Security
Keeper Connection Manager security and encryption model

Keeper is Fanatical About Data Protection

Keeper utilizes best-in-class security with a zero-trust framework and zero-knowledge security architecture to safeguard your infrastructure and mitigate the risk of a data breach.

Overview

Keeper Security, Inc. (KSI) is passionate about protecting its customers' information and infrastructure with Keeper desktop and mobile security software. Millions of consumers and businesses trust Keeper to secure and access remote systems, passwords and private information. Keeper's software is constantly improved and updated to provide our customers with the latest in technology and protection. This page provides an overview of Keeper's security architecture and encryption methodologies.

System Architecture

The Keeper Connection Manager Gateway is a platform that is fully hosted by the customer in any cloud, on-prem or virtual environment. Keeper Security provides the customer with several installation methods including a Simple Docker Install, Custom Docker Install and Advanced Linux Install method.
Keeper provides Enterprise packages that are made up of several core components including:
  • Apache Guacamole web application software
  • Apache Guacamole "guacd" protocol service
  • NGINX for SSL termination and reverse proxy
  • Apache Tomcat services
  • MySQL, PostgreSQL or other supported databases
Additional packages that support Enterprise capabilities such as SAML 2.0 / SSO, OpenID Connect, TOTP, Vault Integration and components are provided as part of the package installers or as separate add-on components.
Architecture Diagram

Apache Guacamole™

The engineering team at Keeper Security that built Keeper Connection Manager (formerly Glyptodon) are the inventors and primary maintainers of the open source Apache Guacamole project. Keeper Security is proud to support the open source community and millions of users who use the Apache Guacamole remote desktop software.

Least Privilege Access

The packages provided by Keeper Connection Manager have been designed to follow best practices with respect to security, particularly with respect to the Principle of Least Privilege. This is accomplished through careful delegation of rights through users and groups which are automatically created by the Keeper Connection Manager packages, and through strict file permissions.

Production Configuration

Once ready to deploy Keeper Connection Manager to production, it is critically important that customers configure SSL encryption. You will need to obtain an SSL certificate for your server such that all Keeper Connection Manager traffic is encrypted.
If you have deployed Keeper Connection Manager using the Simple Docker Install or Custom Docker Install method, you may have already configured SSL.
If you deployed Keeper Connection Manager using the Advanced Linux Install method, we recommend using a reverse proxy like Apache or NGINX for SSL termination. We provide documentation for configuring either of these reverse proxies:
In addition, as the user-mapping.xml authentication mechanism is meant only as a quick means of testing Guacamole (it is not supported for production deployments), customers need to migrate to a production-ready authentication mechanism. All authentication methods packaged within Keeper Connection Manager and which are not user-mapping.xml are production-ready:
If you wish to enable multi-factor authentication in front of Keeper Connection Manager, you may do so with Duo or TOTP (the standard supported by Google Authenticator and similar apps). Multi-factor authentication is supported in front of any of the above production-ready authentication mechanisms:
In addition to the above authentication methods, Keeper Connection Manager supports the use of Client Certificates to lock down access to specific machines that are managed by the Enterprise.

Service/System Accounts and Groups

The Keeper Connection Manager packages create the following users and groups in order to limit the access of services within the Guacamole stack:
  • The "guacamole" group - owns all files which the Guacamole web application should be able to read.
  • The "guacd" group - owns all files which the guacd service should be able to read.
  • The "guacd" user - the sole member of the "guacd" group, and the user which runs the guacd service.
When installing Keeper Connection Manager using the Advanced Linux Install method with Tomcat, you will need to ensure the "tomcat" user is a member of the "guacamole" group. If this is not done, the Guacamole web application will not be able to read its own configuration files, and web application startup will fail:
$ sudo usermod -aG guacamole tomcat
The "guacd" user and group are intentionally limited in privilege. If you need guacd to have access to additional files or directories, such as for file transfer or storing session recordings, you will need to set the ownership and permissions of those files appropriately.

Users and File Ownership

The ownership and permissions of sensitive files like guacamole.properties, user-mapping.xml, and guacd.conf have been set such that only the components of the Apache Guacamole stack that should be able to read those files can read those files, and such that no component within the Guacamole stack can write or otherwise modify those files:
$ ls -l /etc/guacamole/
total 20
drwxr-xr-x. 2 root root 47 Apr 27 23:17 extensions
-rw-r-----. 1 root guacamole 10748 Jun 24 2017 guacamole.properties
-rw-r-----. 1 root guacd 1334 Apr 26 05:18 guacd.conf
drwxr-xr-x. 2 root root 32 Apr 27 23:17 lib
-rw-r-----. 1 root guacamole 1938 Apr 27 22:40 user-mapping.xml
$
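The ownership model from the two sections above can be checked for drift after upgrades or manual edits. The script below is an added example, not part of Keeper's packages or documentation; the function names are hypothetical, the expected owners and groups are taken from the listing on this page, and it assumes GNU stat on the gateway host.

```shell
#!/bin/sh
# Added example (not Keeper tooling). audit_listing reads lines of
# "<octal-mode> <owner> <group> <path>", as GNU stat -c '%a %U %G %n' prints.

# Group each entry is expected to have, taken from the listing on this page.
expected_group() {
    case "${1##*/}" in
        guacamole.properties|user-mapping.xml) echo guacamole ;;
        guacd.conf)                            echo guacd ;;
        *)                                     echo root ;;  # extensions, lib
    esac
}

# Print one FAIL line per deviation; return non-zero if any were found.
audit_listing() {
    failures=0
    while read -r mode owner group path; do
        [ -n "$path" ] || continue
        want=$(expected_group "$path")
        if [ "$owner" != root ]; then
            echo "FAIL $path: owner is $owner, expected root"
            failures=$((failures + 1))
        fi
        if [ "$group" != "$want" ]; then
            echo "FAIL $path: group is $group, expected $want"
            failures=$((failures + 1))
        fi
        # No group/other write anywhere: the stack must not modify its config.
        if [ $((0$mode & 022)) -ne 0 ]; then
            echo "FAIL $path: mode $mode is group- or world-writable"
            failures=$((failures + 1))
        fi
        # Files readable by a service group must be closed to everyone else.
        if [ "$want" != root ] && [ $((0$mode & 007)) -ne 0 ]; then
            echo "FAIL $path: mode $mode grants access to other users"
            failures=$((failures + 1))
        fi
    done
    [ "$failures" -eq 0 ]
}

# True if group $2 appears in the space-separated list $1 (from `id -nG user`).
in_group() {
    case " $1 " in *" $2 "*) return 0 ;; *) return 1 ;; esac
}
# Live use, as root on the gateway host:
#   stat -c '%a %U %G %n' /etc/guacamole/* | audit_listing
#   in_group "$(id -nG tomcat)" guacamole || echo "tomcat not in guacamole"
```

A non-zero exit status from audit_listing makes it usable as a gate in configuration management or a post-upgrade check.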

Upgrade Methods

  • Customers who deploy the Advanced Linux Install through package management are provided update packages through Keeper Connection Manager's YUM repository (the “yum” tool will automatically apply updates when the administrator runs the command to do so).
  • Customers who deploy the Simple Docker Install version can use the built-in update capabilities.
  • Customers who deploy the Custom Docker Install version can use the Docker update capabilities.

Compliance & Audits

Certified SOC 2 Compliant

Customer vault records are protected using stringent and tightly monitored internal control practices. Keeper is certified as SOC 2 Type 2 compliant in accordance with the AICPA Service Organization Control framework. SOC 2 certification helps ensure that your vault is kept secure through the implementation of standardized controls as defined in the AICPA Trust Service Principles framework.

ISO 27001 Certified (Information Security Management System)

Keeper Security is ISO 27001 certified, covering the Keeper Security Information Management System which supports the Keeper Enterprise Platform. Keeper's ISO 27001 certification is scoped to include the management and operation of the digital vault and cloud services, software and application development, and protection of digital assets for the digital vault and cloud services.

GDPR Compliance

Keeper is GDPR compliant and we are committed to ensuring our business processes and products continue to maintain compliance for our customers in the European Union. Click here to learn more about Keeper's GDPR compliance and download data processing agreements.

Protection of Patient Medical Data

Keeper software is compliant with global, medical data protection standards covering, without limitation, HIPAA (Health Insurance Portability and Accountability Act) and DPA (Data Protection Act).

HIPAA Compliance and Business Associate Agreements

Keeper is a SOC2-certified and ISO 27001-certified zero-knowledge security platform that is HIPAA compliant. Strict adherence and controls covering privacy, confidentiality, integrity and availability are maintained. With this security architecture, Keeper cannot decrypt, view or access any information, including ePHI, stored in a user’s Keeper Vault. For the foregoing reasons, Keeper is not a Business Associate as defined in the Health Insurance Portability and Accountability Act (HIPAA), and therefore, is not subject to a Business Associate Agreement.
To learn more about the additional benefits for healthcare providers and health insurance companies, please read our Security Disclosure and visit our Enterprise Guide.

Penetration Testing

Keeper performs quarterly pen testing with 3rd party experts including NCC Group and Cybertest. In addition, Keeper works with independent security researchers who test against all of our products and systems through our Bugcrowd bug bounty program.

Third-Party Security Scanning & Penetration Tests

Keeper Security environments are tested daily by TrustedSite to ensure that the Keeper web application and KSI's Cloud Security Vault are secure from known remote exploits, vulnerabilities and denial-of-service attacks. A comprehensive external security scan is conducted monthly on the Keeper websites, Keeper web application, and Keeper Cloud Security Vault by TrustedSite. Keeper staff periodically initiate on-demand external scans.

Payment Processing and PCI Compliance

Keeper Security uses PayPal and Stripe for securely processing credit and debit card payments through the KSI payment website. PayPal and Stripe are PCI-DSS compliant transaction processing solutions. Keeper Security is certified PCI-DSS compliant by McAfee Secure.

EU-US Privacy Shield

The Keeper web client, Android App, Windows Phone App, iPhone/iPad App and browser extensions have been certified Privacy Shield compliant with the U.S. Department of Commerce's EU-U.S. Privacy Shield program, meeting the European Commission's Directive on Data Protection. For more information about the U.S. Department of Commerce U.S. Privacy Shield program, see https://www.privacyshield.gov

FIPS 140-2 Validated

Keeper utilizes FIPS 140-2 validated encryption modules to address rigorous government and public sector security requirements. Keeper’s encryption has been certified by the NIST CMVP and validated to the FIPS 140 standard by accredited third party laboratories. Keeper has been issued certificate #3967 under the NIST CMVP.

U.S. Department of Commerce Export Licensed Under EAR

Keeper is certified by the U.S. Department of Commerce Bureau of Industry and Security under Export Commodity Classification Control Number 5D992, in compliance with Export Administration Regulations (EAR). For more information about EAR: https://www.bis.doc.gov

24x7 Remote Monitoring

Keeper is monitored 24x7x365 by a global third-party monitoring network to ensure that our website and Cloud Security Vault are available worldwide. If you have any questions regarding this security disclosure, please contact us.

Phishing or Spoofed Emails

If you receive an email purporting to be sent from KSI and you are unsure if it is legitimate, it may be a “phishing email” where the sender's email address is forged or “spoofed”. In that case, an email may contain links to a website that looks like KeeperSecurity.com but is not our site. The website may ask you for your Keeper Security master password or try to install unwanted software on your computer in an attempt to steal your personal information or access your computer. Other emails contain links that may redirect you to other potentially dangerous web sites. The message may also include attachments, which typically contain unwanted software called "malware." If you are unsure about an email received in your inbox, you should delete it without clicking any links or opening any attachments. If you wish to report an email purporting to be from KSI that you believe is a forgery or you have other security concerns involving other matters with KSI, please contact us.

Hosting Infrastructure Certified to the Strictest Industry Standards

Keeper Connection Manager is hosted by the customer. The Keeper website and cloud storage runs on secure Amazon Web Services (AWS) cloud computing infrastructure. The AWS cloud infrastructure which hosts Keeper's system architecture has been certified to meet the following third-party attestations, reports and certifications:
  • SOC 1 / SSAE 16 / ISAE 3402 (SAS70)
  • SOC 2
  • SOC 3
  • PCI DSS Level 1
  • ISO 27001
  • FedRamp
  • DIACAP
  • FISMA
  • ITAC
  • FIPS 140-2
  • CSA
  • MPAA

Vulnerability Reporting and Bug Bounty Program

Keeper Security is committed to the industry best practice of responsible disclosure of potential security issues. We take your security and privacy seriously and are committed to protecting our customers’ privacy and personal data. KSI’s mission is to build the world’s most secure and innovative security apps, and we believe that bug reports from the worldwide community of security researchers are a valuable component to ensuring the security of KSI’s products and services.
Keeping our users secure is core to our values as an organization. We value the input of good-faith researchers and believe that an ongoing relationship with the cybersecurity community helps us ensure their security and privacy, and makes the Internet a more secure place. This includes encouraging responsible security testing and disclosure of security vulnerabilities.
The Keeper Connection Manager team actively monitors the upstream Apache Guacamole project for newly-disclosed security vulnerabilities, and has procedures in place for releasing security updates outside the normal release cycle. Should a vulnerability be found in Guacamole, the patch for that vulnerability will be made immediately available through the Keeper Connection Manager repository, and can be applied automatically using the upgrade process based on your installation method.

Guidelines

Keeper's Vulnerability Disclosure Policy sets out expectations when working with good-faith researchers, as well as what you can expect from us.
If security testing and reporting is done within the guidelines of this policy, we:
  • Consider it to be authorized in accordance with the Computer Fraud and Abuse Act,
  • Consider it exempt from DMCA, and will not bring a claim against you for bypassing any security or technology controls,
  • Consider it legal, and will not pursue or support any legal action related to this program against you,
  • Will work with you to understand and resolve the issue quickly, and
  • Will recognize your contributions publicly if you are the first to report the issue and we make a code or configuration change based on the issue.
If at any time you are concerned or uncertain about testing in a way that is consistent with the Guidelines and Scope of this policy, please contact us at [email protected] before proceeding.
To encourage good-faith security testing and disclosure of discovered vulnerabilities, we ask that you:
  • Avoid violating privacy, harming user experience, disrupting production or corporate systems, and/or destroying data,
  • Perform research only within the scope set out by the Bugcrowd vulnerability disclosure program linked below, and respect systems and activities which are out-of-scope,
  • Contact us immediately at [email protected] if you encounter any user data during testing, and
  • Give us reasonable time to analyze, confirm and resolve the reported issue before publicly disclosing any vulnerability finding.

Submitting a Report

Keeper has partnered with Bugcrowd to manage our vulnerability disclosure program.
Please submit reports through https://bugcrowd.com/keepersecurity.

Additional Information

Keeper Security utilizes best-in-class security with a Zero-Knowledge security architecture and Zero-Trust framework. Additional technical documentation about Keeper's Zero-Knowledge encryption model can be found at the links below:
Keeper is SOC 2 Type 2 and ISO 27001 certified. Customers may request access to our certification reports, 3rd party penetration reports and technical architecture documentation with a signed mutual NDA.