Jive leverages multiple layers of defense to protect key information and handle all critical facets of network and application security, including authentication, authorization and assurance. Our ISMS (Information Security Management System) is a structured approach that has management support all the way up to our board of directors. Our program systematically evaluates our information security risks, taking into account the impact of company threats and vulnerabilities. Adherence to the ISO 27001 standard, regular third-party audits and close attention to customer input and industry trends help ensure that our security programs keep pace with a changing security landscape and meet evolving customer requirements.
Jive Security Architecture
Jive’s security architecture is designed to protect the confidentiality, integrity and availability of all customer information that we host. To that end, we apply stringent, risk-adjusted security controls in layers ranging from facilities (physical security) to network infrastructure (network security), IT systems (system/host security) and information and applications (application security). Jive has the following security controls:
- Secure data centers – Jive maintains top-tier data centers with strong security controls, confirmed by third-party reports (SSAE16 or ISO27001).
- Logical isolation – Jive completely isolates its customer systems using VMs and VLANs. This allows data separation from OSI layer 2 (Data Link Layer). Customer traffic is routed directly to their instances to prevent any shared traffic.
- Security monitoring – All of our networks and systems are constantly being monitored by leading security tools.
- Best-in-class hardware – Jive uses the best hardware in the industry to ensure high availability.
- Strict access controls (both system and network) – Jive enforces strict access control on all its systems. We perform regular internal audits and use automated tools to verify desired configurations.
- Everything is audited (internally and by 3rd parties) – Includes strong third-party auditing from EY in the form of our SOC2.
- Strict ingress and egress points – Access to the application is restricted to ports 80/443. Jive administration is limited to a small group of Jive workers using a secure 2-factor VPN to access customer environments. All activity is logged.
- Hardened operating systems – All operating systems are customer-configured with only required services and are configured to meet strict security requirements. Strong encryption is used from the client to our systems.
- Separated services (web, database and storage) – All services are isolated and not shared, minimizing the risk of unintended data disclosure.
Virtualization capabilities at the server, storage and network layers ensure strict separation of customer instances and prevent any information leakage. Our virtualized security starts at layer 2 of the OSI model, the lowest-level protection after the physical separation. All our customers are protected using strict Access Control Lists (ACLs) that completely isolate each customer.
Network Infrastructure Security
All of our security controls and risk analysis are based on the protection of customer data. Jive hosting supports various encryption methods to protect data transiting over untrusted networks. Customers can choose to implement SSL or VPN technology to add a layer of protection to their hosted site. Encryption has also been implemented for both transit and storage of offsite backups in the remote data center facilities.
In addition to encryption, Jive’s customer data security controls include:
- Restricted access to customer data – Jive employee access to customer data is highly restricted and must be approved by senior management. Before access is granted, employees must complete special security training to handle customer data.
- Logging and audit – All activity is logged in a protected system and is audited using automated tools.
- Incident and response – Jive has an incident response process designed to handle customer data incidents.
- Training – All Jive employees are required to participate in security training. Employees with access to customer data are required to take additional security training.
Certification of Compliance
Third-party certifications are an important component of any mature security program. We have a number of respected third-party agencies certify our security and share the results with our customers. These certifications include:
- ISO 27001:2013 certified.
- SOC2 Type 2 certified.
- Safe Harbor and Truste certified.
- Jive’s third party data center facilities in the United States are SSAE 16 SOC1 (previously SAS-70) certified. Jive’s third party data center facilities in Europe are ISO 27001 certified.
Certified Security Personnel
Jive’s Security team includes certified Information Security professionals with expertise in application, network and architecture security who help define our security policies and security controls. Most of the Jive security team is composed of professionals with graduate-level security degrees, 15 years industry experience and security certifications such as CISSP, CISA and MSIA.
Software Engineering Security Process
Security is continuously improved and tested throughout the Jive product lifecycle. All new feature designs are audited for high-level security considerations, and feature implementations are checked for security flaws throughout development. Existing features are audited for security vulnerability regressions, and application-wide audits are performed to ensure that feature integration is secure. Third-party components used by Jive are researched and monitored carefully for vulnerabilities. Jive has a security QA team focused on security testing, using both manual and automated testing.
Jive maintains secure programming best practice documents based on OWASP requirements, which are mandatory reading for all of our developers. Best practice documents are updated on a regular basis to reflect current vulnerability knowledge, and also provide developers with real-world examples of previous programming mistakes and how to avoid them. Topics covered include input/output data sanitation, proper usage of authentication and authorization, avoiding information disclosure and secure file system (and other resource) usage. Jive invites industry recognized security experts to present best practices to our development team on a regular basis.
Jive engages a third-party tester to perform a comprehensive review of our product. These tests include:
- Black and white box testing
- Source code security reviews
- Methodology based on OWASP and NIST standards
- Full penetration tests
QA Security Process
Security Assessment Policy
Jive’s release readiness workflow includes continuous security tests and assessments. Many manual and automated security tests are conducted at milestones leading up to public release. Security vulnerabilities discovered during these tests are then reviewed for criticality and remedied prior to release. This ensures that every release is deemed fully secure out of the gate.
Jive maintains accurate records of discovered vulnerabilities and their remediations. Critical vulnerabilities are fixed within one business week, and customers are notified of critical vulnerabilities. Customers are free to install the security patches in an on-premise instance, and the hosting team is available to apply security patches per customer requests. Jive leverages US-CERT alerts, open source and internal testing to identify potential vulnerabilities. Remediation efforts are determined by the risk level calculated by the Common Vulnerability Scoring System (CVSS).
Product Security Features
The Jive platform has a number of built-in features for configuring security at a level appropriate to your organization. Our Professional Services team is also available to perform customizations if the out-of-the-box options don’t meet your security requirements.
Jive utilizes best-in-class security tools to monitor our environment, such as:
- Intrusion Detection Systems (IDS)
- Distributed Denial of Service (DDoS ) Detection
- Security Information and Event Management (SIEM)
- Regular application security scans using multiple products
Jive strives to maintain excellent uptime for our customers. Below are our actual uptime metrics for the last 8 months, consistently exceeding our customer SLAs.
These numbers represent monthly averages of all hosted customer instance uptimes. Updates will be posted monthly. Note that customers have instance-specific uptime reports delivered to them each month.
Month Uptime Aug, 2014 99.9994% Sep, 2014 99.9974% Oct, 2014 99.9982% Nov, 2014 99.9988% Dec, 2014 99.9991% Jan, 2015 99.9985% Feb, 2015 99.9998%
*Monthly uptime numbers may be delayed.
**Definition of availability: The solution is available if Jive can complete the following tasks using its automated metric calculation tools:
- Access the home page of the administrative interface for the community and confirm correct rendering of the page,
- Log into the solution using the Private Jive Account (i.e., no SSO login) and confirm correct rendering of the page,
- Navigate to the community landing page and confirm correct rendering of the page.
Our commitment to privacy is second to none in the industry. When it comes to protecting the data that our customers, partners and website visitors entrust to us, we make no compromises.
The following certifications attest to our best-in-class privacy program.
U.S. – European Safe Harbor & U.S. – Swiss Safe Harbor
To support our customers, partners and website visitors in the European Union and Switzerland, Jive has certified its adherence to the U.S. – European Safe Harbor program and the U.S. – Swiss Safe Harbor program.
TRUSTe has conducted a third-party audit of our privacy program and awarded us the following privacy seals:
- EU Safe Harbor Seal
Identifies companies that adhere to the EU Safe Harbor Framework, enabling the transfer of data from EU citizens to the US. TRUSTe’s strict online privacy principles protect the privacy of your personal information collected through their websites, including mobile web. Companies self-certify with the US Department of Commerce.
- Trusted Cloud
Identifies Service Providers offering data processing services through Cloud or SaaS platforms that adhere to TRUSTe’s strict online privacy principles and protect the privacy of personal information collected.
Skyhigh Networks performs objective and thorough evaluations of the enterprise-readiness of cloud service based on a detailed set of criteria developed in conjunction with the Cloud Security Alliance (CSA). Services designated as Skyhigh Enterprise-Ready are the services receiving the highest CloudTrust™ Ratings, which fully satisfy the most stringent requirements for data protection, identity verification, service security, business practices, and legal protection.
- EU Safe Harbor Seal
Our Commitment to Security, Availability and Privacy
Millions of users across the private and public sectors depend on Jive every day to keep their information safe and drive mission-critical business processes. That’s why we’ve taken a no-compromises approach to security, privacy and availability that combines best-of-breed technology, a highly trained and experienced staff, adherence to the strictest standards in the industry and the flexibility to meet diverse customer requirements.