Updated DNAnexus Impact Assessment for Cloudbleed: No evidence of exploitation.

As described in our February 27, 2017 blog post regarding the Cloudflare information leak (“Cloudbleed”), a bug within the code running on Cloudflare edge servers was discovered by a Google security researcher.

Upon further investigation into the use of Cloudflare on DNAnexus we found, on February 27th at 2:39 PM PST, that contrary to what we had indicated in our blog post, HTTP requests to platform.dnanexus.com served by Cloudflare edge servers in some cases included session tokens with authentication information. We revoked all customer session tokens at 5:06 PM PST that same day, at which point all requests to DNAnexus required re-authentication. All existing tokens were unusable after this time.

On February 23rd Cloudflare provided their most recent update and stated that there was no evidence of exploitation; there have been no updates since that deviate from this information. Additionally, Cloudflare has completed analysis of edge server log data, and on March 3rd confirmed that platform.dnanexus.com was not found to have been impacted.

Our CDN usage design has been reviewed and we continue to believe no customer has been impacted by the incident. Any potential new exposure has been eliminated and there continues to be no evidence of exploitation.

We know how critical information security is to our customers, so if you have any questions about your account, please do not hesitate to contact our customer support team at support@dnanexus.com.

DNAnexus Not Impacted by Cloudflare Information Leak (“Cloudbleed”)

A serious bug within the code running on Cloudflare edge servers may have leaked sensitive data from a large number of websites over many months. First, and most importantly, the DNAnexus Platform has not been impacted by this incident and no DNAnexus user data has been leaked.

Cloudflare provides Content Distribution Network (CDN) services, which enable providers of web content to enhance user experience by caching web content on edge servers geographically proximate to the web client. As part of a shared service, each edge server presents web content from multiple Cloudflare customers.

The bug led to a condition whereby the edge servers were returning content entirely unrelated to the requested web content, and that leaked content contained unencrypted private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data. Search engines subsequently crawled and cached this leaked content, enabling it to be searched. For example, a web request to a ride sharing service could have resulted in leaked content being returned from a dating service.

DNAnexus uses the Cloudflare CDN service only to accelerate serving of public web content, such as web site images, help text, and HTML/CSS. DNAnexus does not serve any credentials, tokens, or user data via the CDN; thus DNAnexus users are not impacted by this bug, and no DNAnexus user information has been leaked.

DNAnexus users do not need to change their DNAnexus password, unless they use similar passwords for other websites that were affected. We strongly recommend that users always choose a unique password for their DNAnexus account and that they configure their account to use two-factor authentication as described in the DNAnexus wiki documentation.

If you have any questions about your account, please contact our customer support team at support@dnanexus.com.

A Safe (and Compliant) Haven for Genomic Data in the Cloud

Despite a general comfort with putting personal information on Facebook or LinkedIn or plugging our credit card numbers into websites to book travel, buy birthday presents or rent movies, one of the earliest and most lasting concerns raised about storing genomic data in the cloud has been whether the data are secure.

And rightfully so. Data security isn’t a “nice-to-have” when it comes to personally-identifiable DNA sequence data; it’s essential. With genomic sequencing emerging as essential to clinical development and the delivery of both diagnostics and therapies, compliance with regulations that apply to the handling of genetic data and its subsequent integration into other medical data systems is equally critical. As raw data are converted into more meaningful information, they become an asset as valuable and sensitive as any other personal information, currency, or intellectual property.

We’ve taken a very proactive approach to security and compliance at DNAnexus. Just as hospitals put the highest possible premium on security of their data, so too do cloud platform providers — because their entire business rides on utilizing best-in-class measures to assure the security, integrity and availability of their customers’ data. Our platform was developed from the ground up with this in mind and includes a number of features that allow each user to create a secure and compliant environment that will meet their unique needs today and in the future.

More specifically, the DNAnexus platform was developed with the internationally accepted ISO 27002 controls for best practices in information security and includes a number of features to ensure the highest level of data security for both research and clinical use, including:

  • Data integrity:
    • SAS-70 and PCI certified physical security of data centers
    • Data encryption (with full-disk AES-256 for data storage and SSL/TLS for data transport)
    • Third-party security audit
  • Access control:
    • Member administrators control access and retention policies
    • Passwords must be complex and periodically changed
    • Accounts time out when idle, and lock when unused or after too many incorrect login attempts
  • Administrator restrictions:
    • Two-factor authentication required
    • All administrative access is controlled and logged
  • API access restrictions:
    • API key required and limited to a validity period

To provide additional assurance to our users, we received an independent auditors’ certification of our compliance with ISO-27001 with respect to the management of our information systems.

To comply with clinical requirements relating to data integrity and reproducibility, DNAnexus supports data logging and auditability for 6 years, and versioned and reproducible analysis tools and results. Collectively, the security and compliance features implemented in our platform enable compliance with HIPAA, CLIA, Good Clinical Practice (GCP), 21 CFR Parts 11 and 58, 42 CFR Part 493, European Data Privacy laws and regulations (EU Directive 95/46/EC) and dbGaP Best Practices. For additional details please review our following white papers on our security and compliance practices:

We also work closely with our partners at Amazon Web Services to develop and deploy security strategies that are often far more sophisticated than those used in, or even available to, most premises-based data centers. Whether your data is at rest or in motion as you share it across your project group, you can be sure it’s protected within the DNAnexus platform.

If you are interested in learning more about our security and compliance measures, please visit dnanexus.com.