Security whitepaper

One of the biggest challenges for digital businesses today is protecting a trusted user and preserving their ecosystem from fraud, bots, and bad actors.

Telesign’s account security platform is trusted by the world’s largest brands to prevent online fraud. Combining real-time data & analytics, phone verification and two-factor authentication, Telesign helps customers detect fraudulent onboarding risks and secure billions of end-user accounts from compromise.

Using each consumer’s phone number is the optimal way to authenticate a global user base. Nearly 15 year ago Telesign pioneered phone-based authentication services, and as we anticipated changes in fraudulent behavior, we introduced a new line of data products to fight back against the evolution of online fraud. Leveraging our proprietary insight into the volume of traffic around the world and the data captured by our products, we’ve developed the ability to predict potential fraud based on a variety of phone attributes, machine learning algorithms, data and behavioral patterns.

Today our expanded  products and solutions allow you to both preserve your ecosystem and your user base by detecting a suspicious user before account creation and identifying and blocking account takeover attacks before they occur.

In this whitepaper, we will provide an in-depth explanation of Telesign’s security measures through a review of our Security Architecture and Information Security.

COMPLIANCE
Telesign is ISO 27001 certified and HIPAA compliant. Telesign employs independent third parties to perform an ISO 27002-based Security Risk Assessment across the entire network on an annual basis to measure our compliance with the ISO-based standard as well as the GISP. The results of the Security Risk Assessment are used to build a Security Roadmap that encompasses security projects tied to each of the Security Risk Assessment’s findings as part of the remediation process.

REST API
The Telesign REST API is the publicly-exposed programming interface to Telesign’s web services. Requests to this web service are received via Transport Layer Security (TLS 1.2/1.3) connections. The API conforms to the REST Web service design model and, as such, Web services are treated as Domain Resources, and each one is accessed using its own unique URI.

Access to the Telesign REST API is restricted by authenticating each call. To receive results for web service calls, customers must digitally sign their request message with valid credentials, which are provided by the Telesign Customer Success team via a secure delivery channel.

DATA CENTERS
Telesign’s web services are co-located in Tier IV data centers located in the US and EU and hosted on leading cloud provider platforms. All our data centers and cloud providers are SSAE 16 SOC 2 Type II or ISO 27001 certified. Telesign data centers are designed such that each data center is capable of handling 100 percent of our forecasted traffic for the year and are highly available individually, including fully redundant Internet access using disparate access providers. All data centers are inter-connected for replication purposes.

Customer traffic is distributed via geo-load balancing among these active data centers. All data centers are externally monitored on a 24x7x365 basis. In the event of a disaster impacting one or more active data centers, Telesign will fail over from the impacted data centers within minutes as part of our Disaster Recovery (DR) process.

Telesign regularly shifts traffic in conjunction with scheduled activities including deployment of new releases, hot fixes, applying security patches, controlled performance testing and operational events that impact a subset of active data centers i.e. this DR process is regularly tested and exercised.

SECURITY ARCHITECTURE
The data center network architecture utilizes firewalls, intrusion prevention systems (IPS), load balancing farms and switching infrastructure — all of which are fully redundant with automated failover in the event of an individual component failure. Data center networks are segmented with all inter-segment traffic passing through a firewall cluster with only the ports necessary to support the traffic configured in the access lists. Access from the Internet into Telesign’s designated perimeter network (“DMZ”) requires traffic to pass through router access lists, firewall access lists, IPS policies and the server’s local firewalls.

High availability is a core tenant of Telesign’s infrastructure design. Redundancy is built into every layer of the platform to avoid single points of failure.

Databases are run in high-availability configuration and are backed up regularly. Customer transaction records in each active data center are moved to a centralized data warehouse every one to two minutes. This allows for two copies of DB transaction details in disparate geographical locations within minutes of a transaction being processed. Tests of DB restores from backups are performed at least monthly. Full backups are copied / maintained in two separate data centers with data retention of 90 days.

Telesign employs redundant well-known, industry-leading DNS providers to ensure high availability of DNS services. All network customer communication to/from Telesign, as well as communication links to third party providers supporting Telesign’s voice, SMS and data services, utilizes TLS encryption in-transit.

Telesign supports whitelisting of customer traffic and third-party providers to limit access to/from Telesign facilities/services.

TELEPORTAL
Customers may access their account data through Telesign’s customer portal – TelePortal (HTTPS only). Customers log in with their username and password to access the portal; credentials are provided via secure channels by Telesign’s Customer Success team. In addition, two-factor authentication (2FA) is mandatory, and is available via multiple channels, including voice, SMS, mobile push or soft tokens. SSO via SAML is also supported.

Telesign has established an information security management framework that is approved and endorsed by senior management. It describes the purpose, direction, principles and basic rules for how we maintain trust. This is accomplished by assessing risks and implementing administrative, technical, and physical safeguards to protect the security, confidentiality, integrity and availability of Telesign’s network, systems and data, including all of the information that we receive, store, process and transmit on behalf of our customers. Telesign annually reviews and updates security policies, provides security training, performs application and network security testing (including third-party penetration testing), monitors compliance with security policies as well as legal, regulatory and contractual requirements, and conducts internal and external risk assessments. 

GLOBAL INFORMATION SECURITY POLICY (GISP)
Telesign has an internal Global Information Security Policy (GISP) based on the ISO 27002:2013 standard for information security management. The GISP is reviewed and approved at least annually—based on the results of the annual Security Risk Assessment, see “Compliance” section above—and are enforced by Telesign’s Global Security Team. All employees must consent to receiving, reading, and complying with the GISP annually. In addition, the GISP applies to all vendors, subcontractors and relevant external parties via legal contracts with those entities. Violations, including a formal disciplinary process up to and including termination of employment or contract, and Exceptions are covered in the GISP. The GISP also includes a Mobile Device Policy and a Remote Access Policy.

In addition, Telesign has an Internal Privacy Policy (IPP) based on the EU’s General Data Protection Regulation (GDPR), and the IPP mirrors our Privacy Notice which is available at https://www.telesign.com/privacy-notice.

The security and privacy of your data is of paramount importance here at Telesign.

INFORMATION SECURITY ORGANIZATION
Telesign has a dedicated and global security team, under the leadership of the Chief Information Security Officer (CISO), with documented roles and responsibilities. This team is committed to using a multi-disciplinary approach to protect the confidentiality, integrity and availability of information assets, including your data. The global security team is accountable to senior management for creating and executing an Information Security Program that provides the security infrastructure necessary to protect information assets. This is done by:

• Establishing an information security architecture for standard security controls across Telesign’s network;
• Defining organizational roles and responsibilities for information security;
• Monitoring and measuring the implementation of the GISP; and
• You have the right to object to or ask us to restrict the processing of your Personal Data.
• Developing and delivering a program to maintain information security awareness.

The global security team will be your dedicated point of contact for information security matters. Please contact your Customer Success Manager for additional details.

HUMAN RESOURCE SECURITY
Telesign leverages a Human Resources Information System to automate the sensitive process of onboarding incoming employees (e.g. background checks, security policy acknowledgement, NDAs) and offboarding departing employees (e.g. account deprovisioning). The global security team works closely with HR to ensure that employees are consenting to the GISP and IPP, and attending information security training on an annual basis. New employees participate in mandatory security training and ongoing security awareness education. All employee access is promptly removed when an employee leaves the company.

ACCESS CONTROL
Telesign leverages Single Sign-On (SSO) and Active Directory for centralized management of user accounts. These accounts are authenticated using strong, complex passwords including mandatory 2FA for SSO. Telesign’s password policy includes complexity, history, expiration and lockout requirements.

Access is role-based and is limited only to systems and data required by users on a least-privileged and need-to-know basis. Access to Production systems and the network infrastructure (including firewalls), is tightly controlled and limited to a small number of administrators who must use separate accounts with elevated privileges and mandatory 2FA. Access is granted per approval by the system owner or manager and documented in the change management system. User accounts are reviewed quarterly and deprovisioned when no longer operationally required. Privileged and generic/service account access is tightly controlled and reviewed on a periodic basis. Service accounts are secured by very long and complex passwords and prohibited from performing interactive logons.  Shared user accounts are prohibited.

Customer transaction data is housed in a shared environment in colocation facilities and classified as confidential data. This data is logically separated in Telesign’s databases. Technical access controls and internal policies prohibit employees from arbitrarily accessing customer data. In order to protect customer privacy and security, only IT staff members have access to the environment where customer data is stored.

Any exceptions to baseline access permissions (e.g. temporary elevated privileges for a developer to perform a particular function) are documented using a change request ticket that is reviewed and approved under the change management process prior to implementation.

ASSET MANAGEMENT
Telesign maintains an inventory of all technology assets and physically protects them from theft or loss.  Unauthorized hardware is prohibited from the network and enforced using a Network Access Control (NAC) system.  Procedures are in place for asset decommissioning, including secure destruction of data from electronic media.  The usage of removable media (e.g. USB drives) is prohibited and enforced by technical means.

An Acceptable Use Policy governs usage of all assets, and includes a clean desk policy, PIN requirement and lockscreen timeout for mobile devices, and screensavers for workstations.

Telesign has a Mobile Device Policy that addresses BYOD. Personally-owned devices are not allowed on the secure network, and this is enforced by the NAC. Telesign has an information classification policy, which categorizes data into three categories: Sensitive, Confidential and Public.  This categorization takes into account the value, sensitivity and criticality of the data. Procedures are in place to address best practices for handling the storage and transmission of each of the three categories of data (e.g. Sensitive/Confidential data must be encrypted when transmitted over the Internet). Guidelines are also available for the labeling of Sensitive/Confidential data.

Customer data is considered Confidential data, and is retained for 30 days for operational troubleshooting and billing purposes. Thirty days is the minimum required for Telesign to operate its business and service platform effectively.

CRYPTOGRAPHY
Telesign encrypts all customer transactions to our APIs via the Internet with TLS 1.2/1.3, as well as customer access to our management console, TelePortal. Advanced Encryption Standard (AES 256) and Secure Hash Algorithm 2 (SHA-2) are the most widely-used encryption and hashing algorithms within Telesign.

For services requiring third-party requests (e.g. SMS delivery), the requests are sent over TLS to ensure encryption of data in transit. Mobile devices (laptops, mobile phones, tablets, etc.) are encrypted. Encryption is also in use for remote access to the Telesign network, as well as company Wi-Fi.

COMMUNICATIONS & OPERATIONS SECURITY
Telesign secures its network using the “defense in depth” approach. Our network security and monitoring techniques are designed to provide multiple layers of protection and defense. The perimeter – including all office locations and data centers – is protected by enterprise-grade, next-generation stateful packet inspection firewalls and intrusion prevention systems. This strictly limits inbound access to specific source and port numbers, confines the destination to a DMZ and must be supported by approved business justification. Outbound access from the Production environment is also limited by restrictive egress filtering firewall rules, i.e., Web access from servers is blocked. Internal network segmentation is used to further isolate sensitive production resources (e.g. sensitive databases from the rest of the production network).

In addition, firewalls/IPS have application-level (Layer 7) controls and anti-malware as well as URL filtering capabilities and are implemented in a high-availability configuration. Firewalls and IPS strictly control traffic between the Internet-facing DMZ, the Production network and the Office network. Firewall rules are reviewed on a periodic basis and any changes are controlled via a change management process. In addition to anti-virus and malicious code detection software with automated updates on all systems, host-based firewalls and application whitelisting software are also in-use on production servers. Connectivity within the WAN is encrypted, providing for redundancy between data centers. Remote access into Telesign’s network is strongly authenticated (i.e. two- factor) and encrypted using VPN technology. Access privileges are restricted based on their role. Company Wi-Fi networks are secured using WPA2 Enterprise with 802.1x authentication.

Telesign identifies and mitigates risks via regular network and application security testing and auditing by both dedicated internal security teams and third-party security specialists.

Vulnerabilities – including hardware, operating system, software (third-party included) and applications – are patched in a timely manner (30 days for Critical, 45 days for High, 90 Days for Medium) based on regular external and internal vulnerability scans against the perimeter and internal nodes. Patching is automated via multiple patch management systems for the various hardware/software configurations. Telesign also engages external vendors to perform security code reviews on all our applications and APIs on a regular basis, and penetration testing of our external-facing networks regularly.

Centralized logging – including login attempts, access to services and executed activities – is enabled and synchronized to UTC to assist in the identification or investigation of security incidents and/or breaches and monitored for log correlation and alerting purposes.

Public-facing systems are subject to penetration testing by an approved third-party provider on a regular basis.

Backup procedures are in place and periodically tested.

SYSTEM ACQUISITION, DEVELOPMENT AND MAINTENANCE
Telesign’s systems are hardened using documented procedures to disable all unnecessary services before applications are installed on them. All changes to computer systems are subject to the change management process and procedures to ensure changes are adequately reviewed, approved and tracked.

A well-established SDLC process is in place for the development of Telesign applications, focusing on secure coding standards and guidelines such as OWASP and CWE Top 25 to ensure our products provide the highest level of security to our customers. Information security and privacy controls are built-in to the SDLC process as checkpoints, e.g. network/application-level vulnerability scans as well as static code analysis are performed on all applications prior to production roll-out. Development platforms are logically segregated from the QA/Staging and Production platforms. Developers do not have access to the production environment and all production changes are deployed by members of the IT staff.

THIRD-PARTY PROVIDERS
Telesign assesses all Third-Party Providers (e.g. external vendors, suppliers, consultants, service providers and individuals) that provide goods and services before they are allowed access to Sensitive and Confidential data. The assessment of the Third-Party Provider information security (based on the ISO 27002:2013 security domains) and privacy controls is conducted by the Security and Privacy teams. The process includes the Third-Party Provider signing a Data Processing Agreement (DPA) with Telesign for compliance with the GDPR, and completing a Vendor Self-Assessment (VSA) questionnaire. Once the assessment is complete, the Third-Party Provider will enter into a contract with Telesign, which is reviewed and approved by our Legal Department. The contract obligates the Third-Party Provider to adhere to Telesign’s information security and privacy policies/standards.

INCIDENT MANAGEMENT
Telesign is contractually obligated to report security incidents involving customer data to the affected customers, as well as to relevant authorities to comply with legal and regulatory requirements, in the earliest possible timeframe. Employees are regularly reminded via security training and awareness to report all security incidents without delay.

Telesign has an Incident Response Plan (IRP) covering the six phases of the incident response process for each of the five incident categories and types. The phases are: detection and identification, analysis, containment, recovery, closure and post-mortem. The categories are: unacceptable use/policy violation, lost/stolen asset, malicious code, denial of service and unauthorized access. Procedural checklists are available for each of the five categories based on priority level (high, medium or low) covering all six phases.

PHYSICAL SECURITY
Telesign has office locations in the US and Europe. The Telesign Global Security Team is responsible for enforcing physical security policy and overseeing the security of the offices. Physical access to office locations is restricted to authorized Telesign personnel via a badge access system. Visitors and guests are required to sign-in using a visitor registration system which maintains access logs in the cloud for 12 months.

Telesign has colocation facilities (“data centers”) in the US and EU. Physical access to colocation facilities where data-processing systems reside is restricted to personnel authorized by Telesign, as required to perform their job function. Only the VP of Global Operations and his/her designees are authorized to explicitly approve and grant access to these colocation facilities. Access to these facilities is reviewed quarterly.

All such requests for access, including justification, are recorded in Telesign’s internal issue tracking system and similarly approved. Once approval is received, a member of the Global Operations team will contact the colocation facility to request access by providing the requestor’s name and identification number (e.g. driver’s license number). The colocation facility will record that information in their own system and provide the approved Telesign personnel with badge access and, if possible, biometric scan access upon his/her next visits to the colocation facility. Once access is granted to approved individuals, the colocation facility is responsible for restricting access to authorized individuals only.

Visitors and guests are prohibited from accessing these secure colocation facilities.

Questions?
If you have any questions regarding Telesign’s Security Architecture and/or Information Security, please contact Telesign Support or your Customer Success Manager and your inquiry will be routed to the Global Security Team for a prompt response.