GoodData Security Overview




GoodData deploys industry-standard security practices in its GoodData Open Analytics Platform and extends them to data storage in a hardened cloud environment.

GoodData is proven security. GE, Comcast, Target, and Time Warner Cable are a few of the companies that trust GoodData. This paper describes the security features of the GoodData platform and the operational controls put into place to ensure the security of your data.

Security has been integrated into the architecture, policies, and procedures of the GoodData platform. In this paper, you will learn about the design, credentials, change management, and other security mechanisms of the GoodData platform.

This paper covers the following topics:

- GoodData Platform Security Overview: An overview of the platform architecture.
- GoodData Security Certification and Accreditation: Certifications and accreditations earned by the GoodData platform.
- Application-Level Security: GoodData has implemented features to secure users and operations within the web application.
- Data Security: An overview of security features implemented to ensure that your data is safer with GoodData.
- Rackspace Security Implementation: An overview of security implementation across multiple layers (physical, virtual infrastructure, software infrastructure security, and more) and application and administrative security features.
- Organizational Security and Change Management Processes: A description of GoodData's operational security practices, including organizational security and change management processes, data backup and disaster recovery, and compliance with industry regulations.

Note: Additional details are available in the GoodData Security White Paper, which is available under NDA. For more information, please contact your GoodData representative.

GoodData Platform

Internal communications are managed over SSL, except for internal cluster communications, which are protected by firewall and need non-SSL communications for performance reasons.

The GoodData platform is designed to organize functional and security aspects into well-defined, multi-tenant layers: presentation, analytical engine, datamart, data warehouse, and extract, transform, and load (ETL) (see Figure 1).

[Figure 1: Presentation; Analytical Engine; Datamart; Data Warehouse; Extract, Transform, & Load; On-prem, Cloud, Big Data]

This architecture provides robust data processing capabilities while ensuring the privacy and security of your enterprise data. The platform also accommodates a large number of customers without requiring a separate instance for each customer. Currently, more than 35,000 companies use GoodData, with 28,000 users at one customer alone.

The foundation of this flexible and secure data solution lies within the architecture of the individual layers of the platform.

- User authentication and authorization on the web API layer: Verifies that a valid identity is attached to each request and is authorized for access to required resources.
- Logical security controls: Logical security measures and relationships between individual users, projects, data stores, and the meta-model are configured within the control layer. Multiple authentication providers can be integrated with your solution to support authentication, including optional Single Sign-On (SSO).
- Client access: Access to operational tools over your projects is restricted to a single project at a time. Client requests are managed individually by the Relational Online Analytical Processing (ROLAP) engine, so that each client request is separated into a set of tasks that are executed independently without sharing contextual or other information.
- Data store security: The meta-model and data are logically separated in each project, and each project is an individual physical entity. Connection to the data store is restricted through access credentials configured and stored within the control layer.
- Encryption: Input and output are protected by SSL encryption technology, and all data at rest is encrypted as well.

GoodData Security Certification and Accreditation

GoodData participates in and complies with relevant industry certification and accreditation programs to provide you the highest level of assurance regarding GoodData operations, infrastructures, and controls in place.

When it comes to regulatory compliance, GoodData knows that its customers often operate within a complex statutory environment that governs the retention and management of customer data. As safe and secure management of data becomes a global issue, GoodData keeps up with international security compliance mandates, and continues to monitor and improve compliance with the specific regulatory requirements in customer industries and locales.

There's Safety In Numbers, Says Forrester [1]

Cloud service providers employ a multitenancy model, which means that multiple customers are served by a single instance of software. By employing this model, cloud services are inherently more secure, according to Forrester, which says there are four supporting reasons for making them even more secure than the typical enterprise. Why? There's safety in numbers:

- Cloud services have more to lose if their operations aren't secure. Providing cloud services is their business. If they get a reputation for lacking security, they won't survive in a tough marketplace.
- You ask clouds for transparency. Cloud service providers tend to be much more transparent about availability, uptime, and security incidents than enterprise IT shops. Why? Their customers demand it. They need to do this to assure you that they are taking all the steps possible to protect your data.
- Focus gives clouds an edge. They only have one service to secure and one version of that service, which lets their security teams really focus.
- Security comes through obfuscation. If hackers targeted your company, it would be simpler for them to focus on your data center or internet domain than to get at your data through a cloud provider's security mechanisms and multitenant environment.

[1] Understanding Cloud's Multitenancy, by James Staten and John R. Rymer, Forrester, March 15, 2012.

GoodData possesses the following certifications:

- Service Organization Control (SOC) 2 Report under SSAE 16
- A licensee of the TRUSTe Privacy Program
- Salesforce.com AppExchange Security Review for GoodData AppExchange Apps
- Abides by the EU Safe Harbor Framework as outlined by the U.S. Department of Commerce and the European Union

GoodData also provides a range of technology tools and measures to assist you in meeting your security requirements. These features include data and transport encryption technologies, data access application program interfaces (APIs), and administrative controls.

For data archiving, information managed by the GoodData infrastructure can be retrieved by customers using the GoodData APIs. These APIs can be used to export data, including collaboration data, on a periodic basis. Additionally, all data can be encrypted in transit to meet certain regulations, and API tokens have time to live (TTL).

Finally, GoodData has attained the following independent web application security certifications:

- TRUSTe
- Symantec
- salesforce.com

Rackspace Security Implementation

For more information on Rackspace, see www.rackspace.com

GoodData's open analytics platform is built and hosted on top of enterprise-ready collocation services from Rackspace, Inc. A scalable, distributed computing infrastructure is used to host and manage GoodData applications. Rackspace provides a robust suite of security features, which the GoodData platform automatically inherits. These features are augmented by specific GoodData features and policies around securing the platform and its data.

Physical Infrastructure

The GoodData infrastructure, including network switches, load balancers, servers, and shared storage devices, is managed and configured by GoodData personnel, in conjunction with the Rackspace support team. Rackspace is one of the top providers of managed collocation services and has achieved a high standard regarding its security certifications. All GoodData services are configured for high availability with automatic failover capabilities.

Rackspace administrators do not have access to a server's virtual images and cannot log in to GoodData server instances.

By using this enterprise-level infrastructure, GoodData can:

- Deploy the GoodData platform across multiple geographical regions to ensure redundancy and high availability.
- Replicate the infrastructure setup to any datacenter.
- Optimize the infrastructure for different levels of regulatory and performance compliance.
- Maintain complete control of hardware configurations.

Virtual Environment Security

The private cloud deployment provides a cloud-based infrastructure for the hosted GoodData platform. The OpenStack technology used for the private cloud includes several security measures of specific use to the GoodData platform:

- Separation of user roles for manipulating the virtual hosts
- Network security model for strict separation of virtual hosts, with different roles on L2 network layer
- Security groups for TCP/IP and Ethernet levels of traffic control

Authentication, Authorization, and Single Sign On

GoodData architecture relies on a centralized authentication and authorization security framework to control access to services. The security framework enforces security policy through password strength algorithms that set minimum password length and complexity, and through CAPTCHA filters that use human-readable images to reduce the risk of automated attacks against customer data.

For communications between virtual servers, GoodData relies on an additional set of authentication mechanisms and protocols to control access to customer data. For example, access to any customer database is only permitted by a specified set of front-end servers. This restriction is intended to prevent unauthorized services or systems from accidentally or maliciously retrieving or modifying customer data.

Backups are archived for at least one year.

Data Replication, Backup, and Archiving

For disk backup, GoodData has implemented functionality in the private cloud environment similar to the Amazon Elastic Block Storage (EBS) data store. The private cloud storage layer provides a basic level of redundancy. When changes are detected in a particular data set, a backup is created on Amazon Simple Storage Service (S3) as well.

Backups are stored on Amazon S3 systems. They are encrypted with GnuPGP protection, using 128-bit AES encryption and randomly generated passphrases at least 64 bytes long (Gnome Password Generator).

The Hardware Security Layer

The GoodData infrastructure, which includes network switches, load balancers, servers, and shared storage devices, is managed and configured by GoodData personnel in conjunction with the Rackspace support team. All devices are protected by an industry-grade hardware firewall appliance, and all GoodData services are configured for high availability with automatic failover capabilities.

In addition, GoodData applies additional security measures to further safeguard the environment:

- Dedicated network and hardware is secured by an industry-grade firewall and network security zones.
- All data transfers, passwords, data at rest, and backups are encrypted using SSL protocol and SHA-2 or AES algorithm.
- For data at rest, encryption is managed at the hypervisor (VMM) level.
- All devices used by the instance are automatically encrypted, and all data access is audited.

The hardware servers hosting the virtual hosts are managed by GoodData. All Linux operating system deployments are under GoodData control. As part of general security reviews, regular patch management is performed. Patches are periodically reviewed for security vulnerability by a third party. All these maintenance procedures on operating system images, patch management, and security hot-fixes are subjected to GoodData's defined change management process.

All network switches are managed by GoodData personnel. The firewall is managed primarily by GoodData personnel, although Rackspace is available for on-site maintenance tasks upon explicit request. The switch and firewall configurations are automatically backed up, and any change in configuration is tracked and reviewed by the GoodData team.

Data in the Rackspace private cloud is typically stored on two primary devices (local disk and shared storage), except for backups and information with longer retention, which are encrypted and stored in Amazon's S3 service. This works as follows:

On local disks:

- Used mostly for data warehousing
- Whole disk strong encryption (AES256) is used to implement data at rest encryption
- RAID setup for improved reliability
- Optimized hardware setup for performance

Using shared storage:

- Primarily used for moving the data between virtual hosts
- Hardware encryption appliances provide AES256 data at rest encryption
- High-availability setup
- Designed for high-performance data sharing

Rackspace Virtual Environment Security

GoodData's private cloud deployment on Rackspace provides a cloud-based infrastructure for the hosted GoodData platform. The OpenStack technology used for this private cloud includes several security measures of specific use to the GoodData platform, including separation of user roles for manipulating the virtual hosts; network security model for strict separation of virtual hosts, with different roles on L2 network layer; and security groups for TCP/IP and Ethernet levels of traffic control.

At Rackspace, the GoodData OpenStack cloud implementation is based on kernel-based virtual machine (KVM) virtualization. To provide the same level of security on the virtualization level, it uses the same processes and architecture that are used in the AWS cloud to access the virtual hosts.

All network access to the virtual hosts is protected by a multi-layered firewall operating in a deny-all mode. Internet access is only permitted on explicitly opened ports for an explicitly listed and limited number of virtual hosts. To reduce the network attack surface, GoodData virtual servers operate an enterprise version of Linux with a minimum subset of services. At the network level, the Intrusion Detection System is managed by the Rackspace network team.

Private Cloud Data Replication, Backup, and Archiving

For disk backup, GoodData has implemented functionality in the private cloud environment similar to the EBS data store. The private cloud storage layer provides a basic level of redundancy. When changes are detected in a particular data set, a backup is created on Amazon S3 for the private cloud deployment, too.

Application-Level Security

Dashboards can be filtered by date or by attribute value to limit access to data by user, region, or other criterion.

The GoodData platform provides a range of application-level security mechanisms that allow you to fine-tune your GoodData solution to meet specific requirements. Each granular action in the platform can be controlled by a customer-managed permission. Permissions are grouped into roles and are always global.

Security and privacy are enforced at the GoodData project level. A project contains a data warehouse and its users. Users in a project can never see into other projects, and each project has database instance affinity. User roles inside projects are either Admin, Editor, or Viewer.

Because the GoodData Platform is built as a self-service Web 2.0 application, users can administer their own accounts and easily collaborate with the other users of the platform. The following activities are completely self-service in the GoodData Platform:

- Account registration and activation
- Password reset
- Project (data mart) creation and administration
- Project invitations and sharing (project owner and certain roles only)
- Suspending user access to projects (project owner and certain roles only)

In the GoodData platform, you can apply date and attribute filters to your dashboards to limit the data that is displayed in them. This data access control is especially useful for publishing dashboards to Embedded Dashboard Only users. The combination of data filter and dashboard-only access provides the finest grain of control over data access in the GoodData Platform.

Data Security

Platform architectural patterns are strategically selected around data confidentiality, integrity and availability. These patterns include data segregation, consistency checks (MD5), and log management. The GoodData platform features active monitoring using situational awareness algorithms.

Strict process separation (sealed) is a built-in design feature of all GoodData software development and operational lifecycles. The deployed multi-tenant security patterns provide effective isolation and sealing of data and metadata, even while sharing the same physical storage grids. Continuous monitoring and situational awareness enable analysis and logging of known data movements and quickly surface anomalies and outliers for immediate response. Data transport and long-term storage are protected using industry standard methods of encryption (SSL/TLS, strong symmetric-key cryptography).

The GoodData platform is independent of specific database technologies, since users are interacting with a logical data model (LDM) to define attributes, facts and their relationships, which are built in a proprietary application instead of the physical data layer (PDM). All metrics and reports are defined at the LDM layer and correlate to the underlying physical data model. Data visibility can be restricted using mandatory filters and via metadata security. For example, queries for a user or group can be restricted to a specific region, and access to sensitive datasets may be restricted. This level of abstraction enables continuous improvements and changes to the PDM, including support at the PDM layer for new database technologies.

Optionally, administrators can configure expressions to filter data access for project members. These expressions are configured as part of all internal queries, so that users are exposed only to the report data appropriate to their roles.

If a customer chooses to end its relationship with GoodData, GoodData maintains its backups and archives for a period of time, as defined by the customer's service plan effective at the date of termination. Customers may request complete and permanent deletion of their data by contacting GoodData support. The unit on which data destruction is applied is an entire project (a data mart). GoodData support does not provide data deletion on the individual report or data-load level.

Organizational Security and Change Management Processes

The Director of Operations monitors the revoking of access to employees who become inactive or change job roles.

On the GoodData platform, secure operations extend beyond putting the right systems and technologies in place. Our effective security infrastructure is also embedded into our organizational culture and everyday business processes.

GoodData has deployed several layers of operational security to eliminate the risks associated with human activities. All employees with access to customer data are thoroughly screened, and access to the production environment is only permitted through a secure gateway from a predefined set of locations. Through the gateway, administrators invoke platform functions; they are not permitted to directly interact with the platform components.

GoodData policy is to provide system access only to appropriately trained staff who require a specific level of access to perform authorized tasks. Internal systems enforce unique user IDs and strong passwords and limit password reuse. To manage access, GoodData relies on industry-standard security systems and standards including LDAP, Kerberos, and RSA. Physical security requires individuals to show badges and input access codes at all company buildings and hosting sites, and only authorized users can gain access to servers, logs, customer information, and system configuration information.

Logical access to the production environment by GoodData employees is limited to the core operational personnel only. All access keys are stored within an encrypted credentials vault. Access requests, grants, and revocations are periodically reviewed. All changes to access rights are logged and are based on roles and job responsibilities. The approval process maintains audit records of all changes.

Access to the production infrastructure servers for the platform is restricted at the network level. Each server is accessible only from one access node, which can be accessed only by authorized GoodData operations personnel. A specific set of credentials is required for authentication from the access node; access to the access node server does not automatically enable access to production servers.

Change management is also a critical aspect of GoodData's security profile. At GoodData, software design is a two-phase process. First, the requirements-analysis phase assembles both functional and nonfunctional requirements into a document. Next, the technical analysis phase results in a detailed technical specification document. Both documents require a three-way sign-off between Product Management, Engineering, and Operations. During both phases, the engineering and delivery teams carefully consider the impact of the newly introduced features or changes on GoodData Platform security.

For development and test stages, all source code and other artifacts that are part of the product are subject to version control and are managed in centralized version repositories. When code for a feature has been completed, the new code artifacts need to pass multiple quality controls before they are allowed into the main product code base. The main product branch is then subject to continuous integration (automated testing) so that any regressions not captured by the other quality controls are discovered and corrected as soon as possible. The continuous integration process includes the full cycle of product build, packaging, and deployment in order to simulate the actual production deployment as closely as possible.

The development cycle reaches the QA phase when all features approved for the upcoming release have reached the main product code base. One or more release candidates are subsequently built from the main product code base and are subject to extensive manual testing. Each release candidate test cycle has its own test plan, and a written record of passed and failed test cases linked to the defect tracking system is generated and retained. The release candidate that reaches QA acceptance is subsequently scheduled for a production release.

If the result of the test upgrade passes all of the prescribed tests and validation routines, the release is subsequently applied to the production environment. A deployment plan and a deployment log are kept for each production deployment, and the GoodData delivery team is required to comment on and to explain all manual steps taken during the deployment that are specific to that particular release.

GoodData then proactively monitors the platform for security incidents, including alert notifications generated by GoodData systems, alerts generated by Amazon and Rackspace, open source and industry alerts, and community alerts.

GoodData does not release information about customers or customer data to third parties.

When an alert is raised, the risk level is assessed first. Based on this assessment, the prescribed response process is chosen and launched. Documented escalation procedures and communication protocols clarify when and how an escalation takes place, and who is notified.

GoodData maintains a strong privacy policy to protect customer data. GoodData is obligated to protect access to customer information while also abiding by the law. Information can only be obtained from GoodData through a valid legal process, such as a search warrant, court order, or subpoena. If legally permitted, GoodData notifies the organization whose information is being sought and allows them 21 days to respond.

GoodData hiring practices ensure that all staff are qualified for their functional responsibilities and hold appropriate certifications or accreditation, if required. At a minimum, these practices include verification of the individual's education and previous employment, as well as a reference check. Based on the statutory environment and the employee's position, additional background checks may be performed.

The employee on-boarding process includes a mandatory security orientation session during which new employees are instructed about security policies and procedures. All employment contracts include a clause clarifying the staff member's responsibility to communicate significant issues to GoodData's management team.

Conclusion

To ensure effective information security, GoodData has implemented the people, processes, and technical protection measures demanded of a leading-edge enterprise solution.

All external messaging is managed over SSL. HTTPS communications feature a two-level authentication mechanism for additional security.

GoodData has designed the GoodData platform to ensure the security of its customers' data and analytics. The GoodData platform is hosted on Rackspace, consistently rated among the top-line collocation service providers. The base security features offered by Rackspace are augmented by applying select technologies, such as key-based authentication, data encryption, platform monitoring, and firewall configuration, as well as policies for change and incident management. Additionally, wherever possible, the GoodData security model is designed to be open and pluggable to accommodate customer-specific requirements, such as third-party authentication, user account management, or primary storage encryption.

By partnering with Rackspace, GoodData enables implementation across multiple layers, including physical, virtual infrastructure, software and infrastructure security. It also delivers other application and administrative security features, as well as a completely encrypted environment. GoodData ensures security at both the application and data levels, and has implemented rigorous change-management processes as a critical part of its security profile.