce https access to survey' checkbox will always be selected in survey settings, and cannot be deselected even by the project owner.

Company password policy

Confirmit has applied a minimum password security profile that applies to all users on the SaaS system. If your company wants to apply a stronger password policy, this can be set up in your system company settings. Server-side validation of passwords through JScript.NET allows for a more complex password policy design if necessary. If you have questions or requests about this feature, please contact support for additional details. Please note that a company password policy cannot be set to reduce the minimum requirements on the system; it can only be used to increase security beyond the default settings.

Restricting survey access for Confirmit Technical Support

In order to provide fast troubleshooting support capabilities for the SaaS environments, Confirmit Technical Support and SaaS Operations employees have implicit access to all surveys on the system by default. However, we realize that some companies may have reasons for wanting to restrict the access to their surveys in Confirmit Horizons. This can now be achieved by requesting it through support. Company Administrators are able to see whether this is enabled in the company settings page (highlighted in the illustration below). If selected, Confirmit Technical Support personnel will not be able to access any of the surveys created under the company. Explicit permission to a specific survey can be granted only by a user with privileges to do so (the survey creator/owner, or anyone whom the creator has granted Administrate permissions).

Note that enabling this feature may impede our ability to provide troubleshooting support, and that regular support SLAs may not apply in this case.

It should also be noted that our SaaS Operations team members will still be able to access the surveys through their system administrative permissions on the system.

Enabling database auditing for survey databases

Selecting this option will track all access to the survey database where responses are collected. The log can be extracted by database administrators and provided in case an audit is required.


Protecting Your Confirmit Horizons Surveys Against Fraud And Unauthorized Access

Detecting and preventing fraudulent responses to a survey are vitally important for maintaining the integrity and reliability of the survey results and thereby any decisions based on those results. It is also of great importance to prevent intruders from accessing or sniffing your respondents’ answers over the internet.
Confirmit Horizons has many built-in features that allow Survey Designers to protect their surveys. Listed below are some of the key features for securing your Confirmit Horizons Surveys:

Encrypt System Request Parameters - This prevents attempts to reverse-engineer URL state values within a survey. These state values can for example be used to identify individual survey pages and create fraudulent survey records automatically, something which could be done in order to generate a large number of incentives. The Confirmit Horizons SaaS Environment default value, and our recommended setting, for this property for new surveys is ‘checked’.

Enforce HTTPS – This enables encryption between the browser and the Confirmit Horizons Servers to secure the data while it is transmitted over a public internet connection, and will protect your respondents' answers from being "sniffed". This also prevents firewalls/proxy servers from inspecting HTTP packets and causing issues when they are not handled properly for respondents. This can be enforced at the company level for all surveys. We recommend using this on all surveys.

Use Limited Surveys - This restricts survey access to a defined list of respondents, and prevents respondents from submitting more than one response to the survey.

Login Page – When the survey project manager does not want to send out long Limited Survey links, a login page can be enforced with username and password on a Limited Survey.

Continue links – Use Continue Links to allow respondents to continue their survey in the event of a network issue.

Allow Respondents To Change Their Original Answers – Uncheck this option to prevent Respondents from changing their answers.

Allow respondents to re-enter a completed interview and change their answers – Uncheck this option to prevent Respondents from accessing their survey record after they have completed the survey.

Geolocation Flex Extension - Allows you to identify possibly fraudulent responses based on the geographical location of the respondent or whether or not a respondent is using an anonymous proxy or a satellite provider. You can then for example flag those responses such that they can be identified in the database, allowing you to investigate them further, or you can block them immediately, thereby preventing the data from those respondents being added to the database.

System-wide security settings in Confirmit Horizons SaaS

The system settings in Confirmit Horizons control many of the configurable built-in security features in the application, for instance timing values for session validity and password restrictions.

SSL Encryption

Confirmit has purchased SSL certificates for all its web-facing systems, and these can be used freely by all customers without additional charge. By indicating in the system settings that certificates exist for front-end systems, the application will seamlessly redirect users to HTTPS for pages where authentication credentials are exchanged. On-Premise customers also have an option to enforce SSL for all traffic on their environment (this option is not selected in Confirmit's Horizons SaaS environments, however).

All certificates used in the Confirmit Horizons SaaS environments are purchased from a reputable supplier, and for surveys and Reportal services, we have even purchased Extended Validation (EV) certificates that will display the server address in green in clients' browsers, as seen below.

Backup Encryption

In order to ensure customer data is not accessible outside the controlled Confirmit Horizons servers, we have deployed solutions that encrypt all data before it is backed up to external media. For SQL Server databases, we use the SQL Backup Pro backup software from Red Gate to compress and encrypt backup files even as they are being backed up from the database server (no need to perform post-backup compression or encryption).

For survey definition data and launched survey packages, we use zip compression and encryption.

All data is encrypted using the AES-256 algorithm. This algorithm is considered extremely secure in the industry and even theoretical methods for brute-forcing an encryption key are not considered computationally feasible.

Firewall protection

Confirmit uses industry-standard firewalls from Cisco and Juniper in its Horizons SaaS environments. As with any other network component, our firewalls are configured in an active/passive failover cluster consisting of two identical devices, reducing the time required to recover from a potential hardware failure. This also allows us to perform regular upgrades of device software/firmware without interrupting the availability of the system.

Firewall rulesets are designed to allow only required ports and services to pass through to servers; all other traffic is blocked at the firewall perimeter and silently dropped.

Threat Management

In addition to firewalls, we have installed a threat management system from Alert Logic. This consists of a device behind our firewalls which monitors all traffic that is allowed to pass through our network (the network packets are spanned (mirrored) to a secondary port on one of our switches and the original packets are not interrupted).

The network packets are inspected using heuristic methods to analyze the data in packets and match them against known attack patterns. The attack patterns themselves are continuously updated at Alert Logic's Security Operations Center, based on traffic logs from devices that have been placed in some of the most hostile network environments on earth. Attack recognition patterns are then pushed to customers' devices regularly, meaning new types of exploits and attacks can often be recognized before they are regularly used on the Internet.

If the device matches traffic on the network against a known attack vector, it will raise alerts to the Alert Logic SOC, which will perform a manual analysis and determine whether or not the traffic is part of a potential attack. Based on the findings, they will notify our hosting provider, who will in turn inform Confirmit's Operations team and add firewall blocks as necessary.

Security testing

The Alert Logic Threat Management device also has an additional feature: a built-in vulnerability scanner. Since the device is situated inside the network, behind our firewalls, it can access each host on the network and probe for known vulnerabilities on a host level (missing security updates, expired SSL certificates, standard administrator passwords, and so on). The device performs a weekly scan of the entire network and sends a report to Confirmit's Operations team with the findings for each scan. We then analyze the findings and plan remediating actions accordingly where this is applicable.

In addition to this, we also regularly commission a third party to perform external vulnerability testing of our environment. In this scenario, a security company will use known attack methods and try to find vulnerabilities by simulating the behavior of a typical attacker using a variety of methods to find exploits in the system. Results are compiled into a report that is presented to our Operations team. We then plan and implement any changes required to remediate any vulnerabilities, and the third party finally performs a retest to verify whether remediation efforts have been successful. A final report is produced with the updated findings, along with an attestation letter and an executive summary of findings. (We may share the executive summary with customers under NDA upon request.)

Similarly, our R&D architecture team regularly commissions vulnerability testing of the Confirmit application from an application perspective, targeting known vulnerabilities in the code (checking for XSS, SQL injection, etc.) as an authenticated user. This type of scan allows for a deeper testing of the application itself and ensures that our developers are keeping up to date with current security practices in their code design and execution.

Encryption of data exports

If you are concerned about the safety of your data while in transit, Confirmit Horizons offers an add-on module where data transferred to and from our servers can be PGP-encrypted. PGP encryption works by encrypting and decrypting files using a matching public/private keypair. The public key is used to encrypt a file, and the private key is used to decrypt a file that has been encrypted with the corresponding public key. Public keys can be distributed to anyone who will be sending you encrypted files, while private keys should be kept safe and never shared with anyone. In order to export encrypted files from Confirmit Horizons, we will need a copy of your public key so it can be associated with your user account. Once uploaded, encryption of exports can be selected as shown in the screenshot below.

Similarly, in order to support uploading of encrypted files into Confirmit Horizons, Confirmit has a secure private key installed on servers that handle encrypted files, and the public key that should be used to encrypt these can be found in the Home -> Help -> Public PGP Key menu in Confirmit Horizons. You can upload files encrypted with this key directly into Confirmit Horizons without having to specify that the file is encrypted - Confirmit will automatically decrypt the file for import into the relevant database upon task execution.

PGP encryption can be enforced in company settings to apply to all file transfers (when enabled, this cannot be bypassed by users).

The Confirmit Horizons PGP Encryption add-on is available at an additional charge. Contact your account manager for pricing details.

Secure data file transfers

The default delivery of files in Confirmit Horizons is via email for exports from the system, and direct upload through the Confirmit Horizons GUI for files that will be imported. Confirmit Horizons supports an additional delivery mechanism for both imports and exports: file delivery through FTP/SFTP. In our SaaS environments, we run an enterprise file transfer server that currently supports connections over FTP and SFTP for file delivery and downloads. By enabling this feature, scheduled uploads can be set up for accepting files on a recurring basis (e.g. for scheduled synchronization of respondents from a CRM system), and email size restrictions for exports are no longer an issue as the file transfer server does not limit the download file size. Additionally, transfers can be performed securely using SFTP, which uses the SSHv2 protocol to encrypt data and provides a command set similar to that of FTP (which means it can also be automated). Authentication methods over SFTP support username/password, key exchange (we associate a public key with your user account while you have the private key installed on your computer), or a combination of these two.

FTP for file transfer can be enforced in company settings to apply to all file transfers (when enabled, this cannot be bypassed by users). SFTP can also be enforced on a user or company basis in the file transfer software module.

The Confirmit Horizons File Transfer add-on is available at an additional charge. Contact your account manager for pricing details.

Database encryption

In addition to providing encryption of data in transit, Confirmit Horizons also supports encryption of data at rest by completely encrypting a survey or SmartHub database. This encryption is possible through the use of the Transparent Data Encryption module (often abbreviated TDE), which is included in Microsoft SQL Server Enterprise. The TDE module uses certificates to encrypt databases on disk and supports different encryption algorithms (see this MSDN article for a brief introduction on this feature).

Database encryption can be enforced in system company settings to apply to all new survey and SmartHub databases (when enabled, this cannot be bypassed by users). Note: this setting needs to be set by Confirmit support; please contact support for more information.

The Confirmit Horizons Database Encryption add-on is available at an additional charge. Contact your account manager for pricing details.