Sawtooth Software: The Survey Software of Choice

Sawtooth Software strives to implement and maintain the best security practices for our software and services to protect our clients and their data.  This document is an overview of security measures in place for the Sawtooth Software hosting service.

Hosting Accounts

All hosting account information is stored on a server owned by our hardware provider (Rackspace Hosting, Inc.).  Account and project passwords are encrypted with 256-bit keys.  Access to passwords is restricted to Sawtooth Software employees on a need-to-know basis.  If a user forgets their password, they may request it over email.  The request is processed by a Sawtooth Software employee, who will send the account password to the email address on the user's account and to no other email address.

Hosting Servers

The hosting service provides three different sizes of server accounts to accommodate varying custom needs (based on respondent traffic, storage requirements, and performance): Lite, Basic, and Premium.  The Lite Server creates an account in a shared hosting environment where many other projects might be present on the same server, but are not accessible to anyone but the respective account owners.  Basic and Premium options create accounts on individual servers for a given project, i.e. no other projects will be running on that server.  Basic and Premium servers only exist for the duration of the project, i.e. they are created when the project is requested, and destroyed when the project is closed.

All data for a project is backed up nightly to a cloud storage network.  This helps to ensure project data integrity.  Backup data is stored for 90 days after the project close date, and is then deleted.  Access to backups is restricted to Sawtooth Software employees on a “need-to-know” basis.

Each server is routinely monitored to make sure the software/services are functioning properly (automated checks are performed every few minutes).  Our hardware provider (Rackspace Hosting, Inc.) also monitors the servers every few minutes to ensure the computers are functioning correctly.  The servers are located at their facilities.

Each project has the option of including SSL for web traffic encryption.  Projects that include SSL utilize 3072-bit RSA keys for the certificates and 256-bit encryption.

All hosting servers are configured with:

  • Latest version of the Ubuntu operating system.  Updates are applied monthly.
  • Root access protection.  The root access password is not stored anywhere.  If root access is needed, then the password is changed to a random pass-phrase which is used that one time and then discarded.
  • Access and error logs for the system, firewall, web server, FTP, SSH, and MySQL software.  Only Sawtooth Software employees on a “need-to-know” basis are permitted to view these logs.
  • Firewall software which only allows certain system ports to be open for remote access.  All others are closed and blocked.
  • Virus scanners that update and run nightly.
  • User Permissions.  The only users granted access to a server are those that have created projects for that server.  All accounts are jailed/chrooted to their home directory (meaning they are not allowed to browse anywhere on the server outside of their home directory and are not permitted to read, write, or execute any folders, files, or programs other than their own).  When a project is deleted, its account is also removed.  Anonymous log-ins are not permitted.
  • File Transfer Protocols.  Two methods are provided for transferring files: plain FTP and SSH.
    • SSH allows users to FTP securely over SSH V2.  Command line access is disabled.  X11 forwarding is disabled.
    • The FTP server software is Very Secure File Transfer Protocol Daemon (vsftpd).  Please see https://security.appspot.com/vsftpd.html.  User IDs are hidden when FTP client software asks for file/folder owners or for information on who is logged into the system.
  • Server tokens disabled, meaning the web server will not send its version number in any HTTP headers.  It will not provide any information, except possibly error pages for links or addresses that do not exist on the server.
  • Fail2ban will ban IP addresses for repeated failed log-in attempts over SSH and FTP.  It also bans IP addresses which attempt to perform a Denial of Service Attack.
  • PortSentry will block external port scanning programs.
  • MySQL Database.  SSI Web V8 stores data in a MySQL database.  Remote access to MySQL is disabled.  Only programs located on the server itself can access MySQL.  Command logging for MySQL is disabled.
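
The SSH and FTP items in the list above can be checked mechanically. The following is an added example, not Sawtooth Software's configuration or tooling: it audits the text of an sshd_config and a vsftpd.conf for X11 forwarding, a chroot combined with an SFTP-only forced command, and the vsftpd anonymous, chroot and ID-hiding options. It assumes the jail and the disabled command line are implemented with OpenSSH's `ChrootDirectory` and `ForceCommand internal-sftp`; the group name `projects` and all sample configs are constructed.

```python
# Added example (not Sawtooth Software's configuration or tooling).
# Assumes OpenSSH sshd_config and vsftpd.conf syntax; the sample configs are constructed.
def parse_sshd(text):
    """Scope 0 is global, then one dict per Match block; first value per keyword wins."""
    scopes = [{}]
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].lower() == "match":
            scopes.append({})
        else:
            scopes[-1].setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
    return scopes

def parse_vsftpd(text):
    """vsftpd.conf uses option=value lines, with '#' starting a comment line."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            opts[key] = value.upper()
    return opts

def audit(sshd_text, vsftpd_text):
    """Return a list of findings; an empty list means every check passed."""
    scopes, ftp = parse_sshd(sshd_text), parse_vsftpd(vsftpd_text)
    findings = []
    if any(s.get("x11forwarding", "no").lower() != "no" for s in scopes):
        findings.append("sshd: X11Forwarding enabled")
    jailed = any(s.get("forcecommand", "").split()[:1] == ["internal-sftp"]
                 and s.get("chrootdirectory", "none").lower() != "none" for s in scopes)
    if not jailed:
        findings.append("sshd: no scope both chroots and forces internal-sftp")
    for key, want, default in (("anonymous_enable", "NO", "YES"),  # vsftpd defaults
                               ("chroot_local_user", "YES", "NO"),
                               ("hide_ids", "YES", "NO")):
        if ftp.get(key, default) != want:
            findings.append(f"vsftpd: {key} should be {want}")
    return findings

HARDENED_SSHD = "X11Forwarding no\nMatch Group projects\n  ChrootDirectory %h\n  ForceCommand internal-sftp\n"
HARDENED_FTP = "anonymous_enable=NO\nchroot_local_user=YES\nhide_ids=YES\n"
WEAK_SSHD = "X11Forwarding yes\nSubsystem sftp /usr/lib/openssh/sftp-server\n"
WEAK_FTP = "# anonymous_enable left at its default\nlocal_enable=YES\n"

if __name__ == "__main__":
    for pair in ((HARDENED_SSHD, HARDENED_FTP), (WEAK_SSHD, WEAK_FTP)):
        print(audit(*pair))
```

Options missing from vsftpd.conf are judged against vsftpd's built-in defaults, so a file that never mentions `anonymous_enable` is reported as allowing anonymous log-ins.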

Additional Information

For more information, we invite you to review the Rackspace Hosting Security Document located at

http://broadcast.rackspace.com/downloads/pdfs/RackspaceSecurityApproach.pdf

Last updated 11/22/2013