
SERENA SOFTWARE

Serena Service Manager Security

2014-09-08

Table of Contents

Who Should Read This Paper?

Overview

Security Aspects

Reference

Who Should Read This Paper?

This document describes security aspects of Serena Service Manager (SSM). The intended audience for this white paper includes:

• Technical decision makers who are considering Serena Service Manager as their new IT Service Management application.

• IT Analysts and IT Managers who are interested in understanding the security aspects of SSM.

Overview

Service Manager is a highly flexible IT service management (ITSM) offering that delivers highly available, secure, and scalable applications. Service Manager leverages the Serena® Business Manager (SBM) platform to provide a secure, reliable, and highly adaptable ITSM solution. Service Manager is designed to automate the complete service delivery process, provide a simple yet powerful role-based experience to all service desk users, and deliver complete visibility into the status of issues across the service lifecycle through rich reports and dashboards. It also aids with ITIL compliance while providing a foundation that can be extended to streamline other core IT processes.

Security Aspects

This section describes aspects of security that are provided by the SBM platform, which powers Serena Service Manager.

SBM provides confidentiality, integrity, and availability of customer data. SSM applications and data are secured from various types of threats via the security layers described below:

Operational Security (On-Demand Only)

The day-to-day operational security of SBM on-demand includes adherence to the following:

• Policy

The operational security policy defines the responsibilities and authorization of the IT team that manages SBM in the cloud.

• Change management process

The IT team has defined precise processes that control how changes to the network, hardware, and software are executed. The state of the hardware, operating system, and configurations is monitored, and all changes are logged and executed in a controlled way. The logs are evaluated and checked for potential misconfigurations.

• Access control

Access to the network devices and hardware where SBM runs is very restricted. All login attempts are tracked for security purposes.

• Patch management

All operating system and anti-virus software updates are implemented on time via automated processes. The automation runs the update software with no human interaction, while ensuring that updates arrive on time to reduce the risk from new threats and vulnerabilities.

Network Security

SBM is designed to ensure that all data traveling over the network is secured to prevent any leakage of sensitive information. This involves the use of strong network traffic encryption techniques such as Secure Sockets Layer (SSL), multi-layer security services, and state-of-the-art tools such as Intrusion Detection and Prevention Systems (IDPS) to detect malicious activity.

Application Security

With each release, Serena performs extensive black-box and white-box testing to ensure there is no data leakage. The solutions are also checked against possible security vulnerabilities by using strong encryption techniques for data security and fine-grained authorization to control access to data.

Serena uses the following methods and practices to ensure application and data security:

• Confidentiality

Confidentiality ensures that a customer's data is only accessible by authorized entities. SBM provides confidentiality via the following mechanisms:

▪ Identity and Access Management

Designed to ensure that only authenticated entities are allowed to access the system.

▪ Encryption

SBM encrypts critical data in the database.

▪ SmartCard Authentication

Provides a secure and reliable authentication method that allows users who have a current Smart Card (containing valid certificates and identity information) to gain access to a Smart Card-enabled SBM system once the proper PIN is provided.

• Identity and Access Management

The strongest security controls have no protection against an attacker who gains unauthorized access to credentials or keys. Strong security not only requires running the system in a secure mode; it also requires policies that govern exactly who, what, when, how, and from what location users can access specific IT systems and data (in addition to related auditing requirements).

SBM provides Single Sign-On (SSO) authentication out-of-the-box, while interacting with components at run time and design time. It also provides a complete audit trail of all interactions and changes that are performed by either humans or applications during a session.

• SBM-API Authentication Security Aspects

The SBM API provides Web services via the Simple Object Access Protocol (SOAP), which enables integrations with external systems. The protocol can be configured to run over SSL, using customer credentials for authentication. Additionally, all interaction is controlled by the role of the authenticated user, which provides additional security so that unauthorized users cannot access restricted data in SBM.

• SSL Authentication for Internet Traffic

For on-premise customers, all communication between SBM and end users or external systems can be protected with SSL. (SSL is enabled for on-demand customers automatically).

• Client Certificate Authentication

On-premise customers can also enable bi-directional (two-way) SSL authentication between the components in SBM. Client certificate authentication provides tighter security for your entire SBM installation because, once trust is established, each machine can reliably identify itself and provide assurance of its identity to the server.

• Application Vulnerability Assessment

Internet applications are always vulnerable to attacks by various malicious users, abusive bots, and crawlers that can exploit weaknesses in the data security model to gain unauthorized access to important data. SBM is scanned for Web application security as part of the certification process upon each release, and it is thoroughly tested using the following assessments to validate the security of the enterprise data that is stored in the database.

▪ Cross site scripting (XSS)

▪ Access control weaknesses

▪ OS and SQL injection flaws

▪ Cross site request forgery (CSRF)

▪ Cookie manipulation

▪ Hidden field manipulation

▪ Insecure storage

▪ Insecure configuration

Serena understands that any vulnerability that is detected during these tests can be exploited to gain access to sensitive enterprise data and ultimately lead to financial loss. Our development and quality assurance organizations endeavor to expose and resolve these types of potential vulnerabilities during each testing cycle. Serena takes security seriously. We strive to aggressively enhance SBM to safeguard against any new vulnerabilities that are discovered.
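The trust decision behind the two-way SSL authentication described under Client Certificate Authentication above, as an added example in Go that is not code from Serena or the SBM product: the server keeps a trust store holding its internal CA, and a component's certificate is accepted only if it chains to that CA and is marked for client authentication, so an impostor that merely copies the component's name is rejected. The names sbm-internal-ca and sbm-notification-server are constructed for this demo; the Verify call is the same check Go's crypto/tls performs when ClientAuth is set to RequireAndVerifyClientCert.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue returns a certificate for name: a self-signed root when ca is nil, otherwise a
// leaf signed by ca. All names are constructed for this demo; errors are ignored for brevity.
func issue(name string, ca *x509.Certificate, caKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: ca == nil, BasicConstraintsValid: true,
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if ca == nil { // root: the template signs itself
		ca, caKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// acceptClient is the check a server performs on a presented client certificate when it is
// configured for client-certificate authentication: the chain must end at a CA the server
// trusts and the leaf must be allowed for client authentication.
func acceptClient(trusted *x509.CertPool, presented *x509.Certificate) error {
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:     trusted,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// Demo builds the trust relationship and tries two client certificates against it. It returns
// the verdict for a client issued by the trusted CA and for an impostor that merely copied the name.
func Demo() (genuine error, impostor error) {
	caCert, caKey := issue("sbm-internal-ca", nil, nil)
	trusted := x509.NewCertPool()
	trusted.AddCert(caCert) // the server trusts exactly this CA for client identities
	clientCert, _ := issue("sbm-notification-server", caCert, caKey)
	fakeCert, _ := issue("sbm-notification-server", nil, nil) // self-signed, same name, unknown issuer
	return acceptClient(trusted, clientCert), acceptClient(trusted, fakeCert)
}
```

Demo returns a nil error for the CA-issued certificate and a "certificate signed by unknown authority" error for the self-signed one.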

Security in the On-Demand (SaaS) Environment

The software industry has changed dramatically over the last few years. With the popularity of cloud-computing platforms, companies are looking for packaged business applications that are available on-demand. Companies are taking advantage of the Software-as-a-Service (SaaS) model to reduce IT costs normally associated with traditional on-premise applications (such as managing hardware requests, patches, and IT services). The popularity of SaaS-based business applications increases the provider’s responsibility to provide a cloud-based platform that offers outstanding service delivery and security.

For SSM on-demand, the security layers and techniques described above are implemented and managed by a team of trained, experienced, and certified security professionals.

Confidentiality is ensured for on-demand customers. The data for each customer is isolated—data from one customer is not visible to any other customer (or “tenant” in the multi-tenant environment).

SSL is enabled for end users by default for SSM on-demand. To improve performance, all internal communication is performed using HTTP, but it is protected by a firewall. The SSL certificates are procured from approved providers so that end user browsers can fully trust the certificate's authenticity while accessing the application.

SSM on-demand also provides enterprise-level data protection. The data is regularly backed up to facilitate quick recovery in case of disaster. Full data back-ups are taken weekly; daily incremental back-ups and transaction logs are taken every four hours. The hosting provider has been certified by PCI Council DSS 1.2 for data protection.

Reference

About Serena

Serena Software, Inc. provides Orchestrated IT solutions to the Global 2000. Serena's core purpose is to advance the business value of IT. Our 4,000 active enterprise customers, encompassing almost one million users worldwide, have made Serena the largest independent ALM vendor and the only one that orchestrates DevOps, the processes that bring together application development and operations.

Headquartered in Silicon Valley, Serena serves enterprise customers from 29 offices in 14 countries. Serena is a portfolio company of HGGC.

Contact

Web site: http://www.serena.com/company/contact-us.html

Copyright © 2014 Serena Software, Inc. All rights reserved. Serena, TeamTrack, ChangeMan, PVCS, StarTool, Collage, and Comparex are registered trademarks of Serena Software, Inc. Change Governance, Command Center, Dimensions, Mover and Composer are trademarks of Serena Software, Inc. All other product or company names are used for identification purposes only, and may be trademarks of their respective owners.
