DraftSpark Security Overview
Updated: December 10, 2019
Xerox, in conjunction with the research scientists at PARC, has developed DraftSpark, a SaaS application to assist Bid Management teams with responding to RFPs. The AI-native approach is designed to remove the drudgery and automate the tedium associated with managing a content DB while the workflow aspects facilitate and enhance collaboration. By reducing errors and freeing up time, Bid Proposal Managers may be unleashed to focus on creativity, personalization and differentiation in order to win more deals.
At a high level, the application begins by analyzing a set of historical proposals (i.e. an archive) to cultivate examples for training an artificial intelligence engine, unique to the particular customer. Then, when said customer enters the application and drops in a new RFP, the engine will leverage its ‘learning’ to generate, as accurately as possible, the first draft of a proposal. Workflow automation tools provided by the application will then enable collaboration by a group of people to pilot the first draft to a polished, final proposal.
Definitions and Terms
The security terms used in this document and their definitions can be found in the SANS Glossary.
During the design and development of the DraftSpark RFP Response Assistant software, the engineering team followed “secure by design” principles and based engineering decisions on recommendations provided by the Open Web Application Security Project (OWASP) to improve application security.
Data Handling and Storage
Data is stored in three locations depending on its functional purpose:
- Relational database (Amazon RDS service)
This data is used by API components and stores most of the data required for application usage:
- User specific data, such as name, email, phone and job title
- Organization specific data, such as name, address and phone
- Opportunity data, such as the parsed RFP and its breakdown, proposal content and tasks
- Elasticsearch service
This holds data that is used for fuzzy search through suggested answers to specific questions. As such, it stores Question+Answer pairs for future suggestions. This data is isolated by organization to avoid unauthorized access.
- Amazon S3 (Simple Storage Service)
This stores file-based data, including:
- User avatars
- Organization logos
- Original RFP files that were uploaded into the system
PostgreSQL is launched on Amazon RDS. Database storage and snapshots are encrypted by Amazon Web Services (AWS) with an industry standard AES-256 encryption algorithm. The RDS cluster is available only inside the Virtual Private Cloud (VPC).
S3 buckets are private, thus data can be accessed only by AWS entities with access granted to S3. The Elasticsearch cluster is available only inside the VPC.
Data Protection & Encryption
QA and production environments are located in separate VPCs. VPCs for each environment are divided into 2 subnets: private and public. Internal resources (i.e. databases and servers) are deployed in the private subnet and only the main load balancer is located in the public subnet. Thus, resources cannot be directly accessed via outside of the VPC and none of the data is transmitted across the Internet unencrypted.
PostgreSQL is launched on Amazon RDS. Database storage and snapshots are encrypted by AWS with an industry standard AES-256 encryption algorithm. Non-root Elastic Block Store (EBS) volumes attached to Amazon Elastic Compute Cloud (EC2) instances are encrypted.
For development and debugging purposes, however, a bastion server is available in a public subnet with access to a private network. The instance is accessible via port 22 (SSH) with key-based only authentication and is protected with AWS Security Groups. Also, Virtual Private Network (VPN) connections may be established to access internal resources. Minimal key length is 4096 bits.
Data in transit: The application is available only via https (TLS 1.2) and 80 443 redirect is enabled.
Data at rest: Database disks where users’ personal data is stored is encrypted using AES-256 encryption while at rest. The connection from the back end to the database is not encrypted, but the DB connection is closed to external connections. We store names and email addresses (which are required to use the application), and titles, phone numbers and profile pictures (which users may elect to add) as well as the content in our customers’ proposals.
Access to any kind of users’ data is strictly restricted. Only a very limited number of DevOps and Support engineers (currently a part of development team) have access to the data.
Least Privilege Principle is applied across the infrastructure.
The DraftSpark RFP Response Assistant utilizes Amazon’s AWS Cloud Server Infrastructure (N. Virginia region) for hosting of all services. The RFP Response Assistant is a web-based application operating on AWS utilizing Elasticsearch and PostgreSQL database servers. AWS meets our operational requirements by being in compliance with many auditing standards including SOC, ISO 9001, ISO 27001, FedRAMP and many others. For up-to-date Amazon operational, security and auditing requirements please see http://aws.amazon.com/security/.
Firewall and security group policy is used to protect resources from unauthorized access. Each environment is isolated from other infrastructure by AWS VPC routing rules.
Protection Against Attacks and Vulnerabilities
Common protection approaches such as firewalls, port management, key-managed (RSA2) only access to infrastructure and passwords for the service are utilized. Additionally, the AWS GuardDuty system is used for monitoring to identify usage patterns typical of someone trying to attack the system. When identified as an attacker, requests are redirected to avoid access to the systems.
- External and internal network traffic is firewalled using AWS Security Groups.
- Direct remote access to Servers is prohibited.
- The single point of entry is the Bastion server.
- Direct external ‘root’ user access is not allowed.
The Amazon GuardDuty system is monitoring traffic flow and continuously analyzing access to the environments. Also, the application is under Distributed Denial of Service (DDoS) protection via the AWS Shield system.
Web Application Firewall
The DraftSpark RFP Response Assistant utilizes the Web Application Firewall (WAF) provided by AWS.
WAF is a feature of the Application Load Balancer that provides centralized protection of web applications from common exploits and vulnerabilities.Common among these exploits are SQL injection attacks, cross-site scripting attacks and others. Preventing such attacks in application code can be challenging and may require rigorous maintenance, patching and monitoring at multiple layers of the application topology. A centralized web application firewall helps make security management much simpler and gives better assurance to application administrators against threats or intrusions. A WAF solution can also react to a security threat faster by patching a known vulnerability at a central location versus securing each individual web application. All Application Load Balancers have a web application firewall enabled by default.
The system defines three roles which have access to specific entities and areas. Permissions are split into the following:
- Regular users who operate within a given organization.
- Administrators who have access to user and company management functionality for the organizations to which they belong. In general, administrators have the ability to create and delete users within their organizations.
- Super Administrators who have access to all user and company management functionality across all organizations. In general, super administrators have the ability to create and delete organizations as well as create and delete users and administrators within those organizations.
Super Administrator privileges are restricted to a very limited number of people in the development operation at Xerox (currently less than 5). When a new organization would like an account within the application, a Super Administration will create that organization as well as an Administrator within that organization. The new Administrator will then be able to invite his or her colleagues to join.
Authorization & Authentication
When a user or Administrator account is created, he or she will receive an email with a link enabling him or her to create a password. Alternatively, the Super Administrator can create the password and then communicate it with the user somehow (e.g. via secure email
The application utilizes OWASP recommendations regarding password storing and complexity. This includes, but is not limited to, one-way encryption of passwords for end users and functionality that requires users to provide passwords with a certain complexity. The user is requested to generate a password that must meet the following complexity rules:
- at least 1 uppercase character (A-Z)
- at least 1 lowercase character (a-z)
- at least 1 digit (0-9)
- at least 1 special character (punctuation)
- at least 10 characters
- at most 128 characters
Passwords are transmitted via https only.
User sessions are managed using access tokens which are never stored in any persistent storage but are randomly generated each time the user signs into the system. Generally, the token indicates the session of the user.
On the browser side, these tokens are stored in user cookies and used to access the server. A token is sent to the server on each request and, on its side, the server checks that the token is valid (active) and the user is authenticated to access the system.
On the server side these tokens are stored in memory, never persisted in any kind of storage, and never sent anywhere under any circumstances (except for the initial sending of a token to a user as a response to a successful sign-in).
Each time a user signs out or is suspended by an Administrator, all sessions of this user are immediately invalidated so the user may no longer access the server.
Access tokens are automatically expired 12 hours after creation.
Finally, during a server restart all tokens are invalidated and all users must sign-in again to gain access to the system.
SSL Labs Report
As noted earlier, the application is only available via https (SSL) and the only supported version of TLS is 1.2. (More info about supported TLS ciphers may be found at the ELBSecurityPolicy-TLS-1-2-2017-01 description).
We verify the quality of our SSL deployment by reporting our SSL Report score. The report is generated by the unaffiliated 3rd party SSL Labs, a non-commercial research effort within Qualys. Here is the encryption report for https://draftlspark.ai/ from December 10, 2019. This represents an overall rating A on ssllabs.com: