Technical Proposition. Security
- Angelina Boyd
- 10 years ago
ADAM Software NV
The global provider of media workflow and marketing technology software
adamsoftware.net
Why Read this Technical Proposition?

When you turn on the personal computer that you have in your home office or family room, you're probably launching several software applications that are specifically designed to protect your system against malicious attacks. You almost certainly have anti-virus software, and you may also have firewall and anti-spyware software. If your computer is relatively new, you probably have to provide a password, even if you're the only person who uses your system. All of these programs exist to protect a single home computer.

Now consider the marketing information system you use at work. You're probably one of hundreds or even thousands of people who access and use the system. If you work for a large organization with operations spread across the globe, your marketing software is probably used around the clock. Plus, your marketing information system contains data that is confidential and highly valuable to your company. Compared to your home computer, the security stakes are much higher.
Read this Technical Proposition to learn:

- Why software security has become a strategic business issue
- What the four critical dimensions of information security are and why all are essential
- How the software solution provided by ADAM Software provides world-class information security
Contents

- Why Software Security Matters? The continuing evolution of marketing software systems is elevating security from an administrative task to an issue with major strategic implications.
- Fundamentals of Information Security: Information security can be defined as the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.
- Security of the ADAM Software Platform: The software solution provided by ADAM Software (the ADAM Platform) is designed to meet the demanding information security requirements of large enterprises, particularly those that operate internationally.
Why Software Security Matters?

The continuing evolution of marketing software systems is elevating security from an administrative task to an issue with major strategic implications.

Until recently, the software tools used by most marketing organizations consisted primarily of stand-alone point solutions, each of which served a relatively small number of users with similar needs and job responsibilities. Today, software applications touch almost every aspect of the marketing function, and they have become as vital to effective marketing operations as ERP systems are to the overall enterprise.

The growing importance of marketing software has driven changes, both in the nature of the software itself and in how marketers use software to maximize marketing performance.

- Many enterprises are transitioning from stand-alone applications to software platforms that include multiple distinct but integrated capabilities.
- To make software available across the entire enterprise, companies now routinely provide remote users access via the Internet.
- To streamline the entire marketing supply chain, enterprises are increasingly providing access to external business partners.
These changes have produced conditions that make the security of software platforms both essential and challenging.

- More than ever before, software now contains information that is proprietary or confidential and highly valuable to the enterprise.
- The number of individuals who need access to software platforms is larger than ever before, and the access needs of users vary significantly.
- Remote access makes software platforms more vulnerable to external attacks.

The consequences of flawed or inadequate security can be significant. Consider a few examples:

1. A global provider of computer games sells into a country that requires mature games to include a specific warning label on the packaging. The same game is sold elsewhere with no labeling requirement. The packaging designs are identical except for the warning label. A marketing employee in the affected country has access to all versions of the game's packaging designs and inadvertently orders packaging without the required label. As a result, the company sells thousands of copies of the game without the warning label, thus incurring significant legal liabilities.

2. A major manufacturer of telecom equipment sells primarily through wireless service providers. The manufacturer is involved in highly confidential negotiations to create a special version of one of its products for one of its resellers. The manufacturer's marketing department creates several content assets for the special product, but access to these marketing assets is not sufficiently restricted. As a result, other resellers learn about the special offering, and two of those resellers decide to end their relationship with the manufacturer.

3. An insurance company based in Paris licenses a photograph for use in its marketing materials. Under the terms of the license, the company obtains the right to use the photograph only in France. The photograph is included in the company's marketing asset database, but the image is not tagged with the use restriction. A marketing employee includes the image in marketing materials that are distributed in Italy and Spain, thus exposing the company to legal liabilities for violating the terms of the license.
4. A global manufacturer of medical equipment based in the US introduces a new product that it intends to sell only in the US during a ramp-up period. Marketing assets and materials relating to this product are included in the company's marketing content database, but access to these assets and materials is not restricted to US employees. As a result, several salespeople based outside the US download product brochures and begin to include the product in their presentations to non-US prospective clients.

These examples illustrate the importance of using secure marketing software solutions. When selecting such solutions, marketing leaders must understand what security capabilities are needed and how each prospective solution provides those capabilities.
Fundamentals of Information Security

Information security can be defined as the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.

There are three core dimensions of information security: Confidentiality, Integrity, and Availability. Security professionals refer to these three essential elements as the CIA Triad.

Confidentiality

In the information security context, confidentiality means that only authorized individuals or systems can access an information system or the data it contains. To use a phrase often found in spy novels, confidentiality means that only those with an authorized need to know can obtain access to an information system or the data it houses. Confidentiality requires data to be protected while in use, in storage, and in transit. The primary mechanisms for protecting confidentiality are user access controls and data encryption.
Integrity

Integrity refers to the correctness of information and the prevention of unauthorized modification of data or other system components. There are three basic requirements for achieving integrity.

- Unauthorized individuals or systems must be prevented from making any modifications.
- Authorized individuals or systems must be prevented from making unauthorized modifications (whether intentional or accidental).
- Data and other system components must be maintained in a consistent state. For example, a power outage should not cause a change in either data or other system components.

The primary mechanism for protecting integrity is an access control system that prevents unauthorized modifications.

Availability

Availability means that an information system and the data it contains are readily accessible to authorized users. Systems and data can become unavailable because of accidental occurrences (natural disasters, power outages, etc.) and because of intentional attacks. Malicious attacks against availability are known as denial of service attacks. Maintaining availability requires a wide variety of measures. For example, using redundant hardware components and having an effective disaster recovery plan can minimize the effects of hardware failures and natural disasters. The primary mechanisms for dealing with denial of service attacks typically include a combination of attack detection, traffic classification, and response tools.

Accountability

Some security professionals add the concept of accountability to the CIA Triad. In this context, accountability refers to the ability to trace the events, actions, and activities that occur in an information system back in time to the users, systems, or processes that performed them. The objective is to establish responsibility for actions or omissions that impair information security. The primary mechanisms for providing accountability are the system and application log files created and maintained by the information system.
Built-In Security

An important key to protecting information security is to use software whose programming code and architecture are free of vulnerabilities. IT security professionals now recognize that it is far more effective to design and engineer software with built-in security than it is to protect vulnerable software after it is in use.

Developing secure software applications requires software providers to use a development process that encourages and supports the consideration and evaluation of security issues at every step of the development life cycle. The field of software security (defined as the process of designing, building, and testing software for security) is still relatively new, but best practices have begun to emerge.

When evaluating software applications, you should always insist that prospective vendors provide detailed information regarding the processes they use to assure the security of their software solution. Below are some of the more important questions you should ask potential vendors:

- Do you review security issues at each phase of the software development life cycle?
- What methodologies do you use for security testing? More specifically, do you use automated tools for security testing and/or code review?
- What training does your development team receive specifically regarding application security?
Security of the ADAM Software Platform

The software solution provided by ADAM Software (the ADAM Platform) is designed to meet the demanding information security requirements of large enterprises, particularly those that operate internationally.

The ADAM Platform utilizes a variety of architectural features and functional capabilities to enhance confidentiality, integrity, availability, and accountability, including:

- A highly configurable identity and access management system
- A multi-tier architecture that prevents direct user access to system data
- Extensive data encryption capabilities
- Robust capabilities for monitoring activity in the ADAM Platform
- Scalability capabilities that support software and hardware redundancy and enhance availability

In addition to these architectural features and capabilities, the security of the ADAM Platform is supported by a software development process that places information security at the forefront during each stage of the software development life cycle.
Granular Access Control

The ADAM Platform provides a highly configurable role-based access control system for managing user access and privileges. With a role-based access control approach, access to a software system is based on roles defined in the system that align to actual job functions. Specific permissions or privileges are assigned to these roles, and individual users are also assigned to these roles. Role-based access control systems enable access to be managed at the necessary level of granularity, while simultaneously reducing the time required to administer the identity and access management system.

The diagram below depicts a high-level view of the identity and access management system used in the ADAM Platform.

[Diagram: identity and access management in the ADAM Platform. Elements shown: General, Sites, Individual User, Organizations, Roles, Languages, Field Group Permissions, Filetype Permissions, User Groups, Classification Permissions, Record Permissions.]

As this diagram shows, user groups provide the primary basis for managing user access and privileges.
The user hierarchy in the ADAM Platform has four primary components.

- Individual Users: Each individual user has a unique user account for the ADAM Platform. The user account contains basic identity credentials (user name and password) as well as user profile information such as an address, a photo, and the language that will be used for the individual's user interface. For enterprises that use Microsoft's Active Directory for user authentication, the ADAM Platform can be configured to integrate with Active Directory. With integration, Active Directory will be used as a central datastore for user authentication and authorization, and user roles from Active Directory are mapped to user groups in the ADAM Platform. The ADAM Platform user repository can be used in combination with Active Directory integration if an organization has external users that it does not want to store in its domain repository.

- User Groups: Each individual user is assigned to one or more user groups. A user group is composed of individuals who have the same or similar job functions and require the same level of access to the ADAM Platform to effectively perform their job responsibilities. Therefore, user groups in the ADAM Platform will typically reflect the functional organization of the enterprise.

- Organizations: Each user group is assigned to an organization. Many enterprises will only require one organization in their ADAM Platform. However, the ADAM Platform enables an enterprise to define multiple organizations, which can be useful when the enterprise operates through subsidiaries or independent business units. Multiple organizations allow enterprises to manage user groups on a per-organization basis and to delegate security management responsibilities to administrators in each organization.

- Sites: The ADAM Platform also enables an enterprise to create multiple sites within one ADAM environment. Sites allow an enterprise to have different settings for each ADAM application server that uses the same database. For example, if an enterprise has an internal website and a website outside its firewall and both websites connect to the same ADAM database, these websites may need to connect with different SMTP servers for sending out notifications. To address this issue, the enterprise can create two sites in the ADAM Platform and assign each to a different SMTP server. The ability to create and use multiple sites is particularly useful for enterprises that use the ADAM Platform to provide SaaS solutions to their customers.
In the ADAM Platform, access rights and permissions are usually granted to user groups. Individual users inherit their access rights and permissions by virtue of their membership in one or more user groups. There is no limit to the number of user groups that can be created in the ADAM Platform, which enables an enterprise to manage user access and privileges at a granular level. This approach also significantly streamlines access management by eliminating the need for administrators to assign permissions to individual users. For example, the ADAM Platform in a large enterprise might have 10,000 individual users, but only 50 user groups.

As the above diagram shows, the ADAM Platform does enable access rights and permissions to be granted directly to individual users, but we suggest that this capability should be used sparingly in order to gain the administrative benefits of a role-based access system.

The access rights and permissions granted to user groups fall into two categories.

- Roles: Roles give or deny the right to perform specific actions in the ADAM Platform. For example, roles are used to grant access to specific application Studios (Asset Studio, DocMaker, etc.) and to allow or prohibit actions such as changing passwords, accessing previews, and managing maintenance jobs. The ADAM Platform provides up to 150+ specific roles (depending on the Platform components installed), and it enables enterprises to create additional roles. The ability to utilize highly specific permissions is another feature of the ADAM Platform that enables enterprises to manage user privileges at a granular level.

- Record-based permissions: Record-based permissions control who can do what to the marketing assets (images, documents, etc.) contained in the records that are managed in the ADAM Platform. Individual asset records are linked to freely configurable asset classifications, and access rights are granted to user groups on a per-classification basis. Administrators can grant access rights to the classification itself and/or the asset records linked to that classification. The ADAM Platform further supports granular access control by enabling administrators to choose from eleven different access levels for each asset classification. (See the following page for a description of these eleven access levels.)
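The record-based permission model described above, using the eleven access levels the page lists under ADAM Permissions, can be sketched as follows. This is an added example, not ADAM Software's code. It assumes that an explicit deny caps the denied right and everything above it, that a deny from any of a user's groups overrides grants from the other groups, and that a classification with no level set anywhere up to the root gives no access; the group and classification names are constructed.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, Iterable, Optional, Tuple


class Right(IntEnum):
    """Cumulative rights, ordered as in the ADAM Permissions list."""
    NONE = 0
    READ = 1
    CLASSIFY = 2
    MODIFY = 3
    DELETE = 4
    FULL_CONTROL = 5


INHERIT = "None"  # "No access specified": defer to the parent classification

# Access level name -> (highest right granted, lowest right explicitly denied).
ACCESS_LEVELS: Dict[str, Tuple[Right, Optional[Right]]] = {
    "Read": (Right.READ, None),
    "Classify": (Right.CLASSIFY, None),
    "Modify": (Right.MODIFY, None),
    "Delete": (Right.DELETE, None),
    "Full Control": (Right.FULL_CONTROL, None),
    "Delete + Deny Full Control": (Right.DELETE, Right.FULL_CONTROL),
    "Modify + Deny Delete": (Right.MODIFY, Right.DELETE),
    "Classify + Deny Modify": (Right.CLASSIFY, Right.MODIFY),
    "Read + Deny Classify": (Right.READ, Right.CLASSIFY),
    "Deny Read": (Right.NONE, Right.READ),
}


@dataclass
class Classification:
    name: str
    parent: Optional["Classification"] = None
    # user group name -> access level name (INHERIT or a key of ACCESS_LEVELS)
    acl: Dict[str, str] = field(default_factory=dict)


def level_for_group(node: Classification, group: str):
    """Walk towards the root until the group has an explicit access level."""
    current: Optional[Classification] = node
    while current is not None:
        level = current.acl.get(group, INHERIT)
        if level != INHERIT:
            return ACCESS_LEVELS[level]
        current = current.parent
    return None  # assumption: nothing set anywhere in the chain means no access


def effective_right(node: Classification, groups: Iterable[str]) -> Right:
    """Combine the levels of all of a user's groups on one classification."""
    granted = Right.NONE
    ceiling = Right.FULL_CONTROL
    for group in groups:
        entry = level_for_group(node, group)
        if entry is None:
            continue
        grant, denied = entry
        granted = max(granted, grant)
        if denied is not None:
            # Assumption: a deny removes the denied right and all higher ones,
            # and it wins over grants coming from the user's other groups.
            ceiling = min(ceiling, Right(denied - 1))
    return min(granted, ceiling)


def is_allowed(node: Classification, groups: Iterable[str], right: Right) -> bool:
    return right != Right.NONE and effective_right(node, groups) >= right


# Constructed sample tree, modelled on the "sell only in the US" scenario.
ASSETS = Classification(
    "Assets", acl={"Marketing-Global": "Modify", "Sales-NonUS": "Read"})
PRODUCTS = Classification("Products", parent=ASSETS)
US_LAUNCH = Classification(
    "US Launch", parent=PRODUCTS,
    acl={"Sales-NonUS": "Deny Read", "Marketing-US": "Full Control"})

if __name__ == "__main__":
    for user_groups in (["Sales-NonUS"], ["Marketing-Global"],
                        ["Marketing-Global", "Sales-NonUS"], ["Marketing-US"]):
        print(user_groups, "->", effective_right(US_LAUNCH, user_groups).name)
```
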
ADAM Permissions

- None: No access specified. The access level is determined via inheritance, using the security of the Parent Classification.
- Read: The user is only allowed to see the Classification or its Records and open the details page. He cannot modify or delete it.
- Classify: Read + the user can link and unlink the Record in this Classification.
- Modify: Classify + the user can modify the Classification or its Record details and is allowed to create new sub-classifications in this Classification.
- Delete: Modify + the user can delete the Classification and/or its Records.
- Full Control: Delete + the user can change the Classification's security settings.
- Delete + Deny Full Control: Delete access with explicit denial of the rights to change security.
- Modify + Deny Delete: Modify access with explicit denial of the rights to delete Classifications or Records.
- Classify + Deny Modify: Classify access with explicit denial of the rights to modify Classification or Record details.
- Read + Deny Classify: Read access with explicit denial of the rights to classify Records in this Classification.
- Deny Read: The user is explicitly denied access to this Classification and/or its Records.

In addition to the primary access control system, the ADAM Platform provides a variety of other mechanisms that enable and support robust access management.

- Metadata fields can be used to set both release and expiration dates at the individual asset level, and these dates can be used in conjunction with the primary access control system to manage access rights.
- Metadata fields can also be used to describe any use limitations associated with rights-managed marketing assets. For example, if a photographic image is licensed under terms that permit use only in specified geographic areas or types of media, or with certain attribution requirements, metadata fields can be used to tag the image with these restrictions.
- The ADAM Platform provides extensive watermarking capabilities. A watermark assures that users only see a corrupted version of a marketing asset (an image, a document, etc.). Watermarks can be assigned globally, per user group, per individual user, and even per file or file version. Therefore, watermarking provides a practical way to discourage the improper use of marketing assets.

Multi-Tier Architecture

The ADAM Platform uses a multi-tier architecture to support and enhance both performance and security. In the ADAM Platform, presentation, application processing, and data management are logically separate processes, and they exist on three distinct architectural tiers.

From a security perspective, the use of a multi-tier architecture means that end users do not and cannot directly access the records residing in the ADAM database or the asset files associated with those records. Access to database records and asset files is provided only by way of a specific ADAM application Studio. This approach supports and enhances information confidentiality and integrity by enabling user identity and permissions to be authenticated and validated before access is provided.

Data Encryption

The ADAM Platform enables and supports robust data encryption. Because the ADAM Platform uses FTP and HTTP protocols, it can also use SFTP and HTTPS protocols for encrypting datastreams. Therefore, sensitive data can be stored in the ADAM Platform database in encrypted form, and all communications between users and the ADAM Platform and between applications within the ADAM Platform can also be encrypted.

Robust Activity Monitoring

As noted earlier, accountability is a key element of information security. The primary mechanism for providing accountability is the activity logs created and maintained in a software application.
The ADAM Platform automatically generates and maintains detailed logs of all application and database activity that occurs in the Platform. These log files capture and store all actions taken by users within the Platform. Therefore, enterprise managers can audit these activity logs to identify the source of any events, actions, or activities that impact information security.

Availability Through Scalability

The ADAM Platform is highly scalable, and this scalability can be used to provide authorized users reliable access to Platform resources. The various components of the ADAM Platform can be separated and hosted on multiple hardware servers, which enables an enterprise to construct an environment that contains both hardware and software redundancy. For more information regarding the scalability of the ADAM Platform, please refer to our Technical Proposition titled "Scalability". You can download Scalability at:

Built-In Security

The software development process used by ADAM Software is designed to ensure that the ADAM Platform has security built in to its architecture and programming code. ADAM Software applies the same rigorous security process to all development activities related to the ADAM Platform, including major Platform updates (new releases) and the addition of new application features and functionality. Security-related aspects of the ADAM Platform software development process include, but are not limited to:

- Security requirements are identified and documented and are included in the specifications for all development projects.
- Risk analysis (threat assessment) is an integral part of the design stage of all development projects.
- Programming languages, components, and development tools are evaluated for their ability to avoid software vulnerabilities.
- Code review and code testing are performed at multiple stages of the development process.
The security of the ADAM Platform has been recognized in two ways by Microsoft:

- ADAM Software has earned the Certified for Windows Server 2008 R2 certification, and Microsoft audited the security aspects of the ADAM Platform in connection with awarding this certification.
- Because Microsoft is an ADAM Software customer, the ADAM Platform underwent a rigorous security evaluation (and was approved) by Microsoft's Application Consulting & Engineering (ACE) team.
Contact

ADAM Software, Kortrijksesteenweg 1108A, 9051 Gent, Belgium
ADAM Software US Inc, 1515 Broadway, New York, NY, United States
Web: adamsoftware.net

About ADAM Software

ADAM Software is a global provider of media workflow and marketing technology software. We offer enterprises the ability to manage, structure and deliver media between people, processes and systems. Working with our partners enables us to implement our software globally while providing workflow solutions to all types of enterprises. What drives us is a passion to organize media intelligently, making it easier and more accessible to everyone.
THE SECURITY OF HOSTED EXCHANGE FOR SMBs
THE SECURITY OF HOSTED EXCHANGE FOR SMBs In the interest of security and cost-efficiency, many businesses are turning to hosted Microsoft Exchange for the scalability, ease of use and accessibility available
Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security
Technical Paper Plain talk about security When it comes to Cloud deployment, security is top of mind for all concerned. The Infor CloudSuite team uses best-practice protocols and a thorough, continuous
Data Management Policies. Sage ERP Online
Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...
Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 EES17 --------------
w Microsoft Volume Licensing Enrollment for Education Solutions Addendum Microsoft Online Services Agreement Amendment 10 Enrollment for Education Solutions number Microsoft to complete --------------
INFORMATION SECURITY PROGRAM
Approved 1/30/15 by Dr. MaryLou Apple, President MSCC Policy No. 1:08:00:02 MSCC Gramm-Leach-Bliley INFORMATION SECURITY PROGRAM January, 2015 Version 1 Table of Contents A. Introduction Page 1 B. Security
Splunk Enterprise Log Management Role Supporting the ISO 27002 Framework EXECUTIVE BRIEF
Splunk Enterprise Log Management Role Supporting the ISO 27002 Framework EXECUTIVE BRIEF Businesses around the world have adopted the information security standard ISO 27002 as part of their overall risk
Supplier Security Assessment Questionnaire
HALKYN CONSULTING LTD Supplier Security Assessment Questionnaire Security Self-Assessment and Reporting This questionnaire is provided to assist organisations in conducting supplier security assessments.
How To Manage Web Content Management System (Wcm)
WEB CONTENT MANAGEMENT SYSTEM February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in
QuickBooks Online: Security & Infrastructure
QuickBooks Online: Security & Infrastructure May 2014 Contents Introduction: QuickBooks Online Security and Infrastructure... 3 Security of Your Data... 3 Access Control... 3 Privacy... 4 Availability...
FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.
1. Obtain previous workpapers/audit reports. FIREWALL CHECKLIST Pre Audit Checklist 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 3. Obtain current network diagrams
INFORMATION TECHNOLOGY ENGINEER V
1464 INFORMATION TECHNOLOGY ENGINEER V NATURE AND VARIETY OF WORK This is senior level lead administrative, professional and technical engineering work creating, implementing, and maintaining the County
SECURITY TRENDS & VULNERABILITIES REVIEW 2015
SECURITY TRENDS & VULNERABILITIES REVIEW 2015 Contents 1. Introduction...3 2. Executive summary...4 3. Inputs...6 4. Statistics as of 2014. Comparative study of results obtained in 2013...7 4.1. Overall
Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis
Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University
Vendor Audit Questionnaire
Vendor Audit Questionnaire The following questionnaire should be completed as thoroughly as possible. When information cannot be provided it should be noted why it cannot be provided. Information may be
Newcastle University Information Security Procedures Version 3
Newcastle University Information Security Procedures Version 3 A Information Security Procedures 2 B Business Continuity 3 C Compliance 4 D Outsourcing and Third Party Access 5 E Personnel 6 F Operations
Implementing HIPAA Compliance with ScriptLogic
Implementing HIPAA Compliance with ScriptLogic A ScriptLogic Product Positioning Paper By Nick Cavalancia 1.800.424.9411 www.scriptlogic.com Table of Contents INTRODUCTION... 3 HIPAA BACKGROUND... 3 ADMINISTRATIVE
Brainloop Cloud Security
Whitepaper Brainloop Cloud Security Guide to secure collaboration in the cloud www.brainloop.com Sharing information over the internet The internet is the ideal platform for sharing data globally and communicating
Office of Inspector General
DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,
Procedure Title: TennDent HIPAA Security Awareness and Training
Procedure Title: TennDent HIPAA Security Awareness and Training Number: TD-QMP-P-7011 Subject: Security Awareness and Training Primary Department: TennDent Effective Date of Procedure: 9/23/2011 Secondary
Oracle Database Security. Nathan Aaron ICTN 4040 Spring 2006
Oracle Database Security Nathan Aaron ICTN 4040 Spring 2006 Introduction It is important to understand the concepts of a database before one can grasp database security. A generic database definition is
MassTransit Leveraging MassTransit and Active Directory for Easier Account Provisioning and Management
MassTransit Leveraging MassTransit and Active Directory for Easier Account Provisioning and Management A Technical Best Practices White Paper About This Document This whitepaper explores the challenges
Designing, Optimizing and Maintaining a Database Administrative Solution for Microsoft SQL Server 2008
Course 50400A: Designing, Optimizing and Maintaining a Database Administrative Solution for Microsoft SQL Server 2008 Length: 5 Days Language(s): English Audience(s): IT Professionals Level: 300 Technology:
Developing the Corporate Security Architecture. www.avient.ca Alex Woda July 22, 2009
Developing the Corporate Security Architecture www.avient.ca Alex Woda July 22, 2009 Avient Solutions Group Avient Solutions Group is based in Markham and is a professional services firm specializing in
How To Use Egnyte
INTRODUCING ON DEMAND FILE SERVER FROM BT WHOLESALE APPLICATION STORE WHAT IS ON DEMAND FILE SERVER? The three most common technology challenges facing every small business are data storage, information
SERENA SOFTWARE Serena Service Manager Security
SERENA SOFTWARE Serena Service Manager Security 2014-09-08 Table of Contents Who Should Read This Paper?... 3 Overview... 3 Security Aspects... 3 Reference... 6 2 Serena Software Operational Security (On-Demand
SOA REFERENCE ARCHITECTURE: WEB TIER
SOA REFERENCE ARCHITECTURE: WEB TIER SOA Blueprint A structured blog by Yogish Pai Web Application Tier The primary requirement for this tier is that all the business systems and solutions be accessible
Remote Access Platform. Architecture and Security Overview
Remote Access Platform Architecture and Security Overview NOTICE This document contains information about one or more ABB products and may include a description of or a reference to one or more standards
HIPAA Privacy & Security White Paper
HIPAA Privacy & Security White Paper Sabrina Patel, JD +1.718.683.6577 [email protected] Compliance TABLE OF CONTENTS Overview 2 Security Frameworks & Standards 3 Key Security & Privacy Elements
PAVING THE PATH TO THE ELIMINATION OF THE TRADITIONAL DMZ
PAVING THE PATH TO THE ELIMINATION A RSACCESS WHITE PAPER 1 The Traditional Role of DMZ 2 The Challenges of today s DMZ deployments 2.1 Ensuring the Security of Application and Data Located in the DMZ
Principles of Information Assurance Syllabus
Course Number: Pre-requisite: Career Cluster/Pathway: Career Major: Locations: Length: 8130 (OHLAP Approved) Fundamentals of Technology or equivalent industry certifications and/or work experience. Information
Network Assessment. Prepared For: Prospect Or Customer Prepared By: Your Company Name
Network Assessment Prepared For: Prospect Or Customer Prepared By: Your Company Name Environment Risk and Issue Score Issue Review Next Steps Agenda Environment - Overview Domain Domain Controllers 4 Number
RL Solutions Hosting Service Level Agreement
RL Solutions Hosting Service Level Agreement April 2012 Table of Contents I. Context and Scope... 1 II. Defined Terms... 1 III. RL Solutions Responsibilities... 2 IV. Client Responsibilities... 4 V. The
Board Portal Security: How to keep one step ahead in an ever-evolving game
Board Portal Security: How to keep one step ahead in an ever-evolving game The views and opinions expressed in this paper are those of the author and do not necessarily reflect the official policy or position
GE Measurement & Control. Cyber Security for NEI 08-09
GE Measurement & Control Cyber Security for NEI 08-09 Contents Cyber Security for NEI 08-09...3 Cyber Security Solution Support for NEI 08-09...3 1.0 Access Contols...4 2.0 Audit And Accountability...4
Ohio Supercomputer Center
Ohio Supercomputer Center Security Education and Awareness No: Effective: OSC-6 06/02/2009 Issued By: Kevin Wohlever Director of Supercomputer Operations Published By: Ohio Supercomputer Center Original
MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL
MICHIGAN OFFICE OF THE AUDITOR GENERAL AUDIT REPORT THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL ...The auditor general shall conduct post audits of financial transactions and accounts of the state and of
Information Security Policy
Essay 7 Information Security Policy Ingrid M. Olson and Marshall D. Abrams This essay discusses information security policy, focusing on information control and dissemination, for automated information
Open Directory. Apple s standards-based directory and network authentication services architecture. Features
Open Directory Apple s standards-based directory and network authentication services architecture. Features Scalable LDAP directory server OpenLDAP for providing standards-based access to centralized data
1 Purpose... 2. 2 Scope... 2. 3 Roles and Responsibilities... 2. 4 Physical & Environmental Security... 3. 5 Access Control to the Network...
Contents 1 Purpose... 2 2 Scope... 2 3 Roles and Responsibilities... 2 4 Physical & Environmental Security... 3 5 Access Control to the Network... 3 6 Firewall Standards... 4 7 Wired network... 5 8 Wireless
HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER
HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER With technology everywhere we look, the technical safeguards required by HIPAA are extremely important in ensuring that our information
The Protection Mission a constant endeavor
a constant endeavor The IT Protection Mission a constant endeavor As businesses become more and more dependent on IT, IT must face a higher bar for preparedness Cyber preparedness is the process of ensuring
Protect Everything: Networks, Applications and Cloud Services
Protect Everything: Networks, Applications and Cloud Services Tokens & Users Cloud Applications Private Networks Corporate Network API LDAP / Active Directory SAML RADIUS Corporate Network LDAP / Active
LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES
LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable
Information Technology Cyber Security Policy
Information Technology Cyber Security Policy (Insert Name of Organization) SAMPLE TEMPLATE Organizations are encouraged to develop their own policy and procedures from the information enclosed. Please
October 2013 702P00860. Xerox App Studio. Information Assurance Disclosure. Version 2.0
October 2013 702P00860 Xerox App Studio Information Assurance Disclosure Version 2.0 2013 Xerox Corporation. All rights reserved. Xerox and Xerox and Design and ConnectKey are trademarks of Xerox Corporation
AD Management Survey: Reveals Security as Key Challenge
Contents How This Paper Is Organized... 1 Survey Respondent Demographics... 2 AD Management Survey: Reveals Security as Key Challenge White Paper August 2009 Survey Results and Observations... 3 Active
Log Management Standard 1.0 INTRODUCTION 2.0 SYSTEM AND APPLICATION MONITORING STANDARD. 2.1 Required Logging
Log Management Standard Effective Date: 7/28/2015 1.0 INTRODUCTION The California State University, Chico system/application log management standard identifies event logging requirements, log review frequency,
MS-50400 - Design, Optimize and Maintain Database for Microsoft SQL Server 2008
MS-50400 - Design, Optimize and Maintain Database for Microsoft SQL Server 2008 Table of Contents Introduction Audience At Completion Prerequisites Microsoft Certified Professional Exams Student Materials
Security Controls What Works. Southside Virginia Community College: Security Awareness
Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction
Introduction. PCI DSS Overview
Introduction Manage Engine Desktop Central is part of ManageEngine family that represents entire IT infrastructure with products such as Network monitoring, Helpdesk management, Application management,
How To Achieve Pca Compliance With Redhat Enterprise Linux
Achieving PCI Compliance with Red Hat Enterprise Linux June 2009 CONTENTS EXECUTIVE SUMMARY...2 OVERVIEW OF PCI...3 1.1. What is PCI DSS?... 3 1.2. Who is impacted by PCI?... 3 1.3. Requirements for achieving
RAYSAFE S1 SECURITY WHITEPAPER VERSION B. RaySafe S1 SECURITY WHITEPAPER
RaySafe S1 SECURITY WHITEPAPER Contents 1. INTRODUCTION 2 ARCHITECTURE OVERVIEW 2.1 Structure 3 SECURITY ASPECTS 3.1 Security Aspects for RaySafe S1 Data Collector 3.2 Security Aspects for RaySafe S1 cloud-based
TENDER NOTICE No. UGVCL/SP/III/608/GPRS Modem Page 1 of 6. TECHNICAL SPECIFICATION OF GPRS based MODEM PART 4
TENDER NOTICE No. UGVCL/SP/III/608/GPRS Modem Page 1 of 6 TECHNICAL SPECIFICATION OF GPRS based MODEM PART 4 Cloud services (Data Centre) and related Functional requirement Cloud services as a Control
Adobe Digital Publishing Security FAQ
Adobe Digital Publishing Suite Security FAQ Adobe Digital Publishing Security FAQ Table of contents DPS Security Overview Network Service Topology Folio ProducerService Network Diagram Fulfillment Server
MIGRATIONWIZ SECURITY OVERVIEW
MIGRATIONWIZ SECURITY OVERVIEW Table of Contents Introduction... 2 Shared Security Approach... 2 Customer Best Practices... 2 Application Security... 4 Database Level Security... 4 Network Security...
Rule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed)
Version: Modified By: Date: Approved By: Date: 1.0 Michael Hawkins October 29, 2013 Dan Bowden November 2013 Rule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed) 01.1 Purpose
Cloud Computing for SCADA
Cloud Computing for SCADA Moving all or part of SCADA applications to the cloud can cut costs significantly while dramatically increasing reliability and scalability. A White Paper from InduSoft Larry
Oracle WebCenter Content
Oracle WebCenter Content 21 CFR Part 11 Certification Kim Hutchings US Data Management Phone: 888-231-0816 Email: [email protected] Introduction In May 2011, US Data Management (USDM) was
GoodData Corporation Security White Paper
GoodData Corporation Security White Paper May 2016 Executive Overview The GoodData Analytics Distribution Platform is designed to help Enterprises and Independent Software Vendors (ISVs) securely share
Data Security and Privacy Principles for IBM SaaS How IBM Software as a Service is protected by IBM s security-driven culture
Data Security and Privacy Principles for IBM SaaS How IBM Software as a Service is protected by IBM s security-driven culture 2 Data Security and Privacy Principles for IBM SaaS Contents 2 Introduction
CounselorMax and ORS Managed Hosting RFP 15-NW-0016
CounselorMax and ORS Managed Hosting RFP 15-NW-0016 Posting Date 4/22/2015 Proposal submission deadline 5/15/2015, 5:00 PM ET Purpose of the RFP NeighborWorks America has a requirement for managed hosting
University of Central Florida Class Specification Administrative and Professional. Information Security Officer
Information Security Officer Job Code: 2534 Serve as the information security officer for the University. Develop and computer security system standards, policies, and procedures. Serve as technical team
Fundamentals of Information Systems Security Unit 1 Information Systems Security Fundamentals
Fundamentals of Information Systems Security Unit 1 Information Systems Security Fundamentals Learning Objective Explain the concepts of information systems security (ISS) as applied to an IT infrastructure.
