Last Updated: January 8th, 2013
This document presents Webtrends security practices when collecting and processing Customer data within the Webtrends SaaS Solutions (Webtrends Analytics®, Webtrends Segments®, Webtrends Streams™ and Webtrends Optimize® – collectively referred to as the “SaaS Solutions”). Webtrends uses the ISO/IEC 27000 series of standards as its security guideline, along with 10 years of experience operating highly secure SaaS solutions, to guide its security efforts.
Both within the development process and in the production environment, evaluating the probability and impact of all changes drives the risk management process to protect against activities such as spoofing, tampering, disclosure or denial of services which could expose the SaaS Solutions to attacks, compromise the privacy and confidentiality of customer data, or disrupt the availability of the SaaS Solutions.
Webtrends maintains and updates a general Information Security & Access Policy annually. This policy details employees’ responsibilities toward all types of assets, management’s role, training, confidentiality of customer data and acceptable use of resources, etc. All staff must review and sign this policy when they start working at Webtrends. A compulsory annual security and privacy training requirement ensures employees refresh their knowledge and understanding.
Organization of Information Security
Webtrends Director of Security & Privacy coordinates all security and privacy activities with Product Development, SaaS Operations, HR, Legal, etc. This function reports into Webtrends VP, General Counsel.
All data collected by Webtrends on behalf of its customers remains the property of the respective customers and is classified as confidential under the Webtrends Information Classification policy. Access to customer data is restricted to legitimate business use only. Webtrends prohibits the use of its SaaS Solutions for the collection, processing and storage of sensitive information.
All data collected on behalf of customers is processed and stored in the United States, but may transit temporarily through data collection centers situated closer to the visitors’ location for optimal performance.
Human Resources Security
Webtrends employees are required to provide specific documents verifying identity and undergo federal and state criminal background checks. An employee’s failure to cooperate fully in any background check, or any dishonesty or omission of information pertaining to a background check by an employee, precludes employment with Webtrends. All employees are required to sign a confidentiality agreement.
The Information Security & Access Policy is presented to all new employees as part of their onboarding, and must be reviewed and acknowledged annually. The product development staff receives further training specific to product development and deployment of secure applications.
Webtrends' SaaS Solutions infrastructure is divided into multiple, geographically dispersed facilities. Each facility is housed in a tier 3 or tier 4 data center, designed specifically for maximum security and availability. All locations employ industry best-practices, including badge and biometric access entry systems, redundant power sources, redundant air conditioning units and fire suppression systems. Security personnel and cameras monitor these locations 24 hours a day, 365 days a year. Only authorized personnel are allowed inside any Webtrends data center and all accesses are logged.
SaaS Operations Management
- Change Management - Webtrends maintains and follows formal change management processes. All changes to the production environment are risk assessed, logged, approved in a daily Change Management Meeting, and implemented by a dedicated team. All deploys to the production environment must be promoted through a pre-production test environment.
- Patch Management - Webtrends operates a commercial patch management solution to maintain all hardware system, OS and application level security patches.
- Separation of Development and Operational Facilities - The SaaS Solutions environment is separate from Development and QA environments and from corporate IT (each of these environments resides in a separate network domain and is managed by a separate team). Access to SaaS Operations resources is limited to SaaS Operations personnel and authentication requires a separate set of credentials.
- Malware - Webtrends utilizes commercial anti-malware and vulnerability software on all workstations and servers, both within its SaaS Solutions environment and on the corporate network. Updates are managed and pushed out via workstation/server policy management. Definitions are automatically updated.
- Backups - Webtrends SaaS Solutions store all customer data on fully redundant storage systems, and utilize a multi-tiered backup approach. Backups are stored in secure containers and transferred offsite weekly for storage in a secure, environmentally controlled, reputable third party data archive facility.
Only Webtrends SaaS Operations employees have access to backup media.
SaaS Network Security Management
With fault tolerance and redundancy as guiding principles, Webtrends deploys appropriate, modern, and warranty-backed servers to host the application and database environment for the SaaS Operations. In addition, Webtrends’ SaaS Solutions infrastructure includes redundant data storage arrays for storing customer data.
Webtrends SaaS Solutions’ robust multi-tier service architecture employs stateful firewalls. Network based intrusion detection systems (IDS) monitor network traffic and activity for intrusion and Webtrends Operations personnel leverage multiple network and application monitoring tools to continuously scan for errors or suspicious activities.
Data Retention & Disposal
- Webtrends deletes all customer data, other than copies held for disaster recovery and archival back-up purposes, following termination of contract.
- Destruction of all electronic media utilized in the Webtrends SaaS Solutions must comply with Webtrends Confidential Information Destruction Policy, which requires physical destruction of media, e.g. degaussing or DoD sanitizing, and maintaining records of destruction activity.
- All printed information concerning Webtrends SaaS Solutions customers is disposed of in secure containers and shredded weekly.
Data Transmission & Storage
- All accesses to processed customer data use secure protocols such as HTTPS and SFTP.
- Webtrends prohibits the copying or storage of any customer information on any device, including flash drives, hard drives, tapes or other media, other than for legitimate business purposes.
- Authentication and robust access controls ensure that all customers’ confidential information is secured against unauthorized access. No confidential information is transmitted across unsecured communication channels.
Monitoring and Alerting
24x7 monitoring and alerting is in place to notify Webtrends’ SaaS Operations team of any issue. An Enterprise Application Management solution maintains audit information and logs for all systems, triggers alerts based on event logs, and facilitates alerting, trend analysis, and risk assessment. Escalation procedures exist to ensure the timely communication of security incidents through the management chain and ultimately to any affected customer.
- Employees are given appropriate accounts on systems they are authorized to access, following the principle of “least privilege”.
- Webtrends periodically reviews employee access to internal systems. Reviews ensure that employees’ access rights and access patterns are commensurate with their current positions.
- A formal termination notification process exists, which is initiated by the Human Resources department. Upon notification by HR, all physical and system accesses are immediately revoked.
- Network accounts are mapped directly to employees using a unique identifier; generic administrative accounts are not used.
- Access to customer data is limited to legitimate business need, including activities needed to support customer’s use of the SaaS Solutions.
- Webtrends requires the use of strong passwords, and requires employees to notify corporate IT immediately if they believe the security of their password has been compromised.
- Processes ensure that any production data used for testing (always with customer consent) is automatically deleted after 14 days.
Data Access by Customers
- Customer end users are authorized only to see what is in their account and may have additional privilege restrictions placed on their access to the account by their account administrator.
- Customer data is stored in separate logical directories. The data is protected by industry-standard security mechanisms to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction.
- Customer end users are identified with a user name and password. They authenticate to the system using a password over an HTTPS secured web page.
- Webtrends follows an agile development methodology, with security testing implemented throughout the entire software development lifecycle. Test areas include volume, stress, security, performance, resource usage, configuration, compatibility, installation and recovery testing. Security best practices are a mandated aspect of all development activities.
- Selective code review is included in the scope of testing. The internal quality assurance function also applies security checks–including testing for cross-site scripting vulnerabilities–as part of its regular review.
Webtrends operates a formal Security Incident Response Process. Staff is available 24 x 7 to manage escalations. Monitoring systems automatically page on call personnel when a problem is detected.
Webtrends maintains essential disaster avoidance, readiness and recovery planning capabilities through the use of multiple geographically dispersed data centers, redundancy throughout the SaaS Solutions architecture (including networks, hardware, power providers, internet providers and utility providers), offsite backup media storage providers, and remote access capabilities.
Disaster Recovery Plan
All aspects of the environment are designed and built with redundancies throughout. Webtrends maintains continuous monitoring of each system, throughout the SaaS Solutions, and in each location where data transits, is processed or stored.
Webtrends SaaS Solutions data collection environment is architected for high availability with >N+1 resiliency. Webtrends leverages global load balancing and multiple data centers in North America, Europe and Asia to ensure uninterrupted data collection. Each data collection instance is independent and scaled to three times its daily average traffic. A failure of any data collection instance does not result in any data collection failure as the other data collection instances automatically adjust and are scaled to absorb the load from the failed instance(s).
Webtrends uses reasonable efforts to comply with applicable industry standards. Webtrends self-certifies as Safe Harbor compliant with the Department of Commerce in accordance with EU privacy directives.
Third Party Security Audits
In addition to thorough internal quality assurance testing, Webtrends contracts annually with a reputable third party security firm to conduct a comprehensive security audit (penetration test and web application vulnerability tests) of Webtrends SaaS Solutions.
The primary objective of these audits is to gain independent third-party validation of Webtrends security stance and provide actionable recommendations for mitigation of any risks that may have been identified.
Right to audit and security tests
Webtrends SaaS Solutions are multi-tenant. Onsite operational/compliance audits, data center visits, penetration tests and vulnerability scans are highly disruptive to Webtrends business and support of customers, and Webtrends must focus its resources. As a consequence, Webtrends doesn’t allow such activity initiated by customers.
FOR MORE INFORMATION
If you have any questions or comments about this statement, Webtrends’ SaaS Solutions, or your experience with the SaaS Solutions, you can use the “Feedback” page, or write to Webtrends at: Webtrends Inc., 851 SW 6th Avenue, Suite 1600, Portland OR 97204 USA