Eloqua Security & Privacy Security, Transparency, and Trust




Introduction ... 2
People, Policies, and Expertise ... 3
Privacy Policy ... 3
Security in the Data Center ... 5
A. Data Center Security ... 5
B. Server Security ... 5
C. Application Security ... 6
D. System Monitoring ... 6
E. Network Security ... 7
Security at the Desktop ... 7
Benefits Summary ... 8

Eloqua prides itself on providing the highest standards for security and privacy, ensuring best-in-class levels of service for its customers. Eloqua is able to deliver enterprise-grade security to all customers, large and small, through a combination of leading-edge technology, internal expertise, and leading third-party technology and certification partners.

Security & Privacy 2

Introduction

A revenue performance management platform is an investment in a critical element of an enterprise technology portfolio. Because every interaction with your customers and prospects can have a significant business impact, there is no room for risk. This overview outlines how Eloqua delivers an enterprise-class business platform that is both secure and reliable. To date, Eloqua maintains a record of zero known back-end security breaches.

As a Software-as-a-Service provider, Eloqua takes on the onus of most of the system, data, and application security. To ensure the highest levels of service, Eloqua has implemented several key mechanisms and best practices to meet or exceed the security requirements of small and large enterprises. Best practices are embedded in the design and configuration of the network and product. Industry-leading partners and products help ensure a secure, reliable platform. A comprehensive Defense in Depth strategy represents a multi-faceted security approach that ensures data is protected from creation to final disposal.

Eloqua also believes that transparency is critical to maintaining trust. To establish complete transparency, system performance and reliability information are published regularly at trust.eloqua.com. Here you can find up-to-date information on system availability, deliverability performance and transaction volumes.

People, Policies, and Expertise

Security begins with people. Eloqua puts a significant emphasis on policies, procedures and expertise as vital elements in the security framework. This includes not only the team that administers and provisions the platform, but also the security policies and governance under which that team operates.

Eloqua's security team is headed by industry veteran Dennis Dayman, who serves as the Chief Privacy and Security Officer for the organization's privacy program. Dennis has more than 17 years of experience combating spam and security issues, as well as improving email delivery through industry policy, ISP relations and technical solutions. In his current role, Dennis applies his experience and industry connections to help Eloqua's customers maximize their delivery rates and compliance. Previously, Dayman worked for StrongMail Systems as Director of Deliverability, Privacy, and Standards. He served in the Internet Security and Legal Compliance division for Verizon Online as a senior consultant at Mail Abuse Prevention Systems (MAPS), after starting his career as Director of Policy and Legal External Affairs for Southwestern Bell Global (now AT&T). Dennis also serves as a longstanding member of several boards within the messaging industry, including the Board of Directors of the Messaging Anti-Abuse Working Group (MAAWG), the Coalition Against Unsolicited Commercial Email (CAUCE), the International Association of Privacy Professionals (IAPP) educational board, the Email Sender and Provider Coalition (ESPC), and the Email Experience Council (EEC). Dayman is actively involved in creating current Internet and telephony regulations, privacy policies and anti-spam legislation for state and federal governments.

Privacy Policy

Data privacy is another cornerstone of the security policy. Eloqua's privacy policy is publicly available and can be found at eloqua.com/about/privacy. To augment this policy, Eloqua has forged partnerships with, and completed certifications from, some of the leading organizations on the subject of privacy. These include:

SAS 70 TYPE II: Eloqua has successfully completed both the Type I and Type II Statement on Auditing Standards (SAS) 70 audits. The resulting Independent Service Auditor's Report concluded that Eloqua had instituted effective operational controls in these areas. In addition, all of Eloqua's customer data is hosted with Verizon Business, a fully SAS 70 Type II audited data center. Eloqua is the only marketing automation provider to boast both a SAS 70 Type II audited software platform and a SAS 70 Type II audited hosting facility.

TRUSTe: Eloqua is a participant in the TRUSTe Privacy Seal Program. TRUSTe is an independent organization whose mission is to advance privacy and trust in the networked world. TRUSTe monitors Eloqua's privacy practices for compliance with their rigorous standards.

Safe Harbor Privacy Framework: Eloqua participates in the EU Safe Harbor Privacy Framework as set forth by the United States Department of Commerce. As part of its participation in the Safe Harbor, Eloqua has agreed to TRUSTe dispute resolution for disputes relating to our compliance with the Safe Harbor Privacy Framework. This agreement allows companies in the EU to safely and legally transport data to Eloqua's data centers.

Messaging Anti-Abuse Working Group (MAAWG): Eloqua recommends that anyone using email, either through its services or anywhere else, should adopt the Messaging Anti-Abuse Working Group (MAAWG) Sender Best Communications Practices (BCP). With collaborative input from both volume senders and Internet Service Providers, the new best practices recommend sender email technologies and subscription methods to improve deliverability rates for newsletters and permission-based email marketing. The complete Sender Best Communications Practices document is available on the organization's website at http://www.maawg.org/about/publisheddocuments.

Security in the Data Center

Eloqua has constructed a comprehensive security policy that addresses all the critical touch-points of the application and its infrastructure, from the data center to the end user.

A. Data Center Security

Eloqua partners with Verizon Business Canada to deliver its platform from a secure, reliable datacenter in Toronto. Verizon's datacenter boasts an array of security protections that include:

Physical Security: Verizon's business datacenter is protected by video surveillance, with video feeds recorded and stored offsite. Two independent biometric fingerprint scans and an electronic key with PIN code are required to access Eloqua's secure equipment cage.

Environmental Security: The data center includes an FM200 fire suppression system, redundant HVAC, and backup power including both UPS and redundant diesel generators.

Network Security: The network is part of Verizon's AS701 Autonomous System, one of only 10 Tier 1 networks in the world. All portions of this network are redundant.

B. Server Security

Eloqua builds its servers using a secure build process that removes unneeded services and locks down the file system using access control lists. These servers are further secured through the implementation of Group Policies. The servers' secure posture is maintained through Eloqua's operating system and firmware patching regimen. Eloqua's patching process for Windows hot fixes and software updates allows for a test period on the development, quality assurance and staging environments before changes are promoted to the production environment.

To confirm the security posture of all network devices, Eloqua uses third-party vulnerability scanning services from Qualys. These scans confirm that all required patches have been applied and that any security-affecting configuration changes have been made. The network perimeter is scanned remotely from Qualys's network and the internal network is scanned from within using a QualysGuard security appliance. Both scans are run weekly. Over time, Qualys continues to update its vulnerability checklist to provide fast detection and allow quick remediation of any new network vulnerabilities.

C. Application Security

Customer data within the Eloqua system is secured by partitioning each tenant into its own separate database, with access tightly controlled by the login process. Eloqua's network is divided along a functional 3-tier boundary common to many web applications (web, application and database). Within the network, the systems are divided into four functional groups: mail servers, web and application servers, database servers and management servers. This segmentation allows for very specific control over the type of traffic that passes between each layer, isolating potential issues and preventing the spread of any threats. Traffic is controlled using tight security access control lists.

In addition, Eloqua embeds security in the software development process itself.

Application scans: The development team uses PortSwigger's Burp Suite product to scan for and detect any security vulnerabilities in the platform, so that they can be patched before the code is released for production use.

Secure Libraries: Eloqua uses standard libraries to scan for, and block, Cross-Site Scripting and other dangerous data.

D. System Monitoring

In addition to preventative strategies, Eloqua also uses a number of tools to proactively monitor the system for problems that could affect security, performance or reliability. Industry-standard protocols such as SNMP, WMI and SQL are used to ensure the operations team has full visibility into the state of the platform at all times. In the event of a problem with a particular subsystem, or an abnormal amount or type of traffic being directed at a client, Eloqua is able to selectively exclude specific traffic types to avoid a denial of service.

Monitoring: In addition to internal tools, Eloqua confirms the security and reliability of the Eloqua platform using Gomez ExperienceFirst to measure application uptime and response time.

Alerting: A number of tools, including Microsoft's System Center Operations Manager (for Windows and SQL monitoring) and Dell's IT Assistant (for hardware monitoring), are used to detect and alert on any critical events in the system.

E. Network Security

Customers log into Eloqua using a 128-bit SSL-encrypted browser session, the same secure browsing technology used by financial institutions and leading e-commerce sites. Eloqua provides additional feedback to the user through VeriSign's Extended Validation SSL certificates to assist in preventing phishing attacks. In most browsers, such as Microsoft Internet Explorer, Mozilla Firefox, and Google Chrome, the use of an Extended Validation certificate turns the address bar green to acknowledge that the site is being accessed in a secure manner. This same SSL-based security is used when synchronizing Eloqua with customer third-party CRM systems. If the customer website is partially insecure, Eloqua can seamlessly move between security levels. This allows the user to experience the website at the required security level without concern.

Eloqua employs two firewalls in an Active/Passive cluster to provide traffic filtering and Intrusion Prevention services. To prevent worms and other network-based attacks from accessing other ports and protocols, only 3 ports are open to inbound traffic: HTTP, HTTPS and SMTP. Eloqua also employs intrusion prevention rules that are built into the firewall cluster, as well as other intrusion detection devices in the network, to monitor for problems. The production network, which manages customer data and transactions, is entirely separate from Eloqua's corporate network.

Security at the Desktop

Security does not end with the Eloqua data center. Access to the Eloqua platform is controlled by the forms authentication method provided by the underlying Microsoft .NET platform. All users access the application using a Company Name, Username and Password, which are encrypted with SSL while in transmission. An encrypted session ID cookie is used to uniquely identify each user. For closed-loop security, this cookie only persists for the duration of the session and only contains the user's unique ID. Once authenticated, the user is granted an access level based on that user's designated group membership. At the highest level, the application provides separate security rights to normal users, client-level administrators and application-wide administrators. For normal users, there are a number of standard access roles that map onto job functions (such as sales user, basic marketing user, and advanced marketing user). At the most granular level, administrators can control read/edit/delete access to individual marketing assets within the application. Each customer instance of Eloqua can have its own security settings that allow these login details to be customized.

To ensure the highest possible security to the user's desktop, Eloqua also suggests additional best practices for customers to adopt within the four walls of their organization. For example, Eloqua suggests the following customer best practices for all subscribers:

Set IP range restrictions to allow users to access Eloqua only from a corporate network or VPN, thus providing a second factor of authentication.
Educate employees not to open suspect emails and to be vigilant in guarding against phishing attempts.
Use security solutions from leading vendors such as Symantec to deploy spam filtering and malware protection.
Designate a security contact within your organization so that Eloqua can more effectively direct security-related communications.
Consider using two-factor authentication techniques such as RSA tokens to restrict access to the network.

Benefits Summary

Eloqua is committed to providing best-in-class security technologies and policies to allow customers to rest assured that their data is safe at all times. Through a combination of policies, platform and customer security, Eloqua is able to maintain a best-in-class software security infrastructure as evidenced by its impeccable track record.

Organizational culture built around security and privacy
SAS 70 Type II audited software platform hosted in a SAS 70 Type II audited facility
Physical, environmental, and network security through the Verizon Business datacenter
Reliance on third-party tools and standards bodies for continuous improvement and thought leadership
Best practices to improve security at the customer site
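As an added illustration (not Eloqua's code) of the login controls described under Security at the Desktop and the IP range restriction recommended above, the following Python models a per-customer-instance login: Company Name, Username and Password are checked, the client address must fall inside the instance's allowed ranges, and the resulting cookie carries only the user's unique ID with no Expires/Max-Age so it lasts for the browser session. The CustomerInstance settings, the constructed users and ranges, and the use of HMAC-SHA256 for cookie integrity (the paper says the cookie is encrypted but not how) are assumptions made for the example.

```python
# Added example, not Eloqua's code: per-customer login controls modelled on the
# paper's description (Company Name + Username + Password, optional IP range
# restriction per customer instance, session-only cookie holding just the user's
# unique ID). Cookie integrity here uses HMAC-SHA256 (an assumption; the paper
# says the cookie is encrypted but not how). All data below is constructed.
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass, field

SERVER_KEY = secrets.token_bytes(32)  # server-side secret, never sent to clients


@dataclass
class CustomerInstance:
    """Hypothetical per-instance security settings."""
    name: str
    allowed_ranges: list = field(default_factory=list)  # CIDRs; empty = no restriction
    users: dict = field(default_factory=dict)  # username -> (salt, pw_hash, user_id)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def ip_allowed(inst: CustomerInstance, client_ip: str) -> bool:
    """IP range restriction: the paper's 'second factor' (corporate network or VPN only)."""
    if not inst.allowed_ranges:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(cidr) for cidr in inst.allowed_ranges)


def issue_session_cookie(user_id: str) -> str:
    """Cookie carries only the user ID plus a MAC; no Expires/Max-Age, so the
    browser discards it when the session ends. user_id must not contain '.'."""
    mac = hmac.new(SERVER_KEY, user_id.encode(), hashlib.sha256).hexdigest()
    return f"session={user_id}.{mac}; Secure; HttpOnly"


def user_id_from_cookie(cookie: str):
    """Return the user ID if the MAC verifies, otherwise None (tampered or forged)."""
    value = cookie.split(";", 1)[0].split("=", 1)[1]
    user_id, _, mac = value.rpartition(".")
    expected = hmac.new(SERVER_KEY, user_id.encode(), hashlib.sha256).hexdigest()
    return user_id if hmac.compare_digest(mac, expected) else None


def login(instances: dict, company: str, username: str, password: str, client_ip: str):
    """Authenticate against the customer instance; returns a Set-Cookie value or None."""
    inst = instances.get(company)
    if inst is None or username not in inst.users:
        return None
    if not ip_allowed(inst, client_ip):
        return None  # outside the corporate range / VPN: reject before checking the password
    salt, pw_hash, user_id = inst.users[username]
    if not hmac.compare_digest(hash_password(password, salt), pw_hash):
        return None
    return issue_session_cookie(user_id)


def make_demo_instances() -> dict:
    """Constructed sample data: one instance restricted to the TEST-NET-3 range."""
    salt = b"constructed-salt"
    acme = CustomerInstance("acme", allowed_ranges=["203.0.113.0/24"])
    acme.users["alice"] = (salt, hash_password("correct horse", salt), "u-1001")
    return {"acme": acme}
```

A login from outside the allowed range fails even with the right password, and a cookie whose user ID has been altered no longer verifies.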