Security is a key piece of the Dwolla Platform. Our Information Security (InfoSec) team is proud of the practices they employ to protect our data from potential adversaries.

Yet security work is never done.

Dwolla’s InfoSec team put together the following white paper to go into detail about the practices Dwolla uses to protect and store data. The white paper discusses cryptography, endpoint security, border protection and what we provide customers looking to integrate with Dwolla.

Dwolla’s mission is to build the ideal platform to move money. Doing so means living at the cutting edge of technology while maintaining vital security. This requires an iterative approach to managing risk that evolves alongside the technology, people and culture of Dwolla, our clients and our partners. We focus on the protection of data and identities in everything we do. As a learning organization, we know that we are never done with security. We seek out new technologies, process improvements, risk management techniques and trusted partners (whether that be to offer services or assess our security program) to continue to improve.

Dwolla has a dedicated team of security professionals charged with protecting client data, our Platform, and our corporate networks. This team is responsible for the execution and management of our security program as reported in our SSAE 18 SOC 2 Type II Report, while taking into consideration other relevant frameworks, requirements and regulations. The team’s efforts are complemented by the high level of technical skill and security awareness found throughout our company and ecosystem.

Changes and additions to the Dwolla platform are driven by a secure software development life cycle grounded in careful design, code reviews, ruthless automation, ongoing monitoring, automated testing/scanning and continuous improvement. The Dwolla InfoSec team is physically embedded with our Engineering teams to continually partner on design/architecture decisions, testing and implementation of new solutions. This partnership emphasizes using secure defaults, architectural reviews and safe and standards-based cryptography across a platform powered and protected by AWS and Cloudflare technologies.


All Dwolla employees are required to complete annual Information Security training. This training is held within the first week for new employees joining the company, as well as annually for all employees. Additionally, all Engineering and Information Technology personnel attend annual training regarding security best practices and avoidance of common vulnerabilities.

Dwolla uses a combination of current and customized topics to drive training, including:

  • The risk-based nature of Dwolla’s information security program
  • Current trends in threats and countermeasures
  • Emerging technologies
  • Policies and procedures for the identification and reporting of security and privacy issues

Dwolla employees use hardware token-based multi-factor authentication to access sensitive information or administrative or business-critical capabilities. This is in addition to network-based restrictions. To deliver security controls which match the needs of the Dwolla Platform, the security team uses a combination of commercially and internally developed solutions to aid in preventing, detecting and remediating security events.

Our security team reports directly to the CEO and is accountable for security and compliance efforts including external information security audits (such as the SOC 2 Type II report), strategies for data protection, security operations, third-party information security risk management, digital forensics and incident response. Represented on the team are current certifications including ISC2 CISSP, ISACA CISM and SANS GCFA, as well as backgrounds in industry, consulting, academia and the federal government. The team maintains situational awareness through memberships in local and national security communities and professional organizations, subscriptions to relevant industry and vendor communications and memberships in the FBI InfraGard and Financial Services Information Sharing and Analysis Center (FS-ISAC).

Dwolla strives to protect the confidentiality and integrity of data using cryptographic methods aligned with best practices of the financial and technology sectors. Dwolla assesses itself, as well as all integrating clients and partners, against the following standards. 

Data in Transit

The movement of data across trust boundaries requires a secure channel which authenticates and protects messages. Dwolla uses a configuration of Transport Layer Security (TLS) based on safe and current versions (≥ 1.2). Additionally, Dwolla employs a combination of techniques such as HTTP Strict Transport Security (HSTS), forward secrecy, secure renegotiation and downgrade attack prevention. The Dwolla Platform does not permit non-TLS (plaintext) traffic.
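The two client-side checks below are an added example, not code from Dwolla or its white paper. They show what the transit requirements above look like when enforced in code: a TLS client context that refuses versions below 1.2 and limits TLS 1.2 to ECDHE (forward-secret) AEAD suites, and a policy check for a Strict-Transport-Security header. The header values and the one-year minimum are constructed for illustration; the OpenSSL cipher string is a standard one, but the exact suite list a given deployment permits is not stated on the page.

```python
"""Added example (not Dwolla's code): a hardened TLS client context and an
HSTS header policy check, using only the Python standard library."""
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses TLS 1.0/1.1 and non-forward-secret suites."""
    # create_default_context() already enables certificate and hostname checks.
    ctx = ssl.create_default_context()
    # Refuse anything older than TLS 1.2 (downgrade prevention).
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # For TLS 1.2, allow only ECDHE key exchange (forward secrecy) with AEAD
    # ciphers. TLS 1.3 suites are always forward-secret and are unaffected.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


def context_refuses_legacy(ctx: ssl.SSLContext) -> bool:
    """True if the context will not negotiate TLS 1.0 or 1.1."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2


def has_forward_secrecy(ctx: ssl.SSLContext) -> bool:
    """True if every enabled suite is TLS 1.3 or an ECDHE suite."""
    return all(
        c["protocol"] == "TLSv1.3" or c["name"].startswith("ECDHE")
        for c in ctx.get_ciphers()
    )


def hsts_policy_ok(header, min_age=31536000, require_subdomains=True):
    """Evaluate a Strict-Transport-Security header value against a policy.

    Returns (ok, reason). The one-year minimum and the subdomain requirement
    are the constructed policy for this example.
    """
    if header is None:
        return False, "no Strict-Transport-Security header"
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        return False, "missing or malformed max-age"
    if int(max_age) < min_age:
        return False, f"max-age {max_age} below policy minimum {min_age}"
    if require_subdomains and "includesubdomains" not in directives:
        return False, "includeSubDomains not set"
    return True, "ok"


if __name__ == "__main__":
    ctx = hardened_client_context()
    print("refuses legacy TLS:", context_refuses_legacy(ctx))
    print("forward secrecy only:", has_forward_secrecy(ctx))
    # Constructed header values, not captured from any real server.
    print(hsts_policy_ok("max-age=31536000; includeSubDomains; preload"))
    print(hsts_policy_ok("max-age=300"))
```

A context built this way fails the handshake against a server that only offers TLS 1.0/1.1 or RSA key transport, which is the client-side counterpart of the "no plaintext, current TLS only" stance described above; the HSTS check is what an integration review would run against the response headers of a client application.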

Data at Rest

Storage of data at rest is achieved through the application of symmetric key encryption or cryptographic hashing. For the storage of data which must only be compared (such as a password), data is protected using password-based hashing algorithms which incorporate salting and appropriate processing or memory work factors. Data which requires decryption is stored using the Advanced Encryption Standard (AES) with strong cipher modes.  

Key generation and cipher implementations are based on standards-based libraries, cryptographically secure pseudorandom number generators (CSPRNGs) and appropriate sources of kernel-mode entropy. Regular key rotation is augmented with automated key generation and rekeying operations, ensuring that Dwolla’s encryption keys are never handled by a human.
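The following is an added example, not Dwolla's code, of the "compare-only" storage case described above: a salted, memory-hard password hash (scrypt from the standard library) whose work-factor parameters are stored alongside the hash so they can be raised later and stale records detected. The parameter values, the record format and the sample passwords are constructed for this example; the page does not state which password-hashing algorithm or parameters Dwolla uses.

```python
"""Added example (not Dwolla's code): salted scrypt password storage with
versioned work factors, constant-time verification and upgrade detection."""
import base64
import hashlib
import hmac
import secrets

# Constructed policy: 2^14 iterations, block size 8, parallelism 1
# (memory use is about 128 * r * 2^ln bytes, i.e. 16 MiB here).
CURRENT_PARAMS = {"ln": 14, "r": 8, "p": 1}


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text + "=" * (-len(text) % 4))


def hash_password(password: str, params=CURRENT_PARAMS, salt=None) -> str:
    """Return a self-describing record: $scrypt$ln=..,r=..,p=..$salt$digest."""
    # Fresh 128-bit salt from the OS CSPRNG so equal passwords hash differently.
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.scrypt(
        password.encode(), salt=salt,
        n=2 ** params["ln"], r=params["r"], p=params["p"], dklen=32,
    )
    return "$scrypt$ln={ln},r={r},p={p}${salt}${digest}".format(
        **params, salt=_b64(salt), digest=_b64(digest)
    )


def _parse(record: str):
    _, alg, param_str, salt, digest = record.split("$")
    if alg != "scrypt":
        raise ValueError("unsupported hash algorithm: " + alg)
    params = {k: int(v) for k, v in (kv.split("=") for kv in param_str.split(","))}
    return params, _unb64(salt), _unb64(digest)


def verify_password(password: str, record: str) -> bool:
    """Recompute with the record's own parameters and compare in constant time."""
    params, salt, expected = _parse(record)
    digest = hashlib.scrypt(
        password.encode(), salt=salt,
        n=2 ** params["ln"], r=params["r"], p=params["p"], dklen=len(expected),
    )
    return hmac.compare_digest(digest, expected)


def needs_rehash(record: str, params=CURRENT_PARAMS) -> bool:
    """True if the stored work factors lag the current policy (rehash on next login)."""
    stored_params, _, _ = _parse(record)
    return stored_params != params


if __name__ == "__main__":
    # Constructed sample passwords.
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("wrong rejected:", not verify_password("Tr0ub4dor&3", record))
    legacy = hash_password("old-password", params={"ln": 12, "r": 8, "p": 1})
    print("legacy record needs rehash:", needs_rehash(legacy))
```

Storing the parameters with each record is what makes "appropriate work factors" maintainable: when the policy is raised, existing records still verify with their own parameters, and `needs_rehash` flags them for re-hashing the next time the plaintext is legitimately available.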

Tokenization

The Dwolla Platform is aligned with the OAuth 2.0 specification. Dwolla’s short-lived tokenization methodology and granular permission scoping for partners decrease the risk of any single authentication token being exposed. Specifically, these provide multiple layers of additive protection: reference, timing, scope and cryptography.

  • Reference: Dwolla does not expose high-value data such as Bank Account or Routing Numbers via the API.
  • Timing: Dwolla tokens have an expiration time of one hour. When a token expires, the access token must be refreshed.
  • Scope: Tokens have a collection of authorized actions. These are tightly scoped to a given client application, or based on the specific needs and approved uses for Dwolla partners.
  • Cryptography: Tokenization enlists cryptography to secure the information in transit and uses randomization to ensure each token is unique.
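The token store below is an added example, not Dwolla's code, that puts the four layers above side by side: a funding-source record is exposed only by an opaque reference (never the account or routing number), tokens are drawn from the OS CSPRNG, they carry a one-hour expiry, and every call is checked against the token's granted scopes. The scope names, client identifiers, account numbers and the injectable clock are constructed for the example and are not Dwolla's real API values.

```python
"""Added example (not Dwolla's code): reference, timing, scope and
randomness layers of a short-lived OAuth-style access token."""
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 3600  # one-hour lifetime, as described on the page


class FundingSourceVault:
    """Reference layer: callers see an opaque id and last four digits only."""

    def __init__(self):
        self._by_id = {}

    def add(self, account_number: str, routing_number: str) -> str:
        fs_id = secrets.token_hex(16)  # opaque, unguessable reference
        self._by_id[fs_id] = (account_number, routing_number)
        return fs_id

    def public_view(self, fs_id: str) -> dict:
        account_number, _routing = self._by_id[fs_id]
        # Neither the full account number nor the routing number leaves here.
        return {"id": fs_id, "last4": account_number[-4:]}


@dataclass(frozen=True)
class TokenRecord:
    client_id: str
    scopes: frozenset
    expires_at: float


class TokenStore:
    """Issues and checks bearer tokens; the clock is injectable for testing."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._tokens = {}

    def issue(self, client_id: str, requested_scopes, approved_scopes):
        # Scope layer: a client can never be granted more than it was approved for.
        granted = frozenset(requested_scopes) & frozenset(approved_scopes)
        # Cryptography layer: 256 bits from the OS CSPRNG, so tokens are
        # unique and unguessable rather than derived from client data.
        token = secrets.token_urlsafe(32)
        self._tokens[token] = TokenRecord(
            client_id, granted, self._clock() + TOKEN_TTL_SECONDS
        )
        return token, sorted(granted)

    def authorize(self, token: str, required_scope: str):
        """Return (allowed, reason) for one API call made with this token."""
        record = self._tokens.get(token)
        if record is None:
            return False, "unknown token"
        # Timing layer: an expired token is useless even if it leaks later.
        if self._clock() >= record.expires_at:
            del self._tokens[token]
            return False, "expired"
        if required_scope not in record.scopes:
            return False, "insufficient_scope"
        return True, "ok"


if __name__ == "__main__":
    # Constructed sample data: fake scope names, client id and account numbers.
    vault = FundingSourceVault()
    fs_id = vault.add("123456789", "999999999")
    print(vault.public_view(fs_id))
    store = TokenStore()
    token, granted = store.issue("client-a", ["funding:read", "transfers:write"], ["funding:read"])
    print("granted:", granted)
    print(store.authorize(token, "funding:read"), store.authorize(token, "transfers:write"))
```

Each layer fails independently: a leaked token is worthless after an hour, cannot be used outside its granted scopes, cannot be predicted from any other token, and even a fully authorized call never returns the underlying account or routing number.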

Devices owned and secured by Dwolla are required for access to Dwolla resources. Each Dwolla endpoint is monitored using known-good configurations, multiple security agents (malicious code/suspicious network traffic, process and file monitoring) and continuous, credentialed vulnerability scanning and system updates.

Endpoints use encrypted filesystems, block the use of mass storage devices and lock when idle. Remote access to sensitive systems is controlled via centralized groups and multi-factor authentication including a valid username and password, a Dwolla-issued machine certificate and a hardware-based one-time passcode.

The Dwolla Platform is monitored 24/7/365 using a combination of internal and external tools and services. Infrastructure, service and event monitoring is based on centralized log collection, analysis and alerting. Engineering and Information Security teams follow escalation procedures to provide continuous coverage for the platform. Dwolla utilizes a leading Security Incident and Event Management (SIEM) provider independent from the Platform or Corporate network environments to collect, correlate and analyze logs for reporting and alerting on timeframes aligned with risk.

Dwolla leverages its enterprise partnership with Cloudflare and a range of AWS capabilities to provide a secure and highly available platform edge. Cloudflare secures Dwolla’s DNS zones, enforces TLS negotiation for all connections, and protects against volumetric distributed denial of service (DDoS) attacks.

Third-Party Risk Management

Dwolla maintains detailed review processes for its vendors and customers that include Information Security components to manage third-party risk across the platform:

  • Vendors and Partners: Dwolla maintains a risk-based program to manage and protect sensitive information that is shared with external parties. Adequate contractual language and due diligence processes support the protection of Dwolla Platform data. Dwolla maintains a Third-Party Risk Management process to evaluate prospective and existing vendors and partners. This process is designed to leverage independent third-party attestation and certification, as well as Dwolla’s own expertise to ensure that information security risk is at the core of every such decision.
  • Client Onboarding: Dwolla partners with clients to align Information Security practices and standards prior to granting production access. The review includes an evaluation of authentication, authorization, application security, vulnerability management and data protection controls across the client application. This is a value-add for clients who may not have the resources or expertise to assess their own applications in this way, and it ensures the entire Dwolla ecosystem meets the same high standard so the whole community stays safe. For one example of how Dwolla’s expertise and thought leadership can give our clients a leg up, check out this recent whitepaper by our Information Security Director, Benjamin Blakely, PhD CISSP CISM, on how to build and mature an information security program.

Dwolla maintains ongoing vulnerability management activities across the platform using a combination of internal and external services and firms to identify and remediate risks:

  • Code Deployment: Each Dwolla merge requires a code review by an additional engineer prior to approval, focusing on coding convention, unit/integration tests and security soundness. Subsequent to an authorized and approved merge, front-end deployments initiate a security scan by a third-party tool to identify, track and monitor potential vulnerabilities. These potential issues are entered into Dwolla’s ticket tracking system and feed directly into InfoSec metrics and planning.
  • System Vulnerability Management: Servers, Endpoints and other network-connected devices are routinely scanned using a credentialed vulnerability scanning solution to detect potential configuration baseline deviations, vulnerable software which may require updating, or unauthorized storage of personally identifiable information. Automated software update solutions are used to provide ongoing patching on Mac, Windows and Linux systems. Additionally, in the Dwolla Platform, an immutable infrastructure is used to perform rolling deploys of load-balanced services for rapid software updates without downtime.
  • Independent Testing: Dwolla maintains relationships with multiple external providers of security assessment services. Dwolla performs penetration tests on a semi-annual basis covering external and internal environments, and undergoes external audits focused on control review including the design, implementation and operating effectiveness of controls. Dwolla also maintains a private bug bounty program. For more information about participating in that program, contact security@dwolla.com.

Benjamin Blakely, PhD CISSP CISM
Ben is the Director of Information Security at Dwolla. Previously, he has held positions in the private, public, and education sectors, and built an information security program that supported the growth of a cloud software startup through its initial public offering to thousands of corporate customers. He earned his PhD and BS degrees in Computer Engineering from Iowa State University, with minors in psychology and political science. He holds the Certified Information Systems Security Professional (CISSP) and Certified Information Security Manager (CISM) certifications, and is the lead inventor on two patents related to encryption key management in cloud infrastructures.