Tenzing Security Services and Best Practices



Similar documents
Tenzing Security Services and Best Practices

Payment Card Industry Data Security Standard

March

Achieving PCI Compliance Using F5 Products

KeyLock Solutions Security and Privacy Protection Practices

Five keys to a more secure data environment

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements

A Decision Maker s Guide to Securing an IT Infrastructure

SECURITY IN A HOSTED EXCHANGE ENVIRONMENT

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS)

IBX Business Network Platform Information Security Controls Document Classification [Public]

Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

Las Vegas Datacenter Overview. Product Overview and Data Sheet. Created on 6/18/2014 3:49:00 PM

PCI Requirements Coverage Summary Table

StratusLIVE for Fundraisers Cloud Operations

Cloud Assurance: Ensuring Security and Compliance for your IT Environment

Secure networks are crucial for IT systems and their

A GUIDE TO SECURITY AND PRIVACY IN A HOSTED EXCHANGE ENVIRONMENT TECHNICAL DOCUMENT

Security from a customer s perspective. Halogen s approach to security

PCI DSS Reporting WHITEPAPER

74% 96 Action Items. Compliance

Cisco Security Optimization Service

Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance

Client Security Risk Assessment Questionnaire

PCI Requirements Coverage Summary Table

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor January 23, 2014

BMC s Security Strategy for ITSM in the SaaS Environment

Achieving Compliance with the PCI Data Security Standard

PROTECTING YOUR VOICE SYSTEM IN THE CLOUD

GFI White Paper PCI-DSS compliance and GFI Software products

Overcoming PCI Compliance Challenges

CHEAT SHEET: PCI DSS 3.1 COMPLIANCE

FormFire Application and IT Security. White Paper

BAE Systems PCI Essentail. PCI Requirements Coverage Summary Table

Injazat s Managed Services Portfolio

Information Security Services. Achieving PCI compliance with Dell SecureWorks security services

Managed Security Services for Data

University of Pittsburgh Security Assessment Questionnaire (v1.5)

PCI Compliance. Top 10 Questions & Answers

Secure, Scalable and Reliable Cloud Analytics from FusionOps

White Paper How Noah Mobile uses Microsoft Azure Core Services

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015

Security aspects of e-tailing. Chapter 7

Caretower s SIEM Managed Security Services

Security Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions

PCI Compliance Top 10 Questions and Answers

Trend Micro VMware Solution Guide Summary for Payment Card Industry Data Security Standard

Security Services. 30 years of experience in IT business

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np

The Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements:

LoadMaster Application Delivery Controller Security Overview

QuickBooks Online: Security & Infrastructure

Security Controls for the Autodesk 360 Managed Services

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

PCI Compliance in Multi-Site Retail Environments

Bendigo and Adelaide Bank Ltd Security Incident Response Procedure

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

Compliance. Review. Our Compliance Review is based on an in-depth analysis and evaluation of your organization's:

Securing the Service Desk in the Cloud

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

Company Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc.

Protecting the Palace: Cardholder Data Environments, PCI Standards and Wireless Security for Ecommerce Ecosystems

Achieving PCI-Compliance through Cyberoam

Becoming PCI Compliant

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

LogRhythm and PCI Compliance

TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series

Table of Contents. FME Cloud Architecture Overview. Secure Operations. Application Security. Shared Responsibility.

GoodData Corporation Security White Paper

The Education Fellowship Finance Centralisation IT Security Strategy

Cloud Security Trust Cisco to Protect Your Data

SECURITY SOLUTIONS AND SERVICES

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

Projectplace: A Secure Project Collaboration Solution

GiftWrap 4.0 Security FAQ

Redhawk Network Security, LLC Layton Ave., Suite One, Bend, OR

Extreme Networks Security Analytics G2 Vulnerability Manager

Cisco Advanced Services for Network Security

Effective Threat Management. Building a complete lifecycle to manage enterprise threats.

SECURITY OVERVIEW FOR MY.ENDNOTE.COM. In line with commercial industry standards, Thomson Reuters employs a dedicated security team to protect our

Endpoint Security More secure. Less complex. Less costs... More control.

PCI DSS Top 10 Reports March 2011

Networking for Caribbean Development

Unified Security Anywhere SOX COMPLIANCE ACHIEVING SOX COMPLIANCE WITH MASERGY SECURITY PROFESSIONAL SERVICES

SMS. Cloud Computing. Systems Management Specialists. Grupo SMS option 3 for sales

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

Privacy + Security + Integrity

DETECT AND RESPOND TO THREATS FROM THE DATA CENTER TO THE CLOUD

How To Protect A Web Application From Attack From A Trusted Environment

SoftLayer Fundamentals. Security / Firewalls. August, 2014

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

Cloud Contact Center. Security White Paper

How To Secure Your Store Data With Fortinet

PCI DSS. Payment Card Industry Data Security Standard.

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

SANS Top 20 Critical Controls for Effective Cyber Defense

Transcription:

Tenzing Security Services and Best Practices

OVERVIEW Security is about managing risks and threats to your environment. The most basic security protection is achieved by pro-actively monitoring and intercepting various forms of attacks using antivirus software and network security measures. However, in order to completely assure yourself and your customers that your business, data and transactions are fully secured, a comprehensive approach to security is needed. This approach must cover process and human factors as well as direct technology threats. This is the only way that you can assure the Confidentiality, Integrity, and Availability (CIA) (Fig 1) of your online business and customer information, and be truly compliant with best practices and regulatory requirements. Tenzing is committed to mitigating the risks against the confidentiality, integrity, and availability of client information. As part of this commitment, continuous improvements are made to Tenzing s information security posture by adopting and incorporating best practices into critical aspects of processes and technologies. Tenzing believes in a multi-layered defense in depth approach to security and has a comprehensive suite of fully managed security services available to customers, including managed firewalls, VPNs, both network and host level intrusion detection and prevention services. When combined, these services provide a high level of confidence in the protection of systems and data, and assurances in addressing industry standards and compliance requirements, such as PCI-DSS Level 1, AT101 SOC 2 (previously known as SAS70 or SSAE16), CSAE3416 SOC1 and ISO27001. Tenzing s security services and policies are designed, maintained, and enforced by Tenzing s expert security and compliance team. The purpose of this document is to provide an inclusive summary of Tenzing s security processes and services. The full range of security processes are an integral part of Tenzing s core service and are designed to protect your operations and ensure that you fulfill your compliance commitments. Tenzing believes in a multi-layered defense in depth approach to security and has a comprehensive suite of fully managed services that provide a high level of confidence in the protection of systems and data. Information Confidentiality Integrity Availability Ensuring only those who ought to have access can do so Ensuring that information cannot be modified without detection Ensuring information can be accessed when needed Figure 1: Information Classes 2 Dallas Kelowna London Toronto Vancouver www.tenzing.com

Tenzing Security Compliance The challenging nature of regulatory and compliance requirements makes security compliance an exhaustive effort that requires full cooperation across the value chain of your online channel. As part of this value chain, Tenzing is compliant with a number of internationally recognized compliance regulations (see Fig. 2) as explained below: AT101 SOC Type 2 Network Security Server Security Critical Systems Protection Antivirus Logical Access PCI DSS IDS Firewall Data Security VPN SSL and Encryption Physical Access Figure 2: Tenzing Security System Access ISO 27000 PCI-DSS Tenzing is a Visa Level 1 PCI-DSS Compliant services provider and is listed as a third party services provider for MasterCard Worldwide and Visa Canada. Tenzing has completed the registration and validation processes for both the Mastercard and Visa program and has been certified for the highest level of transaction levels (Level 1). What this means is that Tenzing can host large volume, high value transaction sites and clients have less to worry about for PCI compliance. Tenzing s processes and policies fulfill a number of the operation related PCI control objectives for security. Tenzing uses a third party Qualified Security Assessor (QSA) to validate processes and security practices to ensure compliance with the relevant industry certifications. Tenzing successfully achieved the renewal of Attestation of Compliance (AOC) for PCI-DSS (Payment Card Industry-Data Security Standard, Service Providers) as well as a Report on Compliance (ROC) from its QSA. Furthermore, Tenzing is now recognized in its AOC as a PCI-compliant enterprise that provides Managed Services for Physical Security and the Management and Deployment of an Antivirus Solution. PCI Compliance is an integral component of online retailing and the security team at Tenzing has gone to great lengths to help clients achieve their PCI compliance objectives. 3 Dallas Kelowna London Toronto Vancouver www.tenzing.com

ISO 27001 Certification ISO/IEC 27001:2013 is a standard that brings information security under explicit management controls organized under an Information Security Management System (ISMS). An organization s ISMS outlines the restrictions and 114 controls that need to be in place across 14 domains in order to ensure the confidentiality, integrity and available of data (Fig 3). Tenzing is one of the few service providers in North America that validates its ISMS by performing an annual ISO 27001 audit. This audit further certifies that all of Tenzing s information security processes and procedures are up to the standard of industry best practices. Information Security Policy Organization of Information Security Human Resource Security Asset management Access control Cryptography Physical and environmental security Operations security Communications Security System acquisition, development and maintenance Supplier relationships Information security incident management Information security aspects of business continuity management Compliance Defines essential requirements for security. Intended to support management decisions and explain the organization s security and IP position. Ensures management support, security coordination, and security services are in alignment with business requirements and operations. Provides security communication, training and awareness for employees, contractors and other personnel. Includes background checks and other controls to assess human risks. Ensures that assets are accounted for and categorized by risk. Allows for the relevance of each business process to be evaluated and individual security requirements determined. Access to assets is modeled using appropriate access and business roles concepts. The appropriate technologies are then implemented to enforce the model. Defines the controls related to encryption and key management. Defines the controls required to protect assets from physical risks such as theft and damage. Defines the security of operations and information exchange between organizations and staff. Defines the security of information exchange and communication with external organizations. Defines the integration of security into the system development lifecycle. Includes security for change and configuration management. Defines the controls on what to include in supplier contracts and agreements as well as how to monitor the supplier. The establishment of people, process and technologies to ensure that security incidents are communicated in a manner allowing timely corrective action to be taken. Business Continuity Planning (BCP) aims at uncovering risks for the business process and defining emergency measures to enable the organization to resume normal operations. Identification and implementation of the appropriate actions necessary to ensure requirements from legal, regulatory, and other internal requirements are met. Figure 3: ISMS Domains Tenzing Security Services and Best Practices 4

AT101SOC 2 Type 2 and CSAE 3416 SOC 1 Type 2 (formerly SAS70) AT101 SOC 2 Type 2 is the authoritative guidance that allows service organizations to disclose their control activities and processes to customers and their customers auditors in a uniform reporting format. The issuance of a service auditor s report prepared in accordance with AT101 SOC 2 Type 2 signifies that a service organization has had its control objectives and control activities examined by an independent accounting and auditing firm. The service auditor s report, which includes the service auditor s opinion, is issued to the service organization at the conclusion of AT101 SOC 2 Type 2 examination. CSAE has been designed to provided the standards and guidance to an auditor who is reporting on the controls at a service organization. This is relevant to situations when the service (a specialized business task or function) being provided to customers (or user entities) impacts the user entity s financial reporting processes. In such situations, service organizations are subjected to the audits of these processes. (Please note that this audit report can only be applied to controls relevant to financial reporting.) These audits are very important as they validate that the security controls and processes that Tenzing has implemented are well designed, in place and under correct management. On top of external audits, Tenzing s information security team also conducts a number of internal audits that collect, assess and measure ongoing compliance with internal controls, industry best practices and the external audits mentioned earlier. Network Security Tenzing has implemented a variety of network security technologies to ensure the utmost level of security. Network security is the first line of defense from the outside world and it is intended to secure the information exchanged with the external world from malicious attacks as well as protect the security of your computing resources. Security is integrated into Tenzing s network services through its architecture as well as in the policies and procedures that govern its management. Tenzing employs a number of industry leading security measures including, but not limited to: separate physical network segments for public ( front-end ), private ( back-end ), and backup networks. Tenzing also uses vlans with firewalls in customer environments to segregate different types of customer traffic with encrypted access controls and default deny-all policies. Firewall Firewalls are installed at the perimeter of customer environments to protect and prevent un-authorized access, while at the same time isolating the web tier from the application and database tier. Tenzing uses carrier grade equipment for its firewall service, which are enterprise-class security appliances that provide network and application protection against Internet threats. This service is delivered using the latest Application Specific Integrated Circuit (ASIC) technology that enables wirespeeds for advanced security features such as Stateful Packet Inspection. VPN To provide a secure method of access to both clients and employees, Tenzing deploys redundant IPSEC VPN appliances that integrate seamlessly to provide secure VPN connectivity without the need to reconfigure the network or deploy additional hardware. Tenzing pro-actively manages the configuration and user administration, allowing clients direct, secure, and reliable remote and in-office connectivity to their managed infrastructure. 5 www.tenzing.com

Intrusion Detection Services (IDS) Tenzing s Intrusion Detection Services are designed to provide a critical layer of network defense against threats that easily bypass perimeter and endpoint defenses constantly protecting the internal network from worms, and other threats. Tenzing combines intrusion detection, vulnerability management and compliance reporting technology into a single integrated solution that offers both proactive and reactive protection from the latest threats. Tenzing s IDS encompasses a global view of security event trends to maintain accurate and relevant network security intelligence. Tenzing s Security Operations Center to quickly identify, escalate, contain and mitigate security breaches around the clock. Benefits of Tenzing IDS 24x7x365 monitoring for security events by Tenzing s Security Operations Center staffed with Certified Information Systems Security Professional (CISSP) and Global Information Assurance Certification (GIAC) certified experts via Intrusion Detection System (IDS) on Customer s edge network. IDS System configuration, maintenance and incident analysis from Tenzing s security team. Seven factor threat scenario modeling (Fig 4) to increase accuracy and reduce false alarms Figure 4: Network Threats DOS Assure Protection Service For many of Tenzing s clients, their online environment is a critical part of their business, their web properties generate revenue, reduce cost and gain efficiencies. For many clients a Distributed Denial of Service (DDoS) attack would bring business to a halt. Tenzing s DDOS protection service protects your site 24 x 7 from any DDoS attacks. The base configuration mitigates a wide number of incursions, including ICMP & UDP floods, Port Scans, SYN attack and Distributed Reflection DOS. Figure 5: DOS Assure Tenzing provides the following deployment options for DOS Assure: A proactive, Always-On service, where all traffic is filtered through the DDoS Assure Service. A hybrid service, where customers are pre-configured for DDoS Assure but require their DNS settings altered during the time of the attack to have the attack mitigated. An On-Demand emergency service, that can be deployed quickly to mitigate an attack Tenzing Security Services and Best Practices 6

Application Security Unfortunately, many web applications are shipped with undiscovered vulnerabilities. Without advanced security your web store is left exposed to attack. Tenzing s Web Application Firewall helps mitigate these risks by protecting your site and your revenue. Tenzing has partnered with ZENEDGE to create Tenzing Security Shield, a suite of cloud-based security services designed for ecommerce. The combination of DDoS mitigation, Web Application Firewall, and CDN services means that your site is well protected from malicious attacks and performance degradation. Tenzing Security Shield is an external layer of cyberdefense for web applications, web sites and networks. Security Sheild protects web applications and networks from malicious traffic, prevents hackers from penetrating our client s web servers and protect against large volumetric DDoS attacks. It acts by stopping malicious traffic (at application layer 7, or network layers 3 and 4) before the Internet traffic reaches the web application servers or networks of our clients. Figure 6: Tenzing Security Shield Figure 6 shows how the deployment of Tenzing Security Shield creates a protective shield around our clients security perimeter, adding a critical layer of web application and IP protection. Once deployed, all traffic flows through the ZENEDGE network prior to hitting the origin server infrastructure. Traffic is directed to the nearest ZENEDGE POP by means of data driven DNS. The lowest latency POP is chosen on a query-by-query basis to create a performance optimized application delivery network. 7 Dallas Kelowna London Toronto Vancouver www.tenzing.com

Security Testing At an average cost of $201 per customer record compromised, security breaches can inflict irreparable harm. Tenzing s Security Testing services help businesses identify security vulnerabilities before hackers do. The services range from basic external scans that meet PCI quarterly scan requirements, to in-depth penetration testing. Vulnerability Scan Vulnerability Assessment Penetration Testing Infrastructure Scan Web Application Scan Deep Application Analysis Web Services Analysis Risk Reconnaissance Business Logic Analysis PCI/NIST SP800-115 Compliant Methodology OWASP Testing Guide Compliant Methodology Simulated Attacker Exploitation Vulnerability Management Tenzing s vulnerability management program provides a means for clients to proactively address security issues. The program finds vulnerabilities in your environment using both external and internal scans. Any vulnerabilities discovered in the scans will be prioritized and built into a remediation plan. The team will ensure completion by creating and managing tickets for the vulnerabilities and recommended fixes. Tenzing s vulnerability management service is an annually recurring service that allows merchants to continuously improve the security of their environment and stay ahead of threats. Clients are able to proactively prevent breaches, ensure ongoing security and remediation and satisfy PCI Requirements 11, 6.1 & 6.5 - all without any capital expenditure or additional headcount. Patch Management To ensure all client environments are up to date and well protected, Tenzing provides patch management services to all clients on a quarterly basis. Tenzing has also built an emergency patching program in accordance with ITIL best practices that allows us to respond quickly and secure our clients in the event of large impact vulnerabilities. This process is critical during well publicized vulnerabilities like HEARTBLEED and FREAK. For HEARTBLEED it allowed the team to quickly respond and mitigate the threat, as well as communicate clearly with clients, resulting in all vulnerable devices being secured without any service disruptions, up to two days before other service providers. Tenzing Security Services and Best Practices 8

Host Level - Endpoint Protection End Point Protection Tenzing uses industry protection technology for the endpoint level layer of protection. Tenzing s Managed Anti-Virus service is PCI-DSS ready and satisfies the PCI-DSS requirement number 5. It protects servers against a wide range of viruses and malicious codes, including Zero-Day threats. The service desk is automatically alerted of any potential threats which are quickly resolved by Tenzing s Information Security team and vendor. With centralized management, Tenzing automatically updates Virus Signatures, thus ensuring servers are up to date with the latest malware protection. Critical System Protection Tenzing also implements a second layer of protection known as Critical System Protection allowing us to proactively safeguard heterogeneous server environments and the information they contain. This technology allows Tenzing to monitor and protect logical and virtual solutions using granular, policy-based controls, with a combination of host-based intrusion detection (HIDS), intrusion prevention (HIPS), and least privilege access control. Tenzing leverages granular policy-based controls to provide high security for virtual solutions, protecting against zero-day, targeted attacks, real-time control and visibility into compliance. Access Control Physical Access Tenzing s datacenters are protected by multi-layered physical security measures including 24x7x365 security personnel, dual-factor electronic and bio-metric authentication systems, surveillance cameras, and man-traps. Access to the datacenter floor is strictly limited to Tenzing s datacenter technicians and bonded facility maintenance engineers. Logical Access Tenzing utilizes a number of tools to monitor logical access controls for identification, authentication, authorization, and accountability to secure environments, including system logins. These tools enforce access control measures to systems, programs, processes, and information. In order to authenticate, authorize, and maintain accountability, a variety of methodologies are used including password protocols, devices coupled with protocols and software, encryption, and firewalls. These measures and others allow Tenzing to detect intruders, maintain security, reduce vulnerabilities and protect client data and systems from threats. Data Availability Data Security is the protection of data from destructive forces and the unwanted actions of unauthorized users. Tenzing s data security service uses a dedicated backup infrastructure, with comprehensive policies and procedures that are capable of backing up and restoring the most complex applications and system configurations. Tenzing can service all major file systems, databases and applications. Backup services from Tenzing include: Off-site Backups: Customers can have backups replicated to a data store at a geographical remote location for additional disaster recovery capabilities. Recovery Periods are equivalent to the policy maintained for local backups. Data Encryption: Customers can have their data encrypted both in transit and on the data store for maximum security. SSL certificate options are also available. Secure Access: Seamless VPN integration, without the need to reconfigure your network or deploy additional hardware. Tenzing manages the configuration and user administration, allowing authorized users direct, secure, and reliable connectivity to your managed infrastructure, wherever they are. 9 www.tenzing.com

Payment Security PCI Assure With PCI Assure, Tenzing utilizes the latest in transaction processing technology to get merchants PCI compliant quickly and painlessly and to keep them there. PCI Assure offers a complete, flexible, online checkout solution that integrates seamlessly into your environment keeping the customer checkout process seamless. Tenzing has partnered with Hosted PCI to deliver this service to customers. This service provides retailers with a Level 1 PCI-DSS compliant solution, and enables retailers to maintain complete control over the checkout process. PCI Assure provides the following benefits: Complete Indemnification against credit card breach. Simplified PCI-DSS Certification process.. Significant cost savings compared with in-house PCI-DSS Compliance. Predictable, timely implementation with several pre-built integrations. Flexible deployment allowing for seamless integration anywhere on the merchant website. Simple, All-In Cost/Transaction model that scales to millions of transactions. Payment processor independent tokens - No need to be locked into one payment processor or tokenization solution. PCI Assure Tokens are transferable between supported payment gateways and processors. Customization options for merchants who are required to pass credit card data to other Level 1 PCI Compliant entities, such as fulfillment providers. Fewer abandoned carts with the PCI Assure advantage. Keep customers on your site and keep abandonment rates low with PCI Assure IFRAME. CONCLUSION Tenzing believes that a great IT managed services company should do more than just keep infrastructure up and running. It should help your business succeed and grow. That s why Tenzing partners with its clients to deliver meaningful insights and impactful technologies that help them grow their online revenues. The success of Tenzing s clients has fueled it s own success. Since Tenzing first launched back in 1998, the company has been recognized 7 times by Profit Magazine as one of Canada s fastest growing companies. It has also been recognized by The Branham Group as a top information and communications technology company for five years running. The secret to Tenzing s success is a set of core values and industry-leading best practices designed to ensure the best outcomes for its clients. Tenzing s security services are integral to its core value. For more information, please reach out to Tenzing at 877-767-5577 or email us at sales@tenzing.com. Tenzing Security Services and Best Practices 10

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information