Eagle Point Software Corporation
SECURITY OF PINNACLE SERIES
Updated as of: June 11, 2018
This document is intended to explain the security measures in effect when using the cloud versions of Pinnacle Series.
Pinnacle Series Application Background
Pinnacle Series is a revolutionary way of helping organizations provide Continuous Learning to their people, Capture and Share Knowledge and ultimately increase Productivity.
Security and Privacy
Eagle Point takes security seriously and as such, recognizes the importance of securing the Pinnacle Series application itself as well as the cloud platform to ensure your information is protected. Eagle Point relies on the combination of the Windows Azure security measures along with specific security measures to prevent access to the application for questionable/malicious purposes.
Management Utility Security
From an application security standpoint, the Management Utility code is obfuscated which protects against reverse engineering and inhibits hackers from understanding underlying data structures and connections to data services.
Additionally, Pinnacle Series guards against SQL injection on the login screen, where a user with malicious intent could otherwise use injection techniques to gain access to the system. If left unchecked, a user may be able to enter text into the username field that anticipates the SQL call being made and tries in some way to manipulate the query. Without these checks, a username (such as Any_name' or 1=1';--) may have tricked a SQL statement into thinking the user exists. Two separate SQL queries are intentionally called when verifying the username and password to further prevent access via injection.
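The following is an added illustration of the login-screen injection described above, not code from Eagle Point or the Pinnacle Series product. It builds a constructed in-memory SQLite user table, shows a login routine that splices the username into the SQL text (the weakness) beside one that binds the username as a parameter and then checks the password in a second, separate query (the pattern the text describes). The payload used is the textbook form of the string quoted above; the string as printed in the text carries an extra quote that would produce a syntax error against this particular query template. The table layout, the hypothetical password hashing choice (PBKDF2 with a fixed demo salt) and all sample values are assumptions for the demo.

```python
import hashlib
import hmac
import sqlite3

DEMO_SALT = b"constructed-demo-salt"  # constructed; production uses a per-user random salt


def hash_password(password: str) -> str:
    """Slow password hash for the demo (the page itself describes stored passwords as encrypted)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), DEMO_SALT, 100_000).hex()


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table; not the product's real schema."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL, "
        "password_hash TEXT NOT NULL)"
    )
    db.execute("INSERT INTO users (username, password_hash) VALUES (?, ?)",
               ("alice", hash_password("correct horse")))
    db.commit()
    return db


def vulnerable_login(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Weak form: user input becomes part of the SQL text.

    The quote in the payload closes the string literal, `or 1=1` makes the WHERE
    clause true for every row, and `;--` comments out the password comparison,
    so the lookup succeeds without knowing any password.
    """
    sql = (f"SELECT id FROM users WHERE username = '{username}' "
           f"AND password_hash = '{hash_password(password)}'")
    return db.execute(sql).fetchone() is not None


def safe_login(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened form: two separate parameterised queries, then a constant-time compare.

    The username is bound as a value, never parsed as SQL, so the injection string
    is just a username that does not exist.
    """
    row = db.execute("SELECT id FROM users WHERE username = ?", (username,)).fetchone()
    if row is None:
        return False
    stored = db.execute("SELECT password_hash FROM users WHERE id = ?", (row[0],)).fetchone()[0]
    return hmac.compare_digest(stored, hash_password(password))


# Textbook form of the payload quoted in the text above.
PAYLOAD = "Any_name' or 1=1;--"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, injected :", vulnerable_login(db, PAYLOAD, "anything"))  # True: bypassed
    print("safe, injected       :", safe_login(db, PAYLOAD, "anything"))        # False
    print("safe, real password  :", safe_login(db, "alice", "correct horse"))   # True
```

Running the block shows the vulnerable routine admitting the injected username while the parameterised version rejects it and still accepts the genuine credentials; the second query in `safe_login` is keyed on the integer id returned by the first, so the password check never sees user-controlled SQL either.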
Management Utility Passwords
At sign-in, password information is encrypted prior to transmission to the Pinnacle Series Windows Azure Services. The encryption is performed using 256-bit AES. The Encrypt-then-MAC construction is implemented, which provides authenticated encryption: a message whose authentication tag does not verify is rejected before any decryption takes place. Password information stored in customer database tables is also encrypted.
Pinnacle Series 2018 Security and Passwords
The 2018 platform is secured via Secure Sockets Layer (SSL) connections between the browser client and a stateless Representational State Transfer (REST) Application Programming Interface (API), ensuring that the data passed between them remains private. Authorization is handled by the API, and subsequent session data passed back and forth is protected by an encrypted key provided upon authorization.
Enabling Single Sign On (SSO) Capabilities
As an option, customer organizations can choose to configure Pinnacle Series to utilize Single Sign On (SSO) technology. This eliminates the need to remember a separate password when signing into Pinnacle Series, whether people are in the office, at home or on a mobile device. Users simply supply their Windows (Active Directory) password when signing into the Pinnacle Series applications.
Pinnacle Series SSO utilizes the organization’s implementation of Exchange Web Services (EWS). Microsoft Exchange Server 2007 or greater must be used with EWS and SSL enabled. Microsoft Office 365 email users can also utilize the SSO feature. Additionally, the Synchronize with Active Directory feature within Pinnacle Series must be used to keep user lists in sync.
The SSO method of authentication bypasses the storing of passwords in the Pinnacle Series Platform. At sign-in, users supply their email address and Windows password to gain access. Multiple validation methods are used in order to authorize/validate user credentials. This is to accommodate both on-premises deployments of Exchange Server as well as organizations utilizing Microsoft Office 365 for email. At no time does Pinnacle Series access or request any user-specific information (passwords, email, calendars, files, etc.) from the email server.
How Pinnacle Series SSO Works
With the location of customer organization’s Exchange Web Services known (Auto Discovered or administrator specified), calls are made to the Exchange Server to test the user credentials.
Note: Pinnacle Series SSO attempts multiple types of authentication to allow for hybrid Office 365 deployments (where some users access email through an on-premises server while others access email from the cloud).
Prior to testing the credentials, the Microsoft Data Protection API (DPAPI) is used to encrypt the password. Next, the validity of the Exchange server's SSL certificate is checked (certificate is valid/not expired).
Upon the certificate passing validation, a request is made to return a list of members in an empty group. Because valid credentials are required in order to make this innocuous request, it will become known whether or not the supplied credentials are of an authenticated user of the organization.
Note: By using an empty group name in the query, no user/company information is passed back to the Pinnacle Series Web service.
When making this request, an exception is thrown if the credentials are invalid and the user will not be allowed to sign into Pinnacle Series. If the credentials are valid, the user is allowed to sign in.
In addition, customers can organizationally enable the “Check Windows Authentication first” option for users accessing Pinnacle Series through the Management Utility while authenticated to their Windows Domain (typically while “in office”). This option will first check if the user attempting to sign into Pinnacle Series is already authenticated in the Windows Domain through the Microsoft Active Directory API. If authenticated, that user would not have to supply password credentials to be allowed access into Pinnacle Series.
A similar feature exists in Pinnacle Series 2018. Before signing in, a user can check the Remember Me option. Upon successful authorization this creates an encrypted, long-lived token that is stored in browser storage and persists until the user explicitly signs out. This token allows the browser to bypass the sign-in whenever the portal for Pinnacle Series 2018 is opened.
Because password policy will be managed by the customer organization, enabling the SSO feature disables all other forms of Pinnacle Series password policies.
Pinnacle Series Permissions
An Administration Utility is also included with the Management Utility. This provides Administrators the tools necessary to manage user accounts and establish permissions/restrictions to certain features. Permissions include setting role/user level access to enable content editing, limiting content access, as well as disabling Chat and Support features.
Cloud Platform Security and Privacy
Eagle Point selected Microsoft Windows Azure as the Pinnacle Series cloud platform because of its scalability, security and reliability. Key security requirements are met by the filtering routers, firewalls, intrusion detection systems, security monitoring, software security patch management and overall physical security of Microsoft's global data centers. Additionally, Azure fault tolerance and redundancy are key reasons Eagle Point chose the Windows Azure platform. Information about the security of Windows Azure can be found online in the Trust Center at https://www.microsoft.com/en-us/TrustCenter/Security/default.aspx. Included on the Trust Center website is detailed information about Windows Azure Services as it pertains to the security, privacy, compliance, and risk management requirements defined in the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM).
Customer Information and Content
All of your custom content is stored in your own private tenant in a Windows SQL Azure Database. This includes custom Workflows, Cheat Sheets, Videos, Courses and saved Chat Sessions.
Note: Individual chat messages are not saved during an active session, rather a user saves the chat thread that has been developed and displayed in their Pinnacle Series Chat window. If required, the Chat feature can also be completely disabled by the customer’s Pinnacle Series Administrator.
Project data and drawing files are not part of the content that is placed into or accessed by Pinnacle Series.
All of the information transmitted and stored by the Pinnacle Series platform is protected under the Windows Azure Privacy Statement (https://privacy.microsoft.com/en-us/privacystatement).
If you choose to let your subscription expire, Eagle Point will destroy all user content that has been uploaded or otherwise published to Windows Azure Services after 30 days. Other terms and conditions regarding the access to and the storage of information through the Pinnacle Series can be found in the Subscription License Agreement found at http://www.eaglepoint.com/sla/.