BMC's Security Strategy for ITSM in the SaaS - BMC Software

BMC OnDemand Security: A Defense in Depth Strategy


Post on 11-Feb-2022


INTRODUCTION

Today’s constantly evolving security threats make it more difficult than ever to ensure the safety of your data. Changing regulations across industries and geographical locations add an additional level of compliance complexity to your security controls.

BMC understands that the confidentiality, integrity and availability of your operational information are vital to your organization. We use a multi-layered approach to protect your data, constantly monitoring and improving applications, systems, and processes. To provide the highest quality of support to our customers, BMC Remedy OnDemand is developed to function and operate securely. Our Security Operations Center (SOC) and Network Operations Center (NOC) teams work 24x7x365 to ensure the continuous and secure operation of your service.

THE BMC SOLUTION

BMC’s OnDemand Offerings are designed based upon NIST (National Institute of Standards & Technology) controls in order to provide enterprise grade security for our customers. BMC utilizes a defense in depth methodology that focuses on redundant controls to prevent and mitigate impacts to the confidentiality, availability, and integrity of customer data and services.

GOVERNANCE

The Governance layer wraps all other controls and includes policies, procedures, and awareness-related activities. The focus of this layer is on governance, organizational information security awareness, and external validation of the effectiveness of controls. Key features of this layer include:

• Policies and Procedures
• Quality Management System
• Architecture and Design
• Threat Intelligence
• Risk Analysis and Management
• Pen Testing and Vulnerability Assessments
• Security Awareness Training
• Security Technology Assessment/Evaluation

PHYSICAL

BMC’s OnDemand physical platform is provided by top tier datacenter providers. These datacenters include fully redundant power, cooling and battery backup systems. A robust physical layer ensures continuous and safe operation of the service. Key features of this layer include:


• Public Sector FISMA-ready and IL3 capabilities
• Leading data center partners provide geographically diverse Tier-3 data centers
• Secure non-descript facilities
• On-site security 24x7x365 with CCTV monitoring
• Automatic and manual inspections of access points
• Secure access to all facilities requiring two-factor building access with key card, PIN/biometrics

PERIMETER

The Perimeter layer focuses on ensuring Data-In-Motion (DIM) is encrypted, as well as ensuring that access into the environment is restricted to the minimum access required. Key features of this layer include:

• Tiered Internet-facing web applications
• Ports and protocols restricted to HTTPS
• Industry-standard, fully redundant stateful firewalls
• Intrusion prevention system (IPS) monitors perimeter traffic with daily definition updates
• SAML/SSO Integration
• 256-bit SSL HTTPS
• TLS for email and SFTP/FTPS for data file transmissions
• SSL certificates (2048-bit)
• Annual third-party network and application penetration tests

NETWORK

The Network layer focuses on segmenting and restricting internal communications. These controls increase the confidentiality and integrity of customer data. Key features of this layer include:

• Internal segmentation includes multiple internal layers and network segments
• Web content filtering
• Restricted network access
• Management layer with centralized administration and system monitoring
• No publicly routable addresses on any of the data center servers

ENDPOINT

The Endpoint layer focuses on securing the systems that process sensitive customer information. Controls at this layer are restricted to services that are appropriate only for the system's function. Key features of this layer include:

• Host-based firewalls restrict ports and protocols for required services
• Enterprise anti-virus and anti-malware protection with daily definition updates
• Patch management with at-minimum monthly deployment schedule
• Patch management compliance testing
• Privileged access review for least privilege compliance

APPLICATION

The Application layer includes controls that are utilized by the customer, including role-based access, as well as product development best practices. Key features of this layer include:


• Features that protect data from unauthorized access
• Rich permission structure based on role for access to data
• Stored credentials are encrypted
• A logical, multi-tier access control structure

DATA

The Data layer includes data at rest protection mechanisms. This ensures that information is unusable should it be removed from the environment. Key features of this layer include:

• Enforced requirements for complex passwords
• Utilizing Microsoft SQL Server Transparent Data Encryption (TDE) for database encryption
• Database Master Key is stored separately and accessible only by specific individuals
• Secure storage: backup data remains encrypted
• AES 256-bit encryption applied to tape for long-term offline storage

Summary: Built from the ground up to ensure the confidentiality, integrity and availability of customer data, BMC’s OnDemand solution provides industry leading security. Every layer of our defense includes multiple overlapping controls to ensure maximum effectiveness. Customers can rest assured that their data is protected.

Business runs on IT. IT runs on BMC Software.

Business runs better when IT runs at its best. Tens of thousands of IT organizations around the world -- from small and mid-market businesses to the Global 100 -- rely on BMC Software to manage their business services and applications across distributed, mainframe, virtual and cloud environments. BMC helps customers cut costs, reduce risk and achieve business objectives with the broadest choice of IT management solutions, including industry-leading Business Service Management and Cloud Management offerings. For the four fiscal quarters ended March 31, 2013, BMC revenue was approximately $2.2 billion. www.bmc.com

BMC, BMC Software, and the BMC Software logo are the exclusive properties of BMC Software, Inc., are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other BMC trademarks, service marks, and logos may be registered or pending registration in the U.S. or in other countries. All other trademarks or registered trademarks are the property of their respective owners. © 2013 BMC Software, Inc. All rights reserved.