
© 2007 RightNow Technologies, Inc.

Information Security at RightNow

November 8, 2007

Ben Nelson, Corporate Security Manager

Outline

• On Demand/SaaS Overview

• Data Centers – Global Reach, High Availability

• Security at RightNow

• Application Security

• Security Operations

• Security Monitoring

• Security Response

• Compliance

• Questions


SaaS / On Demand Overview

SaaS Defined

Dictionary.com Unabridged (v 1.1)

SaaS

-noun

1. Software deployed as a hosted service and accessed over the Internet

2. Alleviates the complexity, initial high cost, and ongoing expertise required to operate it internally

3. Greatly improves total cost of ownership (TCO)

“Software as a Service”

A Bit about SaaS

• What are important SaaS Principles?

– Business Model Change

o Shift ownership, responsibility, cost

– Transferring IT & Security Responsibilities

o From heavy hardware, monitoring, patching, operations, configuration to software service costs

– Leveraging Economies of Scale

o Multi-tenancy and volume buying

– Providing (receiving) key services

o UI customization, workflow, custom business rules, security, etc.

– The customer still “owns” the data

On Demand Delivery

• Eliminates over 80% of ownership costs

• Deployment up to 5 times faster


Data Centers – Global Reach and High Availability

Hosting Architecture

• Load Balanced Web Servers

• Redundant NFS service via clustered Network Appliance

• Mirrored database disk via RAIDed Storage Area Network

• Multiple geographically and network backbone separated data centers, each with UPS, on-site backup generators, and controlled access.

• Separate database, web, utility, and live servers for increased performance and reliability.

• Proactive performance tuning.

• Daily external vulnerability scanning

• Redundant inbound email virus and SPAM filtering


Maturity – Disaster Recovery

• Full scale duplicate of production in geographically diverse carrier class data center based in Chicago

• Combination of continuous data replication and periodic storage snapshots maintain currency of customer data

• Fully integrated into the RightNow Hosting Management System

[Diagram: Production CA pod (dbca01a / dbca01b, load balancer, web pool, NFS) feeding ODBC replication through replicateca01 to the DR Chicago pod (dbch01, load balancer, web pool, NFS); database replication between pods]

Enterprise Class Infrastructure Providers

• Cisco switches and firewalls for industry leading security

• Two tier load balanced architecture for performance

• Network Appliance data storage for data reliability

• Dell / Rackable servers running Red Hat Linux, MySQL

• SourceFire intrusion detection

• Qualys vulnerability monitoring


Security at RightNow

Security: Part of the RightNow DNA

• Corporate Security Manager with broad authority in:

– Product direction

– Development

– Hosting practices

– Corporate security practices and culture

• Dedicated security team

– Every member is certified in various areas of the information security career field

• Corporate Security Committee

– This committee is chaired by the Corporate Security Manager

– Includes members from every major functional area within RightNow

– Executive support, sponsorship and attendance

RightNow’s Philosophy on Security

Defense in depth: No single technique or approach is sufficient.

Detailed security policies and cross-discipline leadership direct our approach to all aspects of security, including:

• Physical security

• Server security and hardening

• Network security and monitoring

• Storage & backup control

• Application security defense

• Procedural security operations

• Personnel security


Application Security

Product Security Direction

• The Product Management group takes input from:

– The Corporate Security Committee

– The Corporate Security Group

– The field

o Includes direct customer input

o Also includes research on new features/enhancements

– Internal innovation

• Security features and enhancements are prioritized along with non-security related features.

• Current focus on compliance-related features

Secure Product Development

• Product development at RightNow has staff dedicated to application security

• Dedicated application security staff are utilized for:

– Educating development staff on secure coding practices

– Investigating and fixing product vulnerabilities

– Conducting internal product vulnerability assessment

• When new features are to be implemented that may impact security, development staff will consult:

– Product security lead

– Corporate Security Group

Product Vulnerability Assessment

• A 3rd party (Security Innovation) conducts application vulnerability assessment

• These 3rd party assessments are conducted on every release of RightNow software

• Assessments are conducted as part of the RightNow QA process, prior to product release

• Any vulnerabilities rated as ‘High’ risk will be fixed prior to release.

• These reports are available to customers and prospective customers who are under NDA.


Security Operations

Security Operations

Security Operations – Network Security

• Cisco PIX Firewall Deployment

• Utilization of Internal IPs

• “Bastion” hosts

– Create a single point of entry into the network

• Regular network vulnerability assessment

– Daily external vulnerability assessment by QualysGuard

– Quarterly external vulnerability assessment by Digital Defense

• Intrusion Detection

– Intrusion detection by SourceFire at all network ‘choke points’

• Secure access for customers available via SSL or VPN

Security Operations – Physical Security

• Single point of entry to the hosting area; cages or walls separate customer servers

• All building access points are monitored or controlled by surveillance cameras, man-traps, biometric scanners, and guards.

• Access validation with identity check for physical access.

• Access only to persons on the RightNow-approved access list.

Security Operations – Personnel Security

• Remote log-in only via SSH to a bastion server, and only from specific IP addresses

• Before shell access is granted, users are educated on the infrastructure and their responsibility to keep it secure

• All shell access for users is documented and approved by management and the security group

• All US RightNow personnel with shell access have passed criminal background investigations

Security Operations – Host Security

• All host administration is performed via SSH or SSL

• Access to applications and supporting systems is logged

– Logs are retained for 1 year

• Strong randomized password selection with regular password changes enforced

• Segmented user access

• All hosts are kickstarted from a known secure (and minimal) OS image

• All patch management is performed via Red Hat’s Satellite server system


Security Monitoring

Security Monitoring and Support

• Security of servers monitored 24x7 with multiple monitoring tools

• SourceFire network intrusion detection on all hosted networks

• Alerts from IDS systems are sent directly to Security staff for investigation/remediation

• All system logs are sent to a centralized log server

– Analyzed in real-time

– Alerting is performed

• Support

– 24x7 security monitoring and paging notifications

– A full, on-call, 24x7 security team
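The centralized log server described above analyzes host logs in real time and pages the security team. The Python script below is an added example, not RightNow's code, showing what such real-time checks look like when sshd syslog lines are tested against the access policy stated on the earlier slides: remote log-in only via SSH to the bastion, only from specific source addresses, and shell access only for approved users, plus a simple brute-force count. The allowed source networks, the bastion's name and internal address, the approved user list, the failure threshold and every log line are constructed assumptions; the slides give none of them.

```python
"""Added example (not RightNow's code): real-time policy checks over
centralised sshd syslog lines.  Every network, host name, user name,
threshold and log line below is a constructed assumption."""
import ipaddress
import re
from collections import Counter

# Assumed: the only source networks allowed to reach the bastion.
ALLOWED_SOURCES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.7/32")]
# Assumed: bastion host name and its internal address as seen by the other hosts.
BASTION_HOST = "bastion01"
BASTION_ADDRESSES = {"10.0.0.5"}
# Assumed: users whose shell access has been documented and approved.
APPROVED_USERS = {"bnelson", "ops1"}
# Assumed: failed attempts from one source before a brute-force alert is raised.
FAILED_THRESHOLD = 5

# Matches OpenSSH "Accepted ..." / "Failed ..." authentication lines in syslog format.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<event>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_sshd(line):
    """Return the fields of an sshd auth line as a dict, or None for any other line."""
    m = SSHD_RE.match(line)
    return m.groupdict() if m else None


def source_allowed(ip):
    """True if the source address falls inside one of the allowed networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_SOURCES)


def check_event(ev, failures):
    """Apply the access policy to one parsed event.

    Returns a list of (alert_kind, detail) tuples.  `failures` counts failed
    attempts per source address and persists across events.
    """
    alerts = []
    if ev["event"] == "Failed":
        failures[ev["ip"]] += 1
        if failures[ev["ip"]] == FAILED_THRESHOLD:  # alert once, when the threshold is hit
            alerts.append(("brute_force",
                           f"{FAILED_THRESHOLD} failed logins from {ev['ip']} on {ev['host']}"))
        return alerts

    if ev["host"] == BASTION_HOST:
        # Policy: bastion logins only from specific addresses, only for approved users.
        if not source_allowed(ev["ip"]):
            alerts.append(("bastion_source", f"{ev['user']} logged in from unlisted address {ev['ip']}"))
        if ev["user"] not in APPROVED_USERS:
            alerts.append(("unapproved_user", f"{ev['user']} has no approved shell access"))
    elif ev["ip"] not in BASTION_ADDRESSES:
        # Policy: every other host is reachable only through the bastion.
        alerts.append(("bastion_bypass", f"{ev['user']} reached {ev['host']} directly from {ev['ip']}"))
    return alerts


def analyze(log_text):
    """Run every sshd line of a log through the policy checks; return all alerts in order."""
    failures = Counter()
    alerts = []
    for line in log_text.splitlines():
        ev = parse_sshd(line)
        if ev is not None:
            alerts.extend(check_event(ev, failures))
    return alerts


# Constructed sample log: two compliant sessions, then four policy problems,
# one failure below the threshold, and a non-sshd line that is ignored.
SAMPLE_LOG = """\
Nov  8 10:03:12 bastion01 sshd[1201]: Accepted publickey for bnelson from 203.0.113.5 port 51234 ssh2
Nov  8 10:03:40 web01 sshd[888]: Accepted publickey for bnelson from 10.0.0.5 port 40022 ssh2
Nov  8 10:05:02 bastion01 sshd[1210]: Accepted password for contractor from 192.0.2.44 port 50001 ssh2
Nov  8 10:06:11 db01 sshd[777]: Accepted publickey for ops1 from 172.16.9.9 port 40500 ssh2
Nov  8 10:07:01 bastion01 sshd[1222]: Failed password for invalid user admin from 192.0.2.99 port 41001 ssh2
Nov  8 10:07:03 bastion01 sshd[1223]: Failed password for invalid user admin from 192.0.2.99 port 41002 ssh2
Nov  8 10:07:05 bastion01 sshd[1224]: Failed password for root from 192.0.2.99 port 41003 ssh2
Nov  8 10:07:07 bastion01 sshd[1225]: Failed password for root from 192.0.2.99 port 41004 ssh2
Nov  8 10:07:09 bastion01 sshd[1226]: Failed password for invalid user oracle from 192.0.2.99 port 41005 ssh2
Nov  8 10:08:30 bastion01 sshd[1230]: Failed password for root from 203.0.113.5 port 51300 ssh2
Nov  8 10:09:00 bastion01 CRON[1300]: (root) CMD (run-parts /etc/cron.hourly)
"""

if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE_LOG):
        print(f"ALERT {kind}: {detail}")
```

Running the script prints four alerts: a bastion login from an address outside the allow-list, a login by a user with no approved shell access, a login to db01 that did not come through the bastion, and a brute-force count against the bastion. The single root failure from an allowed address stays below the threshold and produces nothing, which is the kind of noise a paging rule should suppress. In a real deployment the lines would arrive from the central syslog server as a stream rather than from a string, but the checks are the same.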


Security Response

Infrastructure Security Response

• Well established Security Incident Handling Plan exists

– Plan is reviewed annually

• Incident Response team is led by the Corporate Security Manager

– GIAC certified Incident Handler (GCIH)

o (GIAC = Global Information Assurance Certification)

• Support personnel are noted in policy and on call

– May be called when resources outside of the security group are necessary

Application Security Response

• Separate Policy/Plan for handling product vulnerabilities

• Plan is well documented and reviewed regularly

• Vulnerabilities are ranked on:

– Level of information exposure

– Skill required to exploit

• ‘High’ risk vulnerabilities are addressed immediately

– Patches will be developed and tested

– Customer base will be notified of patch availability


Compliance

Security Compliance at RightNow

• Security compliance at RightNow has become very important in the last year

– To demonstrate the level of our security to our customers

– To improve our own internal documentation

– To improve our own internal processes

• We’ve hired a full time compliance specialist

– Background in federal government Information Assurance

• We’re creating a compliance framework based on the ISO 27000 series

RightNow’s Security Compliance Program

Knowing the controls overlap, our approach is to use ISO 27002, arguably the most comprehensive framework, as a base for our compliance program, layering various other frameworks in on top and mapping their controls to the ISO framework.

[Diagram: ISO 27002 as the base layer, with NIST/FISMA/DIACAP, PCI DSS, HIPAA and SOX layered on top]

RightNow’s Plan Through 2008

Through 2008, the plan for achieving compliance with the many mandatory standards will include:

• Working toward compliance with ISO 27002

– Rewriting policies, standards, and procedures

– Rewriting the corporate security training and awareness program

– Emphasis on ISO controls which map to PCI controls

RightNow’s Compliance Goals for 2008

• PCI DSS audit and certification – a frequent customer request, due to:

– the high number of customers we have who process card payments

– pressure and visibility in the industry increasing as penalties begin to be enforced

• SAS 70 Type II audit

– also a frequent request among our customers

– is neither a mandatory standard nor a voluntary framework

– less emphasis on testing specific controls, focuses on maturity of documentation and processes, and the consistency with which they are implemented/followed

Positive Side-effects of our 2008 Compliance Goals

• Achieving PCI DSS compliance and completing a SAS 70 Type II audit will:

– Bring us closer to compliance with *all* security standards

– Improve visibility into our current security capabilities

• Mapping all standards to ISO 27002 means that:

– We’ll know where we stand against any standard that we’ve mapped against the ISO framework

o Including NIST SP 800 series

Wrap Up

At RightNow security truly is about the journey, not a destination.

We’re constantly looking at ways to improve ourselves and are always open to comments.

Questions?

Ben Nelson

Corporate Security Manager

[email protected]