Quick Base is a multi-tenant cloud service providing a platform where our customers build and deploy a wide variety of business process applications directly to end users. That simple relationship can be characterized in different ways, depending on the context and industry, but it all comes down to Quick Base provides the platform where your organization builds and deploys apps to your users. In this context Quick Base may be considered a cloud service provider, a Processor as defined under EU GDPR, or as a Business Associate under HIPAA.
Risk managers, information security professionals, legal and compliance teams are tasked with ensuring that the use of an important service provider, like Quick Base, does not result in a potential business disruption or a negative impact on business performance. At the end of the day, vendor risk management is about establishing and verifying trust with your most critical service providers. In this post I will highlight the ways Quick Base supports your due diligence and, hopefully, demonstrate how we work to earn your trust.
Quick Base was a cloud platform ahead of its time when it was launched by Intuit in 2000. Multi-user business process database powered applications were not new of course, and many enterprises deployed products like Lotus Notes, Novell Groupwise or Microsoft Access to provide business applications to enterprise users. These products were hosted “on-prem” and delivered to users over private “behind the firewall” networks via thick Windows client applications in a client-server architecture.
Quick Base, on the other hand, has always been delivered from a multi-tenant architecture to an end users web browser over the Internet, a delivery model which has come to dominate IT services today.
In the client-server era, the main concerns from a security perspective were if the software could be configured securely and if it had been tested and patched for security bugs. Otherwise, the organization depended on its IT department to install, configure and manage the software, and hopefully that was being done well.
Because more of the tech stack is outsourced to a third-party, vendor risk management is more important to get right for a cloud service provider than it is for legacy hosted on-premises software. There is a greater responsibility placed on today’s vendor risk and related teams. Your job is to ensure your organization’s data is protected, your business processes are continuously available, and, in many cases, you remain compliant with relevant regulations which pertain to the types of data you store and process in a cloud service like Quick Base.
Additionally, client-server and on-premises hosted infrastructure are much more costly to maintain than outsourcing all that to a cloud service provider. By reducing costly overhead and enabling agility, cloud services like Quick Base have been successful.
Transparency is a core part of trust and we strive to be transparent with you, our customers. We look at your due diligence as a partnership to ensure our platform meets your high standards. It is also important to us that you know your input and feedback is appreciated. Customer feedback has been, and will continue to be, a big driver in the improvements we have made in our security posture of Quick Base and of the Quick Base platform.
The responsibilities of management, security and compliance of cloud services are best defined in what is commonly called the Shared Responsibility Model. The Shared Responsibility Model organizes and defines areas of responsibility for information systems from the underlying infrastructure through the various layers to the management of users and access. As a cloud solution, Quick Base ‘takes care’ of much of the tech stack, and that is what enables efficiency and agility for our customers.
Our attestations and collateral speak to our management of roles and responsibility in the layers of the stack we maintain. Your IT responsibilities when using the Quick Base cloud platform are much lower than with on-premises hosted software, but you maintain the critical responsibilities to ensure the data uploaded and stored in Quick Base apps abides by applicable corporate policies and regulations, apps are designed securely and access and permissions are configured such that apps and data is shared with your authorized users.
Quick Base is responsible for the management of the infrastructure, hardware and software which make up the Quick Base platform. Naturally we use subservice providers in the delivery of Quick Base, such as our data center hosting provider, Flexential, and our use of Amazon AWS IaaS services which provide important underlying security to the Quick Base platform. We publish our important subservice vendors and you may subscribe to updates to receive notification of any changes. Since our service providers include data center hosting, we don’t perform our own audits of the physical and environmental controls of data center providers, but rather we depend on their third-party attestations and certifications (which, in most cases, we can share with you for your due diligence of those aspects of the delivery of the Quick Base platform).
As a Quick Base customer your responsibility for ensuring the secure and compliant use of Quick Base in your organization is critically important. While Quick Base enables you to build secure apps, it is up to you as a Quick Base customer to configure your Quick Base settings appropriately, design apps for security and maintain access and appropriate permissions which ensure your app data remains secure in your use of the Quick Base platform.
Regarding data management, you the customer are in control of the data you store in Quick Base apps. Quick Base staff do not have a view or access to customer app data, and app data is not crawled, indexed or otherwise used for non-service related purposes. You may keep app data in our platform for as long as you are a customer, and you may delete it from our platform at any time. We back up your app data, encrypted, in our secure data centers for 6 months. Those backups are part of our disaster recovery planning and in case you need to restore an app you didn’t mean to delete, which can be accomplished with a support case.
Ok, let’s get into it!
Security ratings platforms have grown in popularity over the past few years. Security ratings services take a deep dive of all services a company presents on the Internet, categorized into areas like DNS, e-mail, web site security headers, and rates them in relation to security factors. Negative factors such as lack of email spam filtering protection for an email domain, a missing security patch or web security header will negatively impact a company’s score. It’s important to note that the ratings are generally based on companies rather than a specific product. This means that any reduced security on non-critical services such as non-production marketing, development, or parked domain will negatively impact a company’s score.
We began utilizing security ratings platforms such as BitSight and SecurityScoreCard after my CEO expressed a desire for a view of our security program benchmarked against industry standards and the competition. Security ratings are a useful way to gain a general sense of the overall security posture of a service provider and I have to confess our use of these platforms (and my including their metrics in reporting the status of our security program upstream) have spurred us to secure areas of our Internet presence which would not normally be prioritized, but are still important to do – think parked domains and dev marketing sites. Security ratings are now a part of our own comprehensive security toolset and we encourage you to view our security ratings including our (currently as of this writing) A rating from SecurityScoreCard.
SOC (System and Organization Controls) reports are a very valuable due diligence tool because it validates that a service providers controls are in line with a best practice framework, audited and attested to by a third-party. The American Institute of CPA Trust Principles criteria establish controls related to the Security, Availability, Confidentiality, Privacy and Processing Integrity.
SOC 2 is foundational importance for a cloud service provider with controls pertaining to security, availability, processing integrity, confidentiality of a system.
SOC 1 is focused on controls which are relevant to financial reporting. In the shared responsibility model, you may consider including Quick Base’s SOC 1 report to supplement your own audits of your apps used in core financial reporting processes.
Some customers use Quick Base to handle unclassified Department of Defense (DoD) Covered Defense Information (CDI). NIST Special Publication 800-171, Protecting Covered Defense Information in Nonfederal Systems and Organizations, otherwise known as DFARS (Defense Federal Acquisition Regulation Supplement), details the fourteen families of security requirements for protecting the confidentiality of CDI. It is a very good framework, and Quick Base incorporates NIST 800-171 controls into its operation and management of the Quick Base platform and provides independent attestation to our compliance via our annual third-party SOC examination.
Our SOC report inclusive of DFARS control mapping is available to customers or to prospective customers under NDA.
The Shared Assessments program was born from a consortium of financial institutions (BITS) who wanted to standardize a way to assess risk of outsourcing IT services to outside service providers. The Standard Information Gathering questionnaire (SIG) is generally aligned with other best practices IT frameworks such as ISO 27001 or NIST 800-53. There are 2 versions of the SIG: Lite and Full. Many of our customers utilize the SIG for the information gathering part of their risk management strategy, and Quick Base maintains an updated SIG Full which we are happy to share with our customers or our prospects under NDA.
The Cloud Security Alliance (CSA) is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing and to provide education on the uses of Cloud Computing. The CSA is led by a broad coalition of industry practitioners, corporations, associations, and other key stakeholders.
CSA’s Security, Trust and Assurance Registry (STAR) is a free, publicly accessible registry of security controls provided by cloud computing offerings defined by the Consensus Assessments Initiative Questionnaire (CAIQ). The CAIQ provides a set of over 140 questions that a cloud consumer and cloud auditor may wish to ask of a cloud provider. I appreciate this initiative because it promotes transparency. Quick Base’s CAIQ is available for download from the CSA Star Registry
On the opposite end of the spectrum of security ratings are security penetration tests, or pen test. Rather than a very broad view, a pen test is designed to provide an independent third-party view as to what security defects a sophisticated team of security researchers can find as authenticated users and administrators with full access to source code, configuration files and documentation within a given period. Before 2016, when Quick Base was a part of Intuit, Quick Base utilized the talented security team within Intuit to conduct our annual pen tests. After our divestiture we contracted with a highly skilled security team, Leviathan Security Group, for our pen test and threat modelling work. Our pen tests have helped us improve the overall security of the Quick Base platform. We’re proud of our latest report which after mitigation work shows no high or medium risk security defects. As with other documents our pen test report is available to our customers or prospective customers under NDA.
Many top tier companies use Quick Base and therefore many of our customers have conducted their own assessments of our services by their in-house security teams. Many of our customers, both large and small, have performed rigorous security assessments, which may include customized security questionnaires or standard formats such as the Shared Assessments SIG.
As we describe on the security and compliance section of our website, customers may conduct vulnerability assessments against the Quick Base platform under certain conditions. Naturally as a multi-tenant shared platform we cannot allow activity which may disrupt our services.
Did I mention top tier companies use Quick Base? We are proud of the great companies which trust Quick Base to run their business processes, and we are thankful for the positive impact they have had on us, as a cloud platform every area of improvement benefits all our customers. We appreciate your due diligence and hope to earn your trust too!