We provide strong encryption of all data in transit andat rest. Encryption in transit is achieved via the industry- standard TLS (Transport Layer Security) 1.2 protocol. Public Key Infrastructure (PKI) utilizes 2048-bit RSA Public/ Private key pairs and SHA-2 for hashing.
Encryption at rest is achieved using AES utilizing Cipher Block Chaining (CBC) with a key length of 256 bits and a random initialization vector (IV). Data protection keys are managed on a per-customer basis at a minimum, with a two-key system and document-level encryption. The master encryption key is never stored in plain text and use of the customer master key to decrypt data protection keys is restricted to a Key Management Service (KMS) using a FIPS 140-2 L3 Hardware Security Module. Secrets are managed using industry-standard HSM devices.
Any data downloaded to a user’s device is encrypted by the app using an offline data protection key. This encrypts the data with AES encryption. This is in addition to any encryption provided by the device’s OS.
Identity and Access Management: Authentication
Authentication is performed by an authentication service that stores the passwords in hashed form only. Username and password are required by default and the password policy is configurable by the customer.
After a set number of incorrect login attempts, user accounts are locked out of the system.
Identity and Access Management: SSO / Federated Identity
The Diligent Boards Web App and iOS App support login using client identity providers. This allows customers to sign into Boards with their own identity provider, as long as it uses a supported protocol.
Currently ADFS, Azure AD, and Okta are supported via SAML 2.0. Customer can leverage federated integration to support their own SSO (single sign on) or other strong authentication methods such as adaptive or 2FA authentications based on customer’s internal security policy.
Identity and Access Management: Multifactor Authentication (MFA)
Boards users can be configured to require MFA for authentication. The second factor is dependent on the application’s platform. When accessing the web client, the user will require an SMS code, while accessing the mobile apps will require a certificate to be installed on the device. This certificate is implemented via the Device Authorization feature.
Device Authorization provides a 2FA solution that is compatible with the offline functionality offered by the Boards mobile applications. This feature associates a user with a specific device via a certificate installed on the device, and restricts the user’s access to Diligent Boards from that specific device. By restricting access to specific devices, customer organizations can prevent access from unknown and untrusted devices providing additional control of access rights and access locations. Device level authorization controls are also available, please contact Diligent CSM for details.
Authorization in the Diligent platform is by determined the client and set by our customer success teams. This process applies to both direct and federated identity authentication to the application.
Diligent Boards employs a role-based access control (RBAC) model. The role-based permissions in Diligent Boards support both standardized roles and granular permissions per user. Privileges such as exporting materials can be disabled.
User Inactivity Timeout – Closes all windows and logs user out after specified amount of time.
- Inactive Session Timeout – Timeout period after last server request. Requires re-authentication to resume access.
- Maximum Server Session Duration – Forces reauthentication periodically according to a specified timeframe.
Platform Specific Considerations
On all platforms, Diligent Boards is designed to protect itself and data in the platform using secure design techniques and the available security resources of each platform. However, there are additional considerations outside of the controls available in Diligent client apps that can further strengthen the platform’s security.
Enterprise Mobility Management/Mobile Device Management
IP restrictions allows organizations to configure one or more IP (Internet Protocol) addresses or IP address ranges from which a user may access the organization. IP restrictions may be used as an additional factor in multi-factor authentication, in addition to password credentials, to ensure only authorized users access the organization.
Diligent Boards can be configured to disable certain features. While the Diligent Boards mobile apps contains some features typically included in EMM/MDM software, implementing an actual MDM solution to enforce a security policy for the device adds another layer of control especially for email, social networking, and printing.
Customers cannot distribute the iOS app from a private enterprise app store.
Requiring the use of a passcode, and preferably a strong passcode, is a first line defense in mitigating stolen devices or devices that may be accessed by unauthorized individuals.
Apple allows users to track, find, and wipe their missing Apple devices when Find My iPhone is turned on.
Diligent Boards Web Client
The web interface code is written in industry-standard programming languages and supported by top-tier web services and web hosting. Most modern standards- compliant browsers are supported.
The following controls protect the web client:
- Boards Web is developed in accordance with Diligent’s Software Development Lifecycle (SDLC). The program adheres to secure coding practices and guidance from OWASP SAMM (Software Assurance Maturity Model).
- Development follow guidance from OWASP to code protections against the OWASP top 10 most critical web application security risks, which includes attacks such as Cross-Site Scripting (XSS) and SQL Injection.
- No plug-ins or ActiveX Controls are needed in the web browser.
- Session information is stored as short-lived bearer tokens. The access token is randomly generated and hashed.
- Boards Web has configurable inactivity timeouts and a maximum session timeout. The timeouts fully terminate the session. Boards Web communicates securely with the Boards platform using HTTPS via TLS 1.2.
- Boards Web utilizes a third-party Runtime Application Self-Protection (RASP) product. The product protects against reverse engineering, IP theft, and tamping threats.
- Diligent regularly involves a specialist third-party to perform manual application penetration testing for Boards Web, including against the OWASP Top 10.
Diligent Boards for iOS
This security strategy intentionally complicates the code base in order to prevent reverse engineering
or other compromises to the underlying structure of Diligent Boards for iOS. By protecting the underlying programming language of Diligent Boards for iOS, code obfuscation acts as an additional defense against outsiders maliciously uncovering the methodology behind our security, encryption and data transfer practices.
The iOS App contains jailbreak detection code that
will prevent the Diligent Boards App from running on devices that have been jailbroken. A number of jailbreak detection techniques are used ranging from process forking to detection of certain files and modules that are not normally present within iOS.
Touch ID/Face ID
If enabled, Diligent Boards utilizes Apple’s proprietary fingerprint-reading technology “Touch ID” to allow users to sign in. Face ID replaces Touch ID thumbprint identification functionality on most iPhone devices, as these devices no longer have a home button or fingerprint reader. Face ID is currently present on iPhone and iPad Pro devices.
Screen Security prevents Diligent Boards previews from appearing in the app switcher.
Data Backup Protection
Diligent Products contain controls to ensure that application data is not backed up to iTunes or iCloud.
The Diligent Platform includes a security-auditing framework that is designed to record any changes that are made to security settings, or information that could affect security. Auditing is automatically enabled for all clients, and the audit database is available for the duration of the customer’s relationship with Diligent. All administrative functions are logged.
Diligent uses a security information and event management (SIEM) system to provide a data analysis function that enhances the ability to detect and
respond to security incidents in a timely manner. The SIEM ingests logs from applications, servers, and
other infrastructure components that form the Boards production environments, acting as a central repository of aggregated logs, allowing Diligent to monitor all system access, VPN access, privilege escalation (successful and failed attempts), and end-point protection, etc. The SIEM is managed by Diligent’s Security Operations team using alerts and dashboards.
Only Diligent has access to SIEM logs. Customer related application logs must be manually requested and are provided in CSV format. There is no functionality to export customer application logs into the customer’ SIEM.
Role Change Notification
If an email address is nominated by an Authorized Representative, all notification emails associated with user role changes will be sent to this address.
Account Change Notification
If an email address is nominated by an Authorized Representative, all notification emails associated with user email, security question, and password updates, will be sent to this address.
Account Lockout Notification
If an email address is nominated by an Authorized Representative, all notifications relating to a user account lockout will be sent to this address.