Saba Cloud Security
The Saba Cloud Platform
The Saba Cloud Platform is highly scalable and exceeds industry security and
compliance standards. Its powerful, standards-based architecture can address the
common and distinct needs of large customers in a global implementation as well as
those of mid-sized enterprises in a cloud environment. This document is designed to
answer most of the questions you may have about Saba’s security infrastructure and
standard operating procedures, as well as the support that ensures reliable and secure
delivery of your Saba Cloud services.
This commitment to security is carried throughout the application design process. The
Saba Security Program implements a multi-business review process that focuses on
meeting and exceeding industry-accepted practices.
In addition to embedding security throughout the System Development Life Cycle,
Saba adheres to privacy requirements that provide controls that address secure
handling, retention/deletion, and transference of personally identifiable information in
accordance with customer privacy requirements.
Security Design Principles
Cloud Security Governance and Management
Security Council: The Security Council provides
a consensus-based forum to support the Vice
President of Information Services and Chief
Information Security Officer to collaborate on:
1. Identifying high-priority security and identity-management initiatives; and
2. Developing recommendations for policies,
procedures and standards to address
those initiatives that enhance the security
posture and protection afforded to Saba
and its customer networks, information and
information systems.
Cloud Management: Saba has deployed a layered
data protection and security framework. Saba’s
defense-in-depth approach involves the use of
strict physical, procedural and network security
controls. Saba controls are designed to assure the
confidentiality, integrity and availability of client
data and services. Saba’s Cloud governance
framework is supported by policies, procedures
and standards. Cloud security controls and
operations-management practices are based on
internationally accepted practice and draw upon
delivery frameworks such as Information Security
Management System (ISMS) based on the ISO/IEC
27000 family of standards.
Systems Hardening
Saba systems are security-hardened to reduce
vulnerabilities consistent with industry best
practices. Hardening standards draw upon
benchmarks defined by the Center for Internet
Security (CIS) and National Institute of Standards
and Technology, with additional guidance from
Computer Emergency Response Team (CERT) and
vendor-recommended best practices.
System and Data Access Control
Saba’s security model restricts access to
both systems and data according to defined
Segregation of Duties (SoD), operational roles and
responsibilities (RACI), and “need to know.” Logical
access to Saba Cloud systems is
restricted by security policies and procedures,
two-factor authentication with unique usernames/
passwords, and restrictive local host “permissions.”
Direct access to system administrative accounts
(e.g. root) is prohibited, and these can only be
accessed using predefined “alias” accounts. Data
classification standards require that client data may
only be accessed using Saba-authorized systems.
Application and Data
All client data is logically segregated. Logical
segregation is achieved via the use of unique
usernames, complex passwords, database
connection strings, and dedicated database
schemas. Client access requests are restricted to
Secure Sockets Layer (SSL) communication and at
least 128-bit encryption. End-user and administrator
access to the application requires authentication
and is restricted according to preconfigured
role-based access controls (RBAC). All data flowing
in and out of the environment is subjected to deep-
packet inspection by Saba firewalls and Intrusion
Detection Systems (IDS).
Network Security
Network security is achieved through the use of layered firewalls, advanced network design, and network
segmentation. High-availability firewalls are used to filter traffic between the web, application, and data
tiers. Firewalls support deep-packet stateful inspection, dropping of anomalous packets, denial of service
protection, spoofing monitoring and anti-virus filtering. Saba networks have been designed to support
vLAN and subnet segmentation, port restrictions, access control lists, and address and port translation.
All physical data connections are configured in a high-availability mesh topology, with each system and
service having no less than two routes for communications. Saba’s network communications mesh assures
integrity and uninterrupted flow of data across our networks. Saba firewalls are configured consistent
with National Institute of Standards and Technology (NIST) standards, and connections to all end-points
reinforce our “least permissive” policy. All security devices and firewalls are monitored 24/7/365. Monitors
are defined to trigger alerts when predefined thresholds are exceeded.
Data Center Overview
Saba’s Cloud solutions are hosted in highly secure,
SSAE–16/AT 101 Type II Audited Data Centers that
meet or exceed the highest standards for a cloud
infrastructure security worldwide. Our data centers
are hardened using multiple layers of physical and
logical security. Access is controlled by two-factor
authentication using biometric and key/token
access.
All data centers are supported 24/7/365 with
security personnel and technical support engineers.
Environmental controls such as fire, cooling and
power systems are fully redundant and scaled
to accommodate component failure. Internet
connectivity is assured with no less than three Tier 1
backbone carriers per data center.
Global Locations
North America
• Dulles, Virginia, United States
• Phoenix, Arizona, United States
• Philadelphia, Pennsylvania, United States
• Billings, Montana, United States
• Boston, Massachusetts, United States
• Toronto, Ontario, Canada
• San Francisco, California, United States
EMEA
• Amsterdam, The Netherlands
• London, United Kingdom
Asia Pacific
• Sydney, Australia
Environmental Safeguards
Redundant Power Supply: All data centers are
equipped with redundant and high density power
systems, with automated and monitored facility
controls. Power generators at all data centers are
tested regularly and supported by multiple fuel
suppliers to ensure continuous operations in the
event of a disaster.
Temperature Control and Fire Suppression: Each
data center is equipped with carrier-diverse fiber
connections to ensure redundant connectivity with
at least 100 Mbps to 1 Gbps of available bandwidth
capacity. Each customer system is provided with
burstable bandwidth to accommodate peak usage.
Physical Security
Physical access to Saba data centers is tightly
controlled, with access restricted to pre-authorized
personnel and layered identity management
systems. Individual access to the facilities, interior
vault, and cage areas is managed by card-
key and biometric identification systems with
mandatory pre-approved customer lists and sign-in/
sign-out procedures enforced. All servers and
infrastructures are protected within locked racks.
Only authorized personnel have access to the Saba
Cloud servers.
Professional Certifications
The Saba team consists of Certified Systems
Engineers, Cisco Certified Network Associates
(CCNA), Certified Information Systems Security
Professional (CISSP), and technicians certified and/
or trained on various infrastructure and operating
system software products.
Certifications and Assessments
Data Centers
Saba Cloud data centers in North America and
EMEA are SSAE–16/AT101 Type II audited, Safe
Harbor certified, and either FISMA-Moderate or
ISO 27001 certified. Our Asia Pacific data center
is AS/NZS 7799.2:2003 accredited. Additional
capabilities are available to meet strict regulatory
requirements.
Application
As part of the Saba System Development Lifecycle,
Saba incorporates an initial scan utilizing Qualys
Web Application Scan (WAS) and then validates that
through a third-party solution, Veracode. Veracode
performs dynamic and static code analysis.
The following is a sample list of what both Qualys
and Veracode scan for:
• Cross-site scripting
• SQL injection
• Session management
• OS command injection
• Directory traversal
Validated Environment
Saba Validated Environment Managed Services
(VEMS) combines the power and efficiency of the
Saba Enterprise Cloud (SEC) with services toward
Validated Application Environment sustenance
efforts for our regulated customers. VEMS is
designed to facilitate our customers’ regulatory
compliance requirements.
Third-Party Penetration Test
Saba engages with a third party to perform a black-
box security assessment of our main domain and
associated hosts. This includes a Software Quality
Assurance (SQA) scan of the Saba web application
as well as a network penetration test.
Complying with Demanding Cloud Security Standards
As part of Saba’s commitment to security, Saba
engages with several third-party experts to conduct
exhaustive reviews and performs rigorous ongoing
testing to continually monitor and validate the
security of Saba services.
Every company says they want to engage, motivate and inspire their people. As we see it, the problem is not that they can’t – it’s that they don’t have the environment that really enables their top talent to thrive. Saba creates that environment, with talent development solutions that put people and teams in the driver’s seat of their own experience, while staying aligned to your business goals. And delivering deep performance insights that connect people to business success, like no one else can. Saba. The Talent Development Company.
© 2018 Saba Software Inc. All rights reserved. Saba, the Saba logo, and the marks relating to Saba products and services referenced herein are either trademarks or registered trademarks of Saba Software, Inc. or its affiliates. All other trademarks are the property of their respective owners.
(+1) 877.SABA.101 | www.saba.com 11/18
The Saba Experience:
Your success starts here!
• 24/7 customer support
• Collaborative online customer community
• Value-added strategic services
• Regular user group meetings
• Standard or customized implementation services
• Dedicated customer success rep
Workforce Planning | Learning | Engagement | Performance | Recruiting
SABA. THE TALENT DEVELOPMENT COMPANY.
Put Your People in the Driver’s Seat of their Development Experience
Transform Your Talent Management Programs to Create Value for Your People and Your Business.