Wichtiger Hinweis

Innerhalb von Bluebeam Revu gibt es einen Echtzeit-Zusammensarbeitsraum, welcher mit einer AWS-Cloudtechnologie arbeitet und wahlweise verwendet oder blockiert werden kann. Das Bluebeam Studio kann nur über die Client Applikation Bluebeam Revu erreicht und verwendet werden. Mit der Installation Bluebeam Revu wird der Button “Bluebeam Studio” in der Anwendung eingeblendet und der Anwender kann sich über einen Registierungsmechanismus anmelden. Für die Anmeldung müssen seitens der IT die unten aufgeführten Domains freigegeben werden; diese sind in der Regel nicht freigegeben.

Dementsprechend gibt es eine “Online-Nutzung” und eine “Offline-Nutzung” von Bluebeam Revu. Nur bei der Online Nutung, also der Nutzung inkl. Bluebeam Studio, müssen Sie das folgende Dokument beachten. Bei einer Offline-Nutzung ohne Bluebeam Studio entfällt die Beachtung der folgenden Ausführung. Als einfachtes Vorgehen zur offline Nutzung sollte die IT die Bluebeam Studio Domains für Nutzer blockieren, wenn es nicht standardmäßig schon der Fall ist.

Introduction

This document provides clarification of questions we receive from Bluebeam Studio™ users regarding document and system security, access control, as well as the consequences of an infrastructure failure.

Accessing Bluebeam Studio

In order to participate in Studio Sessions and Projects, users must enter a username and password.

Studio server connections are initiated by Revu clients, but the system does not send inbound connection requests back to the client. Primary communication and transmission of files, markups and other rich data uses the HTTPS protocol, while encryption and authentication uses the Transport Layer Security (TLS) protocol.

Firewall Requirements

Revu 12.5 and above need access to the following domains in order to communicate with the Studio Server:

*.amazonaws.com:443

*.bluebeam.com:443

*.bluebeamstudio.co.uk:443

Studio-Related Email Domains

We use the following domains to communicate with end-users for support, licensing and Studio-related information. Please make sure they are white-listed to ensure successful email transmission:

@bluebeam.com

@bluebeamstudio.co.uk

@bluebeamops.com

@bluebeam-support.com

End-User Authentication & Access Control

The following protocols have been implemented for secure end-user authentication and access control:

Certificate Requirements

Connections to the Studio server (studio.bluebeam.com) are encrypted using a Public Key Infrastructure-based (PKI) SSL certificate, issued by Amazon Web Services Certificate Authority (AWS CA).

The certificate may be viewed by going to https://studio.bluebeam.com and clicking the padlock icon, located near the beginning of the URL in the address bar.

Password Requirements & Storage

All passwords must be between 8 and 32 characters, with at least one uppercase letter, one lowercase letter, one number and one special character, such as !@#$%^&*.

Password are hashed prior to storage, using a one-way strong hash algorithm with salt.

Along with this, an ‘exponential back-off’ algorithm locks accounts for progressively longer periods of time with each failed login attempt using an incorrect password. Login failures are logged, and our Operations Team is alerted if the quantity rises above a preset level.

Data and System Security

The measures described below have been implemented to address data and system security concerns.

Infrastructure and Data Storage

Bluebeam Studio is hosted on Amazon Elastic Compute Cloud (EC2) managed by Amazon Web Services (AWS).

The Studio infrastructure is comprised of application servers which serve Revu clients on Windows^®, macOS^®, and iOS, as well as a backend processing system and a data tier.

User data, Project and Session metadata, and Session markups are stored on SQL servers. Actual Project and Session documents reside on Amazon Simple Storage Service (Amazon S3) servers.

Bluebeam Studio has two separate insulated instances for data residency concerns, located in the United States and the United Kingdom. The SQL and S3 buckets containing customer data are not shared between the two instances. Both instances are accessible from anywhere in the world.

SLA’s for Amazon EC2 and Amazon S3 can be found in following locations:

• https://aws.amazon.com/ec2/sla/
• https://aws.amazon.com/s3/sla/

Data Protection

In addition to encryption of all SQL server backups and developer hard drives, all documents are automatically encrypted when uploaded to a Studio Session or Project using Revu 2015 and above, as described below.

Encryption

Encryption is done by AWS using a combination of an Amazon Resource Name (ARN) and an AWS Key Management Service (KMS) key ID.

All data is encrypted at-rest (AES-256 encryption) and in-transit. Data transfer is encrypted in transit via TLS1.2* between the Revu client and Amazon S3. In the server environment, files are encrypted in Amazon’s S3 service. SQL database backups are stored on encrypted volumes.

System security

We’ve ensured that all server instances perform in the same manner and are subjected to the same network policies and restrictions by building them with a validated and tested “template.” Once deployed, the following steps and policies are in place to provide additional security and consistency across the infrastructure:

Controlled Administrator Access

Only a select group of engineers have administrative rights within the Bluebeam Studio infrastructure, and management console access is controlled via Multi-Factor Authentication (MFA).

Change Control

All system changes and enhancements are documented and must undergo testing and approval by our DevOps and Security teams, before implementation in the production environment.

Logging

Audit logging of system and application-level changes and processes are centralized in our log management system.

Application and system security logs are retained for a minimum of 30 days. Only DevOps engineers have access to these logs. Developer access to logs for troubleshooting must be approved by security personnel.

Vulnerability Assessment and Remediation

We’ve implemented a comprehensive vulnerability assessment and remediation process to address any security issues that may arise. These measures include antivirus protection on all servers, proactive system patching policy, and file integrity monitoring (which detects unauthorized changes to the systems).

Applications with a web component are scanned prior to and after deployment to the production environment.

All production systems are scanned for infrastructure vulnerabilities on a recurring basis and are patched accordingly.

Inventory of Authorized Assets

All production asset additions and modifications are restricted to the DevOps team and follows Change Control procedures.  The DevOps team leverages AWS tools to maintain asset inventory.

Infrastructure & System Monitoring

To ensure a steady state of operations, a comprehensive monitoring and alert system is in place for the following:

• Server infrastructure: CPU, memory, disk space, and uptime.
• Applications: errors, performance degradation, and uptime.
• Network Performance: usage and bandwidth, server response time, throughput, and web requests.

System Maintenance

Regular maintenance tasks and emergency maintenance is performed in accordance with our established Change Control process.

Disaster Recovery (DR)

In case of emergency, Bluebeam Studio includes proactive infrastructure monitoring, which provides information and alerts on system availability as well as performance and error conditions. Additionally, the Bluebeam Studio team regularly tests their disaster recovery procedures.

To handle the unfortunate event of an infrastructure failure, we’ve also put the following contingencies in place:

Backup Protocol

Full backups of the SQL Databases and Files Stores are performed on a daily basis. The backup files are stored away from production servers, and their integrity is checked regularly.

Scheduling

SQL Database Backups

• Transaction log backups are taken every 15 minutes. Stored for 30 days.
• Full backups are taken once a day. Stored for 30 days.
• Monthly full backups. Stored for 10 years.

PDF File Backups

PDF file changes uploaded to Amazon S3 servers are copied to an isolated S3 bucket every night. These backup files are stored away from production servers, and their integrity is checked periodically.

All backups are replicated to a different AWS region.*

Infrastructure Redundancy

There is full redundancy for all Studio application servers. If a primary server fails, all traffic will automatically be switched to a secondary server.

Application servers run in a cluster behind a load balancer. Studio SQL use “AlwaysOn” to provide HA. DNS redundancy is provided by AWS Route53.

Regional Failure

In the event of a failure in our primary AWS region all data is replicated to a secondary region. Automation is in place to build all studio infrastructure so we can restore the backups and provide service from the secondary region.

*Regional failure scenario does not apply to bluebeamstudio.co.uk.

Change Log