TOP SECRETS OF CLOUD SECURITY
Protect Your Organization's Valuable Content

Table of Contents
- Does the Cloud Pose Special Security Challenges?
- Client Authentication
- User Security Management
- Transport Security
- Data and Physical Security
- Security Monitoring
- Disaster Recovery
- Compliance
- Summary

DOES THE CLOUD POSE SPECIAL SECURITY CHALLENGES?

Cloud adoption is highest in applications that support simplified, common business processes or large, distributed virtual workforce teams, according to the analyst firm Gartner. Gartner reports that ease of use, rapid deployment, limited up-front investment in capital and staffing, plus a reduction in software management responsibility, all make cloud platforms a desirable alternative to many on-premises solutions. These advantages will continue to act as drivers of growth. But does the cloud pose special challenges or risks to the organization? And what best practices can be put in place to resolve the challenges and reduce any risks?

When you are dealing with your organization's valuable content (documents, contracts, employee documents, images, databases, etc.), executive management must be aware of what makes a credible cloud security strategy. As you evaluate content management, document sharing and collaboration platforms, the many consumer-focused applications as well as the enterprise-ready solutions (such as SpringCM), look for additional security engineered into the solution where other typical enterprise content management (ECM) products cannot provide it.

The definition of Cloud (purpose-built Web technology) implies modularity. Because auditing and securing small modules is the cornerstone of many security architectures, a real business-ready cloud content management model provides customers with additional security benefits beyond the limits of most traditional applications. Through the use of cloud technology the solution should be more agile and better prepared to respond to new security requirements, customer demands and changes.

The cloud model must be built upon industry-standard tools, protocols and frameworks such as Microsoft .NET that contain a wide variety of pre-existing security enhancements such as SSL, two-factor authentication and strong access control. The vendor should leverage, embrace and extend these existing security technologies to all customers, thereby dramatically increasing the overall security of your content.

CLIENT AUTHENTICATION

Client authentication provides a method to identify a user accessing a system and determines which actions are authorized. SpringCM's client authentication uses Microsoft .NET's built-in authentication routines, a proven method for effective and secure authentication. SpringCM doesn't store plain-text passwords; it uses a one-way hashing algorithm coupled with a cryptographically random value (a salt) to guarantee that a customer's password is never decrypted. All authentications between SpringCM and the customer's Web browser are encrypted via SSL.

In addition to the security of the authentication transport mechanism, a customer can select strong password requirements for all applicable users. This requirement forces users to create passwords of at least eight characters that contain three of the following: one or more numeric characters, one or more uppercase characters and one or more symbols. Following our defense-in-depth strategy, if SpringCM did incur a data breach, the complex passwords in addition to the secure authentication framework from Microsoft would severely limit the chance of a customer's password being compromised.

SERVER AUTHENTICATION AND DATA INTEGRITY

The most common way to provide data integrity during data transit within a hypertext transfer protocol (HTTP) environment is through SSL or its successor, Transport Layer Security (TLS). (TLS is the successor to SSL version 2 and addresses transport security with additional security features; however, TLS is not currently as widely supported by common client software.) Both SSL and TLS can secure any TCP connection. SpringCM supports both SSL versions because clients and servers can automatically negotiate the most secure shared version between them. SSL and TLS are almost always used for two purposes:
- To encrypt all traffic over the TCP connection in both directions. This secures all transferred data against integrity attacks and protects the privacy of all data.
- To authenticate servers, certifying that client systems are sending passwords and data only to the correct server. This protects against what is commonly referred to as a man-in-the-middle attack.

Data integrity extends beyond the transit of the data to include the data storage. We store all data on redundant file servers and database servers that are configured for automatic failover in case of a disaster. Our backend database technology is deployed within a clustered environment, enabling automatic failover, improved capacity and ease of logging.

USER SECURITY MANAGEMENT

Adding users to your SpringCM account is as easy as entering a few pieces of contact information and valid email addresses. Users can be anyone with an email address, including vendors, contractors, consultants and others outside your organization. You can easily deliver documents to internal and remote users and include them in workflow and collaboration.

A number of user roles that include different privileges for accessing and managing documents are available. Full subscribers, the default choice for most team members, can view, edit and send documents, and initiate workflow and collaboration. You can designate user administrators to manage and create users and to ensure that everyone in your SpringCM account has the internal support they need. The chief SpringCM overseer can serve as the super administrator, with access to all documents regardless of security settings, the ability to unlock checked-out documents and more. All of these functions are available in an uncomplicated environment that won't require intervention from an outside programmer, saving you time and money.

Look for cloud applications that provide protection from denial-of-service attacks by using firewalls and load-balancing software to mitigate and spread the requests across their infrastructures.
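The Client Authentication section above describes two controls: a password complexity policy (at least eight characters with numeric, uppercase and symbol classes) and storage of passwords as a one-way hash combined with a cryptographically random value so that no stored value can be decrypted. The following is an added example of those two controls written for this page; it is not SpringCM's code nor the Microsoft .NET routines the paper refers to. The choice of PBKDF2-HMAC-SHA256, the 16-byte salt, the iteration count and the sample password are assumptions made here.

```python
import hashlib
import hmac
import os
import re

# Password policy as the paper states it: at least eight characters, containing
# at least three of the listed character classes (numeric, uppercase, symbol).
MIN_LENGTH = 8
REQUIRED_CLASSES = 3
CLASS_PATTERNS = {
    "numeric": re.compile(r"[0-9]"),
    "uppercase": re.compile(r"[A-Z]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}

# Assumed parameters (not from the page): PBKDF2-HMAC-SHA256 as the one-way
# algorithm, a 16-byte random salt, and an iteration count chosen for this example.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def password_meets_policy(password: str) -> bool:
    """Return True when the password satisfies the length and character-class rules."""
    if len(password) < MIN_LENGTH:
        return False
    classes_present = sum(1 for pattern in CLASS_PATTERNS.values() if pattern.search(password))
    return classes_present >= REQUIRED_CLASSES


def hash_password(password: str) -> dict:
    """Derive a one-way hash with a fresh random salt; the password itself is never stored."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {
        "algorithm": "pbkdf2_sha256",
        "iterations": PBKDF2_ITERATIONS,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify_password(password: str, record: dict) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, record["iterations"])
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def register(password: str) -> dict:
    """Enforce the policy before anything is stored, then return the storable record."""
    if not password_meets_policy(password):
        raise ValueError("password does not meet the complexity policy")
    return hash_password(password)


if __name__ == "__main__":
    record = register("Tr0ub4dor&3")  # constructed sample password
    print(record["algorithm"], record["salt"], record["hash"][:16] + "...")
    print("correct password verifies:", verify_password("Tr0ub4dor&3", record))
    print("wrong password verifies:", verify_password("Tr0ub4dor&4", record))
```

Two properties are worth checking when reviewing any implementation of this pattern: hashing the same password twice must produce different stored records (the salt is fresh each time, so a breach of the stored table does not reveal which users share a password), and verification must compare digests with a constant-time function rather than `==`.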

TRANSPORT SECURITY

HTTP AND WEBDAV SECURITY CHARACTERISTICS

SpringCM's data input servers interact with Web browsers and WebDAV clients using HTTP. Because WebDAV is an extension of HTTP, all the same security mechanisms apply:
- HTTP connections can use transport-layer security (SSL or its successor, TLS) to provide data integrity.
- HTTP implementations must support both basic and digest authentication, two standard mechanisms for authenticating users via passwords.
- Many HTTP implementations support advanced authentication mechanisms.

Further precautions include firewalls, reverse proxies and other advanced Web security techniques and software solutions.

PROTECTION AGAINST DENIAL-OF-SERVICE AND OTHER ATTACKS

Denial-of-service attacks typically attempt to debilitate a server by compromising its ability to respond to legitimate requests within a reasonable time. For example, on any Web server a denial-of-service attack may be a number of clients that all ask for the same large Web page at roughly the same time, thus hampering the server's ability to respond to legitimate requests. SpringCM provides protection from denial-of-service attacks by using firewalls and load-balancing software to mitigate and spread the requests across our infrastructure. Both the firewalls and load balancers can limit requests of certain file types or traffic from certain addresses.

DATA AND PHYSICAL SECURITY

SpringCM provides a secure environment for documents through use, transfer and storage. Strong passwords, access control, audit trails and data encryption ensure a high level of security at the application level. All web transactions use VeriSign secure, 128-bit RSA encryption (SSL) for secure data transfer. Main servers are monitored 24/7/365 and are only accessible via biometric authentication.
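The denial-of-service mitigation described above, limiting traffic from particular addresses when many requests for the same page arrive at once, can be expressed as a per-address sliding-window limiter of the kind a load balancer or firewall applies. The following is an added example written for this page, not SpringCM's code or any vendor product's logic; the request log, addresses, threshold and window are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample request log: (timestamp in seconds, client address, path).
# Address 203.0.113.7 bursts ten requests for the same large page within one
# second; 198.51.100.20 makes three ordinary, well-spaced requests.
SAMPLE_REQUESTS = sorted(
    [(round(0.1 * i, 1), "203.0.113.7", "/reports/annual-large.pdf") for i in range(10)]
    + [(0.5, "198.51.100.20", "/login"),
       (1.5, "198.51.100.20", "/docs"),
       (2.5, "198.51.100.20", "/docs/1")]
)


class SlidingWindowLimiter:
    """Allow at most max_requests per client within any window_seconds interval.

    The threshold and window are assumptions for this example, not figures
    from the page.
    """

    def __init__(self, max_requests: int, window_seconds: float):
        self.max_requests = max_requests
        self.window = window_seconds
        # client address -> timestamps of the requests that were allowed
        self.history = defaultdict(deque)

    def allow(self, client: str, now: float) -> bool:
        """Decide one request; returns False when the client is over its limit."""
        recent = self.history[client]
        # Drop timestamps that have fallen out of the window.
        while recent and now - recent[0] >= self.window:
            recent.popleft()
        if len(recent) >= self.max_requests:
            return False
        recent.append(now)
        return True


def replay(requests, limiter: SlidingWindowLimiter) -> dict:
    """Replay a request log through the limiter; return blocked counts per client."""
    blocked = defaultdict(int)
    for timestamp, client, _path in requests:
        if not limiter.allow(client, timestamp):
            blocked[client] += 1
    return dict(blocked)


if __name__ == "__main__":
    limiter = SlidingWindowLimiter(max_requests=5, window_seconds=2.0)
    for client, count in replay(SAMPLE_REQUESTS, limiter).items():
        print(f"{client}: {count} requests blocked")
```

With a limit of five requests per two seconds, the bursting address has half of its ten requests refused while the well-spaced client is never touched, and once the burst ages out of the window the address is served again rather than permanently blocked. The same structure keyed by file type instead of address gives the file-type limit the paper also mentions.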
Access to a customer's data stored in the database is controlled through the SpringCM core application Web services, which act as a security middleman, ensuring complete confidentiality of information within our multitenant architecture. SpringCM follows a strict physical and virtual access control policy that limits access to production servers and data. Authorized personnel must document each visit to the production systems and the duration of their access. Each visit is monitored and correlated with our access control logging system.

SECURITY MONITORING

SpringCM's IT security program follows an underlying principle: if we cannot prevent it, we must detect it. This mantra forms the foundation for all security monitoring at SpringCM. Our IT staff monitors access to all servers, routers, switches and any other devices that interact with customer data. Our security team routinely reviews the centralized logging and analysis architecture. The security of the SpringCM application is just as critical as that of its infrastructure. Both undergo an annual in-depth assessment accompanied by quarterly audits of new functionality or areas of risk. These include application assessment, penetration testing and configuration assessment to analyze the strength of our system's configuration.

DISASTER RECOVERY

SpringCM has a structured disaster recovery plan to ensure all operations continue in case of a disaster and/or loss of key personnel. A portion of our disaster recovery procedures is our backup procedures. Backup procedures ensure regular and secure backup of data and software. They are essential in protecting against the loss of data and

software and facilitating a rapid recovery from any failure. All backups conform to universal best-practice procedures:
- All data, operating systems and utility files must be adequately and systematically backed up.
- Records of what is backed up and to where are maintained.
- At least three generations of backup data are retained at any one time.
- The backup media is precisely labeled, and accurate records are maintained of when backups are completed and to which backup set they belong.
- Copies of the backup media, together with the backup record, are securely stored for one calendar year in a remote location, provided by Iron Mountain, a sufficient distance away from the main site.
- Regular testing of data and software restoration from the backup copies ensures all backup files can be relied upon for use in an emergency.

COMPLIANCE

SpringCM itself is not regulated by any specific laws or regulations, but many of our customers are. Therefore, we take great measures to ensure our security controls meet the compliance needs of our customers. Internally, all policies, processes and development follow a strict framework that adheres to ISO 27002 standards and the Control Objectives for Information and related Technology (COBIT) framework. Leveraging COBIT's success as an increasingly internationally accepted set of guidance materials for IT governance enables our products to meet our customers' various compliance requirements. For example, our access control policies map directly to HIPAA, GLBA and SOX requirements. In addition we use the IT Information Library (ITIL) service management framework to ensure continuous security monitoring and improvement. For specific compliance needs, please contact us. We are happy to work with you to make SpringCM meet your compliance requirements.

SUMMARY

SpringCM's investment in standards-based security frameworks and implementation of security controls throughout the entire development and production process ensures our level of security will exceed that required by our customers. Our commitment to data confidentiality, integrity and availability starts at the network port and extends to the customer environment. We work with trusted third-party security vendors to verify and enhance our security program.

SpringCM, as the leader in mobilized business content, provides the freedom, power and control businesses need to go beyond simple file storage and document sharing to connect teams and those they work with to powerful content management applications that make content available anytime, anywhere and from any mobile device with complete synchronicity and security. SpringCM unleashes the power of anytime, anywhere content to change the way you work.

2012 SpringCM. All rights reserved. www.springcm.com