Passportal Security Standards
Security, Data, and Privacy Policies
You can find this information here: N-able Privacy Notice
Data Encryption and the Organization Key (formally Key)
Each password stored within Passportal is AES-256 encrypted with multiple keys, Passportal uses a different key stretching algorithm that does not derive its security from large numbers of iterations. Two of the keys used are unique to each password record, and one of the keys is not generated by or stored within our system.
When a company registers any account with Passportal, they are required to choose an Organization Key which stands as a remote encryption key that lives outside of Passportal. This means that your password data is never stored at rest with or near all the keys required to decrypt it. The Organization Key is organization-wide and is the encryption key for your stored passwords. Passportal does not store or cache the Organization Key anywhere in our system, so it is vital that at least one member of your organization has stored this and is able to give it to users that require it.
To reset the Organization Key means all passwords will become irretrievable and the account will need to be reset.
The Organization Key is designed to ensure that there is a separate and additional level of security that protects your organization from unauthorized access to any data at Passportal.
All inbound and outbound data communication traffic with the Passportal Cloud happens over TLS 1.2 using 2048-bit SHA256 SSL certificates to ensure the protection of your data in transit.
Passportal services are hosted on Amazon Web Services (AWS) which proudly boasts some of the highest security classifications and compliance certifications. Our system has been architected with redundancy, resilience, and security at every point from gateways and web services to database clusters and automation servers.
Furthermore, in the US Passportal is designed, architected and resides in multiple AWS facilities that provide for both replication of secured data, ensuring maximum uptime and security should a failure in a single environment occur.
Amazon S3 Storage Security
Some documents, Runbooks in particular, are stored in a semi-public S3 bucket. In order to prevent unauthorized access to a company's runbook containing potentially sensitive information, we apply the following measures:
Directory traversal and viewing on the S3 bucket is disabled - a user must have the exact file name to access anything in the bucket, and there is no way to get a list of potential file names
All file names are generated as a hex encoded sequence of 36 random bytes, resulting in a 72 character file name. Since the exact sequence must be guessed to gain access to a file, this provides equivalent protection as a 288-bit password against brute force attacks
Because there is no lockout mechanism, we use an expiration policy of 3 days for data stored on the S3 bucket