Security

Summary


  • No breached passwords
  • Two-factor authentication
  • Encryption in-transit and at-rest
  • Strict employee access policies
  • Annual penetration testing
  • Read-only access to AWS configuration

1. Passwords


The security of your account begins with a strong password. In addition to requiring a password of at least 12 characters in length, KirkpatrickPrice follows the recommendations outlined in NIST SP 800-63B and compares passwords against lists of known breaches.

When you create a new account, your password is checked against the Have I Been Pwned service. If your password has shown up in any breaches indexed by Have I Been Pwned, we will ask that you choose a different, stronger password.

We do not store, log, or share your password in plain-text. To check your password against Have I Been Pwned, we generate a one-way cryptographic hash of the password and use a portion of the hash to compare against hashes of known breaches. You can read more about how this process works here.

2. Two-factor authentication


While passwords serve as the foundation of account security, on their own, they are susceptible to our tendency as humans to make them too easy to guess. To add an additional layer of security KirkpatrickPrice offers two-factor authentication (2FA) using the TOTP protocol.

You can use any TOTP apps such as Google Authenticator, Duo, Authy, Microsoft Authenticator, 1Password, or LastPass to add a second authentication factor to your account.

3. Encryption


All traffic to and from KirkpatrickPrice uses industry standard TLS encryption. In addition data, files, backups, and storage are all encrypted at-rest.

4. Employee access


Access to customer data held in KirkpatrickPrice's platform is limited to employees who need access to operate and support the system. All access is logged and audited to maintain security and privacy of our customers.

5. Pentesting


KirkpatrickPrice performs annual penetration testing with qualified experts to test and find potential vulnerabilities in our system.

6. Cloud account connection


To perform a security assessment of your cloud account you will first need to allow KirkpatrickPrice to connect to your account. Once access is established you can run your scan.

AWS

Instructions for establishing a secure, read-only connection to AWS can be found here.

Azure

Instructions for establishing a secure, read-only connection to Azure can be found here.

GCP

Instructions for establishing a secure, read-only connection to GCP can be found here.