Adobe Analytics Data Workbench Managed Service Security

Transcription

1 Adobe Marketing Cloud White Paper Adobe Analytics Data Workbench Managed Service Security Table of contents 1. Network Operations Personnel Security 2. Data Backup and Archival Services and Policies 3. Continuity of Business and Redundancy Options 4. Change Control Processes 5. Availability and Performance Rating 6. Managed Service Security Infrastructure 7. Data Retention Policies 8. Access to Offline Data 9. Remote Data Integration 10. Remote Application Administration 11. Physical Security For our Managed Service Option, Adobe provides Adobe Analytics Premium clients with an outsourced, high quality delivery of our analysis, reporting, and data collection applications. As part of the process of establishing this service for a client, we provision, configure, manage, and maintain our software applications, including the underlying supporting software and all related hardware components. Our Managed Services include the support of related server operating systems, any third-party software, and other components necessary for the management and monitoring of the Managed Services environment. For our Managed Service solutions, Adobe provides a dedicated environment for operating the Data workbench platform. This begins with the base server hardware, which consists of high performance computing and storage servers based on either the Intel or AMD X86 architecture in a configuration optimized for high performance data analytics. Adobe provisions the systems, builds the configurations, installs the Operating System software and data workbench server software, tests the systems and deploys it in our secure hosting facility. The servers are designed for performance and reliability, with each machine containing redundant power supplies connected to separate power sources and having storage subsystems that utilize high performance RAID controllers for data access speed and reliability. We maintain an onsite reserve of spare components and equipment to deal with any hardware problems. Once deployed, the system is monitored and managed by a skilled team of systems and network professionals utilizing an array of network, systems and application management tools. This monitoring information is communicated to our 24/7 Network Operations Center to ensure that all systems are running at peak performance. Through a robust access control facility, which may be configured by a client administrator, authentication to the access control system is managed by X.509 PKI. RC4 128bit encryption is used with 1024 bit keys. Stronger ciphers may be substituted. In addition, further authorization may be provided by challenge response authentication and supported integration with corporate LDAP authorization infrastructures. We maintain security through the use of firewalls, intrusion detection, proprietary monitoring and network policies and procedures. We provide services to the U.S. Federal Government, financial institutions with GLB compliance requirements, and VeriSign, among other clients with the need for best-of-breed security. Our Security Model is comprised of the following layers: Network Operations Personnel Security Network Operations Center personnel take security very seriously and have implemented multiple procedures and technologies to maintain the security of our clients information. Adobe closely adheres to a strict Information Security Policy, and routinely conducts reviews and assessments, as well as a yearly audit conducted by an independent third party. Adobe adheres to all applicable legal and regulatory requirements, but is not beholden to any one security standard. To ensure personnel security, which is vital to any secure managed infrastructure, Adobe uses a thorough process to hire its employees. A third-party hiring service (HireRight) performs a seven-year background check on the following items: National Criminal Database

2 Court Records SSN History If the employee will have direct access to customer data, Executive approval is required and the following additional checks are performed: Motor Vehicle Records (MVR/DMV) Credit History Prohibited Parties (i.e. state/federal registries) Data Backup and Archival Services And Policies Upon server deployment, Adobe installs a configurable software Client on each server that communicates with a central backup repository and simultaneously performs backups to a dedicated multi-terabyte network-attached disk- and tape-based backup system. The system is configured to backup targeted data directories on a daily basis. The data targeted for backup includes the raw data, typically in a.vsl format, the profile and other significant data workbench configuration data, and any available integration data. The destination of the backup is to a dedicated network attached storage system provisioned with a minimum of one Terabyte of disk storage. The system is capable of expanding to multiple terabytes as needed. Having the backups reside on a disk subsystem makes the process of recovering the data much simpler and faster. The network used to backup the data is Gigabit Ethernet, which, given the higher network throughput, serves to shorten the time necessary to backup and recover data. On a once monthly basis, data is archived from the primary backup storage to disk- or tape-based portable media and delivered to a secure secondary site storage facility. All data is stored for the entire life of the contract, and data may be requested by client at any time during that time span or upon contract completion. As an option, Adobe can configure a number of high availability services engineered to support Continuity of Business requirements for redundant data collection or application and server availability. This includes the ability to replicate data in near-real-time to a secondary facility and configuring of additional server hardware to support data analysis at the secondary facility in the case of loss of connectivity to the primary facility. Continuity of Business and Redundancy Options As an option, Adobe can configure a number of high availability services engineered to support Continuity of Business requirements for redundant data collection or application and server availability. This includes the ability to replicate data in near-real-time to a secondary facility and configuring of additional server hardware to support data analysis at the secondary facility in the case of loss of connectivity to the primary facility. Adobe would be pleased to provide a quote for these services given a set of Continuity of Business objectives. Change Control Processes All system updates, environment changes and changes to the data workbench server environment are managed through the Adobe Managed Services change control process. The process begins with a work request generated out of our Ticket Management system, which tracks events from inception to completion. We utilize a testing/staging environment for validation prior to content deployment. Content is monitored continuously and any content changes generate notifications to Network Operations Center personnel. Any changes to content require strict change control procedure involving deployment to testing/staging environment. Change control is essential in all environments, as a change in a staging or development environment that creates a design flaw will typically be replicated to the production environment. Availability and Performance Monitoring Availability and performance monitoring is accomplished by utilizing a multi-pronged approach to systems and application management and monitoring. This is essentially using a combination of active, automated system and application monitoring tools, and the data workbench applications facility for self-diagnosis. We have deployed tools in our data center that continuously perform health-checks against the systems in running in 2

3 deployment. This includes monitors for items such as CPU utilization, network availability, disk space utilization, memory utilization, HTTP port availability, service state and functionality, event log errors, system board and CPU temperature, and numerous other data points. The active tools are set to alarm when a threshold is reached and the personnel at the Network Operations Center are alerted when an issue exists. In addition, the data workbench Server application has the ability to generate alarms when abnormal behavior is detected. Also, all systems management personnel routinely perform data workbench and network inspections of the systems to verify system performance and availability. Managed Service Security Infrastructure With respect to security services, Adobe has gone to great lengths to ensure that servers in the Adobe data center are protected both electronically and physically. This section describes the physical security aspect of the Adobe facility, the redundancies in place to protect the network, and corporate practices to protect Client data. Network Security Adobe employs a combination of Intrusion Detection Software and Automated Vulnerability Remediation technologies to secure the network and the systems running on the network. This is deployed in conjunction with high-performance firewall technologies to enforce a custom set of network-access rules designed for maximum security of the reporting and analytics applications operating in the client s dedicated environment. These rules are regularly monitored and updated to maintain a secure, managed environment. data workbench currently incorporates the Juniper Networks firewall solutions in a redundant configuration; this high-performance hardware firewall is capable of sustaining high bandwidth and connection rates. Firewall Protection Adobe employs high-performance hardware firewall appliances for securing the network from external network-based threats. Data workbench utilizes the Netscreen Firewall from Juniper Networks deployed in a redundant configuration; this high-performance and secure hardware firewall is capable of sustaining high bandwidth and high connection rates. We use a custom set of firewall-access rules designed for maximum security of the reporting and analytics applications operating in Client dedicated environment. These rules are regularly monitored and updated to maintain a secure, managed environment. Intrusion Detection We utilize a Network Intrusion Detection system for network-based threat detection. The system is capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, and OS fingerprinting attempts. Intrusion attempts generate alerts to the 24x7 Network Operations Center who engage immediately to resolve the issue. Data workbench employs Automated Vulnerability Remediation technologies to secure the server systems running on the network. This serves to secure the server Operating System and prevent any damage to data or applications in the unlikely event of system compromise by rogue applications or malware. The system also provides notification when system is vulnerable to comprise and requires Operating System software updates. Transmission Encryption All transmission links between our software products that leave our secured network are encrypted using SSL. Data workbench sensor transmits data to data workbench server using a single persistent HTTPS connection from anywhere on the Internet; the same is true for data transmission from data workbench server to data workbench client user interface. If any firewalls reside between data workbench sensor and data workbench server, or data workbench server and data workbench client, then HTTPS must be permitted between them through the firewall. All data transmissions are encrypted by default using SSL, RC4 128bit encryption though larger keys and other ciphers may be used in special situations upon request. Authentication 3

4 The data workbench platform PKI uses X.509 digital certificates to authenticate software components and users. Every data workbench client and named user is issued a revocable personal digital certificate that is installed on their computer to enable communications with appropriate data workbench servers. This certificate is initially locked to their computer and will not then enable access from another computer. If a digital certificate is presented that is invalid or that has not been specifically given permission to access any data on a given data workbench server, that user will be denied access. Our Report Portal has a User ID and password based authentication system that may be configured appropriately. In addition, the Report Portal may be run in HTTPS mode and or the certificate security services in the users browsers may be configured to support further authentication by X.509 certificate issued by Verisign. Data Segregation Adobe makes it a practice to deploy only dedicated infrastructure for the support of our managed services clients. This includes devices such as servers, storage, and network load-balancing switches. As a result, data collected on behalf of Adobe clients are stored separately and apart from another client s data. This isolation benefits our clients by creating a level of security and also assures that one client s systems operation will in no way affect that of another. Data Access Control The data workbench access control system is situated within data workbench server, which allows the control of access to any Profile and Dataset on a read-only or read-write basis to any named user or other application process. Multiple levels of access control are provided and may be configured remotely by a system administrator with appropriate rights. Rights may be granted based on a role, an organization, an organizational unit or an individual. This operation is performed remotely by an administrative user using the data workbench client interface. The administrator modifies the Access Control component of the application to allow the users and groups the privileges required. This configuration is typically performed upon initial setup and deployment by the Technical Account team after the requirements are gathered around the access control required for project team members and end users. Data Retention Policies Our policy for customer data retention and ownership states that the client owns all the data that we collect on their behalf and that the data is retained for the life of the contract. The raw data, stored in.vsl format, will be housed at Adobe secure hosting facility and will be sent directly to client upon contract termination or earlier if requested. To obtain the data earlier, client will need to make a written request to the account manager assigned to the project and specify the range of data required. There will be a nominal cost incurred for storage media, data retrieval and transportation. You can receive any of the collected data from our managed service solution at any time, as needed, or on a regular schedule such as daily, or weekly using the application s ability for data export. Data retention rates will vary depending on the size of the overall system deployed in support of the client and the rate in which data grows. The target range is to have data online for twelve consecutive months for data analysis purposes. This will mean that the raw data will be available for processing, which is the term Adobe uses to describe the process of preparing data for analytical use. Data workbench employs a predictive, analytical model to best calculate for the rate and quantity of data that will be generated over the coming year and recommends a system appropriately sized to accommodate the growth. The raw data beyond the twelve month period will be stored on near-line storage and is readily accessible to be placed online for processing, as long as client has the infrastructure provisioned to accommodate for it. All that data will be kept indefinitely, until the end of the contract. Report data, data that is generated by data workbench report on an interval basis and typically used for general report distribution, either via or thorough the Report Portal will be stored indefinitely as well, until the end of the contract. 4

5 Access to Offline Data If client chooses to send Adobe their offline data, we are prepared to accept it in several manners. Network and disk storage facilities will be provisioned at project inception to accommodate for client external data and can be made available. FTP or some other file transfer mechanism access can be provisioned if Client prefers. If the quantity of data is sufficiently large, client may choose to transport the data using external storage media via overnight delivery. If client has a requirement to support a specific data transfer mechanism, then Adobe can structure a support arrangement around that specific need given that any third party or custom software required for the deployment of the solution is procured by client. Remote Data Integration Procedures Our capability for integrating external data with the Web channel data collected by Data workbench sensors is flexible and adaptable to a wide range of data integration requirements. Remote data integration procedures vary based on the nature of the data being integrated. Data workbench client users, if so permissioned, can load data directly to the data workbench servers at the Managed Services data center. FTP is supported for the transfer of files to and from the Managed Services data center. In addition, data workbench server and data workbench report support other types of point-to-point data transmission. In each case, a change management process is defined for handling updates to the associated lookup files or other integration data, depending upon its nature, in order to meet client business requirements. Updated files can be loaded and integrated into the dataset processing for data workbench based on the frequency and schedule defined by client. Remote Application Administration Data workbench supports the remote administration of data workbench server and its components by a user with proper permissions. Adobe is sometimes contracted by our clients to remotely administer their Server software applications in times when they do not have appropriate staffing levels or have undergone turnover. This option allows clients who do not have internal administration staff to take advantage of running the data workbench solution in-house where advanced data integration may be implemented more readily. Physical Security Our data center facilities deliver multi-level physical security because mission-critical Internet operations require the highest-level of security. All areas of the center are monitored and recorded using CCTV, and all access points are controlled: All equipment arriving at the facility is checked by security personnel; All exterior entrances are equipped with silent alarms and the automatic notification of appropriate law enforcement officials; All exterior walls are bullet resistant; CCTV digital camera coverage of entire center with archival system; CCTV is integrated with access control and alarm system; Data center exteriors are fully anonymous and have no windows; Motion-detection is integrated with lighting and CCTV coverage; No keys are required all doors, including cages, are secured with biometric hand geometry readers; Perimeter is bounded by concrete bollards/planters; The facility is manned by onsite security on a 24x7x365 basis. Physical access to the data center facility is controlled by biometric hand geometry readers (manufactured by Recognition Systems) with a required pass code, and is restricted to authorized personnel only. The use of the hand geometry reader is required to: 5

6 Enter the man trap from the main entrance to the facility (data center can be entered only through this man trap); Leave the man trap and enter the main center; Enter the data center hosting area. Our data center facilities are also protected against any potential Environmental Security threats: Fire Suppression The Data Centers are protected with a dual-alarmed, dual-interlock multi- zoned, dry-pipe, water-based fire suppression system armed with sensory mechanisms (HSSD) to sample the air and give alarms prior to pressurization. Production area fire suppression is provided by a multi-zoned, pre-action, dry-pipe system. In order for the system to trip, multiple cross-linked events must occur. These include detection by ceiling mounted smoke heads and smoke sniffers located throughout the facility. Lastly a sprinkler head must trip in order for the dry- pipe system to activate. This requires a temperature of 140 degrees F at the head location. Fire suppression is localized at the event point only. Flood Control Data Center is built above sea-level, with no basements with tightly sealed conduits and moisture barriers on exterior walls. There are dedicated pump rooms, drainage/evacuation systems, and moisture detection sensors. Earthquakes Location-specific seismic compliance. Structural systems meet or exceed seismic design requirements of local building codes for lateral seismic design forces. In addition, equipment and nonstructural components, including cabinets, are anchored and braced in accordance with the requirements of the 1997 Uniform Building Code. Tornado The structural design will withstand any possible wind damage, although the facility was not specifically designed in accordance to any standards to withstand tornado damage, as tornados are a rare occurrence in Virginia. Electric Power Infrastructure Highly reliable power is imperative for critical client operations. The entire electrical system has built-in redundancy to guarantee continuous operation. The overall system is N+1 redundant, including each component within the parallel electrical systems: AC and DC raceways with 2N distribution; AC power delivery via distributed redundant UPS systems. Batteries with at least 7 minutes full load operation (diesel engine generators take roughly 8 seconds to synchronize and assume load); 48 hours worth of generator fuel; contracts with multiple fuel providers For more information Product details: Licensing inquiries: Contact information: Adobe Systems Incorporated 345 Park Avenue San Jose, CA USA Adobe, the Adobe logo, Acrobat, Acrobat Connect, ActionScript, Adobe Captivate, Authorware, Flash, and JRun are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Java is a trademark or registered trademark of Sun Microsystems, Inc. in the United States and other countries. All other trademarks are the property of their respective owners Adobe Systems Incorporated. All rights reserved. Printed in the USA /13 6