Securing the Service Desk in the Cloud



TECHNICAL WHITE PAPER
BMC's Security Strategy for ITSM in the SaaS Environment

Introduction

Faced with a growing number of regulatory, corporate, and industry requirements, organizations must be sure their important applications and data remain secure when deployed through the software-as-a-service (SaaS) model. This is as true for IT service management as for any other application. IT service management does the critical work of assuring that IT applications, devices, and services are available to meet business needs. Juggling IT service management tasks such as help desk calls, requests for new servers, required security updates, and changes in user access rights is difficult enough. Maintaining the hardware, software, and storage required to run the IT service management solution is, for some organizations, not a good use of staff, budget, or time.

Choosing a SaaS solution lets organizations reduce their management costs and focus on keeping applications running, passwords updated, servers patched, and employees productive, rather than on running the IT service management infrastructure. Yet IT service management applications may hold sensitive data about users and the business, ranging from the names of servers to changes in employee status. With BMC Remedy OnDemand, BMC has built in the security tools and processes needed to protect that data, so organizations can reduce the total cost of ownership of IT service management while securing their sensitive corporate and user information.

This white paper examines the key security concerns facing organizations considering BMC Remedy OnDemand, and how BMC addresses them.

Data Security

The data contained in IT service management systems ranges from ticket structures to the service tickets themselves to usage logs. Organizations must be assured this data is secure, both during the initial migration of IT service management data to the BMC data center and whenever they retrieve that data for reporting or other purposes.
[Figure 1. BMC Remedy OnDemand three-tiered architecture: clients connect via HTTPS over the internet or a VPN to a load balancer, then to the web server, application server, and database, with the BMC Remedy system and the data in the internal zone. [1]]

BMC maintains the security of the network infrastructure with a three-tiered architecture consisting of an external zone, a DMZ, and an internal zone. All are protected by firewalls and network monitoring devices, as well as intrusion prevention systems monitored 24x7 by a security operations center. (See Figure 1.) All servers that access or store data are protected by antivirus software and are hardened at the operating system, database, and application levels through a series of defined policies and procedures. Any change to the operating system, database, or application configuration goes through change management, so that the accepted hardened baseline is maintained. Security and other patches are applied at least monthly, with critical security patches applied whenever available; all patches are tested in a staging environment before deployment to production servers.

All data entering the BMC cloud is encrypted in transit, either over an IPsec VPN or over HTTPS, using AES with a minimum key length of 256 bits. (See Figure 2.) The bulk cipher's key length is only one input to the strength of the tunnel; the accepted IPsec and TLS protocol versions and cipher suites are not listed here and should be confirmed with BMC. BMC can also apply the authentication policies an organization has established for its own employees when they access the service.

[Figure 2. The same architecture with the application server and its data inside the protected zone; connections arrive via HTTPS over the internet or via VPN, with IPsec and AES 256-bit encryption. [1]]

Secure Backup

Sensitive data, such as that stored in IT service management systems, must be protected both while at rest on servers and storage arrays and while in transit, such as during backups. Backups performed within the BMC data center are protected by its firewalls, network, and server protection policies. Backup to a remote location, if requested by an organization, is encrypted over a VPN with a minimum of AES 256-bit encryption.
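The external / DMZ / internal segmentation described above is only as good as the rule set that enforces it. The following is an added example, not BMC's code or configuration: it models a default-deny allow list for the three tiers in the figures and checks two structural properties a reviewer would want, that nothing in the external zone can reach the internal zone in a single hop and that no server may initiate connections back out to the external zone. The tier names, the application port 8443 and the database port 5432 are assumptions made for illustration.

```python
"""Default-deny segmentation policy for a three-tier SaaS deployment.

Added example (not BMC's code): zones, tier names and ports are
assumptions chosen to mirror the external / DMZ / internal layout in
the figures. Flows are evaluated against an explicit allow list and the
list itself is checked for rules that would bypass the DMZ.
"""
from collections import deque
from dataclasses import dataclass

EXTERNAL, DMZ, INTERNAL = "external", "dmz", "internal"

# Zone membership of each tier (assumed names).
ZONE_OF = {
    "internet": EXTERNAL,
    "customer-vpn": EXTERNAL,
    "lb": DMZ,
    "web": DMZ,
    "app": INTERNAL,
    "db": INTERNAL,
}

# Allow list: (source tier, destination tier, destination port).
# Anything not listed is denied (default deny).
ALLOW = {
    ("internet", "lb", 443),       # HTTPS from the internet
    ("customer-vpn", "lb", 443),   # HTTPS over the customer VPN
    ("lb", "web", 443),
    ("web", "app", 8443),          # assumed application port
    ("app", "db", 5432),           # assumed database port
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int


def is_allowed(flow: Flow) -> bool:
    """Return True only if an explicit allow rule matches (default deny)."""
    return (flow.src, flow.dst, flow.port) in ALLOW


def reachable_zones(start: str) -> set:
    """Zones reachable from `start` by following allowed flows transitively."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for src, dst, _ in ALLOW:
            if src == cur and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return {ZONE_OF[h] for h in seen}


def first_hop_zones(start: str) -> set:
    """Zones reachable in exactly one hop from `start`."""
    return {ZONE_OF[dst] for src, dst, _ in ALLOW if src == start}


def external_must_land_in_dmz() -> bool:
    """Every external entry point's first hop must be in the DMZ, never internal."""
    return all(first_hop_zones(h) <= {DMZ}
               for h, z in ZONE_OF.items() if z == EXTERNAL)


def violations() -> list:
    """Structural checks over the allow list, independent of any single flow."""
    problems = []
    for src, dst, port in ALLOW:
        if ZONE_OF[src] == EXTERNAL and ZONE_OF[dst] == INTERNAL:
            problems.append(f"{src}->{dst}:{port} skips the DMZ")
        if ZONE_OF[dst] == EXTERNAL and ZONE_OF[src] != EXTERNAL:
            problems.append(f"{src}->{dst}:{port} lets a server initiate outbound to external")
    return problems


if __name__ == "__main__":
    for f in (Flow("internet", "lb", 443), Flow("internet", "db", 5432),
              Flow("web", "db", 5432), Flow("app", "db", 5432)):
        print(f, "ALLOW" if is_allowed(f) else "DENY")
    print("zones reachable from internet:", sorted(reachable_zones("internet")))
    print("structural violations:", violations())
```

The transitive check deliberately reports that the internal zone is reachable from the internet: that is the intended design, since tickets must eventually reach the database. What must never hold is a direct external-to-internal rule, which `violations()` would flag the moment someone adds one.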

Sensitive data must be protected both at rest and in transit. If an organization requires digital signatures to assure the authenticity of the sending or receiving device, BMC is prepared to adopt any PKI model the organization requests.

Administrative Access

Given that many attacks on corporate data are carried out by insiders, it is critical that organizations can restrict which users have administrative access to their IT service management system (and thus can see all tickets in process, or even change the look and feel of the system) and which users can see only the tickets they have submitted. BMC administrators must pass through two-factor authentication before accessing servers and network devices through a VPN. By default, all administrators are given the minimum access needed to do their jobs and are granted greater privileges only as needed. The authentication system logs all transactions and user activity, so it serves not only as a security control but also as a source of evidence for auditing, accounting, and compliance.

Patching Processes

As new vulnerabilities are identified, software vendors respond with patches to remediate them. Applying patches regularly is essential to maintaining security, but in a SaaS environment patching is up to the vendor. The organization using the service must therefore rely on the vendor to test patches so they do not harm applications, and to have processes in place to roll patches back if needed. BMC applies all required patches to its BMC Remedy OnDemand environment at least monthly, with critical patches applied as soon as they are available and have been tested. All patches are tested in a staging environment before release to production to ensure system stability and performance.
Security Certifications

Security certifications are a useful indicator of the skill and commitment a SaaS provider brings to protecting data. BMC's data centers have SAS 70 Type II audit reports and are audited against ISO 27001, whose code of practice (ISO 27002) covers physical security, control of restricted areas, management of human resources, data security and confidentiality, business continuity, logical access control, and other requirements. A SAS 70 Type II report is an auditor's attestation that the controls the provider itself defined operated effectively over the review period; it is not a certification against a fixed standard, so the report's scope and control objectives matter more than the label.

Penetration Tests

Periodic penetration tests are essential to assuring that the proper security tools and processes are in place to meet ever-changing security threats. A SaaS vendor should perform such tests rigorously.
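The Patching Processes section above commits to two checkable rules: every patch is tested in staging before it reaches production, and patches are applied at least monthly with critical ones as soon as they have been tested. The following is an added example, not BMC's code, that turns those rules into a compliance check over a deployment log. The 30-day cadence is from the paper; the 7-day limit for critical patches, the patch identifiers and the deployment records are assumptions constructed for illustration.

```python
"""Patch-compliance check: staging before production, critical patches fast, the rest monthly.

Added example, not BMC's code. The 30-day routine cadence comes from the
paper; the 7-day critical limit and the sample patch feed and deployment
log below are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

CRITICAL_SLA = timedelta(days=7)     # assumed: "as soon as available and tested"
ROUTINE_SLA = timedelta(days=30)     # paper: patches applied at least monthly


@dataclass(frozen=True)
class Patch:
    id: str
    severity: str       # "critical" or "routine"
    released: date


@dataclass(frozen=True)
class Deployment:
    patch_id: str
    environment: str    # "staging" or "production"
    applied: date


def due_date(p: Patch) -> date:
    return p.released + (CRITICAL_SLA if p.severity == "critical" else ROUTINE_SLA)


def findings(patches, deployments, today: date) -> list:
    """Return one finding per policy breach; an empty list means compliant."""
    out = []
    by_patch = {}
    for d in deployments:
        by_patch.setdefault(d.patch_id, {})[d.environment] = d.applied
    for p in patches:
        envs = by_patch.get(p.id, {})
        prod, stage = envs.get("production"), envs.get("staging")
        # Rule 1: production deployment must be preceded by a staging deployment.
        if prod is not None and (stage is None or stage > prod):
            out.append(f"{p.id}: reached production on {prod} without a prior staging deployment")
        # Rule 2: the patch must reach production within its SLA.
        if prod is None and today > due_date(p):
            out.append(f"{p.id}: {p.severity} patch overdue, due {due_date(p)}")
        elif prod is not None and prod > due_date(p):
            out.append(f"{p.id}: {p.severity} patch applied late on {prod}, due {due_date(p)}")
    return out


# Constructed sample data (not a real patch feed).
PATCHES = [
    Patch("KB-1001", "critical", date(2010, 3, 1)),
    Patch("KB-1002", "routine", date(2010, 3, 1)),
    Patch("KB-1003", "critical", date(2010, 3, 20)),
    Patch("KB-1004", "routine", date(2010, 3, 25)),
]
DEPLOYMENTS = [
    Deployment("KB-1001", "staging", date(2010, 3, 2)),
    Deployment("KB-1001", "production", date(2010, 3, 4)),      # compliant
    Deployment("KB-1002", "production", date(2010, 3, 10)),     # skipped staging
    Deployment("KB-1003", "staging", date(2010, 3, 21)),        # never reached production
    Deployment("KB-1004", "staging", date(2010, 3, 26)),
    Deployment("KB-1004", "production", date(2010, 3, 27)),     # compliant
]


def run(today: date = date(2010, 4, 1)) -> list:
    return findings(PATCHES, DEPLOYMENTS, today)


if __name__ == "__main__":
    for line in run():
        print(line)
```

Run against the sample log on 2010-04-01 this reports two breaches: KB-1002 went straight to production, and the critical KB-1003 sat in staging past its due date. A customer who is given read access to such a report has the visibility into patch handling that the section says they must otherwise take on trust.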

BMC maintains an internal white-hat penetration testing team that regularly tests the security of its BMC Remedy OnDemand environment. BMC's Web application monitoring teams continually review the results of those tests and remediate any vulnerability found. (See Figure 3.) BMC also performs a weekly critical-parameters audit and a monthly operations review. An outside vendor conducts an external ISO 27001 audit and a penetration test every six months, as well as an annual SAS 70 audit.

[Figure 3. The same three-tiered architecture (HTTPS or VPN, load balancer, web server, application server, database), showing the protections BMC employs against outside attacks. [1]]

Disaster Recovery/Business Continuity

Being able to quickly resume operations in the wake of a natural or man-made disaster is critical in today's 24x7 economy. When organizations run their own data centers, they control the nature, scope, and quality of their DR/BC efforts. When deploying applications in a SaaS model, they must instead get assurances from the vendor that the proper steps are being taken to assure application uptime. The BMC Remedy OnDemand environment uses industry-standard, high-capacity servers and a network infrastructure with redundant switches and networks to avoid single points of failure. Clustered servers and backup systems help assure uninterrupted access to service desk functions even in the event of a system failure. BMC also follows its own DR/BC policies, which are continuously updated to reflect changes in the technical and business environments as well as the results of its regular mock drills and tests.

Notification of Security Breaches

Organizations that entrust their data to a SaaS provider need to know if the vendor has suffered a security breach, both so they can take the proper steps internally to safeguard their data and so they can make any legally required notifications.
BMC has a formal incident response and reporting procedure, which is tested regularly.

Summary

In building its BMC Remedy OnDemand environment, BMC has taken into account the sensitivity of the information held in organizations' IT service management systems. BMC provides a rigorous, ISO-certified security environment that includes 24x7 monitoring of physical and logical systems, encryption of sensitive data, continual Web application security monitoring, and strong authentication, access control, and password management. In addition to its own safeguards, BMC allows organizations to specify their own requirements in areas such as disaster planning, business continuity, and visibility into the results of ongoing security tests. With BMC Remedy OnDemand, organizations can be assured their IT service management data is protected, even as they take advantage of the cost and flexibility benefits of the SaaS model.

Next Steps

For more information or to register for a demo, please visit www.bmc.com/ondemand.

[1] All diagrams are for general illustrative purposes only.

Business runs on IT. IT runs on BMC Software. Business thrives when IT runs smarter, faster, and stronger. That's why the most demanding IT organizations in the world rely on BMC Software across both distributed and mainframe environments. Recognized as the leader in Business Service Management, BMC provides a comprehensive and unified platform that helps IT organizations cut cost, reduce risk, and drive business profit. For the four fiscal quarters ended March 31, 2010, BMC revenue was approximately $1.91 billion. BMC, BMC Software, and the BMC Software logo are the exclusive properties of BMC Software, Inc., are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries.
All other BMC trademarks, service marks, and logos may be registered or pending registration in the U.S. or in other countries. UNIX is the registered trademark of The Open Group in the US and other countries. Tivoli and IBM are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. IT Infrastructure Library is a registered trademark of the Office of Government Commerce and is used here by BMC Software, Inc., under license from and with the permission of OGC. ITIL is a registered trademark, and a registered community trademark of the Office of Government Commerce, and is registered in the U.S. Patent and Trademark Office, and is used here by BMC Software, Inc., under license from and with the permission of OGC. All other trademarks or registered trademarks are the property of their respective owners. 2010 BMC Software, Inc. All rights reserved.