Shotgun security white paper

Updated: May 15, 2019

The information contained in this document represents the current view of Autodesk, Inc. as of the date of publication, and Autodesk assumes no responsibility for updating this information. Autodesk occasionally makes improvements and other changes to its products or services, so the information within applies only to the version of Shotgun offered as of the date of publication. This whitepaper is for informational purposes only. Autodesk makes no warranties, express or implied, in this document, and the information in this whitepaper does not create any binding obligation or commitment on the part of Autodesk.

At Shotgun, we know that the security of your data is critical to your studio’s operation. As the industry shifts to the cloud, Shotgun knows that security and service models are more important than ever.

The confidentiality, integrity, and availability of your content are at the top of our priority list. Not only do we have a team of Shotgun engineers dedicated to platform security and performance, we are also backed by Autodesk’s security team, which invests heavily in security for its broad range of industries and customers. We constantly reassess, develop, and improve our risk management program because we know that the landscape of security is ever-changing.

In this document, we outline the practices put in place to maintain secure and dependable operation of Shotgun at your studio. If you have additional questions about Shotgun security, please contact us at: shotgun.security@autodesk.com

Infrastructure

Data center

Amazon

Shotgun has servers hosted in several regions to provide a better user experience; Amazon's certifications can be found here.

TierPoint

Shotgun has servers located in the United States; TierPoint's certifications can be found here. As of this writing, TierPoint has independent third-party issued SOC 2 Type II attestation reports.

Our physical servers are set up by our hosting partner, RimuHosting, who acts as a value-added intermediary between Autodesk and our TierPoint data center.

Cloud storage

All Shotgun sites store media files and attachments in Amazon Simple Structure Storage (S3) in the United States by default, but a client may elect to use another supported region (self-configured by the site's administrator).

Selecting a storage location for uploaded files:

  1. Why would I change the storage location for uploaded files?

    Having media files stored geographically close to your users will mean faster transfer times (uploads and downloads).

    For downloads, this means far fewer issues when playing back media. It also means faster page loads for pages that contain thumbnails.
  2. How can I change where files are uploaded?

    Select a new location from the dropdown menu in the 'Storage location for uploaded files' under Site Preferences > Advanced.
  3. What will this change do?

    This change will indicate where new files will be uploaded. Existing files will remain in their current storage location.
  4. Which uploaded files are impacted?

    All new files (media and others) that are uploaded to Shotgun will be uploaded to the selected storage location.

    Media created by Shotgun's transcoder (e.g., media files associated with Version entities) will also be uploaded to the selected storage location.
  5. Will my existing files be moved?

    No, existing files stay where they are.
  6. Will any of my files be offline during or after the transfer?

    No, your storage location can be updated while users are using the site. This change will not cause any files to go offline, not even temporarily.

    The only thing to double check is whether or not there are firewall restrictions that need to be modified when making the change. See the Technical Details section below.
  7. Which storage location should I pick?

    Typically, selecting a location that is geographically closer to the site users’ location is the best thing to do. In some cases it might be difficult to know.

    A web search for “speedtest for AWS” should point you to tools that can help you make the decision.
  8. Can I store files in multiple locations?

    You can only choose one current storage location at any time for a given Shotgun site. However, because existing files will not move locations, Shotgun will continue to provide access to files that were uploaded before you selected a closer storage location.

Technical Details

  • Shotgun media is stored on Amazon S3.

Shotgun uses a different S3 bucket for each region:

  • Dublin, Ireland (eu-west-1)
    • S3 region URL: sg-media-ireland.s3-eu-west-1.amazonaws.com
    • Accelerated S3 URL: sg-media-ireland.s3-accelerate.amazonaws.com
    • Regular S3 URL: sg-media-ireland.s3.amazonaws.com
  • Oregon, U.S. (us-west-2)
    • S3 region URL: sg-media-usor-01.s3-us-west-2.amazonaws.com
    • Accelerated S3 URL: sg-media-usor-01.s3-accelerate.amazonaws.com
    • Regular S3 URL: sg-media-usor-01.s3.amazonaws.com
  • Tokyo, Japan (ap-northeast-1)
    • S3 region URL: sg-media-tokyo.s3-ap-northeast-1.amazonaws.com
    • Accelerated S3 URL: sg-media-tokyo.s3-accelerate.amazonaws.com
    • Regular S3 URL: sg-media-tokyo.s3.amazonaws.com
  • Sao Paulo, Brazil (sa-east-1)
    • S3 region URL: sg-media-saopaulo.sa-east-1.amazonaws.com
    • Accelerated S3 URL: sg-media-saopaulo.sa-east-1-accelerate.amazonaws.com
    • Regular S3 URL: sg-media-saopaulo.s3.amazonaws.com

  • S3 acceleration is controlled by the Shotgun team. It is typically turned on for all hosted sites. However, in some extreme cases, the Shotgun team may turn it off without prior notification.
  • Some companies have firewall restrictions in place which means that you may only have access to the S3 bucket you are currently using. If you are having issues:
    • Verify with your IT department if this is the case and ask them to allow access to the URL of the new region where you want to store media.
    • Since existing media is not moved, make sure the IT department keeps allowing access to the S3 URL you are currently using.
    • Also, make sure access is allowed for accelerated S3 URLs and regular S3 URLs.
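
The firewall checks in the bullets above can be run against an egress allowlist before the storage location is changed. The following is an added example, not Autodesk or Shotgun code: it assumes the allowlist is a list of hostname glob patterns, and the sample allowlist and probe hostnames are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Bucket hostnames copied verbatim from the region list on this page
# (order per region: S3 region URL, accelerated S3 URL, regular S3 URL).
BUCKET_HOSTS = {
    "eu-west-1": ["sg-media-ireland.s3-eu-west-1.amazonaws.com",
                  "sg-media-ireland.s3-accelerate.amazonaws.com",
                  "sg-media-ireland.s3.amazonaws.com"],
    "us-west-2": ["sg-media-usor-01.s3-us-west-2.amazonaws.com",
                  "sg-media-usor-01.s3-accelerate.amazonaws.com",
                  "sg-media-usor-01.s3.amazonaws.com"],
    "ap-northeast-1": ["sg-media-tokyo.s3-ap-northeast-1.amazonaws.com",
                       "sg-media-tokyo.s3-accelerate.amazonaws.com",
                       "sg-media-tokyo.s3.amazonaws.com"],
    "sa-east-1": ["sg-media-saopaulo.sa-east-1.amazonaws.com",
                  "sg-media-saopaulo.sa-east-1-accelerate.amazonaws.com",
                  "sg-media-saopaulo.s3.amazonaws.com"],
}

# Constructed probe names standing in for any bucket that is not Shotgun's.
PROBE_HOSTS = ["example-other-bucket.s3.amazonaws.com",
               "example-other-bucket.s3-eu-west-1.amazonaws.com"]


def required_hosts(current_region, new_region):
    """Existing media is not moved, so the hosts of both regions are required."""
    hosts = []
    for region in dict.fromkeys([current_region, new_region]):  # de-duplicate, keep order
        hosts.extend(BUCKET_HOSTS[region])  # KeyError for a region the page does not list
    return hosts


def matches(host, pattern):
    """Case-insensitive glob match of a hostname against one allowlist pattern."""
    return fnmatchcase(host.lower().rstrip("."), pattern.strip().lower())


def audit_allowlist(allowlist, current_region, new_region):
    """Report required hosts the allowlist blocks and patterns that also admit other buckets."""
    missing = [h for h in required_hosts(current_region, new_region)
               if not any(matches(h, p) for p in allowlist)]
    too_broad = [p for p in allowlist
                 if any(matches(probe, p) for probe in PROBE_HOSTS)]
    return {"missing": missing, "too_broad": too_broad}


# Constructed sample: a site on us-west-2 preparing to move new uploads to eu-west-1.
SAMPLE_ALLOWLIST = [
    "sg-media-usor-01.s3-us-west-2.amazonaws.com",
    "sg-media-usor-01.s3.amazonaws.com",
    "sg-media-ireland.*.amazonaws.com",  # wildcard scoped to one bucket name
]

if __name__ == "__main__":
    print(audit_allowlist(SAMPLE_ALLOWLIST, "us-west-2", "eu-west-1"))
```

A pattern reported under `too_broad` (for example `*.amazonaws.com`) would satisfy the requirement but also permits egress to any other S3 bucket, so bucket-scoped entries are the tighter choice.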

Transport

All Shotgun servers support TLS 1.2 (downgrade to TLS 1.1, TLS 1.0, and SSLv3 is not possible). While the encryption level depends on a negotiation between the client and the server, we do support 256-bit encryption, but still allow 128-bit encryption in some cases.

We have an A rating from SSL Labs, as we have updated our certificates to the latest encryption level and restricted our list of ciphers to the strongest ones only.

Network accelerator

CDNetwork is a network accelerator that provides faster access for our customers located away from our Dallas data servers. It provides endpoints around the globe and connects to our data center in Dallas. From a security standpoint, CDNetwork supports HTTPS with the same level of security Shotgun supports (TLS 1.2; downgrade to TLS 1.1, TLS 1.0, and SSLv3 is not possible). While using CDNetwork is optional, it is activated by default for new accounts; this can be changed on demand.

Multi-tenancy

The Shotgun Web application is a single tenant application. Each tenant (site) runs in its own process and has its own logical PostgreSQL database.

API access

The Shotgun functionality is available through a Python API that wraps our HTTPS requests. All HTTPS requests to the Shotgun server are authenticated, and authentication can be done using either script keys managed in the Client Shotgun site or usernames and passwords.

Shotgun also provides a REST API.

Operations

Access to production servers

Logical access to our production servers is restricted to our support and operations team.

Log rotation and retention

Production logs are rotated every day and are kept for a maximum of four weeks.

Monitoring and notifications

Shotgun uses automated monitoring tools to oversee the proper operation of the system. We employ an incident management process to quickly respond to events that adversely affect Shotgun. Incidents and maintenance of our data center are posted on the Shotgun status page for which our customers can register. We have various triggers in place to detect issues in advance that are actively monitored by our 24/7 Monitoring team. These include:

  • Network connectivity
  • System responsiveness
  • Unusual load on our servers
  • Transcoding issues
  • Failed logins

Scheduled maintenance

Whenever possible, maintenance windows will be announced on the Shotgun status page at least 24 hours in advance.

Our maintenance schedule can be found in the Shotgun Maintenance Policy.

Operational support

On top of our customer-facing support team, we have technical on-call support for mission-critical operational issues. Any issue is diligently reported to our Shotgun status page, which we use to communicate with our users. You can also review the list of past incidents on the Shotgun status page.

Reliability

As reported by Pingdom in December 2018, our systems displayed an uptime of 99.98%. Real-time metrics can be viewed on the Shotgun status page.

Please note, although we make every effort to stay within or above the mentioned uptime statistic, this section should not be interpreted as an uptime commitment.

Key management

All keys are kept in an encrypted data repository only accessible by the operations team.

Disaster recovery

At the moment, our disaster recovery would require us to rebuild our data center using our database backups. We estimate this process would take between 24 and 48 hours depending on the nature of the disaster. This procedure is tested on a yearly basis.

Application usage

Event logging

Shotgun logs most activities as events in an event log. Operations such as modifying, creating, or deleting data are logged. Playing media (Versions) is also logged as an event. Although viewing any given page is not an event, users must be authenticated and authorized to access any page.

User authentication

We support both password-based and two-factor authentication (2FA) using Google Authenticator and Duo Mobile.

We support SSO over SAML2.

Credentials

When new users are created, they receive a welcome email from your studio's Shotgun application site with an invitation link. Clicking the link will then guide the user through creating a password to gain entry to the site. More information is available in the article, "Your People."

User authorization

Permissions are under the customer's control. Customers can create new roles as required by copying an existing role. There are set rules per role (Artist, Admin, Manager, Client, Vendor) that can be changed. These rules apply to the entire site, not just a project. More information is available in the articles "Permissions" and "Your People."

Data handling

Data storage

Work or application files (e.g., Maya, Nuke, Photoshop files, etc.) are usually stored on a client's local file system, and Shotgun stores metadata about these files in the cloud (revision number, location on disk, dependencies, etc.). File attachments are uploaded to our production servers in TierPoint and asynchronously uploaded to Amazon S3.

By default, media associated with Versions is uploaded directly to Amazon S3 in the supported regions and transcoded in AWS. This default option can be disabled, in which case the Version media is uploaded like file attachments: it is transcoded on our production servers in TierPoint and asynchronously uploaded to Amazon S3.

Each site has its own database which runs on one of our four PostgreSQL database server clusters. Each database server cluster consists of one master and one slave that are continuously replicated, and one warm slave running in AWS.

Data retention period for application data

Application data. Application data is data generated by the application, without the intervention of the users. For example, an entry created in the Event Log following a user action is application data. More concretely, if a user is creating a new Version, the Version itself is client data, while the event generated is application data. The retention period for application data is at Shotgun’s discretion and subject to change.

Events. Events are a subset of application data, but given their importance for a lot of our clients, we want to call out the events-specific data retention policy. The default retention period for events is six months. After that period, events are extracted from the database and archived on an external permanent storage. Archived events are no longer accessible through the Shotgun Web Application or the Shotgun API. However, these archived events can be downloaded in a CSV format through the Account Center. Events are archived for a period of five years.

Data encryption

All data on Amazon S3 is encrypted at rest using 256-bit AES encryption (details at AWS Server Side Encryption). Data stored in our PostgreSQL databases (entities such as Tasks and Shots) is stored unencrypted for performance reasons. Passwords are hashed and salted using a cryptographically strong hashing algorithm with a high number of iterations and a randomly generated salt. Only the salt and the resulting hash are actually stored persistently in our database.

Access to client data

Shotgun is bound by the Confidentiality clause in our Terms of Use and treats all client data in accordance with our Privacy Statement. Shotgun’s product and support teams may access client data in relation to a support request or for product improvement purposes.

Database backups

Snapshots are taken of our database servers multiple times a day. Database snapshots are encrypted at rest on AWS. Backups of media stored on Amazon S3 are directly managed by AWS.

Data retrieval

At any time, we can provide the customer with a copy of the data stored in their site. This includes the data and the meta-data.

Data deletion

Upon terminating a relationship with a client, we first remove all access to the client site (meaning, the site continues to exist and could be revived, but is not accessible to the customer). After 30 days, a backup of the database and of the uploaded data is made. After another 90 days, all files (database backups, media, and attachments) are then removed from our system.

Client information

Credit card and other payment information that the user enters upon signup in the Account Center is transferred and processed via a PCI-compliant service called Authorize.net. No credit card information is preserved within Shotgun systems. Customer contact information is stored in our internal database. This includes, but is not limited to, client's name, email, login, country, industry, invoices, etc. We share limited client information with external services in accordance with our Privacy Statement.

GDPR

Please refer to our Privacy Statement for more details.

Security Processes

Governance

We have a close partnership with Autodesk's Information Security, Risk and Controls (ISRC) group which is led by Autodesk’s Chief Security Officer (CSO).

Audits

We partner with Independent Security Evaluators (ISE) to perform quarterly SANS/CWE controls and OWASP security testing of Shotgun. The audits currently cover the Shotgun Web application, the Shotgun Review iOS app, and infrastructure.

The Shotgun Pipeline Toolkit is undergoing an internal audit and will be migrated to a third-party auditor in the near future. All severe and high-risk vulnerabilities are fixed as soon as they are identified. Medium risk items are put on the backlog of short term fixes. All other vulnerabilities are added to the backlog and dealt with in a timely manner.

Scanning and monitoring

Live intrusion detection systems are installed on all physical servers, monitored 24/7.

Anti-virus is installed on all physical servers. Definitions are updated periodically.

Vulnerability scans are performed and analyzed on a monthly basis.

Risk management

As of September 2015, Autodesk has implemented a risk management program under the Autodesk ISRC group led by Autodesk’s CSO.

Information security policy

We are committed to adopting Autodesk's information security policies and are in the process of implementing controls to align with those security policies.

Asset management

Shotgun follows Autodesk’s Asset Management Policies. All employee desktops and laptops are centrally managed by Autodesk, which ensures all assets are tracked and properly secured. This includes the proper use of anti-virus software, automatic locking of workstations, password management, etc. We have a process to update on a periodic basis the inventory of all the servers in the data center that are used in Shotgun.

Incident management

When vulnerabilities are publicly disclosed, we quickly fix the issue. For vulnerabilities identified as part of our regular quarterly security audits, we make sure to prioritize and solve urgent and high priority issues in an expedited and timely manner, while medium and low severity issues are documented, prioritized, and added to our security backlog. We have an incident management process through which we can quickly respond to security incidents.

Account management

In order to access client data, members of the Shotgun team must first authenticate through an Autodesk VPN; second, they must authenticate to an internal database. Once within that database, team members are further restricted by permission rule sets determined by their role. Upon termination of any Shotgun team member, appropriate revocation or deletion of access is completed in a timely manner.

Secure software development

In order to ensure security is built into the Shotgun application, we are adopting Autodesk’s secure development standard, which includes practices such as secure development training, threat modeling, and static and dynamic code analysis.

Human resources

Background checks

Background checks are required, where permitted by law, for employees with physical and/or logical access to the computing resources and support systems used by the Autodesk teams.

Security awareness

All Autodesk employees must affirm the importance of information security as part of new-hire orientation and yearly thereafter. Employees are required to read, understand, and take a training course on the company’s Code of Conduct. The Code requires every employee to conduct business lawfully, ethically, with integrity, and with respect for each other and the company’s users, partners, and competitors. Autodesk employees are required to follow the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards.

Confidentiality

New employees must sign a confidentiality agreement. New employee orientation emphasizes the confidentiality and privacy of client data. All employees are bound by non-disclosure agreements with Autodesk. Anyone found to have violated this policy may be subject to disciplinary action, up to and including termination of employment, contract, or relationship with Autodesk.

 

The information contained in this document represents the current view of Autodesk, Inc. as of the date of publication, and Autodesk assumes no responsibility for updating this information. Autodesk occasionally makes improvements and other changes to its products or services, so the information within this whitepaper applies only to the version of Shotgun® offered as of the date of publication. This whitepaper is for informational purposes only. Autodesk makes no warranties, express or implied, in this document, and the information in this whitepaper does not create any binding obligation or commitment on the part of Autodesk.

Without limiting or modifying the foregoing, Shotgun services are provided subject to the applicable terms of use.

Autodesk, the Autodesk logo, and Shotgun are registered trademarks or trademarks of Autodesk, Inc., and/or its subsidiaries and/or affiliates in the USA and/or other countries. All other brand names, product names, or trademarks belong to their respective holders. Autodesk reserves the right to alter product and services offerings, and specifications and pricing at any time without notice, and is not responsible for typographical or graphical errors that may appear in this document. © 2018 Autodesk, Inc. All rights reserved.
