Built with Security in Mind
The Security Team conducts periodic risk assessments for the organization using a methodology based on the ISO 27005:2018 guidelines for information security risk management. Top risks are selected and risk treatment plans are prepared. The risk assessment, top risk selection, and risk treatment plans are reviewed by the Security and Privacy Steering Committee, which also monitors progress on the risk treatment plans
Built with Security in Mind
Overview. Optimizely requires authentication for access to all application pages on the Optimizely Service, except for those intended to be public.
Secure Communication of Credentials. Optimizely currently uses TLS-encrypted POST requests to transmit authentication credentials to the Optimizely Service.
Password Management. We have processes designed to enforce minimum password requirements for the Optimizely Service. We currently enforce the following requirements and security standards for end user passwords on the Optimizely Service:
Passwords must be a minimum of 8 characters in length and include a mix of uppercase and lowercase letters as well as numbers and symbols
Multiple logins with the wrong username or password will result in a locked account, which will be disabled for a period of time to help prevent a brute-force login, but not long enough to prevent legitimate users from being unable to use the application
Email-based password reset links are sent only to a user’s pre-registered email address with a temporary link
Optimizely rate limits multiple login attempts from the same email address
Optimizely prevents reuse of recently-used passwords
Password Hashing. End user account passwords stored on the Optimizely Service are hashed with a random salt using industry-standard techniques. We currently use HMAC-SHA256 and run through 86000 rounds of PBKDF2.
2-Step Verification. 2-Step Verification increases the security of your Optimizely Service account by adding a second level of authentication when signing in. Instead of relying only on a password, 2-Step Verification will also require you to enter a temporary code that you access from your mobile phone. 2-Step Verification is intended to help you:
Protect your website and mobile application when your Optimizely password is stolen;
Add an additional layer of security against password phishing attacks; and
Adhere to guidelines set by your enterprise security policy.
Single Sign-On. Optimizely lets you implement Single Sign-On (SSO) through SAML 2.0, an open standard data format for exchanging authentication and authorization information. This allows your team to log in to Optimizely using their existing corporate credentials. SSO is an account-level feature that will apply across all projects and experiments. Single Sign-On is available on select packages only, so please consult your order form for eligibility.
Overview. Each time a user signs into the Optimizely Service, the system assigns them a new, unique session identifier, currently consisting of 64 bytes of random data designed for protection against brute forcing.
Session Timeout. All sessions are designed to have a hard timeout (currently set to 7 days). Single Sign-On sessions are configured with an inactivity timeout as well (currently, 4 hours). There is an optional setting to terminate any sessions after 15 minutes of inactivity.
Sign Out. When signing out of the Optimizely Service, the system is designed to delete the session cookie from the client and to invalidate the session identifier on Optimizely servers.
Network and Transmission Controls
By default all communications from your end users and your visitors with the Optimizely Service are encrypted using industry-standard communication encryption technology. Optimizely currently uses Transport Layer Security (TLS), with regular updates to ciphersuites and configurations.
Optimizely regularly updates network architecture schema and maintains an understanding of the data flows between its systems. Firewall rules and access restrictions are reviewed for appropriateness on a regular basis.
Optimizely uses an Intrusion Detection System (IDS), a Security Incident Event Management (SIEM) system and other security monitoring tools on the production servers hosting the Optimizely Service. Notifications from these tools are sent to the Optimizely Security Team so that they can take appropriate action.
Data Confidentiality and Job Controls
Access to your visitor and account data stored on the Optimizely Service is restricted within Optimizely to employees and contractors who have a need to know this information to perform their job function, for example, to provide customer support, to maintain infrastructure, or for product enhancements (for instance, to understand how an engineering change affects a group of customers).
Optimizely currently requires the use of single sign-on, strong passwords and/or 2-factor authentication for all employees to access production servers for the Optimizely Service.
Optimizely has implemented several employee job controls to help protect the information stored on the Optimizely Service:
All Optimizely employees are required to sign confidentiality agreements prior to accessing our production systems.
All Optimizely employees are required to receive security and privacy training at time of hire, as well as quarterly security and/or privacy awareness training.
Employee access to production systems that contain your data is logged and audited
Optimizely employees are subject to disciplinary action, including but not limited to termination, if they are found to have abused their access to customer data
Starting on May 18, 2017, new Optimizely employees are subject to background check prior to employment, where permitted by law
Security in Engineering
Optimizely’s software security practices are measured using industry-standard security models (currently, the Building Security In Maturity Model (BSIMM)). The Optimizely software development lifecycle (SDLC) for the Optimizely Service includes many activities intended to foster security:
Defining security requirements
Design (threat modeling and analysis, security design review)
Development controls (static analysis, manual peer code review)
Testing (dynamic analysis, Bug Bounty Program, 3rd party security vulnerability assessments)
We currently use unit, integration, and end-to-end tests, where applicable, to catch regressions
Deployment controls (such as change management and canary release process).
Optimizely designs, reviews and tests the software for the Optimizely Service using applicable OWASP standards.
The software we develop for the Optimizely Service is continually monitored and tested using processed designed to proactively identify and remediate vulnerabilities. We regularly conduct:
Automated source code analysis designed to find common defects
Peer review of all code prior to being pushed to production
Manual source code analysis on security-sensitive areas of code
Third-party application security assessments and penetration tests performed annually
Optimizely currently offers a bug bounty program to encourage reporting of security issues with our product. Bugs can be reported via the program, or via email at email@example.com.
The infrastructure for the Optimizely Service is designed to minimize service interruption due to hardware failure, natural disaster, or other catastrophes. Features include:
State of the art cloud providers: We use Google App Engine and Amazon Web Services, which are trusted by thousands of businesses to store and serve their data and services.
Data replication: To help ensure availability in the event of a disaster, we replicate data across multiple data centers.
Backups: We perform daily, weekly, and monthly backups of data stored on the Optimizely Service, which are tested regularly.
Continuity plan: We have an office located in Amsterdam to assist in business continuity should regional issues at our global headquarters in San Francisco, California disrupt our ability to provide the services or support to you.
Optimizely has an Incident Response Plan designed to promptly and systematically respond to security and availability incidents that may arise. The incident response plan is tested and refined on a regular basis.
The Optimizely Service is designed for use cases ranging from single account holders to large teams. User roles specify different levels of permissions that you can use to manage the users on your Optimizely Service account. You can invite users to your account without giving all team members the same levels of permissions. These user permission levels are especially useful when there are multiple people working on the same project or experiment.