Technology behind QuickBooks Online – Security
This is a series of blog posts on QBO technology. We start by taking a look at QBO security practices. In the next few posts we will discuss performance, scalability, and the SaaS architecture of QuickBooks Online.
Introduction
“Security is a smile from a headwaiter” – Russell Baker
SaaS (Software as a Service) applications are often referred to as “rented apps.” However, we believe that analogy needs work. Using a SaaS app should not be like renting an apartment where the landlord could bring in a mechanic without even notifying the renter ahead of time. Our users deserve much better. We believe that SaaS/Cloud apps should be more like renting a lock box at a bank. Just as a bank provides top-notch security and is accountable for fully exclusive, private access to the lock box by its user and no one else, QuickBooks Online’s job is to provide our users with accounting logic and compute capacity. A user’s data is not only exclusively owned by him/her, but we strive to make the system as secure as the most secure banks’ lock boxes, if not more. As a user, you and only you have the key (login) to access the data – when you want, using a device of your choice, for however long you want – and you manage that data with the accounting logic we provide. So, please be assured that your data and business assets are in safe hands.
QuickBooks Online’s security/privacy model is a three-legged stool. Each of the three legs is re-visited and re-calibrated at least once a year, and in practice a few times a year.
1) Physical and Access Security
Tier-4 Data Center: QBO is hosted in two premier Tier-4 data centers. Tier-4 is the highest category in the data center tier classification. There’s no Tier-5!
Stringent Background Check: Intuit has been in the business of consumer and small business finance for decades. It has robust, established recruiting practices that involve several rounds of background and reference checks.
Site Security: All our key sites are guarded by Intuit Security, use access-card entry to each building, and have 24*7 perimeter vigilance and control. Data center security is several orders of magnitude stricter: without a special privilege pass, even an Intuit employee cannot get inside our data centers. Maintaining a regime of “Compensating Control,” we keep strict separation of roles between Development and Production, and Production access requires multiple levels of authorization. For example, the Operations function is vertically separated into Dev-Ops and Prod-Ops to enable the highest degree of control over access to Intuit production assets.
Throttles and other limits at every tier to prevent DDoS: from the firewall to the web, app and storage tiers, each tier has its own limits to counter malicious traffic. Access logs are audited periodically for inappropriate access, and they typically cover at least a year so that past issues can be revisited.
Password Policy: We follow a strong password policy, including password duration limits, for all environments.
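As an added illustration (not code from this post or from Intuit), here is the shape of a per-client throttle that sits in front of one tier, plus the periodic audit over rejected requests that the paragraph describes. It uses a token bucket: each client gets a bucket that refills at a fixed rate, and a request is dropped when the bucket is empty. The rate, capacity, client addresses and traffic below are all constructed assumptions.

```python
import time
from collections import defaultdict


class TokenBucket:
    """Per-client token bucket: `rate` tokens refill per second, up to `capacity`."""

    def __init__(self, rate, capacity, now):
        self.rate = rate
        self.capacity = capacity
        self.tokens = float(capacity)
        self.last = now

    def allow(self, now):
        # Refill proportionally to elapsed time, then spend one token if one is available.
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class TierThrottle:
    """Throttle for one tier (e.g. the web tier), keyed by a client identifier."""

    def __init__(self, rate, capacity):
        self.rate = rate
        self.capacity = capacity
        self.buckets = {}
        self.rejected = defaultdict(int)
        # (timestamp, client) for every rejected request, kept for periodic review
        self.audit_log = []

    def check(self, client, now=None):
        now = time.monotonic() if now is None else now
        bucket = self.buckets.get(client)
        if bucket is None:
            bucket = self.buckets[client] = TokenBucket(self.rate, self.capacity, now)
        if bucket.allow(now):
            return True
        self.rejected[client] += 1
        self.audit_log.append((now, client))
        return False


def simulate(events, rate=5.0, capacity=10):
    """Replay (timestamp, client) events through one tier; return allowed/rejected counts."""
    throttle = TierThrottle(rate, capacity)
    allowed = defaultdict(int)
    for ts, client in sorted(events):
        if throttle.check(client, ts):
            allowed[client] += 1
    return dict(allowed), dict(throttle.rejected), throttle.audit_log


def flag_abusers(rejected, threshold=10):
    """Periodic audit: clients whose rejected-request count exceeds the threshold."""
    return sorted(c for c, n in rejected.items() if n > threshold)


# Constructed traffic: one client bursts 30 requests in the same instant,
# another sends one request per second for 30 seconds.
SAMPLE_EVENTS = [(0.0, "10.0.0.7")] * 30 + [(float(s), "10.0.0.8") for s in range(30)]

if __name__ == "__main__":
    allowed, rejected, audit = simulate(SAMPLE_EVENTS)
    print("allowed:", allowed)    # {'10.0.0.7': 10, '10.0.0.8': 30}
    print("rejected:", rejected)  # {'10.0.0.7': 20}
    print("flagged:", flag_abusers(rejected))
```

The burst client exhausts its bucket after the first ten requests and is dropped for the remaining twenty, while the steady client is never touched; the audit log then lets a later review pick out the client whose rejections crossed the threshold.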
2) Code and Infrastructure Security
Release process tied to strong security metrics with stringent exit criteria: We log thousands of hours of security code reviews every year by our most senior Staff, Principal and Distinguished Engineers, looking for anti-patterns with a focus on SQL injection, cross-site scripting, encryption usage and correct usage of application APIs. The “Code Collaborator” tool is used to track the reviews, and it is integrated with our source-code control system for review audits. We also regularly use static code analysis tools like Coverity and Fortify to scan the code for any existing anti-patterns. Consider this coarse-grained protection complementary to the fine-grained protection applied in code reviews.
Security coding standards & best practices followed in business logic, user interface (JavaScript, CSS), data/schema and logs: Authentication has built-in capabilities for DoS and brute-force resistance; to frustrate automated DoS attacks we use a CAPTCHA after a certain number of failed attempts. Secret and sensitive information is encrypted in storage and in transit. The most confidential data, like Social Security numbers, bank account and credit card numbers, is tokenized away from storage. Auditing, logging and reporting are in compliance with best security practices. E.g.,
- Capture essential forensic data, capture data for critical events or exceptions, and stringently protect the logging data itself.
- Encode output and validate input, to make sure the browser never displays executable code and that to-be-stored data is of the expected type and is not executable code itself.
- Internal wiki created by developers for each functional and technical area, for on-boarding new internal developers.
Test Cases: Our developers are also required to write unit tests to assure that code behaves properly in the face of common forms of attack. Some examples of security unit tests are given in the references.
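The passage above says the most confidential fields are “tokenized away from storage.” As an added example (not Intuit’s code, and not a description of how QBO actually does it), here is the pattern in miniature: the application record holds only random tokens and the last four card digits, the real values live in a separate vault, and both fields are validated before anything is stored. The vault class, the record layout, the sample SSN and the well-known test card number are all constructed for the example.

```python
import re
import secrets


class TokenVault:
    """Stores sensitive values under random tokens. In practice this lives in a
    separate, more tightly controlled data store than the application database."""

    def __init__(self):
        self._store = {}

    def tokenize(self, value):
        # Random token, so it reveals nothing about the value it stands for.
        token = "tok_" + secrets.token_hex(16)
        self._store[token] = value
        return token

    def detokenize(self, token):
        return self._store[token]


SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
CARD_RE = re.compile(r"^\d{13,19}$")


def luhn_ok(number):
    """Luhn checksum used by payment card numbers (input validation before storage)."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def store_customer(vault, app_db, name, ssn, card):
    """Validate the sensitive fields, then write only tokens (plus last four digits) to app_db."""
    if not SSN_RE.match(ssn):
        raise ValueError("SSN is not in NNN-NN-NNNN form")
    if not CARD_RE.match(card) or not luhn_ok(card):
        raise ValueError("card number failed format or Luhn check")
    record = {
        "name": name,
        "ssn_token": vault.tokenize(ssn),
        "card_token": vault.tokenize(card),
        "card_last4": card[-4:],  # enough for display, useless on its own
    }
    app_db.append(record)
    return record


def app_db_contains(app_db, value):
    """Audit helper: does any application record still hold this plaintext value?"""
    return any(value in str(field) for rec in app_db for field in rec.values())


# Constructed sample data: a made-up SSN and the widely used Visa test card number.
SAMPLE_SSN = "123-45-6789"
SAMPLE_CARD = "4111111111111111"

if __name__ == "__main__":
    vault, app_db = TokenVault(), []
    rec = store_customer(vault, app_db, "Example Customer", SAMPLE_SSN, SAMPLE_CARD)
    print(rec)
    print("plaintext card in app DB:", app_db_contains(app_db, SAMPLE_CARD))  # False
    print("recovered from vault:", vault.detokenize(rec["card_token"]) == SAMPLE_CARD)  # True
```

The point of the split is blast radius: a compromise of the application database yields tokens that cannot be reversed without the vault, and the vault can be placed under stricter access control and auditing than the main database.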
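Tying the three practices above together (a CAPTCHA after repeated failed logins, input validation with output encoding, and unit tests that exercise attack patterns), here is an added example in the form of a small login service with security checks written against it. It is illustrative code, not QBO’s; the username allow-list, the five-attempt threshold and the plaintext credential store are assumptions made for the example, and a real system would store salted password hashes.

```python
import hmac
import html
import re
from collections import defaultdict

USERNAME_RE = re.compile(r"^[A-Za-z0-9._@+-]{3,64}$")  # allow-list for the username field
CAPTCHA_AFTER = 5  # assumed threshold: failed attempts before a CAPTCHA is demanded


class LoginService:
    def __init__(self, credentials):
        # Constructed store of username -> password; a real system holds salted hashes.
        self._creds = credentials
        self.failures = defaultdict(int)  # per-account failed-attempt counter

    def login(self, username, password, captcha_solved=False):
        # 1. Validate input against the allow-list before it touches any state.
        if not USERNAME_RE.match(username):
            return self._fail("invalid_username", "Invalid username: " + html.escape(username))
        # 2. Brute-force resistance: past the threshold, demand a CAPTCHA even for a correct password.
        if self.failures[username] >= CAPTCHA_AFTER and not captcha_solved:
            return self._fail("captcha_required", "Too many attempts; please solve the CAPTCHA")
        stored = self._creds.get(username, "")
        # Constant-time comparison so timing does not leak how much of the password matched.
        if stored and hmac.compare_digest(stored.encode(), password.encode()):
            self.failures[username] = 0
            return {"ok": True, "reason": "authenticated", "message": "Welcome, " + html.escape(username)}
        self.failures[username] += 1
        # 3. Encode output: the username is reflected into HTML, so it is escaped first.
        return self._fail("bad_credentials", "Login failed for " + html.escape(username))

    @staticmethod
    def _fail(reason, message):
        return {"ok": False, "reason": reason, "message": message}


# Security unit tests in the spirit the post describes: each exercises one attack pattern.
def check_brute_force_triggers_captcha():
    svc = LoginService({"alice@example.com": "correct horse battery"})
    for _ in range(CAPTCHA_AFTER):
        svc.login("alice@example.com", "wrong guess")
    blocked = svc.login("alice@example.com", "correct horse battery")
    allowed = svc.login("alice@example.com", "correct horse battery", captcha_solved=True)
    return blocked["reason"] == "captcha_required" and allowed["ok"]


def check_reflected_input_is_encoded():
    svc = LoginService({})
    r = svc.login("<script>alert(1)</script>", "x")
    return "<script" not in r["message"] and "&lt;script&gt;" in r["message"]


def check_injection_like_username_rejected():
    svc = LoginService({})
    r = svc.login("' OR 1=1 --", "x")
    return r["reason"] == "invalid_username"


def run_security_checks():
    return {
        "brute_force": check_brute_force_triggers_captcha(),
        "output_encoding": check_reflected_input_is_encoded(),
        "input_validation": check_injection_like_username_rejected(),
    }


if __name__ == "__main__":
    print(run_security_checks())  # all three True
```

Note that validation and encoding are applied independently: the allow-list already rejects the script payload, but the error message still escapes it, so a later loosening of the allow-list would not turn the reflected value into an XSS vector.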
Security patch update
Regular Update: We have quarterly/bi-yearly/yearly cycles to apply software patches, including security patches, to our hardware and software stacks.
Ad-hoc Security Patching: As needed. We listen to various security distribution lists from our vendors and communities (like JSR). For example, the following recent security updates from Java and Tomcat were carefully discussed the same day, and proper actions were rapidly taken to ensure the security of QBO users where applicable.
‘Corporate Information Security’ (CIS) is a separate internal unit that deals with the security of application and corporate assets. This team has a great talent pool, including some former law enforcement officers, highly experienced security domain experts, anti-phishing/anti-malware strategists, etc. Also, there is an Intuit-wide “Security X-Team” with representation from all Business Units/Apps to enable shared learning from recent events.
3) Independent / External Validation of assets and practices
Regular (Independent) Penetration Testing: Despite our best practices and stringent processes, we know that humans make mistakes. To find and eliminate any vulnerability, we follow a daily/monthly/yearly regime of security tests.
- Daily: Static Automated Analysis with Tools.
- Monthly: Trustwave PCI Compliance Tests
- Yearly: Negative penetration tests by external, independent security experts. Here we assume “everything is suspect” and simulate bot attacks to test whether our firewall, web and app servers hold against the most stringent denial-of-service and other malicious attacks. We have strategic partnerships with some of the most revered names in the security practice domain, and we regularly bring those experts in-house to “audit and break” our code. Some of the tests in the series we perform against ourselves are:
- Denial-of-service attacks using a large number of attackers trying to overwhelm servers, or using large payloads to break our application.
- Mass information-mining attacks that try to get at sensitive data, with or without valid credentials.
- CSRF attacks that try to hijack an (internal!) user session and force the browser to send requests to malicious sites.
- Cross-site scripting attacks that reflect an attacker’s content back to the user to execute and pass on sensitive information to the attacker.
- SQL injection attacks that inject SQL into the application with malicious intent.
- Cookie management.
- Attempts to break weak passwords.
- Packet sniffing attacks to intercept sensitive or private information in flight, etc.
Quarterly Review of the “Application Security Dashboard” with our CTO and CIO: Every quarter, we review our “Application Security Dashboard” – an established set of questions that brings wide and deep data about QuickBooks Online’s security practices – with many of our executives.
References
QBO Security Disclaimer
PCI
NIST 800-53
How to write security test cases
CERT Secure Coding Standards for C and Java
Java Access Manager



March 13, 2013 at 5:41 pm
I would like to see different levels of access and security which would accommodate multiple users in the same account. (I would even pay a bit extra for the option.) An example would be a partition and secure access for select users to different areas, i.e. payroll and billing; another would be check writing, and low access could be to writing purchase orders and vendor set up. These partitions would be nice so that an assistant could manage small tasks without any opportunity to get to financials.
March 30, 2013 at 7:07 pm
Candice,
Thanks very much for your suggestion. While QuickBooks Online for Accountant (http://accountants.intuit.com/accounting/quickbooks/online-accountant/) does offer some practice management, I will take your input on more fine-grained access control to our leadership team. I see how a growing business could benefit from having some tasks delegated to someone other than the administrator/business owner within the context of the same workspace.
Thanks,
NM
March 14, 2013 at 10:22 am
Some additional questions:
* What level of encryption do you employ for customer credentials and sensitive information, including social security numbers and credit card numbers? Is this information stored separately from the main QBO DB?
* Do you do any penetration testing involving social engineering?
* Have you considered going to multi-factor authentication, like many banks are doing?
* There is no option to have user passwords expire/reset after a certain time interval.
* It would be better if QODBC could connect with the DB over SSL with a cert. The current connection method is not very secure.
March 30, 2013 at 7:21 pm
David,
Sorry for late reply. Answers -
1. The sensitive information type you mentioned is stored separately from the QBO DB. Our encryption has a minimum 128-bit key. We use the triple DES algorithm to protect against brute-force attacks.
2. Yes – the penetration testing does involve testing for social engineering based attacks.
3 & 4. We strive to strike a balance between usability and tight security – both ends of the spectrum for our small business users. That said, using MFA is indeed an interesting way to gain confidence from small businesses. If you do have a POV on the benefit of multi-factor authentication, I would love to know more. For the same reason, we try not to forcibly retire passwords today.
5. Let me follow up with my engineering colleagues and I will get back to you on this one.
-NM
March 16, 2013 at 9:50 pm
Completely Off Topic: How do I file a bug report? I searched “bug report” in help and got nothing.
Transactions named “Office Deposit” are importing as “Office Depot”. It is not that they are being accidentally matched to a vendor named “Office Depot”; the transaction itself is importing improperly and being renamed. It’s as if Quickbooks didn’t even see the “si” in “Deposit”.
March 30, 2013 at 7:25 pm
Ronald,
For now, you can enter a bug using the “Feedback” button (typically in the upper-right hand corner of pages; the gold button). We are trying to offer a “Check if this is a Bug” option there. Till then, you can use “Bug:” in the subject. We do read each feedback. Actually, in our Mountain View offices there are several TV screens near our developers’ area that live-stream the feedback as well. We have also formed a separate engineering team to go through and classify the feedback to act on.
As for the particular one you commented on, I have entered a bug in our bug tracking system. We will follow up on it.
-NM
April 1, 2013 at 5:11 pm
Ronald
Nilendu mentioned this issue. We work with 15000 banks. Could you please provide the name of the bank in which you see this issue? This will help us to reproduce and isolate the issue.
-Raje J
March 21, 2013 at 1:25 pm
I don’t really know why I am getting billed for this. I never use this for my accounting needs and yet you guys keep taking money from my account. This is unacceptable and I’m about to file a complaint against this company. Somebody needs to do something about this issue.
March 30, 2013 at 7:31 pm
Jacqueline,
Sorry for replying late!
I am really sorry if you are still getting billed. If you have not already cancelled your (possibly) trial subscription using the product, you can call our support at 1-800-488-7330 and they will help you get a refund of any wrong charge.
Meanwhile, I have also emailed one of our support agents to look into your issue.
Thanks,
NM
March 30, 2013 at 6:08 pm
I appreciate your trying to be open and to disclose more.
Having a native-English language person edit the grammar will leave a better impression on your readers – always be conscious that other people with superior English will be reading what you write; strive to meet the challenge.
March 30, 2013 at 7:35 pm
Robert,
First, thanks for your candid feedback.
Second, I will make sure we spend more time editing and reviewing the content from now on. Upon review of this particular post, we found and fixed a few typos.
Regards,
NM
April 1, 2013 at 12:16 pm
I’d just like to second the request for optional multifactor authentication. Perhaps through SMS or Google Authenticator.
April 8, 2013 at 3:33 pm
For multifactor authentication, please note that I, personally, don’t have (or want) a cell phone; I don’t want to be forced to use anything related to Facebook or Google against my will. If MFA is optional, that will be fine. Thanks.
April 14, 2013 at 11:23 am
If it ain’t broke, don’t try and fix it. Some folks are sometimes asking for too much! I don’t use a cell phone for my business either. There is a time and place for some businesses to use these devices. Call me old fashioned, but I am still in business.
April 14, 2013 at 9:10 pm
I think there is some confusion here. Multifactor authentication has nothing to do with phones. It’s an additional layer of security when you login. Most banks already have this to protect your account from a simple password theft. It can be as simple as asking for an additional security question, or as complex as requiring you to register each machine that you access QuickBooks from. Hackers have gotten much more sophisticated about cracking passwords, and QuickBooks contains a lot of sensitive financial information.
I have had my Facebook, Windows messenger, Hotmail, and Sony PlayStation all hacked. Multifactor authentication can prevent this.
May 7, 2013 at 9:00 am
[...] are highly secure. The data centers are Tier-4, the highest level possible. See this article on QuickBooks Online Security for more details. Privacy is a trickier issue. Intuit’s user agreement says that they may use [...]
May 7, 2013 at 9:59 am
Please clarify – The data center description sounds as if the Tier 4 facility is a separate entity. Are the physical data centers owned and managed by Intuit?
It would be unusual for an outside legal entity host to allow Intuit employees to directly secure a data center area.
By design, Intuit’s data contents could be remote key encryption-controlled by Intuit – but that is different from physically securing the hypervisor equipment. Many cloud hypervisor architecture deployments are susceptible to higher physical security risks from trusted insiders. Additional security measures – like encryption – can often be difficult to coordinate to implement compensating controls.
May 7, 2013 at 10:20 am
I believe the phone was mentioned above because there are many MFA solutions that include sending a temporary SMS code to a pre-authorized phone number, and others have a token generator on the phone that works like SecurID.