Security at Zoho

Updated on: 13 May 2020

Introduction

Zoho provides Software as a Service(SaaS) products to millions of users worldwide to solve their business problems. Security is a key component in Zoho offerings, and is reflected in Zoho people, process, and products. This page covers topics like data security, operational security, and physical security to explain how Zoho offers security to it’s customers.

Overview

Zoho security strategy involves the following components

·      Organizational security

·      Physical security

·      Infrastructure security

·      Data security

·      Identity and access control

·      Operational security

·      Incident management

·      Responsible disclosures

·      Vendor management

·      Customer controls for security

Organizational security

Zoho has an Information Security Management System (ISMS) in place which takes into account Zoho security objectives and the risks and mitigations concerning all the interested parties. Zoho employs strict policies and procedures encompassing the security, availability, processing, integrity, and confidentiality of customer data.

Employee background checks

Each employee undergoes a process of background verification. Zoho hire reputed external agencies to perform this check on Zoho behalf. Zoho do this to verify their criminal records, previous employment records if any, and educational background. Until this check is performed, the employee is not assigned tasks that may pose risks to users. 

Security Awareness

Each employee, when inducted, signs a confidentiality agreement and acceptable use policy, after which they undergo training in information security, privacy, and compliance. Furthermore, Zoho evaluate their understanding through tests and quizzes to determine which topics they need further training in. Zoho provide training on specific aspects of security, that they may require based on their roles.

Zoho educate Zoho employees continually on information security, privacy, and compliance in Zoho internal community where Zoho employees check in regularly, to keep them updated regarding the security practices of the organization. Zoho also host internal events to raise awareness and drive innovation in security and privacy.

Dedicated security and privacy teams

Zoho have dedicated security and privacy teams that implement and manage Zoho security and privacy programs. They engineer and maintain Zoho defense systems, develop review processes for security, and constantly monitor Zoho networks to detect suspicious activity. They provide domain-specific consulting services and guidance to Zoho engineering teams.

Internal audit and compliance

Zoho have a dedicated compliance team to review procedures and policies in Zoho to align them with standards, and to determine what controls, processes, and systems are needed to meet the standards.This team also does periodic internal audits and facilitates independent audits and assessments by third parties.

For more details, check out Zoho compliance portfolio.

Endpoint security

All workstations issued to Zoho employees run up-to-date OS version and are configured with anti-virus software. They are configured such that they comply with Zoho standards for security, which require all workstations to be properly configured, patched, and be tracked and monitored by Zoho's endpoint management solutions. These workstations are secure by default as they are configured to encrypt data at rest, have strong passwords, and get locked when they are idle. Mobile devices used for business purposes are enrolled in the mobile device management system to ensure they meet Zoho security standards.

Physical security

At workplace

Zoho control access to Zoho resources (buildings, infrastructure and facilities), where accessing includes consumption, entry, and utilization, with the help of access cards. Zoho provide employees, contractors, vendors, and visitors with different access cards that only allow access strictly specific to the purpose of their entrance into the premises. Human Resource (HR) team establishes and maintains the purposes specific to roles. Zoho maintain access logs to spot and address anomalies. 

At Data Centers

At Zoho Data Centers, a co location provider takes responsibility of the building, cooling, power, and physical security, while Zoho provide the servers and storage. Access to the Data Centers is restricted to a small group of authorized personnel. Any other access is raised as a ticket and allowed only after the approval of respective managers. Additional two-factor authentication and biometric authentication are required to enter the premises. Access logs, activity records, and camera footage are available in case an incident occurs.

Monitoring

Zoho monitor all entry and exit movements throughout Zoho premises in all Zoho business centers and data centers through CCTV cameras deployed according to local regulations. Back-up footage is available up to a certain period, depending on the requirements for that location.

Infrastructure security

Network security

Zoho network security and monitoring techniques are designed to provide multiple layers of protection and defense. Zoho use firewalls to prevent Zoho network from unauthorized access and undesirable traffic. Zoho systems are segmented into separate networks to protect sensitive data. Systems supporting testing and development activities are hosted in a separate network from systems supporting Zoho's production infrastructure.

Zoho monitor firewall access with a strict, regular schedule. A network engineer reviews all changes made to the firewall everyday. Additionally, these changes are reviewed every three months to update and revise the rules. Zoho dedicated Network Operations Center team monitors the infrastructure and applications for any discrepancies or suspicious activities. All crucial parameters are continuously monitored using Zoho proprietary tool and notifications are triggered in any instance of abnormal or suspicious activities in Zoho production environment.

Network redundancy

All the components of Zoho platform are redundant. Zoho use a distributed grid architecture to shield Zoho system and services from the effects of possible server failures. If there's a server failure, users can carry on as usual because their data and Zoho services will still be available to them.

Zoho additionally use multiple switches, routers, and security gateways to ensure device-level redundancy. This prevents single-point failures in the internal network.

DDoS prevention

Zoho use technologies from well-established and trustworthy service providers to prevent DDoS attacks on Zoho servers. These technologies offer multiple DDoS mitigation capabilities to prevent disruptions caused by bad traffic, while allowing good traffic through. This keeps Zoho websites, applications, and APIs highly available and performing.

Server hardening

All servers provisioned for development and testing activities are hardened (by disabling unused ports and accounts, removing default passwords, etc.). The base Operating System (OS) image has server hardening built into it, and this OS image is provisioned in the servers, to ensure consistency across servers.

Intrusion detection and prevention

Zoho intrusion detection mechanism takes note of host-based signals on individual devices and network-based signals from monitoring points within Zoho servers. Administrative access, use of privileged commands, and system calls on all servers in Zoho production network are logged. Rules and machine intelligence built on top of this data give security engineers warnings of possible incidents. At the application layer, Zoho have Zoho proprietary WAF which operates on both whitelist and blacklist rules.

At the Internet Service Providers (ISP) level, a multi-layered security approach is implemented with scrubbing, network routing, rate limiting, and filtering to handle attacks from network layer to application layer.This system provides clean traffic, reliable proxy service, and a prompt reporting of attacks, if any. 

Data security

Secure by design

Every change and new feature is governed by a change management policy to ensure all application changes are authorised before implementation into production. Zoho Software Development Life Cycle (SDLC) mandates adherence to secure coding guidelines, as Zoholl as screening of code changes for potential security issues with Zoho code analyser tools, vulnerability scanners, and manual review processes.

Zoho robust security framework based on OWASP standards, implemented in the application layer, provides functionalities to mitigate threats such as SQL injection,Cross site scripting and application layer DOS attacks. 

Data isolation

Zoho framework distributes and maintains the cloud space for Zoho customers. Each customer's service data is logically separated from other customers' data using a set of secure protocols in the framework. This ensures that no customer's service data becomes accessible to another customer.

The service data is stored on Zoho servers when you use Zoho services. Your data is owned by you, and not by Zoho. Zoho do not share this data with any third-party without your consent.

Encryption

In transit: All customer data transmitted to Zoho servers over public networks is protected using strong encryption protocols. Zoho mandate all connections to Zoho servers use Transport Layer Security (TLS 1.2/1.3) encryption with strong ciphers, for all connections including web access,API access,Zoho mobile apps, and IMAP/POP/SMTP email client access. This ensures a secure connection by allowing the authentication of both parties involved in the connection, and by encrypting data to be transferred.Additionally for email, Zoho services leverages opportunistic TLS by default.TLS encrypts and delivers email securely, mitigating eavesdropping between mail servers where peer services support this protocol.

Zoho have full support for Perfect Forward Secrecy (PFS) with Zoho encrypted connections, which ensures that even if Zoho Zohore somehow compromised in the future, no previous communication could be decrypted. Zoho have enabled HTTP Strict Transport Security header (HSTS) to all Zoho web connections.This tells all modern browsers to only connect to us over an encrypted connection, even if you type a URL to an insecure page at Zoho site.Additionally, on the web Zoho flag all Zoho authentication cookies as secure.

At rest: Customer data at rest is encrypted using 256-bit Advanced Encryption Standard (AES).Zoho own and maintain the keys using Zoho in-house Key Management Service (KMS). Zoho provide additional layers of security by encrypting the data encryption keys using master keys. The master keys and data encryption keys are physically separated and stored in different servers with limited access.

Please click here for detailed information about encryption at Zoho.

Data retention and disposal

Zoho hold the data in your account as long as you choose to use Zoho Services. Once you terminate your Zoho user account, your data will get deleted from the active database during the next clean-up that occurs once every 6 months. The data deleted from the active database will be deleted from backups after 3 months. In case of your unpaid account being inactive for a continuous period of 120 days, Zoho will terminate it after giving you prior notice and option to back-up your data.

A verified and authorized vendor carries out the disposal of unusable devices. Until such time, Zoho categorize and store them in a secure location. Any information contained inside the devices is formatted before disposal. Zoho degauss failed hard drives and then physically destroy them using a shredder. Zoho crypto-erase and shred failed Solid State Devices (SSDs).

Identity and Access control

Single Sign-On (SSO)

Zoho offers single sign-on (SSO) that lets users access multiple services using the same sign-in page and authentication credentials. When you sign in to any Zoho service, it happens only through Zoho integrated Identity and Access Management (IAM) service.Zoho also support SAML for single sign-on that makes it possible for customers to integrate their company's identity provider like LDAP,ADFS when they login to Zoho services

SSO simplifies login process,ensures compliance,provides effective access control and reporting, and reduces risk of password fatigue, and hence Zohoak passwords.

Multi-Factor Authentication

It provides an extra layer of security by demanding an additional verification that the user must possess, in addition to the password. This can greatly reduce the risk of unauthorized access if a user’s password is compromised.Currently, different modes like biometric Touch ID or Face ID, Push Notification, QR code, and Time-based OTP are supported.

Administrative access

Zoho employ technical access controls and internal policies to prohibit employees from arbitrarily accessing user data. Zoho adhere to the principles of least privilege and role-based permissions to minimize the risk of data exposure.

Access to production environments is maintained by a central directory and authenticated using a combination of strong passwords, two-factor authentication, and passphrase-protected SSH keys. Furthermore, Zoho facilitate such access through a separate network with stricter rules and hardened devices. Additionally, Zoho log all the operations and audit them periodically.

Operational security

Logging and Monitoring

Zoho monitor and analyse information gathered from services, internal traffic in Zoho network, and usage of devices and terminals. Zoho record this information in the form of event logs, audit logs, fault logs, administrator logs, and operator logs. These logs are automatically monitored and analyzed to a reasonable extent that helps us identify anomalies such as unusual activity in employees’ accounts or attempts to access customer data. Zoho store these logs in a secure server isolated from full system access, to manage access control centrally and ensure availability. 

Detailed audit logging covering all update and delete operations performed by the user are available to the customers in every Zoho service.

Vulnerability management

Zoho have a dedicated vulnerability management process that actively scans for security threats using a combination of certified third-party scanning tools and in-house tools, and with automated and manual penetration testing efforts. Furthermore, Zoho security team actively reviews inbound security reports and monitors public mailing lists, blog posts, and wikis to spot security incidents that might affect the company’s infrastructure.

Once Zoho identify a vulnerability requiring remediation, it is logged, prioritized according to the severity, and assigned to an owner. Zoho further identify the associated risks and track the vulnerability until it is closed by either patching the vulnerable systems or applying relevant controls.

Malware and spam protection

Zoho scan all user files using Zoho automated scanning system that’s designed to stop malware from being spread through Zoho's ecosystem. Zoho custom anti-malware engine receives regular updates from external threat intelligence sources and scans files against blacklisted signatures and malicious patterns. Furthermore, Zoho proprietary detection engine bundled with machine learning techniques, ensures customer data is protected from malware. 

Zoho supports Domain-based Message Authentication, Reporting, and Conformance (DMARC) as a way to prevent spam. DMARC uses SPF and DKIM to verify that messages are authentic.Zoho also use Zoho proprietary detection engine for identifying abuse of Zoho services like phishing and spam activities.Additionally, Zoho have a dedicated anti-spam team to monitor the signals from the software and handle abuse complaints. For more information, click here

Backup

Zoho run full backups once a week and incremental backups everyday. Backup data in a DC is stored in the same location and encrypted at rest, as the original data. Zoho additionally restore and validate backups every week. All backed up data is retained for three months.

If a customer requests for data recovery within the retention period, Zoho will restore their data from the backup and make it available to them.

Disaster recovery and business continuity

Application data is stored on resilient storage that is replicated across data centers. Data in the primary DC is replicated in the secondary in near real time. In case of failure of the primary DC, secondary DC takes over and the operations are carried on smoothly with minimal or no loss of time. Both the centers are equipped with multiple ISPs.

Zoho have power back-up, temperature control systems and fire-prevention systems as physical measures to ensure business continuity. These measures help us achieve resilience. In addition to the redundancy of data, Zoho have a business continuity plan for Zoho major operations such as support and infrastructure management.

Incident Management

Reporting

Zoho have a dedicated incident management team. Zoho notify you of the incidents in Zoho environment that apply to you, along with suitable actions that you may need to take. Zoho track and close the incidents with appropriate corrective actions. Whenever applicable, Zoho will provide you with necessary evidences regarding incidents that apply to you. Furthermore, Zoho implement controls to prevent recurrence of similar situations.

Zoho respond to the security or privacy incidents you report to us through incidents@zohocorp.com, with high priority. For general incidents, Zoho will notify users through Zoho blogs, forums, and social media. For incidents specific to an individual user or an organization, Zoho will notify the concerned party through email (using their primary email address of the Organisation administrator registered with us). 

Breach notification

As data controllers, Zoho notify the concerned Data Protection Authority of a breach within 72 hours after Zoho become aware of it, according to the General Data Protection Regulation (GDPR). Depending on specific requirements, Zoho notify the customers too, when necessary. As data processors, Zoho inform the concerned data controllers without undue delay. 

Responsible Disclosure

A vulnerability reporting program in "Bug Bounty", to reach the community of researchers, is in place, which recognizes and rewards the work of security researchers. Zoho are committed to working with the community to verify, reproduce, respond to, legitimate, and implement appropriate solutions for the reported vulnerabilities.

If you happen to find any, please submit the issues at https://bugbounty.zoho.com/. If you want to directly report vulnerabilities to Zoho, mail security@zohocorp.com. 

Vendor and Third-party supplier management

Zoho evaluate and qualify Zoho vendors based on Zoho vendor management policy. Zoho onboard new vendors after understanding their processes for delivering us service, and performing risk assessments. Zoho take appropriate steps to ensure Zoho security stance is maintained by establishing agreements that require the vendors to adhere to confidentiality, availability, and integrity commitments Zoho have made to Zoho customers. Zoho monitor the effective operation of the organization’s process and security measures by conducting periodic reviews of their controls.

Customer controls for security

So far, we have discussed what Zoho do to offer security on various fronts to Zoho customers. Here are the things that you as a customer can do to ensure security from your end:

Conclusion

Security of your data is your right and a never-ending mission of Zoho. Zoho will continue to work hard to keep your data secure, like Zoho always has. For any further queries on this topic, feel free to contact Zoho at security@zohocorp.com.