Tulip IT Security Guide

Here's the guide to all of Tulip's security policies.

This article is divided into two sections. The first, “Application Security”, discusses security considerations at the application level, including end user administration and access, user data security, and interfaces using Connectors. The second section, “Infrastructure Security”, discusses security for the infrastructure used by Tulip employees to run and administrate the Tulip application within our Cloud Providers.

Application Security

Network Access

All end-user access to the Tulip application (including the Administrator interface, the Tulip Player runtime, and all device access) is transacted to known IP addresses using TLS encryption. The IP addresses for our different regions are available in our Networking Requirements article

The encryption uses the strongest ciphers available by the client. Tulip services handling production data receive an A+ from the Qualys SSL Labs test. Modern browsers connecting to Tulip will use Elliptic-Curve Diffie-Hellman Ephemeral (ECDHE) for key exchange adding perfect forward secrecy (PFS), RSA for authentication, 128-bit AES in Galois/Counter Mode for encryption, and SHA256 for MAC. Outdated cipher suites are forbidden; our servers will refuse to use any suite weaker than RSA_WITH_3DES_EDE_CBC_SHA.

It is the responsibility End users must take responsibility to ensure the security of their client devices, networks, proxies, etc.

User Identity Management

Tulip is provided with a built-in user management functionality allowing the end user to control access to and permissions within the Tulip Application. Passwords are required to meet a minimum complexity and are hashed client-side with SHA256 prior to transmission to the server (encrypted with TLS), at which point the passwords are salted and hashed with industry-standard bcrypt before being written to persistent storage.

Enterprise users are also able to use an external identity provider (LDAP or SAML) to govern access to the Tulip Application, which bypasses the built-in user management functionality within Tulip.

It is the responsibility of the end user to ensure the security of the external identity provider and to ensure secure communication between Tulip and the identity provider.

Login attempts with incorrect credentials will timeout users after 10 attempts for 10 minutes before allowing additional attempts to login.

Single Logins & Authentication

Tulip ensures separate logins for each admin. Authentication for the Tulip Player is done on a per-device basis based on a randomly-generated shared secret. Once a device is authenticated with Tulip, an operator can use it by entering using an RFID badge or their credentials.

User Data

Tulip does not allow direct access to internal databases and limits access according to permissions within the Tulip Application. All database calls are parameterized to prevent injection attacks. Databases are backed up daily.

User images, videos, and other non-database assets are stored in object storage and are encrypted at rest. Users retrieve this data with single-use signed URLs.

Data Egress and External Connections

Tulip allows users to configure connections to external services such as HTTP APIs, SQL Databases, OPC UA servers, and SMTP and SMS providers. These connections are sandboxed within the Tulip application to prevent introducing security vulnerabilities to Tulip, however, end users must take responsibility to ensure that the information transmitted through these services are treated appropriately. This includes ensuring proper encryption for API and database connections and ensuring that sensitive or regulated data is not sent to an unregulated destination.

For a customer-centric discussion of the possibility of security vulnerabilities, check out our article on Tulip Connector Hosts

Infrastructure Security

Tulip Employee Access Rights

Access to Tulip internal and production systems is strictly controlled and provided only to employees as needed. Tulip terminates personnel physical and logical access to Tulip Information Systems no later than the date of separation.

Authentication to Infrastructure

Tulip requires the use of strong passwords and 2 Factor Authentication for all Tulip employee accounts having access to Customer Data, including requirements for minimum password length, lockout, expiration period, complexity, encryption, changing of default passwords, and usage of temporary passwords. User account credentials (e.g., login ID, password) are never shared.

Third Party Cloud Hosting Providers

Tulip uses Amazon Web Services (AWS) and Microsoft Azure (AZ) to provide the necessary hardware, software, networking, storage, and related technology required to run our service. Individual customer sites are restricted to a single provider of Tulip’s choosing by default, however customers can request deployment in a particular provider’s cloud should the need arise.

The IT infrastructure provided to us is designed and managed in alignment with security best practices and a variety of IT security standards, including: SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70), SOC 2, SOC 3, FISMA, DIACAP, and FedRAMP, DOD CSM Levels 1-5, PCI DSS Level 1, ISO 9001 / ISO 27001, ITAR, FIPS 140-2, MTCS Level 3. Tulip continually evaluates the policies of our hosting providers to ensure compliance with our internal standards.

Additional information for each provider is available at the links below:

• AWS
• AWS GovCloud
• Azure

Firewall/IDS/IPS

All Tulip servers are behind a firewall that limits administration from outside of a Tulip controlled IP address. Network devices, including firewall and other boundary devices, are put in place by our hosting providers to monitor and control communications at the external boundary of the network and at key internal boundaries within the network. These boundary devices employ rule sets, access control lists (ACL), and configurations to enforce the flow of information to specific information system services. Tulip uses monitoring tools designed to detect unusual or unauthorized activities and conditions at ingress and egress communication points. These tools monitor server and network usage, port scanning activities, application usage, and unauthorized intrusion attempts. Our cloud providers provide significant protection against traditional network security issues such as Distributed Denial Of Service (DDoS) Attacks, Man in the Middle (MITM) Attacks, IP spoofing, packet sniffing, and port scanning. We implement additional security controls such as IDS and IPS systems at the entry points into our cloud environments.

Security Updates

Tulip makes a good faith effort to patch all critical and high security issues soon after a patch is released. We utilize automated testing for vulnerability management which allows for early detection.

Database Security

Databases are located within each Cloud Provider and are open only to traffic from within the Tulip VPC. Authentication keys are randomly generated. Parameterization is used to avoid injection attacks. Data is encrypted at rest.

Penetration Testing

Tulip periodically performs 3rd-party penetration tests. Additionally, we use static analysis of our code base to continually check for common vulnerabilities.

Development and Test Environments

Development and testing environments are physically and logically separated from production environments.

Security Incidents

Security Incidents on Tulip Information Systems are logged and immediately addressed. These secured logs are regularly reviewed and maintained for a minimum of twelve (12) months. The Tulip technical operations team employs industry-standard diagnostic procedures to drive resolution during business-impacting events. Staff operators provide 24x7x365 coverage to detect incidents and to manage the impact and resolution. Documentation is maintained to aid and inform operations personnel in handling incidents or issues. If the resolution of an issue requires collaboration, the operations team will page additional staff and collaborate using electronic conferencing technology that logs communication for review. Post-mortems are convened after any significant operational issue, regardless of external impact, and identify root-cause and additional technological or procedural improvements to implement additional preventative measures to prevent recurrence. Tulip has implemented various methods of internal communication to help all employees understand their individual roles and responsibilities and to communicate significant events in a timely manner. These methods include orientation and training programs for newly hired employees; regular all-hands meetings for updates on business performance and other matters; and electronic means such as video conferencing, electronic mail messages, and the posting of information via Tulip internal communication channels.

Data Recovery and Redundancy

All backups of Customer Data are stored in at least two separate facilities and can be recovered in the event of a loss of any individual data center. Backups are stored using AWS S3 or Azure Storage, which stores all backup data redundantly in multiple geographic regions and provides 99.999999999% durability and 99.99% availability.

Change Management

Tulip implements documented change management procedures that provide a consistent approach for controlling, implementing and documenting changes (including emergency changes) for Tulip Information Systems that includes immutable records of all code and infrastructure changes and systematic review of changes. Updates to Tulip code and infrastructure are done to minimize any impact on the customer and their use of services, including the use of zero-downtime deployment strategies and scheduling downtime around customer production schedules to prevent service interruption during working hours. Tulip will communicate with customers when unplanned downtime may affect customers' use of Tulip services, or in the unlikely event that downtime must occur during operating hours.

Availability

The data centers of our hosting providers are built in clusters in various global regions. All data centers are online and serving customers; no data center is “cold.” In case of failure, automated processes move customer data traffic away from the affected area. Core applications are deployed in an N+1 configuration, so that in the event of a data center failure, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites. Data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24x7x365. Uninterruptible Power Supply (UPS) units provide back-up power in the event of an electrical failure for critical and essential loads in the facility. Data centers use generators to provide back-up power for the entire facility.