Our commitment to security, privacy and availability
Millions of users across the private and public sectors depend on Jive every day to keep their information safe and drive mission-critical business processes. That’s why we’ve taken a no-compromises approach to security, privacy and availability that combines best-of-breed technology, a highly trained and experienced staff, adherence to the strictest standards in the industry and the flexibility to meet diverse customer requirements.
Current Version: Jive Fall 2013 Release
Jive leverages multiple layers of defense to protect key information and handle all critical facets of network and application security, including authentication, authorization and assurance. Our ISMS (Information Security Management System) is a structured approach that has management support all the way up to our board of directors. Our program systematically evaluates our information security risks, taking into account the impact of company threats and vulnerabilities. Adherence to the ISO 27001 standard, regular third-party audits and close attention to customer input and industry trends help ensure that our security programs keep pace with a changing security landscape and meet evolving customer requirements.
JIVE SECURITY ARCHITECTURE
Jive’s security architecture is designed to protect the confidentiality, integrity and availability of all customer information that we host. To that end, we apply stringent, risk-adjusted security controls in layers ranging from facilities (physical security) to network infrastructure (network security), IT systems (system/host security) and information and applications (application security). Jive has the following security controls:
- Secure data centers - Jive maintains top-tier data centers with strong security controls, confirmed by third-party reports (SSAE16 or ISO27001).
- Logical isolation - Jive completely isolates its customer systems using VMs and VLANs. This allows data separation from OSI layer 2 (Data Link Layer). Customer traffic is routed directly to their instances to prevent any shared traffic.
- Security monitoring - All of our networks and systems are constantly being monitored by leading security tools.
- Best-in-class hardware - Jive uses the best hardware in the industry to ensure high availability.
- Strict access controls (both system and network) - Jive enforces strict access control on all its systems. We perform regular internal audits and use automated tools to verify desired configurations.
- Everything is audited (internally and by 3rd parties) - Includes strong third-party auditing from EY in the form of our SOC2.
- Strict ingress and egress points - Access to the application is restricted to ports 80/443. Jive administration is limited to a small group of Jive workers using a secure 2-factor VPN to access customer environments. All activity is logged.
- Hardened operating systems - All operating systems are customer-configured with only required services and are configured to meet strict security requirements. Strong encryption is used from the client to our systems.
- Separated services (web, database and storage) - All services are isolated and not shared, minimizing the risk of unintended data disclosure.
Virtualization capabilities at the server, storage and network layers ensure strict separation of customer instances and prevent any information leakage. Our virtualized security starts at layer 2 of the OSI model, the lowest-level protection after the physical separation. All our customers are protected using strict Access Control Lists (ACLs) that completely isolate each customer.
NETWORK INFRASTRUCTURE SECURITY
Jive utilizes a highly available and redundant network security architecture. The logical protection includes firewalls and best-of-breed intrusion detection systems that monitor the network for sophisticated exploits ranging from network-based attacks to complex application layer attacks. Jive requires its data centers to utilize strong physical security controls to protect network appliances from unauthorized access. In addition to the physical security controls, our environments have redundant network connections to ensure high availability.
We also use DDoS (Distributed Denial of Service) detection to alert our security team in the event of a potential attack. Finally, Jive uses best-in-class scanning tools to alert the security team to network misconfigurations and new vulnerabilities.
All of our security controls and risk analysis are based on the protection of customer data. Jive hosting supports various encryption methods to protect data transiting over untrusted networks. Customers can choose to implement SSL or VPN technology to add a layer of protection to their hosted site. Encryption has also been implemented for both transit and storage of offsite backups in the remote data center facilities.
In addition to encryption, Jive’s customer data security controls include:
- Restricted access to customer data - Jive employee access to customer data is highly restricted and must be approved by senior management. Before access is granted, employees must complete special security training to handle customer data.
- Logging and audit - All activity is logged in a protected system and is audited using automated tools.
- Incident and response - Jive has an incident response process designed to handle customer data incidents.
- Training - All Jive employees are required to participate in security training. Employees with access to customer data are required to take additional security training.
CERTIFICATION OF COMPLIANCE
Third-party certifications are an important component of any mature security program. We have a number of respected third-party agencies certify our security and share the results with our customers. These certifications include:
- Jive Hosting is SOC2 certified.
- Data center facilities are SSAE 16 SOC1 (previously SAS-70) or ISO27001 certified.
- Safe Harbor and TRUSTe certified.
CERTIFIED SECURITY PERSONNEL
Jive’s Security team includes certified Information Security professionals with expertise in application, network and architecture security who help define our security policies and security controls. Most of the Jive security team is composed of professionals with graduate-level security degrees, 15+ years industry experience and security certifications such as CISSP, CISA and MSIA.
SOFTWARE ENGINEERING SECURITY PROCESS
Security is continuously improved and tested throughout the Jive product lifecycle. All new feature designs are audited for high-level security considerations, and feature implementations are checked for security flaws throughout development. Existing features are audited for security vulnerability regressions, and application-wide audits are performed to ensure that feature integration is secure. Third-party components used by Jive are researched and monitored carefully for vulnerabilities. Jive has a security QA team focused on security testing, using both manual and automated testing.
Jive maintains secure programming best practice documents based on OWASP requirements, which are mandatory reading for all of our developers. Best practice documents are updated on a regular basis to reflect current vulnerability knowledge, and also provide developers with real-world examples of previous programming mistakes and how to avoid them. Topics covered include input/output data sanitation, proper usage of authentication and authorization, avoiding information disclosure and secure file system (and other resource) usage. Jive invites industry recognized security experts to present best practices to our development team on a regular basis.
Jive engages a third-party tester to perform a comprehensive review of our product. These tests include:
- Black and white box testing
- Source code security reviews
- Methodology based on OWASP and NIST standards
- Full penetration tests
QA SECURITY PROCESS
Security Assessment Policy
Jive’s release readiness workflow includes continuous security tests and assessments. Many manual and automated security tests are conducted at milestones leading up to public release. Security vulnerabilities discovered during these tests are then reviewed for criticality and remedied prior to release. This ensures that every release is deemed fully secure out of the gate.
Jive maintains accurate records of discovered vulnerabilities and their remediations. Critical vulnerabilities are fixed within one business week, and customers are notified of critical vulnerabilities. Customers are free to install the security patches in an on-premise instance, and the hosting team is available to apply security patches per customer requests. Jive leverages US-CERT alerts, open source and internal testing to identify potential vulnerabilities. Remediation efforts are determined by the risk level calculated by the Common Vulnerability Scoring System (CVSS).
Product Security Features
The Jive platform has a number of built-in features for configuring security at a level appropriate to your organization. Our Professional Services team is also available to perform customizations if the out-of-the-box options don’t meet your security requirements.
Jive utilizes best-in-class security tools to monitor our environment, such as:
- Intrusion Detection Systems (IDS)
- Distributed Denial of Service (DDoS) Detection
- Security Information and Event Management (SIEM)
- Regular application security scans using multiple products
Jive strives to maintain excellent uptime for our customers. Below are our actual uptime metrics for the last 8 months, consistently exceeding our customer SLAs.
These numbers represent monthly averages of all hosted customer instance uptimes. Updates will be posted monthly. Note that customers have instance-specific uptime reports delivered to them each month.
*Monthly uptime numbers may be delayed.
**Definition of availability: The solution is available if Jive can complete the following tasks using its automated metric calculation tools:
- Access the home page of the administrative interface for the community and confirm correct rendering of the page;
- Log in to the solution using the Private Jive Account (i.e., no SSO login) and confirm correct rendering of the page;
- Navigate to the community landing page and confirm correct rendering of the page.
Our commitment to privacy is second to none in the industry. When it comes to protecting the data that our customers, partners and website visitors entrust to us, we make no compromises.
The following certifications attest to our best-in-class privacy program.
To support our customers, partners and website visitors in the European Union and Switzerland, Jive has certified its adherence to the U.S.-European Safe Harbor program and the U.S.-Swiss Safe Harbor program.
TRUSTe has conducted a third-party audit of our privacy program and awarded us the following privacy seals:
- EU Safe Harbor Seal
- Trusted Cloud