victor1790 (1-Visitor)
May 29, 2020
Solved

Cybersecurity Concerns / Large Customer

  • May 29, 2020
  • 1 reply
  • 2728 views

Hi All, I have some questions that were brought to me by a customer cybersecurity team; hope you could help me clarify.

Based on the document “FAD_ChalkSecurityOverview_Apr_2020”, it looks like PTC built a SaaS solution on AWS. However:

  1. How is PTC’s Chalk service set up in AWS? Does PTC use AWS as IaaS, PaaS or SaaS?
  2. It mentioned that the Chalk service uses AWS’s Cognito for access control. How will admins and users be authenticated? Is any MFA used?
  3. Does it have a PEN test report from a 3rd party?
  4. PTC has placed the user access control responsibilities onto their customers. So how will the user account and password/MFA policy be managed, and how will user access be monitored? For any information stored in Chalk, who will be responsible for deleting it when no longer needed?

Hope somebody could help me.

Regards

VF

Best answer by tmccombie

1 reply

tmccombie (21-Topaz I), Answer
May 29, 2020

Hi @victor1790

I've asked for clarification on number 1 from our product team. I'll do my best to answer the rest:

2. Chalk user authentication and user identity is managed by Amazon Web Services (Cognito). Additionally, different roles are assigned to users within the Chalk application for managing access. Chalk offers SAML-based SSO if the customer prefers to manage user authentication themselves. Vuforia Chalk admins invite users to the system by email, both for direct and single sign-on (SSO) authentication. Access to any user data requires successful authentication. When using the Vuforia Chalk SAML-based SSO capability, customers can rely on their own Identity Management System (IdMS) for User Identity Authentication. User management (granting SSO-federated users access to Chalk, removing users from Chalk access, modifying their personal information, etc.) is managed through the Chalk Admin Center, irrespective of the authentication provider (SSO or direct with Chalk). There are authorization rules to restrict based on role-based privileges.

3. Yes, vulnerabilities are scanned as part of internal and third-party penetration testing which has been performed for all software components.

4. Customers can enable MFA, enforce password limits, etc. by using federated authentication (SSO). I think the answer to #2 covers this question as well.
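Answers 2 and 4 above describe a general pattern: a SAML-federated login where the customer's own IdP enforces MFA and password policy, followed by role-based authorization inside the application. As an added illustration (not PTC's or Chalk's code, and saying nothing about how Chalk itself is built), the Python below shows the checks a service provider performs on the relying side of that arrangement: it inspects a constructed, already-signature-verified SAML assertion, refuses it unless the IdP's AuthnContextClassRef proves a second factor and the audience and validity window are right, and then applies deny-by-default role permissions. The audience, issuer, subject, role and action names, the clock value and the `make_response` helper are all constructed for the example; XML signature verification, which a real deployment must perform first with a proper SAML library, is assumed to have already happened.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Added example, not PTC/Chalk code. Assumes the SAML Response's XML signature
# was already verified by a real SAML library; only verified content is inspected.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}

# Standard SAML 2.0 authentication-context classes accepted here as proof that
# the customer's IdP performed a second factor. Password-only classes are absent.
MFA_CONTEXTS = {
    "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken",
}

# Role -> permitted actions (constructed names). Deny by default: an action not
# listed for a role, or a role not listed at all, grants nothing.
ROLE_PERMISSIONS = {
    "admin": {"invite_user", "remove_user", "view_session", "delete_session"},
    "technician": {"view_session"},
}

SP_AUDIENCE = "https://sp.example.invalid/metadata"              # constructed SP entity ID
EXAMPLE_NOW = datetime(2020, 5, 29, 10, 1, tzinfo=timezone.utc)  # constructed clock


@dataclass
class LoginDecision:
    authenticated: bool
    subject: str = ""
    roles: set = field(default_factory=set)
    reasons: list = field(default_factory=list)


def _parse_time(value):
    """SAML timestamps are UTC ISO 8601, e.g. 2020-05-29T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, now, expected_audience=SP_AUDIENCE, require_mfa=True):
    """Check validity window, audience, proof of MFA and subject; collect every failure."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return LoginDecision(False, reasons=["no assertion"])
    reasons = []
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        reasons.append("missing Conditions")
    else:
        if "NotBefore" in cond.attrib and now < _parse_time(cond.attrib["NotBefore"]):
            reasons.append("assertion not yet valid")
        if "NotOnOrAfter" in cond.attrib and now >= _parse_time(cond.attrib["NotOnOrAfter"]):
            reasons.append("assertion expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if expected_audience not in audiences:
            reasons.append("audience mismatch")
    ctx = assertion.find("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    ctx_text = (ctx.text or "").strip() if ctx is not None else ""
    if require_mfa and ctx_text not in MFA_CONTEXTS:
        reasons.append("MFA not proven by IdP (context: %s)" % (ctx_text or "none"))
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    subject = (name_id.text or "").strip() if name_id is not None else ""
    if not subject:
        reasons.append("missing NameID")
    roles = {v.text.strip() for v in assertion.findall(
        "saml:AttributeStatement/saml:Attribute[@Name='role']/saml:AttributeValue", NS) if v.text}
    return LoginDecision(not reasons, subject, roles, reasons)


def authorize(decision, action):
    """Role-based check: no authentication, no access; no listed permission, no access."""
    if not decision.authenticated:
        return False
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in decision.roles)


def make_response(authn_context, role="technician",
                  not_on_or_after="2020-05-29T10:05:00Z", audience=SP_AUDIENCE):
    """Constructed, unsigned SAML Response standing in for real IdP output."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Assertion Version="2.0" ID="_constructed" IssueInstant="2020-05-29T10:00:00Z">
    <saml:Issuer>https://idp.example.invalid/</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.invalid</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2020-05-29T09:55:00Z" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2020-05-29T10:00:00Z">
      <saml:AuthnContext><saml:AuthnContextClassRef>{authn_context}</saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="role"><saml:AttributeValue>{role}</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    for ctx in ("urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract",
                "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"):
        d = validate_assertion(make_response(ctx, role="admin"), EXAMPLE_NOW)
        print(ctx.rsplit(":", 1)[1], "->", "login ok" if d.authenticated else d.reasons,
              "| invite_user:", authorize(d, "invite_user"))
```

The point for a customer security team is the `require_mfa` branch: when authentication is federated, the relying application only sees what the IdP asserts, so the application's MFA guarantee is only as strong as its insistence on an MFA-class AuthnContextClassRef (or an equivalent IdP-specific attribute), and that list should be agreed with whoever runs the IdP.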

victor1790 (1-Visitor)
May 29, 2020

Hi @tmccombie

Thank you very much for your help. With regards to your answers:

3. Can PTC share these reports (PEN) or provide a document where the PEN tests are referenced?

4. What happens when a customer ends its subscription? How is their information handled? Does PTC delete it? Is there any document referring to this?

Thanks again!

VF


tmccombie (21-Topaz I)
June 2, 2020

Hi Victor

1. We use AWS as a PaaS and IaaS provider with Chalk being SaaS

3. You can email VuforiaComplianceTeam@ptc.com for a copy of our SOC 2 report

I'm getting clarification on 4 and will update you once I have it.