Advanced SaaS Security Measures

Transcription

1 BlueTie Business White Paper Advanced SaaS Security Measures Overview f BlueTie Security

2 BlueTie, Inc. 220 Kenneth Drive Rchester, NY USA (800) BLUE TIE TABLE OF CONTENTS Abstract... 3 Backgrund: BlueTie Business The Prblem... 4 The BlueTie Clud... 4 Physical Security... 4 Netwrk Security... 5 System Security... 7 Data Strage... 7 Availability and Disaster Recvery... 7 Security Plicy... 8 Cnclusin

3 Abstract The unique ability fr SaaS cmpanies t deliver mre data, t mre places via mre access methds has had a prfund impact n the ability fr businesses t cmmunicate, cllabrate, and achieve tasks. Businesses can nw access data that nce resided slely behind the crprate firewall and required users t be physically at the ffice r accessing systems thrugh cmplex VPN systems. As the cmputing landscape evlves, cmpanies are leveraging this evlutin t expse mre access methds t data and are entrusting the services f SaaS prviders t prvide this gateway. Cmpanies are demanding access t data in ways never befre imagined, while enlisting prviders t maintain the highest f security measures t prtect their sensitive data. SaaS cmpanies are tasked with the respnsibility f nt nly prtecting data as it mves int and ut f varius web based accessible systems, but are als charged with prtecting that data thrughut its life in the clud. Security threats tday range frm simplistic credential breaches, t mre sphisticated applicatin, prfiling, abuse, hacking and denial f service attacks. This paper fcuses n the security measures that allw BlueTie t prvide secure envirnment fr yur cnfidential data. BlueTie s multi layered and multi faceted apprach t security is designed t nt nly prtect yur data in transit, but t prtect it while at rest in the clud. Backgrund: BlueTie Business BlueTie is an industry leading SaaS based Business service which prvides webbased services t thusands f businesses and millins f users wrldwide. Our infrastructure prcesses several billin messages per mnth, systematically mnitring fr, detecting and managing based security threats fr ur end users. Our prducts and services are designed t eliminate the hassles, cst and management verhead assciated with internal IT Departments by leveraging BlueTie s expertise in the cmmunicatin and cllabratin industry. Our team cnsists f highly skilled messaging experts wrking in cnjunctin with several f the wrld s leading prviders f security slutins t ensure yur services remain available. 3

4 The Prblem The cmprmise f data culd mean the lss f trust and reputatin fr yur business by yur current and future custmers. It culd mean the lss f trade secrets, identity theft, r even wrse, the dwnfall f an entire business. Security threats have mved frm what were primarily netwrk based attacks t sphisticated website and applicatin vulnerability prfiling and eventual explitatin f thse vulnerabilities. Wrse yet undergrund cmmunities and massive btnets are being utilized t launch large scale denial f service attacks against prviders, crippling infrastructure fr hurs and even weeks, leaving custmers unable t access data. N single slutin exists tday t identify, prevent r mitigate these security issues. Instead prviders f clud based services must rely n a multi faceted apprach t security fr bth the physical and lgical architectures f the slutin prvided t end users. Technlgy can assist in the preventin f these attacks, hwever, the rigidity f plicies and prcedures are ften the mst critical pieces t security. The BlueTie Clud BlueTie s clud is perated ut f several facilities in the United States. Here a high perfrmance netwrk infrastructure cnnects BlueTie t the Internet and its end users. These facilities prvide the framewrk fr BlueTie s physical security which is cnsidered equally if nt mre imprtant than netwrk and system security plicies. Physical Security Physical security cnsists f the measures in place t prtect direct, physical access t the pwer, HVAC, netwrk and server infrastructure that perate web based applicatins. Each facility selected t perate a prtin f BlueTie s clud must underg stringent analysis fr the presence, implementatin and nging administratin f physical security infrastructure. BlueTie nly perates its clud infrastructure in facilities which have been audited by industry leading firms fr SAS70 Type II cmpliance. As such, each facility has demnstrated cntrl and accunting measures in place fr physical security and maintains strict security plicies and practices. 4

5 The physical lcatin and design f these facilities assist in the preventin and mitigatin f bth natural and man made assaults. Facilities have been selected based n natural disaster scenari risk assessment, as well as fld plain screening and evaluatin. T further enhance the security f the infrastructure, n identifiable markings, r signage is visible frm the exterir. All pwer and cling systems are secured behind gated fences and are limited t authrized persnnel. Each facility is equipped with slid blck exterir perimeters and ramming bllards t mitigate ptential damage t the infrastructure frm exterir surces. Security persnnel cntrl access t and frm, including the mnitring f individuals within the facilities. Access t ur facilities is limited t specific individuals fr the purpses f maintaining and managing the infrastructure. Under n circumstances are unauthrized individuals granted privileges t enter. Prtins f BlueTie s data centers utilize state f the art bimetric scanning equipment fr access t highly sensitive and restricted areas. These systems permit nly authrized individuals int these areas, and lg and reprt all access fr histrical reference and review purpses. BlueTie s facilities perate high reslutin, cntinuus surveillance security cameras which mnitr the mvement f individuals thrughut the facilities. These cameras are mnitred by security persnnel and als recrd all feeds t DVR systems which are maintained fr histrical reference and review purpses. BlueTie s physical infrastructure equipment is always segregated frm the cllcatin ppulatin with security cages. These cages require physical key access which is nly prvided t individuals authrized t access these areas. Inside each caged area, several surveillance cameras mnitr the activity and actins within. Netwrk Security Netwrk security cnsists f the measures in place t prtect netwrk based access including unauthrized access t netwrk r system infrastructure, abuse f resurces and r denial f service attacks. The nature f the web has pushed netwrk security further frm just the perimeter f the infrastructure physically running and string data. Netwrk security nw starts at the DNS layer. DNS serves as the telephne directry f the internet. This directry is the first place a client brwser lks when accessing a site. As such, this infrastructure must be heavily prtected and extremely rbust in rder t service brwser requests. Denial f service attacks at the DNS layer are cmmn and if successful, can cause significant utages and slw access t sites. 5

6 BlueTie has partnered with an industry leading DNS prvider t handle the prcessing f these requests and the security surrunding this infrastructure. The DNS platfrm is currently deplyed n tp f a glbal IP netwrk, cnsisting f 12 facilities and cnnectivity frm a variety f Tier 1 Internet Service Prviders. The DNS platfrm perates n tw diverse Anycast cnstellatins which prvide active active failver between cnstellatins and glbal traffic distributin between data centers. This glbal distributin and massively scalable cnnectivity t the DNS infrastructure guards against denial f service attacks. BlueTie s perimeter is secured utilizing industry leading firewall technlgy frm Juniper Netwrks. T prtect against netwrk level attacks, these systems analyze all incming and utging transmissins using a dynamic packet filtering methd knwn as stateful inspectin. Varius infrmatin is cllected frm incming transmissins and analyzed against the respnding transmissins t ensure the cmmunicatin streams match. This analysis is dne under the cntext f a cnnectin and nt as a cllectin f varius packets, which prvides security at the packet level rather than the cnnectin level. Unmatched transmissins are cnsidered malicius and are drpped. The firewall systems cntinuusly mnitr and reprt these security incidents t ur NOC. In additin t alerts, fr which BlueTie may take actin, all security histry is lgged fr histrical tracking and reference purpses. BlueTie s internal netwrk infrastructure is segmented int VLANs. Each VLAN limits the access and cmmunicatin between systems thrugh a series f ACLs (Access Cntrl Lists) allwing granular cntrl f the cmmunicatin between VLANs. Sensitive systems are placed int VLANs in which nly authrized systems may cmmunicate with them, further enhancing the security f BlueTie s netwrk. Custmers are als permitted t access BlueTie s web based, mbile and desktp client slutins via standard security prtcls including 2048 Bit SSL and TLS. An ptinal parameter set by the user, r enfrced by the administratr f the Custmer s accunt ensures all cmmunicatin transmitted t and frm BlueTie remains secure at all times. In accrdance with BlueTie s Security Plicies, BlueTie emplys granular access cntrls fr administratin which prvide separatin f duties with regards t system management and netwrk security. 6

7 System Security BlueTie perates primarily n the Linux Operating System. Each system deplyed fr use in ur prductin facilities is imaged t cntain nly the necessary sftware required t perate the BlueTie platfrm. This practice, knwn as hst hardening, reduces the likelihd f hst explits by limiting the sftware, prcesses and pen prts enabled n each system. Peridically, these systems underg an evaluatin f sftware, patches and recmmended updates t ensure prper functin and t patch any security threats. Access t these prcessing systems a limited by BlueTie s Security Plicies and is granted nly t thse which require it fr purpses f administratin and maintenance f the system. Data Strage User data is stred in a finite number f systems within the BlueTie clud. User data is rganized in a hierarchal fashin which tiers and separates data int lgical partitins acrss an array f strage systems. Other infrmatin, such as cntacts, calendar and tasks data are stred in a similar frmat inside enterprise class databases. T ensure the utmst security as it relates t custmer accunt and credit card infrmatin, data is stred in enterprise grade databases utilizing an encryptin algrithm that stres card data. This data can nly be unencrypted by BlueTie s billing systems which are nt lcated in any publically accessible facilities and d nt have access t the internet. Access t these strage systems is limited by BlueTie s Security Plicies and is granted nly t thse which required it fr purpses f administratin and maintenance f the system. BlueTie s finance and billing department maintains sle cntrl f decryptin keys fr custmer credit card data. These keys are nt accessible t any ther staff within BlueTie. Availability and Disaster Recvery Availability and disaster recvery are an imprtant cnsideratin when selecting a SaaS prvider. Extended utages, dwntime, r data lss can be cstly and damaging fr a business. BlueTie s architecture is built upn a highly available infrastructure designed t withstand the cmmn causes f utages tday. 7

8 Each layer f BlueTie s netwrk infrastructure perates n active/active r active/passive equipment, meaning the failure f a cmpnent within any piece f this equipment, r the failure f an entire system shuld nt disrupt service fr end users. Latent capacity built int the infrastructure allws fr full failver t redundant systems in the event f a netwrk failure. BlueTie s stateless prcessing systems are gruped int clusters f systems which are managed by intelligent lad balancers. These lad balancers mnitr the state and health f each prcessing system. Systems that fail r are nt perfrming well are autmatically remved, while seamlessly transferring cnnectins t anther prcessing system. This prcess reduces the chance fr custmer impact in the event f a system issue r utage. BlueTie s databases cntain specific accunt infrmatin such as cntacts, calendars, tasks and ther data stred by BlueTie fr its end users. Each database is replicated t a standby unit which will assume respnsibility if the primary unit shuld fail. Databases are mnitred at all times fr integrity, synchrnizatin, and respnsiveness by ur NOC (Netwrk Operatins Center). Daily encrypted snapshts f these databases are stred lcally t the facility and are als transprted ff site t an alternate facility fr disaster recvery purpses. is maintained in mail strage systems cnsisting f clusters f stateless accessr systems which access mail frm redundant strage devices. These devices are cnstantly mnitred fr perfrmance and utilizatin by ur NOC. Strage systems are prtected by RAID level disk redundancy, as well as daily snapshts. data can be restred t the last knwn snapsht in the event f a strage system failure r accidental deletin by a user. Security Plicy BlueTie has develped internal security plicies specifically designed t address physical, netwrk, system, and data security. These plicies include, but are nt limited t: Access Cntrl (Physical, System, Netwrk and Hardcpy) Centralized Desktp and Laptp Antivirus & Malware Prtectin Desktp and Laptp security plicies which enfrce rules surrunding: 8

9 Sftware Installatin and Usage Netwrk Accessibility Peridic Passwrd Resets Credential Failure Lckut Idle Screen Lcking Separatin f Respnsibilities (IT and Netwrk Security) Emplyee Backgrund Checks and Drug Screening Emplyee Custmer Data Cnfidentiality Agreements Cnclusin As businesses mve sensitive data t the Clud, SaaS prviders are faced with the grwing challenges assciated with keeping this data safe. Data breach, netwrk intrusin, r denial f service threats are cnstantly evlving and require experienced security prfessinals. BlueTie s multi faceted apprach t security, backed by stringent security plicies, industry leading threat prtectin, and mitigatin slutin deplyments help keep yur data private and safe BlueTie, Inc. All rights reserved. BlueTie and the BlueTie lg are trademarks f BlueTie, Inc. Prducts r brand names referenced in this dcument are trademarks r registered trademarks f their respective wners. 9