WALKME SOLUTION ARCHITECTURAL WHITE PAPER
WHAT IS WALKME FOR SALESFORCE? WalkMe enables Salesforce to build and overlay interactive Walk-Thrus that intuitively guide users to self-task successfully with even the most complex processes. Walk-Thrus are a sequence of tip balloons that are displayed onscreen based on what the user needs to do, his actions and the context he is in. WalkMe s technology focuses the users' attention on the screen and takes them step-by-step as they progress through the task in real time. SALESFORCE WILL SEE A MASSIVE IMPACT WITHIN DAYS Using WalkMe requires no integration or changes to the underlying software. WalkMe is a proven solution with 100 s of customers and by utilizing it Salesforce will increase conversions, speed up orientation of new prospects and users, increase the efficiency of current customers and slash the training costs they require. WalkMe is perfect for: Onboarding & orientation of new users Be there with your customers when they start testing and using Salesforce, to make sure they are driven, know and act in the way you know is best. Helping with migration of enterprise customers Remove the barriers of entry for enterprise customers using other CRM systems by slashing the need for training, ease employee agony over changes in their daily routine and cut the learning curve. Improving efficiency of existing customers Help the Salesforce users reach their maximum potential of using Salesforce software by ensuring proper usage, letting the users focus on the job at hand instead of how to operate the software and reduce help desk costs. Upselling to current customers base Use rule based usage analytics to automatically introduce new features and premium features to users who need them. Supporting non-native English speakers
Walk-Thrus can be displayed in any language based on user selection or as defined by rules. WALKME S BACKGROUND WalkMe s idea from the get-go was to make the web experience as easy as possible for every person clarifying the ease of any task for any website and thus reinventing the learning curve for any website, online service or software. WalkMe is a user-friendly and easy-to-use tool that requires no modification to underlying software where "Walk-Thrus" can be created in seconds without any previous technical skills. Walk- Thrus have reinvented the learning curve! Users are now able to intuitively use any system and be an expert within days. TECHNOLOGY WalkMe offers a secure, reliable, and scalable platform. The company culture believes in going out of the way to make clients comfortable and secure in the product especially when incorporating WalkMe in their services. As a pure software-as-a-service (SaaS) company, all of WalkMe's servers, data bases, and storage are located in a top tier and secure cloud network. WalkMe values providing dependability and availability to customers with its service and partnerships. In order to provide customers with the greatest flexibility, WalkMe utilizes Amazon Web Services (AWS). Because of WalkMe's advanced and scalable architecture, clients can be confident knowing that their end users will have zero effect on their website performance and user experience. WALKME IS COMPRISED OF THREE MODULES WalkMe Editor The WalkMe Editor is a simple and easy-to-use tool for creating and editing Walk-Thrus.
WalkMe Player The WalkMe Player is a discreet on-screen widget that allows end-users to control the visual experience and look of Walk-Thrus. The Player is made available to end-users as part of the website itself and does not require any configuration or installation. WalkMe Analytics WalkMe Analytics is a sophisticated analytical tool used to review the efficiency of Walk-Thru playback data. A DEEPER LOOK INTO THE THREE WALKME MODULES WalkMe Editor The WalkMe Editor is a Firefox extension that enables website and application owners to create Walk-Thrus for their websites. The WalkMe Editor requires no technical knowledge and allows users to point and click on the website elements to create a unified guidance flow Walk-Thrus. The Walk-Thrus are then saved onto database servers and stored there as personal drafts. During the creation process of the Walk-Thrus, they are not visibly seen or available to any of the end-users until publication and activation. The process to publish and activate Walk-Thrus involves two simple actions. Step 1: A One Time Implementation of the WalkMe Snippet In order to display the Player on your website or application, the WalkMe snippet must be added to the header of all of the HTML pages on which you wish to enable the Walk-Thrus. It's only required once for the entire life cycle of your partnership with WalkMe. This process is similar to the process of adding Google Analytics to a website. This snippet code is actually the connection between the original website content and WalkMe. Once the website HTML loads onto the end users browser, the browser activates the snippet code, which begins the downloading of WalkMe's data. Step 2: Publishing Walk-Thrus When the Walk-Thrus are ready to be launched and seen by end users on the website or application, the owner clicks on the "publish" button in the WalkMe Editor. This action changes the status of the selected Walk-Thrus from draft to published status, converting the Walk-Thrus to public and visible to all end-users. Changing or editing a Walk-Thru is made simple with the availability of more extensive editing options in the Editor. When the user publishes a new Walk-Thru, a flat file is generated with the Walk-Thru data and is deployed on Amazon's Cloudfront CDN.
SECURITY ASPECTS OF THE EDITOR Login Policy User Authentication and Authorization All users and administrators of WalkMe's platform are assigned a unique user account and authorization level. Password Policy All users authenticate to WalkMe with an email and password of at least eight characters. Authentication is established over a 128bit SSL V3 HTTPS encrypted protocol where passwords are subsequently stored in databases encrypted with a hash algorithm. Password and Operator Lock-Out To prevent brute force attacks, WalkMe accounts are locked after multiple failed login attempts. After a short period of time, the account is unlocked and the user can log in again. Users have the capability to change their password upon request if they forgot their username or password. They are sent confidential emails that were provided upon their original signup. WALKME PLAYER The WalkMe Player is responsible for playback of all published Walk-Thrus. The WalkMe player is displayed in the form of a widget on top of the website pages. Once the original
website page content is loaded completely in the end users' browser, the WalkMe Player quickly communicates and downloads the WalkMe files from Amazon Cloudfront CDN into the browser's cache. These files, with a total size of 200-300 KB, contain all the data that is needed in order to play the entire Walk-Thrus. Once downloaded, the WalkMe Player is displayed to the end-user. The Walk-Thru data will only be downloaded again if changes were made to any of the Walk-Thrus. The datatransfer process from the end users browser to WalkMe's web servers are done using the protocol of the webpage (HTTP OR HTTPS) and is determined by the website owner according to their specific needs. Because the request for WalkMe files from the servers are only made after the website page has been completely loaded, no lag or negative effect to the website performance is experienced or seen. PLAYER SECURITY ASPECTS The WalkMe architecture offers the following security advantages: 1) End-user browsers download static files from Amazon CloudFront CDN making no demands on CPU. In addition, no database queries are made.
2) End users have no need to download or use any special protocols as the entire system and communication are based on standard HTTP (80) and HTTPS (443) protocols and ports. a. No direct connections between the customers company servers and their endusers are required. All communications are handled and intermediated by WalkMe s web servers on Amazon EC2. b. In HTTPS mode, data is transferred in encrypted form with 128 bit SSL V3 using a trusted public certificate authority to ensure the authenticity of WalkMe s server to both parties. WALKME ANALYTICS WalkMe Analytics is a comprehensive statistics panel that provides rich, detailed information on Walk-Thru usage in the website or application. The data includes the number of Walk- Thrus performed and at which steps the end-users dropped from the Walk-Thrus. This enables the website/application owner to understand the problematic points of their current business process or Walk-Thru flow. Furthermore, the Analytics system enables the user to add mail-generated rules that let them instantly know of any high or low usage of Walk-Thrus and to determine any problems that might have occurred during the Walk-Thru playback process. The option for advanced users to send website related information that can be aggregated with the analytics data is available for even higher resolution data analysis. The call between the browser and the server is being done using an a-synchronized AJAX call, which has zero effect on user performance or the browser state. The request sent is encrypted with 128 bit SSL V3 using a trusted public certificate authority to ensure the authenticity of WalkMe s server to both parties.
IMPLEMENTATION MODELS WalkMe On-Premises Model For companies that require high security standards, which cannot be achieved using the SaaS Model, WalkMe offers the On-Premises Model, in which the entire WalkMe platform is installed locally on the client servers. Unlike the Self-Hosted Model above, where the Walk-Thru generated files are saved on the client servers during the editing process and the Analytics data are being stored on WalkMe Cloud, the entire creation-process and the Analytics will be saved on WalkMe servers that will be installed locally on the client servers, in the On-Premises Model. This way, the entire WalkMe solution is stored in-house on the client servers, and the endusers entire communication as well as the entire Walk-Thru-creation process will be performed against the client servers.
WalkMe On-Premises Model Enterprise Web Servers Enterprise LAN WalkMe Analytics Server Customer Web Servers (hosting WalkMe static files) Publish Process WalkMe Editor Server WalkMe Static files Walk-Thru Data Original Website content Walk-Thru Analytics Data Customer content owner End Users WEB VULNERABILITIES, PRIVACY AND DATA RETENTION WalkMe was built as a third-party application to seamlessly work inside websites and Webapplications. Therefore, WalkMe implemented a multi-tiered approach in providing the highest security services possible by both developing the platform itself in the highest security standards and utilizing Amazon's Web Services security. Content Filtering Since the Walk-Thru balloons contain user generated data, a real need to prevent any attempts of Cross Site Scripting (XSS) exists. This is a form of attack that injects malicious content
into the balloons and thereafter to the users browser. WalkMe prevents these kinds of attacks by having implemented an advanced content-filtering mechanism that is embedded in WalkMe's content servers. Therefore any attempts to insert scripts are automatically blocked within the server side before publishing any of the Walk-Thrus. Audit Trail and Logs in the WalkMe Editor User-activity within the WalkMe Editor is monitored and logged, enabling login & publishing data to be traced and attributed to a specific user, IP address, date, and time. This enables WalkMe customers to extend their control and auditing policies in the WalkMe platform. Data Collected by the WalkMe Player Application Even though WalkMe is a layer on top of the website itself, it does not collect any information regarding the end-users actions or data. Furthermore, it does not collect any information from the website itself. In order to deliver the highest quality statistics to the website owner, a summarized table of information about the overall usage of their Walk-Thru data is presented of only Walk-Thru progress details. For example, if an end-user plays a Walk-Thru that directs them in how to perform a procedure in their bank account on the bank's website, the only information that will be sent from the browser to WalkMe's servers are the Walk-Thru balloon steps that have been played as part of the Walk-Thru, along with the user IP address, domain, operating system, browser type, and the time of each balloon appearance. Secure Storage Even though the only information that is stored on WalkMe's servers is the Walk-Thru text, HTML parameters for identifying the correct location to place the balloons, and the progress of the Walk-Thru is kept private and safe by WalkMe s efforts and assurance to maintain all data confidential. All balloon text, images, and statistical information gathered from the WalkMe Player are stored within WalkMe s database servers, secured by a firewall. Every WalkMe customer is assigned a unique user ID with access control mechanisms embedded in the application and in the database that prevents unauthorized access. Although data may be stored on shared database servers, the data is strictly protected and segregated in a way that ensures that only authorized entities can have access to it.
WalkMe Cookies Like other Web-based applications, WalkMe uses first-party cookies to identify the progress of the Walk-Thrus. WalkMe uses cookies only for authentication purposes and for the successful compilation of Walk-Thru playback and Analytics. The cookies are saved only for 60 seconds and then are automatically deleted. No personal data is saved and no information about user usage of the website is monitored. INFRASTRUCTURE SECURITY WalkMe's network infrastructure and architecture works and communicates with Amazon AWS, Amazon EC2, Amazon S3, Amazon Cloudfront, and Amazon RDS. Amazon Web Services (AWS) deliver a highly scalable cloud computing platform with high availability and reliability. In order to provide end-to-end security and privacy, AWS has built its services in accordance with the best security practices providing appropriate security features and documents in how to best utilize them. WalkMe used those features and best practices to create a highly secure application environment that ensures confidentiality, integrity, and availability of its data, such as what Amazon RDS provides to maintain trust and confidence. Below is relevant information gathered from the Amazon website to highlight relevant security certifications and accreditations that WalkMe has incorporated. AWS Certifications and Accreditations SOC 1/SSAE 16/ISAE 3402 Amazon Web Services now publishes a Service Organization Controls 1 (SOC 1), Type 2 report. The audit for this report is conducted in accordance with the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) and the International Standards for Assurance Engagements No. 3402 (ISAE 3402) professional standards. This dual-standard report can meet a broad range of auditing requirements for U.S. and international auditing bodies. The SOC 1 report audit attests that AWS control objectives are appropriately designed and that the individual controls defined to safeguard customer data are operating effectively. Our commitment to the SOC 1 report is on-going and we plan to continue our process of periodic audits. This audit is the replacement of the Statement on Auditing Standards No. 70 (SAS 70) Type II report. FISMA Moderate AWS enables U.S. government agency customers to achieve and sustain compliance with the Federal Information Security Management Act (FISMA). FISMA requires federal
agencies to develop, document, and implement an information security system for its data and infrastructure based on the National Institute of Standards and Technology Special Publication 800-53, Revision 3 standard. FISMA Moderate Authorization and Accreditation requires AWS to implement and operate an extensive set of security configurations and controls. This includes documenting the management, operational, and technical processes used to secure the physical and virtual infrastructure, as well as the third-party audit of the established processes and controls. AWS has received a three-year FISMA Moderate authorization for Infrastructure as a Service from the General Services Administration. AWS has also successfully achieved other ATOs at the FISMA Moderate level by working with government agencies to certify their applications and workloads. PCI DSS Level 1 AWS has achieved Level 1 PCI compliance. We have been successfully validated as a Level 1 service provider under the Payment Card Industry (PCI) Data Security Standard (DSS). Merchants and other service providers can now run their applications on our PCI-compliant technology infrastructure for storing, processing, and transmitting credit card information in the cloud. Other enterprises can also benefit by running their applications on other PCIcompliant technology infrastructure. PCI validated services include Amazon Elastic Compute Cloud (EC2), Amazon Simple Storage Service (S3), Amazon Elastic Block Storage (EBS) and Amazon Virtual Private Cloud (VPC), Amazon Relational Database Service (RDS), Amazon Elastic Load Balancing (ELB), Amazon Identity and Access Management (IAM), and the underlying physical infrastructure and the AWS Management Environment. For more information please visit our PCI DSS Level 1 FAQs. ISO 27001 AWS has achieved ISO 27001 certification of our Information Security Management System (ISMS) covering our infrastructure, data centers, and services including Amazon Elastic Compute Cloud (Amazon EC2), Amazon Simple Storage Service (Amazon S3) and Amazon Virtual Private Cloud (Amazon VPC). ISO 27001/27002 is a widely-adopted global security standard that sets out requirements and best practices for a systematic approach to managing company and customer information that s based on periodic risk assessments. In
order to achieve the certification, a company must show it has a systematic and ongoing approach to managing information security risks that affect the confidentiality, integrity, and availability of company and customer information. This certification reinforces Amazon s commitment to providing transparency into our security controls and practices. AWS s ISO 27001 certification includes all AWS data centers in all regions worldwide and AWS has established a formal program to maintain the certification. A copy of our ISO certificate, available to AWS customers, describes the ISMS services and geographic scope. International Traffic In Arms Compliance The AWS GovCloud (US) region supports US International Traffic in Arms Regulations (ITAR) compliance. As a part of managing a comprehensive ITAR compliance program, companies subject to ITAR export regulations must control unintended exports by restricting access to protected data to US Persons and restricting physical location of that data to US land. AWS GovCloud (US) provides an environment physically located in the US and where access by AWS Personnel is limited to US Persons, thereby allowing qualified companies to transmit, process, and store protected articles and data under ITAR. The AWS GovCloud (US) environment has been audited by an independent third party to validate the proper controls are in place to support customer export compliance programs for this requirement. FIPS 140-2 The Federal Information Processing Standard (FIPS) Publication 140-2 is a US government security standard that specifies the security requirements for cryptographic modules protecting sensitive information. To support customers with FIPS 140-2 requirements, the Amazon Virtual Private Cloud VPN endpoints and SSL-terminating load balancers in AWS GovCloud (US) operate using FIPS 140-2 validated hardware. AWS works with AWS GovCloud (US) customers to provide the information they need to help manage compliance when using the AWS GovCloud (US) environment. OTHER COMPLIANCE INITIATIVES The flexibility and customer control that the AWS platform provides permits the deployment of solutions that meet industry-specific compliance requirements. HIPAA
Customers have built healthcare applications compliant with HIPAA s Security and Privacy Rules on AWS. AWS provides the security controls customers can use to help to secure electronic health records. CSA AWS has completed the Cloud Security Alliance (CSA) Consensus Assessments Initiative Questionnaire. This questionnaire published by the CSA provides a way to reference and document what security controls exist in AWS s Infrastructure as a Service offerings. The questionnaire (CAIQ) provides a set of over 140 questions a cloud consumer and cloud auditor may wish to ask of a cloud provider. More information regarding Amazon Web Services can be found at http://aws.amazon.com/security/ OPERATIONS Penetration Testing WalkMe's application and network are tested for security vulnerabilities by independent security experts as part of the secure development lifecycle. The tests include an array of penetration scenarios regardless of one that is tested independently by Amazon AWS, which tests its services frequently. In addition, WalkMe's security team makes sure to ensure that all aspects of security adhere to the highest standards. UPTIME, BUSINESS CONTINUITY AND DISASTER RECOVERY Capacity and Uptime WalkMe's architecture was designed with the appropriate mindset to manage large scale traffic and CPS (connections per second) in order to provide high quality speed, availability, and service for our customers. The massive usage by users requesting Walk-Thru data is achieved against Amazon Cloudfront, which has a service commitment of a Monthly Uptime Percentage (defined below) of at least 99.9%. http://aws.amazon.com/ec2-sla/ http://aws.amazon.com/s3-sla/ Disaster Recovery and BCP
WalkMe's disaster recovery plan, which resides on Amazon's disaster recovery plans, ensures that customers experience no interruption of service in the event of a loss of data occurring at Amazon's data centers. WalkMe's primary and most crucial services are the Walk-Thrus themselves, which are stored on Amazon's Cloudfront CDN, supporting the most advanced methods of DRP. WalkMe's other and less crucial components are the WalkMe Editor and WalkMe Analytics which resides on Amazon EC2 and Amazon RDS, and are both supported by the most advanced methods of DRP. CONCLUSION WalkMe strives to provide the highest security possible for its customers by utilizing top-tier technology and products to provide the best user and customer experience possible. By emphasizing security and responsible planning for expected future growth with our partners and users, WalkMe has established the building blocks to provide the best step-by-step guidance tool on the internet to help millions of people around the world perform complicated tasks with ease. DISCLAMIER This document is for informational purposes only. WalkMe LTD. PROVIDES THIS DOCUMENT AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. No part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), without the prior written permission of WalkMe, LTD. except as otherwise permitted by law. Prior to publication, reasonable effort was made to validate this information. Actual savings or results achieved may be different than those outlined in the document. This document could include technical inaccuracies or typographical errors. Contact: WalkMe LTD. www.walkme.com US Toll Free: 1-855-4WALKME (1-855-492-5563) info@walkme.com