FedCheck Data Security Whitepaper

Date of Last Revision: September 10, 2020

Introduction

This paper outlines Ident’s approach to security and compliance for FedCheck, our critical infrastructure visitor screening app that identifies possible threats from thousands of databases in real time. A detailed focus on organizational and technical security controls is presented, answering questions you may have regarding how Ident protects your data.

Ident’s Security Culture

Ident is all about security. We have created a security culture that is rooted into every team and the roles and responsibilities of our employees. The pervasive influence of this culture is apparent during the hiring process, employee onboarding, as part of ongoing training, and in company-wide events to raise awareness.

Employee Background Checks

Before joining our staff, a candidate’s state of residency, education, and previous employment will be verified, in addition to performing internal and external reference checks. Every candidate must provide evidence and legal authority to work in the Unites States and must pass an exhaustive national and local fingerprint-based criminal background check. Additionally, Ident ensures that all employees maintain clean records by registering them with the FBI Rap Back service, which enables Ident to receive notifications of any criminal activity committed by its employees. Due to our relationship with law enforcement, we simply cannot employ or utilize the service of individuals of whom law enforcement disapproves.

Some of our employees will have privileged access to viewing sensitive FBI-source data for the purpose of administering, operating, and maintaining FedCheck systems. In order to attain that privileged access, these employees must also comply with each jurisdictional request from state government-based justice departments to submit fingerprint cards for additional background checks.

Security Training for All Employees

All Ident employees undergo security training as part of the orientation process and receive ongoing security training throughout their Ident careers. During orientation, new employees agree to our Code of Conduct, which highlights our commitment to keep customer information safe and secure. Depending on their job role, additional training on specific aspects of security may be required. For instance, the information security team instructs new engineers on topics like secure coding practices, product design, and automated vulnerability testing tools. Engineers also attend technical presentations on security-related topics and receive a security newsletter that covers new threats, attack patterns, mitigation techniques and more.

Additionally, our relationship with law enforcement requires that we ensure that each employee receive specific security awareness training regarding FBI CJIS policies as part of the orientation process and receive ongoing training at least every 2 years thereafter.

Information Security Team

Ident’s information security team is driven by information security professionals who are part of our engineering division with roles in development and operations. They are tasked with maintaining the company’s defense systems, developing security review processes, building security infrastructure, and implementing Ident’s security policies. Ident actively scans for security threats using commercial tools, penetration tests performed by both engineering staff and external third-parties, quality assurance (QA) measures, and software security reviews.

The information security team reviews security plans for all networks, systems, and services. They provide project-specific consulting services to Ident’s product and engineering teams. They monitor for suspicious activity on Ident’s networks, address information security threats, perform routine security evaluations and audits, and engage outside experts to conduct regular security assessments.

Operational Security

Security is an integral part of our engineering processes. Due to FedCheck’s privileged use of sensitive FBI data sources, Ident relies on the depth and breadth of advice within the formal risk management program outlined in the NIST CyberSecurity Framework to constantly question our current methods of operations for security risks and to identify and align our processes to recommended security best practices.

Vulnerability Management

Ident administrates a vulnerability management process that actively scans for security threats using a variety of commercially available tools, intensive automated and manual penetration efforts, quality assurance processes, software security reviews, and external audits. The information security team is responsible for tracking and following up on vulnerabilities. Once a vulnerability requiring remediation has been identified, it is logged, prioritized according to severity, and assigned an owner. The engineering management team tracks such issues and follows up frequently until they can verify that the issues have been remediated. Ident also maintains relationships with industry experts and collaborates with security advisories to ensure our systems are maximally protected against vulnerabilities.

Malware Prevention

An effective malware attack can lead to account compromise, data theft, and possibly additional access to a network. Ident takes these threats to its systems and customer data seriously. All FedCheck and other critical systems employ protection mechanisms to detect and eradicate malicious code such as viruses, worms, spyware, spam, and other forms of malware.

Patch Management

Ident executes a patch management policy that proscribes the patching of systems to ensure that they receive the latest security relevant patches. Security patches are applied on a schedule appropriate to the severity of the risk they mitigate. At a minimum, systems and applications are analyzed for patches at least once a month. The urgency towards applying individual patches is based upon reliable methods of notifications from vendor support and community publications. Critical patches are escalated and assigned as the highest operational priority.

Engineers at Ident place a premium on systems that are 1) easy to keep up to date with simple, straightforward patching procedures, 2) have an active, vibrant community and vendor support, and 3) have a proven reputation for finding vulnerabilities, openly communicating risks, and releasing mitigating patches. Patches are tested in pre-production environments for quality, stability, performance, and security. Engineering ensures that all patches have rollback capabilities to ensure high availability and utilize commercial and custom tooling to ensure systems successfully received the patches as intended.

Monitoring

We have internalized the belief that protecting a system requires proactive threat analysis and broad visibility to all internal activities. Thus, Ident utilizes a comprehensive monitoring program to gather information from internal network traffic, employee actions on systems, and unauthorized attempts to access our systems. Network analysis is performed using a combination of open-source and commercial tools for traffic capture and parsing, supplemented by examining system logs to identify unusual behavior, such as attempted access of customer data. Our security team actively reviews inbound security reports, monitors public mailing lists, blog posts, and wikis, and actively participates in information security community events.

Automated network analysis and intrusion prevention tools monitor inbound and outbound communications for unusual or unauthorized activities. Monitoring logs are aggregated to a central logging system in order to correlate threat attempts in the scope of a system-wide analysis. Our security team responds to network and intrusion alerts within 24 hours, reviews access logs weekly, audits and removes inactive administrative accounts monthly, and performs a full access control audit quarterly.

Incident Management

We have a rigorous incident management process for security events which may affect the confidentiality, integrity, or availability of systems or data. If an incident occurs, the security team logs and prioritizes it according to its severity. Events that directly impact customers are assigned the highest priority. This process specifies courses of action, procedures for notification, escalation, mitigation, and documentation.

Ident’s security incident management program is structured around the NIST recommendations on security incident handling (NIST SP 800–61). The security team is trained in forensics and evidence handling, including the use of third-party and proprietary tools. Testing of incident response plans is performed for key areas, including systems that store sensitive customer information. To help ensure the swift resolution of security incidents, the Ident security team is available 24/7 to all employees. After receiving a security incident alert, the security team will perform an expeditious and thorough analysis to determine if the symptoms might indicate a security incident. A verified incident will trigger the execution of the team’s emergency containment, eradication, and recovery plan. If an incident involves sensitive FBI data sources, Ident will notify the appropriate law enforcement agencies within four hours after the resolution of the incident. If an incident involves customer data, Ident will inform the affected customers within 48 hours after the resolution of the incident and support ongoing investigative efforts via our support team.

Server Access

FedCheck servers are configured to CIS benchmarks for security. Preconfigured passwords and access codes are changed or disabled. Ident engineers are required to access servers by their own name and not a default or shared account. Instead of polluting servers with administrative accounts and keys, servers are accessed through a role-based access control system which authenticates both the connecting user and the target server using issued certificates that can be revoked with a single command. All user sessions to servers are recorded in real-time and stored for later playback.

Physical Security

Ident takes a holistic approach to securing our facilities, wherein policies and procedures aim to achieve a state that perfectly balances security and usability. While we see the value in using badges to identify employees, we prioritize questioning fellow employees who we don’t recognize and pulling in management if answers don’t add up. New hires, job role changes, and departures are communicated well to staff. Staff is encouraged to report any and all suspicious activity promptly. All access points to the secure locations of our facility has continuously operating security cameras and follow least-privilege and need-to-know concepts to match access privileges to defined responsibilities.

All visitors to the secure locations of our facility are authorized by presenting an approved photo identification document, logged using our visitation software, validated against an expected visitor’s list, and escorted through our facility by authorized personnel. If visitors are being escorted into an area where sensitive information is often displayed, announcements will be made to ensure staff can hide or obscure this information before visitors enter the area.

Our staff takes special care to prevent theft of laptops and other devices that may contain sensitive information or privileged access to secure systems, ensuring that they take proactive measures to lock unattended sessions, secure the devices physically, and reduce the opportunities for theft.

Technology Used by FedCheck

FedCheck is built with security at its core and is the foundation for all phases of the development lifecycle: from the tools and libraries used to create and build the software, to the technology platform that is conceived, designed and built to operate securely.

Secure Data Center

Ident has partnered with Nlets to host FedCheck Services. Nlets is a private, not-for-profit corporation jointly owned by the State law enforcement agencies of the United States for the purpose of securely linking together state, local, and federal law enforcement, justice, and public safety agencies in order to securely exchange critical public safety information. Nlets utilizes a fully encrypted, private Multi-Protocol Label Switching (MPLS) network to connect State systems for superior connectivity and dependability, backed by a robust wireless capability to ensure network uptime is at or above the critical needs of public safety.  Nlets encrypts all traffic between State systems utilizing FIPS 140-2 compliant end-to-end AES encryption using a 256-bit symmetric cipher key.

Since Ident and FedCheck’s public safety mission aligns so closely with law enforcement, Ident has been approved by the Nlets Board as an approved Strategic Partner. This partnership provides Ident with the following privileges:

  • Access to the Nlets private encrypted network to query FBI data sources
  • Secure hosting services at the Nlets facility
  • FBI CJIS policy auditing services

By hosting FedCheck systems at the Nlets secure facility, we receive the following physical security features that comply with FBI CJIS policies:

  • Monitoring by both fixed and pan-tilt/zoom security cameras
  • Protection by intrusion detection system
  • Two-factor authentication required for building access
  • Biometric iris authorization required for data center access
  • Extensive pre-employment background investigation process
  • On-site building security and data center monitoring staffed 24/7/365

Using the latest, state-of-the-art technology, Nlets provides an unparalleled secure environment with redundant technical infrastructure and onsite experts continually monitoring hardware and connectivity.

As per FBI policy regarding jurisdictional rights of State, FedCheck is required to request information from FBI data sources through State servers. Ident utilizes the private Nlets network to communicate with State systems in order to query FBI data sources, as per their policy. However, in a few rare cases, some States will only allow connections to their secure systems from within the physical geographical boundaries of their State. In order to allow FedCheck the ability to communicate with these particular State systems, Ident partners with local law enforcement agencies to host sub-components of the FedCheck system in their agency’s own FBI CJIS policy compliant data centers within the boundaries of these particular States. The single, dedicated purpose of these sub-systems is to broker requests of FBI data sources from the primary FedCheck system hosted at Nlets to State servers. No customer nor criminal justice data is stored in these sub-systems.

Server Hardware and Software

Ident’s philosophy towards server hardware and software is to simplify maintenance with homogeneous environments, reducing the attack surface by removing unnecessary components, and continually monitoring systems for unexpected performance and modification changes. Server resources are dynamically allocated, allowing for flexibility in growth and the ability to adapt quickly and efficiently, adding or reallocating resources based on customer demand, and enabling quick recovery to security incidents. If a modification is found that differs from the standard image, the modifications are discarded and the system is reverted back to its standard image. These mechanisms are designed to enable Ident to monitor and remediate destabilizing events, receive notifications about incidents, and slow down potential compromise on the network.

Hardware Tracking and Disposal

Ident tracks the location and status of all equipment within our data centers from acquisition to installation to retirement to destruction via barcodes and asset tags. Video surveillance 24/7/365 helps to ensure that no equipment leaves the data center floor without authorization. Hard drives that contain sensitive data utilize data-at-rest encryption technologies. When a hard drive is retired, authorized personnel verify that the disk is erased and sanitized by the US DoD 5220.22-M wipe method, which is a multiple-step verification process to ensure the drive contains no data. If the drive cannot be erased for any reason, it is stored securely until it can be physically destroyed. Physical destruction of disks is a multistage process beginning with a crusher that deforms the drive, followed by a shredder that breaks the drive into small pieces, which are then recycled at a secure facility.

Network Defenses

Ident utilizes multiple layers of defense that protect FedCheck’s network from external attacks. Only authorized services and protocols that meet our security requirements are allowed to traverse it; anything else is automatically dropped. All traffic is routed through industry-standard firewalls with access control lists (ACLs) that are used to enforce network segregation. All traffic is passed through industry-leading Next-Generation Intrusion Prevention Systems that utilizes multiple techniques to detect and protect against even the most sophisticated network attacks. Servers within the FedCheck network are only allowed to communicate with a controlled list of servers internally; this “default deny” and “fail closed” configuration prevents access to unintended resources. Systems and components are grouped by purpose of access and segregated by separate network interfaces; for example, servers that host web applications are in a separate network from servers that persist user data. Servers are never directly accessible to the internet. Access to networked devices is restricted to authorized personnel. Logs are routinely examined to reveal any exploitation of programming errors and unauthorized access attempts.

Securing Data in Transit

Since data is vulnerable to unauthorized access as it travels across the Internet or between networks, Ident places a high priority in securing data in transit. All communication with FedCheck systems is secured by encryption ciphers that are FIPS 140-2 compliant, using a symmetric cipher key with a minimum length of 128-bits. FedCheck supports only modern browsers and devices, allowing us to utilize only the strongest TLS encryption protocols – TLSv1.2 and TLSv1.3.

Securing Data-at-Rest

In order to further protect all types of sensitive data, FedCheck utilizes a file-level encryption program to secure all data-at-rest collected by FedCheck servers. All encrypted data is secured by ciphers that are FIPS 140-2 compliant, using a symmetric cipher key with a minimum length of 128-bits. Cryptographic keys are stored and managed in a centralized and secure key management system, providing privileged user access control and detailed data access audit logging.

Service Availability

Ident designs the components of our system to be highly redundant with the all-encompassing goal of eliminating any and all single points of failure. This “redundancy of everything” philosophy is deeply engrained into all aspects of our server designs, guiding each step towards fulfilling a FedCheck service request: networking, load balancing, software service componentization, and data storage. When Ident needs to service or upgrade FedCheck systems, users do not experience any downtime due to our redundancy philosophy. While it is impossible to create a system that provides zero outages for all users, Ident holds fast to the belief that a system should never go down for regular updates to systems and services. 

For major outages, Ident has a comprehensive Disaster Recovery / Business Continuity plan that includes rolling FedCheck Services over to a secondary data center that is geographically distributed to minimize the effects of regional disruptions such as natural disasters and significant local outages.

Service Resiliency

All applications have an inherent risk of failure. Instead of crossing fingers and hoping for the best, Ident designs and builds resilient systems with failure as a normal event, one that is tested and exercised, even in production environments. Instead of trying to anticipate failure, resilient systems make purposeful decisions to proactively fail. One of the results of a resilient system is sometimes rejecting a single request when the system has determined that this request will be added to a lengthy queue that, if left unchecked, will grow out of control and result in cascading failure. It is much better to deny singular client requests than to jam systems that will bring outages to all clients. More importantly, it is better to prioritize computing resources towards critical execution paths than to have non-critical requests grind the system to a halt.

Authentication

Application access to FedCheck Services requires an access token from the Ident Authentication Service, which implements the common internet standard for authentication, OAuth 2.0. Application developers must first petition Ident for access and pass a security risk assessment before they receive application client credentials and are authorized to request access tokens. If the Ident Authentication Service can identify the application as authorized and the user credentials are valid, an Ident Access Token is issued. If Two-Factor Authentication is enabled for the user, receiving an Ident Access Token is a two-step process where they are first issued a limited access token that only allows access to submitting the 2nd factor, and then receives a full access token after a successful 2nd factor submission.

The Ident Authorization Service guards against fraudulent or tampered access tokens by including an RSA digital signature generated using secret ephemeral keys and are configured to expire after 30 minutes. When an application receives an Ident Access Token from the Ident Authentication Service, it is also issued a refresh token, which the application can use to keep the user’s session alive by requesting a new Ident Access Token without prompting the user to re-enter his/her password, provided the request is made before the current Ident Access Token itself expires.

Ident never uses temporary passwords or allows anyone to set a password for another user. Users are uniquely identified by an email address and should not share accounts or passwords. New users are sent an invitation to FedCheck Services via email whereby the user can activate their account and set a password by clicking on the included link. If users fail to activate their account within 7 days, a new invitation will need to be sent. Users who forget their password can perform a reset using the Ident Authentication Service, which will in turn send an email to the registered user with a reset link that expires after 1 hour.

When a customer signs up for FedCheck Services, Ident Customer Services creates an Administrative User to manage user access for their facilities and invites them to the service via email as a new user. Administrative Users can add, enable, and disable the users for their facilities. Ident Customer Services will assist with other setup tasks such as enabling 2FA for the users of their facilities.

Several checks are enforced when a user chooses a password, prohibiting the following: any of their previous 10 passwords, any of the 30,000 most commonly used passwords, similar to username, common names/surnames according to US census data, popular English words, and common patterns such as dates, repeats (aaa), sequences (abcd), keyboard patterns (qwertyuiop), and l33t speak. Additionally, customers can choose to comply with FBI CJIS password policies, which includes additional requirements for complexity and 90-day expiration. Ident servers store only a salted hash of user’s passwords, never in plain text. Passwords are never printed in server logs, nor can passwords be retrieved or reproduced by Ident personnel.

The Ident Authentication Service supports Two-Factor Authentication by allowing users to activate their accounts with a secret password and configuring a time-based one-time passcode (TOTP) authenticator. Using Two-Factor Authentication improves security by requiring users to access FedCheck Services using their secret password as the “something they know” and their TOTP-based authenticator as the “something they have”. TOTP-based Two-Factor Authentication involves generating a temporary, unique passcode that only works for 30 seconds using a TOTP-compatible mobile application such as Google Authenticator.

Independent Security Audits

As an approved Strategic Partner with Nlets, Ident is privileged to have FedCheck systems audited by the Nlets Security Team to ensure it meets both the FBI CJIS and Nlets security policies. As per FBI policy, formal exhaustive audits of all FedCheck systems will be conducted at least once every year to assess compliance with applicable statutes, regulations, and policies. Additionally, the Nlets Security Team is authorized to conduct unannounced security inspections at any time. Any discrepancies to the FBI CJIS and Nlets security policies found during an audit must and will be mitigated immediately by Ident personnel in order to maintain our ability to access sensitive FBI data sources.

A copy of our letter of compliance from the latest Nlets Information Technology Security Assessment is available on request.

Data Usage

Our Philosophy

FedCheck users own their data, not Ident. We promise not to use your data for any purpose other than to provide related products and services to you. We do not scan it for advertisements nor sell it to third parties. We do not share your data with non-affiliate companies. Our employees are committed to safeguarding your data and keeping it confidential.

Data Privacy

For a full description of our privacy policy regarding FedCheck Services, please read our full Privacy Policy.

Data Lifetime

We will retain customer data for as long as a customer uses FedCheck Services and for a reasonable time thereafter.

If a FedCheck customer requests to close their account and to have their own data deleted, we commit to deleting it from our systems within 180 days.

Law Enforcement Partnership

If a FedCheck customer desires the ability to have FBI data sources included in their FedCheck Services data set, they must forge an agreement with their local law enforcement agency to sponsor their access. As part of this arrangement, the sponsoring law enforcement agency receives a copy of the data from the identification documents used to query FBI data sources, and they own the rights to that data as it is used for auditing purposes in accordance to their security policies. This data set is limited to at least a portion of the following: document photo, number, state, country, issue and expiration dates, and details about the person including full name, zip code, sex, height, weight, hair and eye color, and date of birth.

The actual raw data received from FBI data sources contain criminal justice information (CJI) and is retained in rolling log files for a period of 3 weeks in order to facilitate auditing and maintenance activities. This retention period can be configured to a customized period of time in order to meet State security policies, as necessary.

Data Access and Restrictions

Architecture

FedCheck was architected with the primary goal of supporting data sharing between critical infrastructure facilities and law enforcement sponsors. To that end, logical data segregation of customer data is addressed using a multi-tenancy approach constrained by strict framework controls and comprehensive automated testing to prevent errors in development. Customer access to FedCheck data sources is restricted to well-regulated API endpoints that enforce data segregation. FedCheck users share server resources, but data and end-users are kept safely apart from each other using carefully architected system controls.

Administrative Access

Only a small group of Ident employees have access to customer data. For Ident employees, access rights and levels are based on their job function and role, using the concepts of least-privilege and need-to-know to match access privileges to defined responsibilities. Ident employees are initially only granted a limited set of default permissions to access company resources, such as employee email and training documentation. Requests for additional access follow a formal process that involves a request and an approval from a data or system owner, manager, or other executives, as dictated by Ident’s security policies. Approvals are managed by workflow tools that maintain audit records of all changes. These tools control both the modification of authorization settings and the approval process to ensure consistent application of the approval policies. An employee’s authorization settings are used to control access to all resources, including FedCheck data and systems. Ident personnel access is monitored and audited by our security team, and logs of access privilege are available as needed upon request.

Privileged access removal follows the same formal process. Changes to an employee’s job roles and responsibilities, disciplinary actions, long-term absences, or discontinued association with the company all trigger privileged access change workflows. Since Nlets security personnel, State system administrators, and select law enforcement agencies maintain a list of Ident personnel with privileged access to information and systems they administer, removal of an employee’s privileged access will require prompt notification to these partners in order to keep their access lists up to date.

Law Enforcement Data Requests

The customer, as the data owner, is primarily responsible for responding to law enforcement data requests. However, like other technology and communications companies, Ident may receive direct requests from United States federal and state governments and courts about how a person has used FedCheck. We value our customers’ privacy and thus will take measures to limit excessive requests while also meeting our legal obligations. In general, our policy is to require such requests be made in writing, signed by an authorized official of the requesting agency, and issued under an appropriate statute or ordinance. If our legal team believes a request is overly broad, we’ll seek to narrow it and push back if necessary. Our policy is to notify customers about requests for their data unless specifically prohibited by law or court order.

Third-Party Suppliers

Ident employees directly provide virtually all services in connection with FedCheck. However, we may utilize third-party service providers to provide supplemental specialized services for FedCheck, including technical and customer support. Prior to engaging in a partnership with a third-party supplier, Ident will perform a security risk assessment to ensure that these business entities can and will provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide. Once the risk assessment has been quantified to meet our requirements, the supplier is required to enter into appropriate security, confidentiality, and privacy contract terms.

If service by third-party providers to FedCheck systems require privileged access to protected information systems, Ident security policies require engineering staff to virtually escort their activities utilizing remote desktop sharing tools to ensure that the virtual escort can terminate the session at any time. After carefully evaluating the risks and long-reaching impacts of the proposed service plan, engineering will choose a virtual escort that has expertise with the systems receiving maintenance. The virtual escort will continually monitor and document the work being done in order to give a full account of the activities performed.

Conclusion

Here at Ident, the protection of your data is at the root of every design consideration for all of FedCheck’s infrastructure, products, and personnel operations. Our security team continually reviews policies and procedures to ensure that we are always improving our ability to identify vulnerabilities, to quickly resolve them, and to implement controls to prevent them entirely.

Your data is your most valuable asset; your trust is our most valuable asset. Ident commits to earning that trust over and over by a continued investment into security technologies and procedures that keep us on the forefront of industry best practices.