Security

Summary


  • No breached passwords
  • Two-factor authentication
  • Encryption in transit and at rest
  • Strict employee access policies
  • Annual penetration testing
  • Read-only access to AWS configuration

1. Passwords


The security of your account begins with a strong password. In addition to requiring passwords of at least 8 characters, KirkpatrickPrice follows the recommendations in NIST SP 800-63B and screens every new password against lists of passwords exposed in known breaches.

When you create a new account, your password is checked against the Have I Been Pwned service. If your password has shown up in any breaches indexed by Have I Been Pwned, we will ask that you choose a different, stronger password.

We do not store, log, or share your password in plain text. To check it against Have I Been Pwned we compute a one-way cryptographic hash of the password and send only a short prefix of that hash to the service; the service returns the hash suffixes of every breached password that shares the prefix, and the comparison is made on our side. Neither the password nor its full hash is disclosed. This is the k-anonymity model that Have I Been Pwned's Pwned Passwords API is built around.
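The following is an added example of the k-anonymity lookup described above; it is not KirkpatrickPrice's code. It uses the real Pwned Passwords range endpoint (https://api.pwnedpasswords.com/range/{prefix}, which takes the first five hex characters of the SHA-1 digest and returns SUFFIX:COUNT lines), but the `constructed_range_api` stand-in and its breach counts are made up so the example runs offline. The 8-character floor is the NIST SP 800-63B minimum the page cites.

```python
"""Password screening against the Pwned Passwords range API (k-anonymity).

Added example, not KirkpatrickPrice's implementation: only the first five hex
characters of the SHA-1 hash leave this process; the suffixes of breached
hashes in that range come back and are matched locally.
"""
from __future__ import annotations

import hashlib
import urllib.request
from typing import Callable

RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"  # real HIBP endpoint
MIN_LENGTH = 8  # NIST SP 800-63B minimum for user-chosen passwords

RangeFetcher = Callable[[str], str]


def hash_prefix_and_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is
    sent to the API and the 35-char suffix that is only ever compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a map; blank lines are ignored."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts


def fetch_range_live(prefix: str) -> str:
    """Query the real API. Add-Padding asks the service to pad the response
    with zero-count entries so the response size does not leak the prefix."""
    req = urllib.request.Request(
        RANGE_URL.format(prefix=prefix),
        headers={"Add-Padding": "true", "User-Agent": "pwned-passwords-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range: RangeFetcher = fetch_range_live) -> int:
    """Number of breach appearances, or 0. Padding entries carry count 0 and
    therefore correctly read as 'not breached'."""
    prefix, suffix = hash_prefix_and_suffix(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def password_is_acceptable(password: str,
                           fetch_range: RangeFetcher = fetch_range_live) -> tuple[bool, str]:
    """Cheap local length check first, then the breach lookup."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    seen = breach_count(password, fetch_range)
    if seen:
        return False, f"seen in breach data {seen} times; choose a different password"
    return True, "ok"


def constructed_range_api() -> RangeFetcher:
    """Offline stand-in for the API built from constructed data (the counts are
    not real HIBP figures), so the example runs without network access."""
    ranges: dict[str, list[str]] = {}
    prefix, suffix = hash_prefix_and_suffix("password")
    ranges.setdefault(prefix, []).append(f"{suffix}:3861493")  # constructed count
    prefix, suffix = hash_prefix_and_suffix("padded-but-not-breached")
    ranges.setdefault(prefix, []).append(f"{suffix}:0")  # zero-count padding entry

    def fetch(prefix: str) -> str:
        return "\r\n".join(ranges.get(prefix, []))

    return fetch


if __name__ == "__main__":
    api = constructed_range_api()
    for candidate in ("short", "password", "correct horse battery staple"):
        print(candidate, "->", password_is_acceptable(candidate, api))
```

Swap `constructed_range_api()` for the default `fetch_range_live` to run against the real service; the suffix comparison still happens locally, so the only thing the network ever sees is the five-character prefix.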

2. Two-factor authentication


Passwords are the foundation of account security, but on their own they remain susceptible to the human tendency to choose ones that are easy to guess. To add a second layer of protection, KirkpatrickPrice offers two-factor authentication (2FA) based on time-based one-time passwords (TOTP, RFC 6238).

You can use any TOTP app, such as Google Authenticator, Duo, Authy, Microsoft Authenticator, 1Password, or LastPass, to add a second authentication factor to your account.

3. Encryption


All traffic to and from KirkpatrickPrice is protected with industry-standard TLS. Data, files, backups, and storage are all encrypted at rest.

4. Employee access


Access to customer data held in KirkpatrickPrice's platform is limited to the employees who need it to operate and support the system. All such access is logged and audited to protect the security and privacy of our customers' data.

5. Pentesting


KirkpatrickPrice performs annual penetration testing with qualified experts to identify vulnerabilities in our system.

6. AWS account connection


To perform a security assessment of your AWS account, you first need to allow KirkpatrickPrice to connect to it. Once access is established, you can run your scan.

KirkpatrickPrice accesses your AWS account through a read-only, cross-account IAM role. The role is granted the AWS managed SecurityAudit policy, which permits reading configuration metadata about the services you use in AWS but not the data held in those services. For example, we can see how your S3 buckets are configured, but not the objects inside them.

To further protect access to your account, each cross-account role is given a unique external ID that must be presented when assuming the role. This is AWS's standard defence against the confused deputy problem, in which a third party that has access to many customers' roles is tricked into using its access to your role on someone else's behalf.
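As an added example (not KirkpatrickPrice's tooling), the following builds the trust policy for the role just described, audits it for the two mistakes that would undo its protection (a wildcard principal, or a missing sts:ExternalId condition), and then creates the role and attaches SecurityAudit. `create_role` and `attach_role_policy` are the real boto3 IAM client methods; the account ID 111122223333, the role name and the external ID are placeholders, and `RecordingIamClient` is a constructed stand-in so the example runs without AWS credentials.

```python
"""Cross-account, read-only assessor role: trust policy with an external ID.

Added example, not KirkpatrickPrice's code. Account IDs, the role name and the
external ID are placeholders; in practice the assessor issues the external ID.
"""
from __future__ import annotations

import json

SECURITY_AUDIT_ARN = "arn:aws:iam::aws:policy/SecurityAudit"  # AWS managed, read-only


def trust_policy(assessor_account_id: str, external_id: str) -> dict:
    """Only the assessor's account may assume the role, and only when it
    presents the external ID issued for this customer."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{assessor_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def _account_of(principal: str) -> str:
    """Principals may be a bare account ID or an ARN (arn:aws:iam::ID:root)."""
    return principal.split(":")[4] if principal.startswith("arn:") else principal


def audit_trust_policy(doc: dict, assessor_account_id: str) -> list[str]:
    """Return findings for every statement that allows sts:AssumeRole."""
    findings: list[str] = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if "*" in aws_principals:
            findings.append("wildcard principal: any AWS account could assume the role")
        else:
            foreign = [p for p in aws_principals if _account_of(p) != assessor_account_id]
            if foreign:
                findings.append(f"unexpected principals: {foreign}")
        external_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not external_id:
            findings.append("no sts:ExternalId condition: exposed to the confused-deputy problem")
    return findings


def create_assessor_role(iam, role_name: str, assessor_account_id: str, external_id: str) -> dict:
    """Create the role and attach SecurityAudit. `iam` is a boto3 IAM client
    (boto3.client("iam")); create_role and attach_role_policy are its methods.
    Nothing here grants the assessor write access."""
    doc = trust_policy(assessor_account_id, external_id)
    problems = audit_trust_policy(doc, assessor_account_id)
    if problems:
        raise ValueError(problems)
    iam.create_role(RoleName=role_name, AssumeRolePolicyDocument=json.dumps(doc),
                    Description="Read-only access for external security assessment")
    iam.attach_role_policy(RoleName=role_name, PolicyArn=SECURITY_AUDIT_ARN)
    return doc


class RecordingIamClient:
    """Constructed stand-in for a boto3 IAM client so the example runs offline."""

    def __init__(self):
        self.calls: list[tuple[str, dict]] = []

    def create_role(self, **kwargs):
        self.calls.append(("create_role", kwargs))

    def attach_role_policy(self, **kwargs):
        self.calls.append(("attach_role_policy", kwargs))


def provision_offline() -> RecordingIamClient:
    """Run the procedure against the stand-in; placeholder IDs throughout."""
    iam = RecordingIamClient()
    create_assessor_role(iam, "ExternalSecurityAudit", "111122223333", "example-external-id-change-me")
    return iam


if __name__ == "__main__":
    print(json.dumps(provision_offline().calls, indent=2))
```

The equivalent from the AWS CLI is `aws iam create-role --role-name <name> --assume-role-policy-document file://trust.json` followed by `aws iam attach-role-policy --role-name <name> --policy-arn arn:aws:iam::aws:policy/SecurityAudit`; `aws iam list-attached-role-policies --role-name <name>` afterwards confirms that SecurityAudit is the only policy on the role.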