Introduction ... 2
People, Policies, and Expertise ... 3
Privacy Policy ... 3
Security in the Data Center ... 5
A. Data Center Security ... 5
B. Server Security ... 5
C. Application Security ... 6
D. System Monitoring ... 6
E. Network Security ... 7
Security at the Desktop ... 7
Benefits Summary ... 8

Eloqua Security & Privacy

Security, Transparency, and Trust

Eloqua prides itself on providing the highest standards for security and privacy, ensuring best-in-class levels of service for its customers. Eloqua is able to deliver enterprise-grade security to all customers, large and small, through a combination of leading-edge technology, internal expertise, and leading third-party technology and certification partners.
> Security & Privacy 2

Introduction

A revenue performance management platform is an investment in a critical element of an enterprise technology portfolio. Because every interaction with your customers and prospects can have a significant business impact, there is no room for risk. This overview outlines how Eloqua delivers an enterprise-class business platform that is both secure and reliable. To date, Eloqua maintains a record of zero known back-end security breaches.

As a Software-as-a-Service provider, Eloqua takes on the onus of most of the system, data, and application security. To ensure the highest levels of service, Eloqua has implemented several key mechanisms and best practices to meet or exceed the security requirements of small and large enterprises. Best practices are embedded in the design and configuration of the network and product. Industry-leading partners and products help ensure a secure, reliable platform. A comprehensive Defense in Depth strategy represents a multi-faceted security approach that ensures data is protected from creation to final disposal.

Eloqua also believes that transparency is critical to maintaining trust. To establish complete transparency, system performance and reliability information are published regularly at trust.eloqua.com. Here you can find up-to-date information on system availability, deliverability performance and transaction volumes.
People, Policies, and Expertise

Security begins with people. Eloqua puts a significant emphasis on policies, procedures and expertise as vital elements in the security framework. This includes not only the team that administers and provisions the platform, but the security policies and governance under which that team operates.

Eloqua's security team is headed by industry veteran Dennis Dayman, who serves as the Chief Privacy and Security Officer for the organization's privacy program. Dennis has more than 17 years of experience combating spam and security issues, as well as improving email delivery through industry policy, ISP relations and technical solutions. In his current role, Dennis applies his experience and industry connections to help Eloqua's customers maximize their delivery rates and compliance. Previously, Dayman worked for StrongMail Systems as Director of Deliverability, Privacy, and Standards. He served in the Internet Security and Legal compliance division for Verizon Online as a senior consultant at Mail Abuse Prevention Systems (MAPS) after starting his career as Director of Policy and Legal External Affairs for Southwestern Bell Global (now AT&T). Dennis also serves as a longstanding member of several boards within the messaging industry, including the Board of Directors of the Messaging Anti-Abuse Working Group (MAAWG), the Coalition Against Unsolicited Commercial Email (CAUCE), the International Association of Privacy Professionals (IAPP) educational board, the Email Sender and Provider Coalition (ESPC), and the Email Experience Council (EEC). Dayman is actively involved in creating current Internet and telephony regulations, privacy policies and anti-spam legislation for state and federal governments.

Privacy Policy

Data privacy is another cornerstone of the security policy. Eloqua's privacy policy is publicly available and can be found at eloqua.com/about/privacy.
To augment this policy, Eloqua has forged partnerships with, and completed certifications from, some of the leading organizations on the subject of privacy. These include:
- SAS 70 Type II: Eloqua has successfully completed both the Type I and Type II Statement of Auditing Standards (SAS) 70 audits. The resulting Independent Service Auditor's Report concluded that Eloqua had instituted effective operational controls within these areas. In addition, all of Eloqua's customer data is hosted with Verizon Business, a fully SAS 70 Type II audited data center. Eloqua is the only marketing automation provider to boast both a SAS 70 Type II audited software platform and a SAS 70 Type II audited hosting facility.
- TRUSTe: Eloqua is a participant in the TRUSTe Privacy Seal Program. TRUSTe is an independent organization whose mission is to advance privacy and trust in the networked world. TRUSTe monitors Eloqua's privacy practices for compliance with their rigorous standards.
- Safe Harbor Privacy Framework: Eloqua participates in the EU Safe Harbor Privacy Framework as set forth by the United States Department of Commerce. As part of its participation in the safe harbor, Eloqua has agreed to TRUSTe dispute resolution for disputes relating to our compliance with the Safe Harbor Privacy Framework. This agreement allows companies in the EU to safely and legally transfer data to Eloqua's data centers.
- Messaging Anti-Abuse Working Group (MAAWG): Eloqua recommends that anyone using email, either through its services or anywhere else, should adopt the Messaging Anti-Abuse Working Group (MAAWG) Sender Best Communications Practices (BCP). With collaborative input from both volume senders and Internet Service Providers, the new best practices recommend sender email technologies and subscription methods to improve deliverability rates for newsletters and permission-based email marketing. The complete Sender Best Communications Practices document is available at the organization's website at http://www.maawg.org/about/publisheddocuments.
Security in the Data Center

Eloqua has constructed a comprehensive security policy that addresses all the critical touch-points of the application and its infrastructure, from the data center to the end-user.

A. Data Center Security

Eloqua partners with Verizon Business Canada to deliver its platform from a secure, reliable datacenter in Toronto. Verizon's datacenter boasts an array of security protections that include:

- Physical Security: Verizon's business datacenter is protected by video surveillance, with video feeds recorded and stored offsite. Two independent biometric fingerprint scans and an electronic key with PIN code are required to access Eloqua's secure equipment cage.
- Environmental Security: The data center includes an FM200 fire suppression system, redundant HVAC, and backup power including both UPS and redundant diesel generators.
- Network Security: The network is part of Verizon's AS701 Autonomous System, one of only 10 Tier 1 networks in the world. All portions of this network are redundant.

B. Server Security

Eloqua builds its servers using a secure build process that removes unneeded services and locks down the file system using access control lists. These servers are further secured through the implementation of Group Policies. The servers' secure posture is maintained through Eloqua's operating system and firmware patching regimen. Eloqua's patching process for Windows hot fixes and software updates allows for a test period on the development, quality assurance and staging environments before updates are promoted to the production environment.

To confirm the security posture of all network devices, Eloqua uses third-party vulnerability scanning services from Qualys. These scans confirm that all required patches have been applied and that any security-affecting configuration changes have been made.
The network perimeter is scanned remotely from Qualys' network, and the internal network is scanned from within using a QualysGuard security appliance. Both scans are run weekly. Over time, Qualys continues to update its vulnerability checklist to provide fast detection and allow quick remediation of any new network vulnerabilities.
C. Application Security

Customer data within the Eloqua system is secured by partitioning each tenant into its own separate database, with access tightly controlled by the login process. Eloqua's network is divided along a functional 3-tier boundary common to many web applications (web, application and database). Within the network, the systems are divided into four functional groups: mail servers, web and application servers, database servers and management servers. This segmentation allows for very specific control over the type of traffic that passes between each layer, isolating potential issues and preventing the spread of any threats. Traffic is controlled using tight security access control lists.

In addition, Eloqua embeds security in the software development process itself.

- Application scans: The development team uses PortSwigger's Burp Suite product to scan for and detect any security vulnerabilities in the platform. These can be patched before the code is released for production use.
- Secure Libraries: Eloqua uses standard libraries to scan for, and block, Cross-Site Scripting and other dangerous data.

D. System Monitoring

In addition to preventative strategies, Eloqua also uses a number of tools to proactively monitor the system for problems that could affect security, performance or reliability. Industry-standard protocols such as SNMP, WMI and SQL are used to ensure the operations team has full visibility into the state of the platform at all times. In the event of a problem with a particular subsystem, or an abnormal amount or type of traffic being directed at a client, Eloqua is able to selectively exclude specific traffic types to avoid a denial of service.

- Monitoring: In addition to internal tools, Eloqua confirms the security and reliability of the Eloqua platform using Gomez ExperienceFirst to measure application uptime and response time.
- Alerting: A number of tools, including Microsoft's System Center Operations Manager (for Windows and SQL monitoring) and Dell's IT Assistant (for hardware monitoring), are used to detect and alert on any critical events in the system.
E. Network Security

Customers log into Eloqua using a 128-bit SSL-encrypted browser session, the same secure browsing technology used by financial institutions and leading e-commerce sites. Eloqua provides additional feedback to the user through VeriSign's Extended Validation SSL certificates to assist in preventing phishing attacks. In most browsers, such as Microsoft Internet Explorer, Mozilla Firefox, and Google Chrome, the use of an Extended Validation certificate turns the address bar green to acknowledge that the site is being accessed in a secure manner. This same SSL-based security is used when synchronizing Eloqua with customers' third-party CRM systems. If the customer website is partially insecure, Eloqua can seamlessly move between security levels. This allows the user to experience the website at the required security level without concern.

Eloqua employs two firewalls in an Active/Passive cluster to provide traffic filtering and Intrusion Prevention services. To prevent worms and other network-based attacks from reaching other ports and protocols, only 3 ports are open to inbound traffic: HTTP, HTTPS and SMTP. Eloqua also employs intrusion prevention rules that are built into the firewall cluster, as well as other intrusion detection devices in the network, to monitor for problems. The production network, which manages customer data and transactions, is entirely separate from Eloqua's corporate network.

Security at the Desktop

Security does not end with the Eloqua data center. Access to the Eloqua platform is controlled by the forms authentication method provided by the underlying Microsoft .NET platform. All users access the application using a Company Name, Username and Password, which are encrypted with SSL while in transmission. An encrypted session ID cookie is used to uniquely identify each user.
For closed-loop security, this cookie only persists for the duration of the session and only contains the user's unique ID. Once authenticated, the user is granted an access level based on that user's designated group membership. At the highest level, the application provides separate security rights to normal users, client-level administrators and application-wide administrators. For normal users, there are a number of standard access roles that map onto job functions (such as sales user, basic marketing user, and advanced marketing user). At the most granular level, administrators can control read/edit/delete access to individual marketing assets within the application. Each customer instance of Eloqua can have its own security settings that allow these login details to be customized.
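The session-cookie properties described above (a cookie that carries only the user's unique ID, is protected against tampering, and lives only for the browser session) can be checked in code. The following is an added illustration, not Eloqua's or the .NET forms-authentication implementation: it uses an HMAC-authenticated token in place of the encrypted cookie the text describes, because the standard library offers no authenticated encryption, and the constructed `SERVER_KEY` and `Set-Cookie` layout are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed per-process secret; a deployment would load it from protected configuration.
SERVER_KEY = secrets.token_bytes(32)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session_token(user_id: str, key: bytes = SERVER_KEY) -> str:
    """Token body is only the user id; the HMAC tag makes any edit detectable."""
    body = user_id.encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(tag)}"


def verify_session_token(token: str, key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the user id for a genuine token, None for a malformed or tampered one."""
    try:
        body_b64, tag_b64 = token.split(".", 1)
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return body.decode()


def set_cookie_header(token: str) -> str:
    """No Expires/Max-Age, so the browser drops the cookie when the session ends;
    Secure restricts it to SSL; HttpOnly keeps it out of reach of page script."""
    return f"Set-Cookie: session={token}; Path=/; Secure; HttpOnly"


def cookie_is_session_scoped(header: str) -> bool:
    """Audit check: Secure and HttpOnly present, no persistence attribute set."""
    attrs = {part.strip().split("=")[0].lower() for part in header.split(";")[1:]}
    return {"secure", "httponly"} <= attrs and not ({"expires", "max-age"} & attrs)
```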
To ensure the highest possible security at the user's desktop, Eloqua also suggests additional best practices for customers to adopt within the four walls of their organization. For example, Eloqua suggests the following customer best practices for all subscribers:

- Set IP range restrictions to allow users to access Eloqua only from a corporate network or VPN, thus providing a second factor of authentication.
- Educate employees not to open suspect emails and to be vigilant in guarding against phishing attempts.
- Use security solutions from leading vendors such as Symantec to deploy spam filtering and malware protection.
- Designate a security contact within your organization so that Eloqua can more effectively direct security-related communications.
- Consider using two-factor authentication techniques such as RSA tokens to restrict access to the network.

Benefits Summary

Eloqua is committed to providing best-in-class security technologies and policies to allow customers to rest assured that their data is safe at all times. Through a combination of policies, platform and customer security, Eloqua is able to maintain a best-in-class software security infrastructure, as evidenced by its impeccable track record.

- Organizational culture built around security and privacy
- SAS 70 Type II audited software platform hosted in a SAS 70 Type II audited facility
- Physical, environmental, and network security through the Verizon Business Datacenter
- Reliance on third-party tools and standards bodies for continuous improvement and thought leadership
- Best practices to improve security at the customer site