cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Showing results for 
Search instead for 
Did you mean: 

Community Tip - Need help navigating or using the PTC Community? Contact the community team. X

Cybersecurity Concerns / Large Customer

victor1790
8-Gravel

Cybersecurity Concerns / Large Customer

Hi All, I have some questions that were brought from a customer cybersecurity team, hope you could help me clarify..     

 

Based on the document “FAD_ChalkSecurityOverview_Apr_2020”, this looks like PTC built a SaaS solution on AWS. However:

  1.       How is PTC’s Chalk service setup in AWS? Does PTC uses AWS as IaaS or PaaS or SaaS?  
  2.       It mentioned that the Chalk service uses AWS’s Cognito for access control.  How will admin and user be authenticated?  Any MFA used?
  3.       Does it has PEN test report from a 3rd party
  4. PTC has placed the user access control responsibilities onto their customers.  So how will the user account, password/MFA policy be managed and how will the user access be monitored?  For any information stored in the Chalk, who will be responsible for deleting them when no longer needed?   

Hope somebody could help me.

 

Regards

 

VF

1 ACCEPTED SOLUTION

Accepted Solutions

Hi @victor1790 

 

I've asked for clarification on number 1 from our product team. I'll do my best to answer the rest:

 

2.  Chalk user authentication and user identity is managed by Amazon Web Services (Cognito). Additionally, different roles are assigned to users within the Chalk application for managing access. Chalk offers SAML-based SSO if the customer prefers to manage user authentication themselves. Vuforia Chalk admins invite users to the system by email, both for direct and single sign-on (SSO) authentication. Access to any user data requires successful authentication. When using the Vuforia Chalk SAML-based SSO capability, customers can rely on their own Identity Management System (IdMS) for User Identity Authentication. User management (granting SSO-federated users access to Chalk, removing users from Chalk access, modifying their personal information, etc) is managed through the Chalk Admin Center, irrespective of the authentication provider (SSO or direct with Chalk). There are authorization rules to restrict based on role-based privileges.

 

3.  Yes, vulnerabilities are scanned as part of internal and third-party penetration testing which has been performed for all software components.

 

4. Customers can enable MFA, enforce password limits, etc by using federated authenticaion (SSO). I think the answer to #2 covers this question as well. 

View solution in original post

4 REPLIES 4

Hi @victor1790 

 

I've asked for clarification on number 1 from our product team. I'll do my best to answer the rest:

 

2.  Chalk user authentication and user identity is managed by Amazon Web Services (Cognito). Additionally, different roles are assigned to users within the Chalk application for managing access. Chalk offers SAML-based SSO if the customer prefers to manage user authentication themselves. Vuforia Chalk admins invite users to the system by email, both for direct and single sign-on (SSO) authentication. Access to any user data requires successful authentication. When using the Vuforia Chalk SAML-based SSO capability, customers can rely on their own Identity Management System (IdMS) for User Identity Authentication. User management (granting SSO-federated users access to Chalk, removing users from Chalk access, modifying their personal information, etc) is managed through the Chalk Admin Center, irrespective of the authentication provider (SSO or direct with Chalk). There are authorization rules to restrict based on role-based privileges.

 

3.  Yes, vulnerabilities are scanned as part of internal and third-party penetration testing which has been performed for all software components.

 

4. Customers can enable MFA, enforce password limits, etc by using federated authenticaion (SSO). I think the answer to #2 covers this question as well. 

Hi @tmccombie

 

thank you very much for your help. With regards to your answers:

 

3.- Can PTC share this reports (PEN) or provide a document where the PEN test are referenced?

 

4.- What happens when a customer ends its subscription? How is their information handled? Does PTC delete it? Is there any document referring this?

 

Thanks again!

 

VF

 

 

 

 

Hi Victor

 

1. We use AWS as a PaaS and IaaS provider with Chalk being SaaS

 

3. You can email VuforiaComplianceTeam@ptc.com  for a copy of our SOC 2 report

 

I'm getting clarification on 4 and will update you once I have it. 

 

 

For number 4, please see below.

 

When a customer's subscription ends, their account will go into “Suspended” where they would no longer have access to the Chalk Admin Center. Their data footprint is low (i.e., Company Info, User List and Session Activity) - but we can purge the data and export that data if requested by the customer.

Top Tags