SERENA SOFTWARE Serena Service Manager Security

Transcription

1 SERENA SOFTWARE Serena Service Manager Security

2 Table of Contents Who Should Read This Paper?... 3 Overview... 3 Security Aspects... 3 Reference Serena Software

3 Operational Security (On-Demand Only) Who Should Read This Paper? This document describes security aspects of Serena Service Manager (SSM). The intended audience for this white paper includes: Technical decision makers who are considering Serena Service Manager as their new IT Service Management application. IT Analysts and IT Managers who are interested in understanding the security aspects of SSM. Overview Service Manager is a highly flexible IT service management (ITSM) offering that delivers highly available, secure, and scalable applications. Service Manager leverages the Serena Business Manager (SBM) platform to provide a secure, reliable, and highly adaptable ITSM solution. Service Manager is designed to automate the complete service delivery process, provide a simple yet powerful role-based experience to all service desk users, and deliver complete visibility into the status of issues across the service lifecycle through rich reports and dashboards. It also aids with ITIL compliance while providing a foundation that can be extended to streamline other core IT processes. Security Aspects This section describes aspects of security that are provided by the SBM platform, which powers Serena Service Manager. SBM provides confidentiality, integrity, and availability of customer data. SSM applications and data are secured from various types of threats via the security layers illustrated below: OPERATIONAL SECURITY (ON-DEMAND ONLY) The day-to-day operational security of SBM on-demand includes adherence to the following: Policy Serena Service Manager Security 3

4 Security Aspects The operational security policy defines the responsibilities and authorization of the IT team that manages SBM in the cloud. Change management process The IT team has defined precise processes that control how changes to the network, hardware, and software are executed. The state of the hardware, operating system, and configurations are monitored and all changes are logged and executed in a controlled way. The logs are evaluated and checked for potential mis-configurations. Access control There is very restricted access to the network devices and hardware where SBM runs. All log in attempts are tracked for security purposes. Patch management All operating system and anti-virus software updates are implemented on-time via automated processes. The automation process helps to run the update software with no human interaction, while ensuring updates arrive on time to reduce the risk of new threats and vulnerabilities. NETWORK SECURITY SBM is designed to ensure that all data traveling in the network is secured to prevent any leakage of sensitive information. This involves the use of strong network traffic encryption techniques such as Secure Socket Layer (SSL), multi-layer security services, and the most advanced state-of-the-art tools like Intrusion Detection and Prevention Systems (IDPS) to detect any malicious activities. APPLICATION SECURITY With each release, Serena performs extensive black-box and white-box testing to ensure there is no data leakage. The solutions are also checked against possible security vulnerabilities by using strong encryption techniques for data security and fine-grained authorization to control access to data. Serena uses the following methods and practices to ensure application and data security: Confidentiality Confidentiality ensures that a customer's data is only accessible by authorized entities. SBM provides confidentiality via the following mechanisms: Identity and Access Management Designed to ensure that only authenticated entities are allowed to access the system. Encryption SBM encrypts critical data in the database. SmartCard Authentication Provides a secure and reliable authentication method that allows users who have a current Smart Card (containing valid certificates and identity information) to gain access to a Smart Card-enabled SBM system once the proper PIN is provided. Identity and Access Management The strongest security controls have no protection against an attacker who gains unauthorized access to credentials or keys. Strong security not only requires running the system in a secure mode; it also requires policies that govern exactly who, what, when, how, and from what location users can access specific IT systems and data (in addition to related auditing requirements). SBM provides Single Sign-On (SSO) authentication out-of-the-box, while interacting with components at run time and design time. It also provides a complete audit trail of all interactions and changes that are performed by either humans or applications during a session. SBM-API Authentication 4 Serena Software

5 Security in the On-Demand (SAAS) Environment The SBM API provides Web services via the Simple Object Access Protocol (SOAP) protocol, which enables integrations with external systems. The protocol can be configured to run over SSL using customer credentials for authentication. Additionally, all interaction is controlled by the role of the authenticated user, which provides additional security such that unsolicited users cannot access restricted data in SBM. SSL Authentication for Internet Traffic For on-premise customers, all communication between SBM and end users or external systems can be protected with SSL. (SSL is enabled for on-demand customers automatically). Client Certificate Authentication On-premise customers can also enable bi-directional (or two-way SSL authentication) between the components in SBM. Client certificate authentication provides tighter security for your entire SBM installation because once trust is established, each machine can reliably identify itself and provide assurance of its identity to the server. Application Vulnerability Assessment Internet applications are always vulnerable to attacks by various malicious users, abusive bots, and crawlers that can exploit weaknesses in the data security model to gain unauthorized access to important data. SBM is scanned for Web application security as part of the certification process upon each release, and it is thoroughly tested using the following assessments to validate the security of the enterprise data that is stored in the database. Cross site scripting (XSS) Access control weaknesses OS and SQL injection flaws Cross site request forgery (CSRF) Cookie manipulation Hidden field manipulation Insecure storage Insecure configuration Serena understands that any vulnerability that is detected during these tests can be exploited to gain access to sensitive enterprise data and ultimately lead to financial loss. Our development and quality assurance organizations endeavor to expose and resolve these types of potential vulnerabilities during each testing cycle. Serena takes security seriously. We strive to aggressively enhance SBM to safeguard against any new vulnerabilities that are discovered. SECURITY IN THE ON-DEMAND (SAAS) ENVIRONMENT The software industry has changed dramatically over the last few years. With the popularity of cloudcomputing platforms, companies are looking for packaged business applications that are available ondemand. Companies are taking advantage of the Software-as-a Service (SAAS) model to reduce IT costs normally associated with traditional on-premise applications (such as managing hardware requests, patches, and IT services). The popularity of SAAS-based business applications increases the provider s responsibility to provide a cloud-based platform that offers outstanding service delivery and security. For SSM on-demand, the security layers and techniques described above are implemented and managed by a team of trained, experienced, and certified security professionals. Confidentiality is ensured for on-demand customers. The data for each customer is isolated data from one customer is not visible to any other customer (or tenant in the multi-tenant environment). SSL is enabled for end users by default for SSM on-demand. To improve performance, all internal communication is performed using HTTP, but it is protected by firewall. The SSL certificates are procured from approved providers such that end user browsers can fully trust the certificate authenticity while accessing the application. Serena Service Manager Security 5

6 Reference SSM on-demand also provides enterprise-level data protection. The data is regularly backed up to facilitate quick recovery in case of disaster. Full data back-ups are taken weekly; daily incremental back-ups and transaction logs are taken every four hours. The hosting provider has been certified by PCI Council DSS 1.2 for data protection. Reference ABOUT SERENA Serena Software, Inc. provides Orchestrated IT solutions to the Global Serena's core purpose is to advance the business value of IT. Our 4,000 active enterprise customers, encompassing almost one million users worldwide, have made Serena the largest independent ALM vendor and the only one that orchestrates DevOps, the processes that bring together application development and operations. Headquartered in Silicon Valley, Serena serves enterprise customers from 29 offices in 14 countries. Serena is a portfolio company of HGGC. CONTACT Web site: Copyright 2014 Serena Software, Inc. All rights reserved. Serena, TeamTrack, ChangeMan, PVCS, StarTool, Collage, and Comparex are registered trademarks of Serena Software, Inc. Change Governance, Command Center, Dimensions, Mover and Composer are trademarks of Serena Software, Inc. All other product or company names are used for identification purposes only, and may be trademarks of their respective owners. 6 Serena Software