THE BLUENOSE SECURITY FRAMEWORK


Bluenose Analytics, Inc. All rights reserved

TABLE OF CONTENTS
Bluenose Analytics, Inc. Security Whitepaper
ISO 27001/27002
The Four Pillars of Our Security Program
Secure Development Lifecycle ("SDLC")
Product Security Features
Secure Deployment Architecture on Amazon Web Services
Corporate Security
IT Security
Physical Security

Bluenose Analytics, Inc. Security Whitepaper

Bluenose Analytics is in the business of helping you understand your customer relationships. By loading your customer data into our application, you get tools to aggregate and analyze that data, spot at-risk customers, and find opportunities to increase revenue from existing customers. We fully understand the importance of protecting your data and what data security means for our application. Simply put, our aim is to protect your data in a way that exceeds your expectations. In this document we outline our overall security framework and how we implement it across four major areas.

ISO 27001/27002 is our Management & Controls Framework

ISO 27001/27002 ("ISO") is industry best practice. Most other security, privacy and regulatory frameworks have been cross-referenced to it, and it has stood the test of time.

ISO 27001 is the standard on which our information security management system (ISMS) is built. The ISMS states our control objectives: high-level statements of policy that guide the selection and implementation of the actual procedures and controls. We can share with you the specifics of our 27001 implementation: our objectives, our policies, and how we approach the process of selecting, implementing and managing specific security policies, standards, procedures and controls.

Note: Much of the rest of this document describes our control objectives at a high level.

ISO 27002 is the catalogue of controls from which we select and implement policies, standards, procedures and controls to satisfy those control objectives. We select controls described in 27002 based on their relevance to Bluenose operations and their ability to reduce risk. Our portfolio of controls comprises both primary and compensating controls, based on what's practical for you and for us. Our controls are administrative, technical, management and legal in nature.

Because our implementation of ISO 27001 is improving continuously, and because it is highly confidential, the best way to get a current picture of it is to talk to us live under NDA.

To assist your due diligence and to validate our capabilities, we seek to obtain and maintain third-party certifications. To that end, we have completed an SSAE 16 SOC 2 Type 1 examination. The examination was as of January 31, 2014, and the report on its results was issued in May 2014. We will seek an SSAE 16 SOC 2 Type 2 examination later in 2014 to demonstrate our ability to sustain our security practices over a period of time. Over time, we expect to achieve further certifications enabled by our ISO implementation, such as ISO 27001 certification, Cloud Security Alliance, etc.

THE FOUR PILLARS OF OUR SECURITY PROGRAM

Our security program has four pillars.

Secure Development Lifecycle ("SDLC")

We believe that the best way to achieve security is to design it in. Therefore, we train each of our developers on a multi-day curriculum developed by experts in this domain. This approach minimizes the likelihood that vulnerabilities are introduced into our product in the first place. Our SDLC training includes the threat modeling approach:
- Review designs using threat modeling
- Find the weaknesses in an application architecture
- Document how the weaknesses can be exploited
- Decide what to mitigate, and how

Product Security Features

Our product contains numerous security features that affect how you experience it as a customer:
- Multi-factor authentication
- Encrypted transports (HTTPS is required)
- Role-based access model with fine-grained controls at the field level
- Password complexity policies
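Of the features listed above, "fine-grained controls at the field level" is the one worth seeing in working code, because it is where role-based access most often goes wrong in practice (a role that may see a record is allowed to see every column in it, or a write path that forgets to check the columns being written). The following is an added example written for this page, not Bluenose's product code: a deny-by-default, field-level RBAC policy in Python, enforced server-side on both reads and writes. The role names (analyst, account_manager, admin), the field names and the sample record are assumptions made for illustration.

```python
"""Field-level role-based access control: an added example, not Bluenose code.

The policy is an allow-list. A field not listed for a role is neither readable
nor writable by that role, and an unknown role has no access at all.
Role names, field names and the sample record are assumptions.
"""
from typing import Dict, Set

# Hypothetical per-role field permissions for a customer-account record.
FIELD_POLICY: Dict[str, Dict[str, Set[str]]] = {
    "analyst": {
        "read": {"account_id", "health_score", "renewal_date"},
        "write": set(),
    },
    "account_manager": {
        "read": {"account_id", "health_score", "renewal_date", "contact_email"},
        "write": {"renewal_date", "contact_email"},
    },
    "admin": {
        "read": {"account_id", "health_score", "renewal_date",
                 "contact_email", "contract_value"},
        # account_id is the record key and is writable by nobody.
        "write": {"health_score", "renewal_date", "contact_email",
                  "contract_value"},
    },
}

# Constructed sample record.
SAMPLE_RECORD = {
    "account_id": "acct-1001",
    "health_score": 42,
    "renewal_date": "2015-03-31",
    "contact_email": "owner@example.com",
    "contract_value": 120000,
}


class AccessDenied(Exception):
    """Raised when a role attempts to write a field it is not permitted to."""


def readable_fields(role: str) -> Set[str]:
    # .get() twice: an unknown role yields the empty set (deny by default).
    return set(FIELD_POLICY.get(role, {}).get("read", set()))


def writable_fields(role: str) -> Set[str]:
    return set(FIELD_POLICY.get(role, {}).get("write", set()))


def project(role: str, record: dict) -> dict:
    """Return only the fields the role may read. The stripping happens on the
    server, so a client never receives a field it is not entitled to."""
    allowed = readable_fields(role)
    return {k: v for k, v in record.items() if k in allowed}


def denied_writes(role: str, changes: dict) -> Set[str]:
    """Fields in `changes` the role may not write; unknown fields count too."""
    return set(changes) - writable_fields(role)


def can_write(role: str, changes: dict) -> bool:
    return not denied_writes(role, changes)


def apply_update(role: str, record: dict, changes: dict) -> dict:
    """Apply `changes` to a copy of `record`, refusing the whole update if any
    field is outside the role's write set, so there are no partial writes."""
    denied = denied_writes(role, changes)
    if denied:
        raise AccessDenied(f"{role} may not write: {sorted(denied)}")
    updated = dict(record)
    updated.update(changes)
    return updated


if __name__ == "__main__":
    print(project("analyst", SAMPLE_RECORD))
    print(apply_update("account_manager", SAMPLE_RECORD,
                       {"renewal_date": "2016-03-31"})["renewal_date"])
```

Two design choices matter here. The read side is a projection applied before serialization, not a client-side hide, so the response never contains the restricted field. The write side rejects the entire request when any one field is out of policy, rather than silently dropping the disallowed fields, because silent dropping lets a client believe a write succeeded when it did not.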

Secure Deployment Architecture on Amazon Web Services ("AWS")

Our product runs on AWS. AWS operates on a shared responsibility model, wherein AWS accepts responsibility for the lower layers of the stack:
- Facilities
- Network (the network that supports their infrastructure)
- Hardware
- Host OS

Details of the AWS model can be found here: http://media.amazonwebservices.com/pdf/aws_security_whitepaper.pdf

Bluenose is responsible for securing everything that runs on top of that stack: the guest OS, the application software, and the security controls around them, such as access control at the network, application and data layers, encryption, secure configuration, etc.

Our implementation on AWS includes the following approaches:
- Data segregation: each customer's data is fully logically segregated
- Application instance isolation: each customer gets their own application instance
- IP-based access: access between software tiers is controlled at the firewall / IP level (for example, between the web application and the database)
- Machine images, patches and configurations are updated and validated before deployment
- Logging, auditing and alerting: instances are monitored for performance and security
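The "IP-based access" item above describes tier isolation: the database should accept connections only from the web tier. On AWS that is expressed in security groups, and the common mistake is to open the database port to an IP range (even a private one) instead of to the web tier's security group, which admits every host in the range rather than only web instances. The following Python script, added here as an example and not Bluenose's own tooling, audits security-group rules in the shape returned by `aws ec2 describe-security-groups` for exactly that property, flags the weak pattern alongside the correct rule, and produces the corrected rule set. The group IDs, names and rules are a constructed sample.

```python
"""Audit AWS security-group rules for tier isolation (added example, not
Bluenose tooling). Input has the shape of `aws ec2 describe-security-groups`
output (SecurityGroups[].IpPermissions[]); the IDs, names and rules below
are a constructed sample."""
import ipaddress
from typing import List, Set

WEB_SG = "sg-0web0000000000001"  # made-up IDs
DB_SG = "sg-0db00000000000001"
DB_PORT = 5432

SAMPLE_GROUPS: List[dict] = [
    {"GroupId": WEB_SG, "GroupName": "web-tier", "IpPermissions": [
        # Web tier: HTTPS from the Internet is its only inbound rule.
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": []},
    ]},
    {"GroupId": DB_SG, "GroupName": "db-tier", "IpPermissions": [
        # Correct: database port reachable only from the web tier's group.
        {"IpProtocol": "tcp", "FromPort": DB_PORT, "ToPort": DB_PORT,
         "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": WEB_SG}]},
        # Weak (constructed so the audit catches it): same port open to a
        # whole private /8, i.e. to every host in it, not just the web tier.
        {"IpProtocol": "tcp", "FromPort": DB_PORT, "ToPort": DB_PORT,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": []},
    ]},
]


def covers_port(perm: dict, port: int) -> bool:
    """True if the rule applies to `port` (protocol "-1" means everything)."""
    if perm.get("IpProtocol") == "-1":
        return True
    return perm.get("FromPort", -1) <= port <= perm.get("ToPort", -1)


def audit_tier_isolation(groups: List[dict], db_sg: str,
                         allowed_sgs: Set[str], port: int) -> List[str]:
    """One finding per inbound rule on `db_sg` that exposes `port` to any
    source other than the allowed security groups. Every CIDR source is a
    finding, private ranges included."""
    findings = []
    db = next(g for g in groups if g["GroupId"] == db_sg)
    for perm in db.get("IpPermissions", []):
        if not covers_port(perm, port):
            continue
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            findings.append(f"{db_sg}: port {port} open to CIDR {cidr}")
        for pair in perm.get("UserIdGroupPairs", []):
            if pair.get("GroupId") not in allowed_sgs:
                findings.append(f"{db_sg}: port {port} open to group "
                                f"{pair.get('GroupId')}")
    return findings


def internet_exposed(groups: List[dict]) -> List[str]:
    """Rules in any group whose source is the whole Internet (a /0)."""
    findings = []
    for g in groups:
        for perm in g.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            ports = "all" if proto == "-1" else \
                f"{perm.get('FromPort')}-{perm.get('ToPort')}"
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if ipaddress.ip_network(cidr).prefixlen == 0:
                    findings.append(f"{g['GroupId']}: {proto}/{ports} "
                                    f"open to {cidr}")
    return findings


def hardened(group: dict, allowed_sgs: Set[str], port: int) -> dict:
    """Copy of `group` that keeps, among rules covering `port`, only those
    whose sole sources are the allowed security groups."""
    kept = []
    for perm in group.get("IpPermissions", []):
        if not covers_port(perm, port):
            kept.append(perm)
            continue
        sources = {p.get("GroupId") for p in perm.get("UserIdGroupPairs", [])}
        has_cidr = perm.get("IpRanges") or perm.get("Ipv6Ranges")
        if sources and sources <= allowed_sgs and not has_cidr:
            kept.append(perm)
    return {**group, "IpPermissions": kept}


if __name__ == "__main__":
    for line in audit_tier_isolation(SAMPLE_GROUPS, DB_SG, {WEB_SG}, DB_PORT):
        print("FINDING", line)
    for line in internet_exposed(SAMPLE_GROUPS):
        print("PUBLIC ", line)
```

Running it against real data is a matter of loading the JSON from `aws ec2 describe-security-groups --output json` and passing its `SecurityGroups` list. The check deliberately treats any CIDR source on the database port as a finding: a security-group reference admits only instances that carry the web tier's group, whereas an IP range admits anything that lands in that range, including a compromised host in another tier.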

Corporate Security

Our approach to corporate security is a combination of IT security and physical security.

i. IT Security

Security Awareness Training
Every employee must pass a security awareness training course. We provide supplemental training and assistance on an ongoing basis as threats evolve and our practices change.

Supported Devices
We maintain strict control over the types of devices that can access our internal network and over the configuration settings of those devices.

Our Network
We operate a minimal amount of network infrastructure, which simplifies network security. We monitor our networks for ingress and egress patterns to ensure that the connection between our endpoints and our cloud-based accounts is secure.

No Servers
We do not own or operate any servers on our premises, which we believe reduces our security risk in several ways:
- Simplified network security
- No management burden for locally installed server software: patch management, vulnerability scanning, etc.
- Increased physical security

Cloud-Based Business Applications
We run our business on a portfolio of cloud-based business applications, many of which you probably use too: financial accounting, customer relationship management, project management, etc. We manage this portfolio as follows:
- We conduct due diligence on application vendors based on their security features and security management practices.
- We maintain an inventory of our applications and of the authorized users of each, including each user's privilege level, and restrict administrative privilege to those with a need for it.
- We continuously manage the provisioning and de-provisioning processes.
- We manage access to these systems with multi-factor authentication (such as tokens, SMS, etc.), password complexity policies, role-based access management with least-privilege provisioning, device fingerprinting, audit logging, etc.

ii. Physical Security
Bluenose provides a robust set of physical security measures:
- We minimize physical security risk by minimizing our own infrastructure, and by having a take-home policy for endpoint devices.
- Because our workforce is highly mobile, we take corresponding measures on those devices: device encryption, access control at the OS and application level, remote wipe, etc.
- Each of our facilities is protected by continuous video surveillance and recording, electronic access control systems, alarm monitoring systems and visitor registration systems.

MAKE YOUR CUSTOMERS LAST A LIFETIME

ABOUT BLUENOSE
Bluenose is a customer success platform that empowers SaaS businesses to proactively manage customers through complete visibility, a robust early warning system, and built-in playbooks. For more information, visit www.bluenose.com.

Contact Us
Bluenose Analytics
517 York Street
San Francisco, CA 94110
415-354-4905
info@bluenose.com
www.bluenose.com
http://www.twitter.com/bluenoseinc
http://www.facebook.com/bluenoseanalytics
https://www.linkedin.com/company/bluenose-analytics-inc-