Data Security has 3 main elements:
- Confidentiality ensures that data is accessed only by authorized individuals.
- Integrity ensures that information is reliable as well as accurate.
- Availability ensures that data is both available and accessible to satisfy business needs.
Jive security and privacy features are designed to meet the requirements of the most tightly regulated global industries and government agencies. You can read the Jive Security Whitepaper for a detailed description of how Jive implemented security features.
Aurea is committed to being compliant with GDPR requirements and providing customers with documentation on how Aurea intends to be compliant.
CSP, X-Frame, and HSTS
Customers often raise tickets when they have conducted a security audit and found some issues that they would like fixed.
HSTS stands for HTTP Strict-Transport-Security. The HSTS response header informs browsers that the site should only be accessed using HTTPS and that any future attempts to access it using HTTP should automatically be converted to HTTPS. The max-age directive tells the browser how long, in seconds, it should remember that the site is to be accessed only over HTTPS. In Jive, this value is set to 15768000 seconds (or 6 months).
You, as a customer, may run a security audit and ask for this age to be increased. Such a request would have to be a feature request, as the age is set intentionally at 15768000 seconds.
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft, to site defacement, to malware distribution. X-Frame options are part of the CSP. In Jive, these are set by default to SAMEORIGIN. This means that a page can only be displayed in a frame of the same origin as the page itself.
If a customer finds that this header is not set for their instance, then a JVCLD engineering ticket is required.