July 10, 2020
Silo for Safe Access and Silo for Research (Toolbox) (together, “Silo”) shall be configured and operated in accordance with this Use and Configuration Guide (“Guide”). For support related to the implementation mechanisms for these guidelines, Silo customers’ registered agents, usually one or more identified Silo administrators within the customer organization, may seek additional guidance from their assigned Authentic8 representative (e.g., account executive, program manager, etc.) or Authentic8 Support (i.e., firstname.lastname@example.org) in accordance with the requirements below.
Customer – An organization provisioned with access to Silo and its users, both privileged and non-privileged.
Customer Data – Any information entered into Silo by the Customer. Customer Data includes information that may be transported, processed, or stored.
Identity Provider (IdP) – A system, service, or entity configured and leveraged by the Customer to provide authentication services for access to Silo by way of Security Assertion Markup Language (SAML) based Single Sign-On.
Multifactor Authentication (MFA) – An authentication method that grants access to Silo only after successfully presenting at least one additional piece of evidence in addition to the user’s primary password or PIN. Silo’s built-in mechanism for MFA is provided in the form of an out-of-band, one-time passcode (OTP) that is issued via text message (Short Message Service). Additional mechanisms for MFA can be leveraged through the Customer’s configured IdP, examples of which are CAC/PIV, hardware-based OTP, and public-key cryptography and authentication.
Personal Identifiable Information (PII) – Personal data that is directly related to an identifiable person. Examples of PII are first name, last name, and date of birth. A subset of PII, “Sensitive PII” is personal data that could result in substantial harm to the individual if lost, compromised, or disclosed. Examples of Sensitive PII are social security numbers, healthcare related information, and bank account numbers.
Registered Agent – Identified Silo administrators for a Customer who are approved to provide first-tier support to Customer users, receive second-tier support from Authentic8, and provide authorization to Authentic8 Support personnel to access defined Customer Data for the purpose of provisioning and support.
Root-Organization-Level - For a given Customer, the root-organization-level is the topmost hierarchy Silo “org” to which users and policies may be provisioned. Additional users and policies may be provisioned within subordinate Silo orgs, and policies may be applied that flow down to lower-level organizations.
Sensitive Customer Data – Any Customer Data that is not approved for general/public dissemination, use, processing, or storage.
Customer shall configure Silo as follows:
1. USERS & ORGS
Org Information. Selected Org Name field must not contain PII or Sensitive Customer Data. If configured, the Vanity URL field must not contain PII or Sensitive Customer Data.
User Information. First Name, Last Name, and Email fields associated with individual Silo user accounts must not contain PII or Sensitive Customer Data. For root-organization-level Silo administrator accounts, a non-sensitive phone number shall be entered in the Phone field for use as a backup MFA mechanism in the event of an IdP outage or misconfiguration of the organization’s SAML Single Sign-On settings (see Configuration Guide, Section 3, Access & Authentication and Use Guide, Section 3, Launching Silo). The Phone field for all other user accounts must not contain sensitive PII or Sensitive Customer Data. The Username must not contain PII or Sensitive Customer Data.
Security Recommendation: To shield against enumeration attempts by potential bad actors, Customer shall establish usernames and vanity URLs that are not easily guessable, are at least 12 characters, and include customer-established complexity requirements that include both alphabetic and numeric characters.
Account Shortcuts. Web Apps, if provisioned, should be set as “Admin Controlled” to retain privacy-oriented control of the content stored in Silo. On a per-web app basis, the login identifier field may vary in accordance with the web resource being accessed. In all cases, this identifier (e.g., email address, login ID, username, member ID, etc.) must not contain PII or Sensitive Customer Data. The Additional Login Info field must not contain PII or Sensitive Customer Data.
2. WEB APPS
Web Apps. Any Web Apps assigned at the organization level are accessible by all users provisioned within that organization or within any subordinate-level organization. The assignment of shared Web Apps acts as implicit authorization to allow users to access the configured login identifier(s) and the information in the Additional Login Info field. Web Apps, if provisioned, should be set as “Admin Controlled” to retain privacy-oriented control of the content stored in Silo. On a per-web app basis, the login identifier field may vary in accordance with the web resource being accessed. In all cases, this identifier (e.g., email address, login ID, username, member ID, etc.) must not contain PII or Sensitive Customer Data. In all cases, the Additional Login Info field must not contain PII or Sensitive Customer Data.
Storage Spaces. Any storage space assigned at the organization level enables access to “Pooled Storage” (see Configuration Guide, Section 3, Encrypted Cloud Storage), and is accessible and shared by all users provisioned within that organization or within any subordinate-level organization. The assignment of shared storage space shall be deemed Customer authorization for the sharing of information among these users in accordance with the Access Rights configuration. For this configuration, “Read/Write” allows all users with access to the storage space to access stored file objects, add stored file objects, modify stored file objects, and delete stored file objects; “Read Only” allows users to access stored file objects; and “Write Only” allows users to add stored file objects.
Browser Settings. URL Category Filtering. The Enable option for URL Category Filtering shall be deemed Customer authorization to allow the sharing of URL domain and path information with subprocessor organization(s) in aggregate form in order to allow website category information lookups (e.g., shopping, social networking, malicious, questionable & offensive, etc.). Information is queried in aggregate, with no organization or user information shared with the subprocessor organization, and URL parameters are NOT transported to or processed by the subprocessor organization. A list of all subprocessor organizations used to provide Silo services is maintained at https://www.authentic8.com/third-party-processors/ along with their processing activities, their entity location, and potential processing location(s).
Block Page Content. If URL Category Filtering or Domain Filtering is configured, users will be presented with a message when they are blocked from accessing a page. The URL Block Message field, if used, must not contain PII or Sensitive Customer Data.
Access & Authorization. Device Trust. The fingerprint information configuration must be set to As Hashed Text. This option will pseudonymize all Silo users’ machine factor data that is used by Silo to identify whether their devices are trusted or not in accordance with Device Trust configuration settings.
Single Sign-On. The SAML Single Sign-On enabled option shall be set by Customer, and Customer shall configure their service with IdP integration that meets their authentication requirements (including MFA requirements) to avoid the need to store individual user’s phone numbers in the system. Information system account identifiers that are used as a component of SAML Single Sign-On must not include PII or Sensitive Customer Data. See the “Launching Silo” section, below, for additional information.
Password Saving. Password Saving shall be configured as Disabled. This setting, in concert with the Web Apps configured by the Silo administrator (see Configuration Guide, Section 3, Web Apps) allow the Customer to maintain privacy-oriented control of the content stored in the associated login identifier fields and the Additional Login Info field.
Encrypted Cloud Storage. Pooled Storage shall only be enabled in conjunction with the Storage Space assignments, described in Configuration Guide, Section 3, Web Apps. Configuring access to Pooled Storage (“storage space”) shall be deemed Customer authorization for the sharing of information among the users to which it is made available.
Customization. Silo Branding. Within the branding subsection of the Customization configuration, the Silo Vanity URL field must not contain PII or Sensitive Customer Data.
Advanced. Log Encryption. Log encryption must be enabled by selecting the option for User activity logs are stored encrypted. The Silo customer organization administrator is responsible for establishing a public/private encryption key pair in accordance with the guidelines identified at https://support.authentic8.com/support/solutions/articles/16000026626-log-encryption. Once the key pair is established, the public key must be copied to the Public Key field and a name assigned to the key in the Key Name field. The Key Name field must not contain PII or Sensitive Customer Data. The customer organization’s corresponding private key must never be shared with Authentic8.
Silo Location. If the option for Silo can run in any data center option is selected, this shall be deemed Customer authorization for the processing and transmission of Customer Data by all Authentic8 subprocessor Infrastructure as a Service (IaaS) providers at all available geographic locations. If the option for Silo is restricted to only run in specified data centers is selected, this shall be deemed Customer authorization for the processing and transmission of Customer Data by the Authentic8 subprocessor IaaS providers associated with the selected data center locations. To limit the processing of Silo browser sessions to providers with the United States, either the Global Servers > North America > United States option must be selected or an option at a lower hierarchy level than United States must be selected. All Authentic8 subprocessors are identified at https://www.authentic8.com/third-party-processors/ along with their function, entity location, and the location where they may process or transmit data.
Message Bar. If a Display Option is selected to Always display the Message Bar or Let users turn the Message Bar on & off, then any content configured in the Set Custom Message field may be displayed to all users within the applicable Silo organization. This field must not contain PII or Sensitive Customer Data.
Customer shall use Silo as follows:
1. SUPPORT SERVICE
Support. To receive support, a registered agent of the Customer’s organization may contact Authentic8 via email, support portal (i.e., ticket submission), or telephone. Email requests shall be made using the email address registered with Authentic8 during the Silo onboarding process or explicitly updated by the customer organization through Authentic8 Support. Information exchanged via email and support portal requests must not include sensitive PII. Unencrypted credential-related information must not be exchanged via email or support portal. Generally, the only credential-related information that may be exchanged is a temporary password provided to a registered agent as a component of second-level support service. Customers must never share their Silo PIN or other credentials with Authentic8 Support.
FedRAMP Support. For customer organizations configured for, and licensed to leverage, Silo as a FedRAMP authorized service, support must be initiated via email and must use the email address registered with Authentic8 during the Silo onboarding process or explicitly updated by the customer organization through Authentic8 Support. Any telephone-based support must be initiated by Authentic8 to the registered agent’s telephone number that is registered with Authentic8 or configured for the associated administrator account within Silo.
2. USER PROFILE MANAGEMENT
Personal Information. Silo users’ Personal Information must not be updated to include PII or Sensitive Customer Data. For users who are not registered agents, this includes the First Name, Last Name, and Phone fields. For registered agents, this includes the First Name and Last Name fields; the Phone field shall be set to a non-sensitive phone number that can act as a backup method of MFA in the event of an IdP service outage or misconfiguration of SAML Single Sign-On.
2-Factor Authentication. For users who are not registered agents, 2-Factor Authentication must not be updated to include phone numbers considered to be PII. For registered agents, the Phone field shall be set to a non-sensitive phone number that can act as a backup method of MFA in the event of an IdP service outage or misconfiguration of SAML Single Sign-On.
3. LAUNCHING SILO
Login. When launching Silo using PIN-based credentials, Customer shall require MFA. Users shall not be configured using phone numbers considered to be sensitive or PII. To eliminate any storage and processing of phone numbers otherwise considered to be sensitive or PII, users shall launch Silo using the Use Single Single-On (SSO) option.
4. SAVING CREDENTIALS
Credential Management. If Web Apps are configured with the User Controlled or Shared options configured (see Configuration Guide, Section 2) or if Password Saving is enabled (see Configuration Guide, Section 3), users must not include PII or Sensitive Customer Data in any applicable login identifier fields associated with the web resource credentials being saved.
5. ENCRYPTED CLOUD STORAGE
Use of Shared Cloud Drives. Any file objects stored in shared cloud drives may be accessed by other Silo users who have been provisioned for access to those drives (see Configuration Guides, Sections 2 and 3). Any PII and Customer Data stored within shared cloud drives shall be deemed approved by Customer to be stored within Encrypted Cloud Storage and to be shared with other users that have been granted access to the shared drives by their Silo administrator(s).