High-performing proposal development teams require a solution that provides real-time collaboration across organizations with many contributors. Administering appropriate access and authorization of a system's users is only one aspect of managing the integrity and security of sensitive proposal content. Web-based platforms that enable teams to work together online are vulnerable to cyber attacks and other security breaches.
Privia has been designed around a core security architecture from the ground up. Throughout the functionality development process, careful consideration is given to keeping data secure, and every modification to the product goes through a security review before it is put into production. Elements of Privia's secure architecture include:
Online solutions that are accessed by multiple users from multiple devices are susceptible to attacks that rely on theft of a user's login and password. Privia has built in two-factor authentication to make sure that user accounts cannot be compromised by brute-force password guesses. With two-factor authentication, users verify their login with a second confirmation, particularly when logging in from new locations or machines.
The Sarbanes-Oxley Act requires internal controls to protect the integrity of and access to financial data. Access to Privia accounts is controlled with three systems that can be separated into three different groups of control. For a user to log on to a Privia server, the user must:
All passwords for end users are stored in non-reversible encryption and are not stored in the primary Privia database. This cryptographic technique uses the user’s password to encrypt two keys that are unique to each system, and the encrypted keys are then used to encrypt two strings that are unique to each system.
Privia servers use TLS 1.2 by default and disable the older and vulnerable SSL technology. All communications between the server and both the web client and the installed Windows client are encrypted at all times. The only port that is ever needed on a Privia server is 443, making it easy to lock down a Privia server with a basic firewall.
From the start, Privia has incorporated a handshake protocol for both the web client and the installed Windows client to prevent man-in-the-middle attacks. When a client connects to a server, the server responds by redirecting the client to the server’s public interface, and it will not accept a connection that doesn’t come directly from the client to the server.
Every release of Privia is put through a rigorous test to verify that Cross-Site Scripting and SQL Injection vulnerabilities are blocked by the application. The tests conform to OWASP best practices and ensure that a Privia server can safely be exposed to the internet without opening up vectors for attack.