Quickbase is a multi-tenant cloud service providing a platform where our customers build and deploy a wide variety of business process applications directly to end users. That simple relationship can be characterized in different ways, depending on the context and industry, but it all comes down to Quickbase provides the platform where your organization builds and deploys apps to your users. In this context Quickbase may be considered a cloud service provider, a Processor as defined under EU GDPR, or as a Business Associate under HIPAA.
Risk managers, information security professionals, legal and compliance teams are tasked with ensuring that the use of an important service provider, like Quickbase, does not result in a potential business disruption or a negative impact on business performance. At the end of the day, vendor risk management is about establishing and verifying trust with your most critical service providers. In this post I will highlight the ways Quickbase supports your due diligence and, hopefully, demonstrate how we work to earn your trust.
Some History: Client-Server vs Cloud
Quickbase was a cloud platform ahead of its time when it was launched by Intuit in 2000. Multi-user business process database powered applications were not new of course, and many enterprises deployed products like Lotus Notes, Novell Groupwise or Microsoft Access to provide business applications to enterprise users. These products were hosted “on-prem” and delivered to users over private “behind the firewall” networks via thick Windows client applications in a client-server architecture.
Quickbase, on the other hand, has always been delivered from a multi-tenant architecture to an end users web browser over the Internet, a delivery model which has come to dominate IT services today.
In the client-server era, the main concerns from a security perspective were if the software could be configured securely and if it had been tested and patched for security bugs. Otherwise, the organization depended on its IT department to install, configure and manage the software, and hopefully that was being done well.
Because more of the tech stack is outsourced to a third-party, vendor risk management is more important to get right for a cloud service provider than it is for legacy hosted on-premises software. There is a greater responsibility placed on today’s vendor risk and related teams. Your job is to ensure your organization’s data is protected, your business processes are continuously available, and, in many cases, you remain compliant with relevant regulations which pertain to the types of data you store and process in a cloud service like Quickbase.
Additionally, client-server and on-premises hosted infrastructure are much more costly to maintain than outsourcing all that to a cloud service provider. By reducing costly overhead and enabling agility, cloud services like Quickbase have been successful.
Transparency is a core part of trust and we strive to be transparent with you, our customers. We look at your due diligence as a partnership to ensure our platform meets your high standards. It is also important to us that you know your input and feedback is appreciated. Customer feedback has been, and will continue to be, a big driver in the improvements we have made in our security posture of Quickbase and of the Quickbase platform.
Cloud Shared Responsibility
The responsibilities of management, security and compliance of cloud services are best defined in what is commonly called the Shared Responsibility Model. The Shared Responsibility Model organizes and defines areas of responsibility for information systems from the underlying infrastructure through the various layers to the management of users and access. As a cloud solution, Quickbase ‘takes care’ of much of the tech stack, and that is what enables efficiency and agility for our customers.
Our attestations and collateral speak to our management of roles and responsibility in the layers of the stack we maintain. Your IT responsibilities when using the Quickbase cloud platform are much lower than with on-premises hosted software, but you maintain the critical responsibilities to ensure the data uploaded and stored in Quickbase apps abides by applicable corporate policies and regulations, apps are designed securely and access and permissions are configured such that apps and data is shared with your authorized users.
Quickbase is responsible for the management of the infrastructure, hardware and software which make up the Quickbase platform. Naturally we use subservice providers in the delivery of Quickbase, such as our data center hosting provider, Flexential, and our use of Amazon AWS IaaS services which provide important underlying security to the Quickbase platform. We publish our important subservice vendors and you may subscribe to updates to receive notification of any changes. Since our service providers include data center hosting, we don’t perform our own audits of the physical and environmental controls of data center providers, but rather we depend on their third-party attestations and certifications (which, in most cases, we can share with you for your due diligence of those aspects of the delivery of the Quickbase platform).
Your Responsibilities as a Quickbase Customer
As a Quickbase customer your responsibility for ensuring the secure and compliant use of Quickbase in your organization is critically important. While Quickbase enables you to build secure apps, it is up to you as a Quickbase customer to configure your Quickbase settings appropriately, design apps for security and maintain access and appropriate permissions which ensure your app data remains secure in your use of the Quickbase platform.
Regarding data management, you the customer are in control of the data you store in Quickbase apps. Quickbase staff do not have a view or access to customer app data, and app data is not crawled, indexed or otherwise used for non-service related purposes. You may keep app data in our platform for as long as you are a customer, and you may delete it from our platform at any time. We back up your app data, encrypted, in our secure data centers for 6 months. Those backups are part of our disaster recovery planning and in case you need to restore an app you didn’t mean to delete, which can be accomplished with a support case.
Ok, let’s get into it!
Security ratings platforms have grown in popularity over the past few years. Security ratings services take a deep dive of all services a company presents on the Internet, categorized into areas like DNS, e-mail, web site security headers, and rates them in relation to security factors. Negative factors such as lack of email spam filtering protection for an email domain, a missing security patch or web security header will negatively impact a company’s score. It’s important to note that the ratings are generally based on companies rather than a specific product. This means that any reduced security on non-critical services such as non-production marketing, development, or parked domain will negatively impact a company’s score.
We began utilizing security ratings platforms such as BitSight and SecurityScoreCard after my CEO expressed a desire for a view of our security program benchmarked against industry standards and the competition. Security ratings are a useful way to gain a general sense of the overall security posture of a service provider and I have to confess our use of these platforms (and my including their metrics in reporting the status of our security program upstream) have spurred us to secure areas of our Internet presence which would not normally be prioritized, but are still important to do – think parked domains and dev marketing sites. Security ratings are now a part of our own comprehensive security toolset and we encourage you to view our security ratings including our (currently as of this writing) A rating from SecurityScoreCard.
SOC (System and Organization Controls) reports are a very valuable due diligence tool because it validates that a service providers controls are in line with a best practice framework, audited and attested to by a third-party. The American Institute of CPA Trust Principles criteria establish controls related to the Security, Availability, Confidentiality, Privacy and Processing Integrity.
SOC 2 is foundational importance for a cloud service provider with controls pertaining to security, availability, processing integrity, confidentiality of a system.
SOC 1 is focused on controls which are relevant to financial reporting. In the shared responsibility model, you may consider including Quickbase’s SOC 1 report to supplement your own audits of your apps used in core financial reporting processes.
Some customers use Quickbase to handle unclassified Department of Defense (DoD) Covered Defense Information (CDI). NIST Special Publication 800-171, Protecting Covered Defense Information in Nonfederal Systems and Organizations, otherwise known as DFARS (Defense Federal Acquisition Regulation Supplement), details the fourteen families of security requirements for protecting the confidentiality of CDI. It is a very good framework, and Quickbase incorporates NIST 800-171 controls into its operation and management of the Quickbase platform and provides independent attestation to our compliance via our annual third-party SOC examination.
Our SOC report inclusive of DFARS control mapping is available to customers or to prospective customers under NDA.
BITS Shared Assessments SIG
The Shared Assessments program was born from a consortium of financial institutions (BITS) who wanted to standardize a way to assess risk of outsourcing IT services to outside service providers. The Standard Information Gathering questionnaire (SIG) is generally aligned with other best practices IT frameworks such as ISO 27001 or NIST 800-53. There are 2 versions of the SIG: Lite and Full. Many of our customers utilize the SIG for the information gathering part of their risk management strategy, and Quickbase maintains an updated SIG Full which we are happy to share with our customers or our prospects under NDA.
Cloud Security Alliance
The Cloud Security Alliance (CSA) is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing and to provide education on the uses of Cloud Computing. The CSA is led by a broad coalition of industry practitioners, corporations, associations, and other key stakeholders.
CSA’s Security, Trust and Assurance Registry (STAR) is a free, publicly accessible registry of security controls provided by cloud computing offerings defined by the Consensus Assessments Initiative Questionnaire (CAIQ). The CAIQ provides a set of over 140 questions that a cloud consumer and cloud auditor may wish to ask of a cloud provider. I appreciate this initiative because it promotes transparency. Quickbase’s CAIQ is available for download from the CSA Star Registry
On the opposite end of the spectrum of security ratings are security penetration tests, or pen test. Rather than a very broad view, a pen test is designed to provide an independent third-party view as to what security defects a sophisticated team of security researchers can find as authenticated users and administrators with full access to source code, configuration files and documentation within a given period. Before 2016, when Quickbase was a part of Intuit, Quickbase utilized the talented security team within Intuit to conduct our annual pen tests. After our divestiture we contracted with a highly skilled security team, Leviathan Security Group, for our pen test and threat modelling work. Our pen tests have helped us improve the overall security of the Quickbase platform. We’re proud of our latest report which after mitigation work shows no high or medium risk security defects. As with other documents our pen test report is available to our customers or prospective customers under NDA.
Conducting Your Own Security Assessments
Many top tier companies use Quickbase and therefore many of our customers have conducted their own assessments of our services by their in-house security teams. Many of our customers, both large and small, have performed rigorous security assessments, which may include customized security questionnaires or standard formats such as the Shared Assessments SIG.
Customer Security Scans
As we describe on the security and compliance section of our website, customers may conduct vulnerability assessments against the Quickbase platform under certain conditions. Naturally as a multi-tenant shared platform we cannot allow activity which may disrupt our services.
You’re in Good Company
Did I mention top tier companies use Quickbase? We are proud of the great companies which trust Quickbase to run their business processes, and we are thankful for the positive impact they have had on us, as a cloud platform every area of improvement benefits all our customers. We appreciate your due diligence and hope to earn your trust too!