Datorama Platform Environment Introduction
Datorama is committed to the security of its Customers’ Data. We use a variety of industry-standard and state of the art security technologies and procedures to help protect our Customers’ information from unauthorized access, use, or disclosure. Datorama employs a public cloud deployment model using both physical and virtualized resources for its SaaS offering (the “Platform”).
Datorama is ISO/IEC 27001:2013 certified and SOC 2 Type II compliant. Additionally, Datorama employs industry-standard practices for security controls such as Firewalls, Intrusion Detection, Change Management and written security policies.
Datorama maintains up-to-date written Information security and access policies, which detail, among other things, employee responsibilities, Management’s roles, confidentiality of Customer Data, and acceptable use of resources. All Datorama employees must review and sign such policies upon commencement of employment.
Datorama manages Access Control Policies and Procedures for its Corporate Network and for the SaaS Production Network.
Administrative User Accounts, including network and Database, are mapped directly to employees using unique Personal Identifiers. Generic Administrative Accounts are not used. Upon employee termination, all physical and system access is immediately revoked from both the Datorama Corporate Network and the Datorama SaaS Solutions Production Network.
Employees are granted accounts with appropriate permissions, based on the “least privilege” and “need to know” principles.
SaaS Operations Security
The Datorama SaaS Solutions infrastructure is managed by a dedicated team, whose responsibilities are as follows:
- Enforcing and using Industry Best Practices, such as Default Deny Rules for Firewalls, Intrusion Detection Systems, a Web Application Firewall (WAF) and Automated Patch Management.
- Maintaining and following formal change management processes, tracking all changes to the Production Environment (network, systems, platform, application, configuration, including physical changes such as equipment moves).
- Defining proper execution processes and providing continuous personnel training.
- Operating Automated Code Deployment and Configuration Management Systems.
Both scheduled and emergency changes are tested in separate environments, then reviewed and approved by Datorama’s SaaS Operations, Engineering and Technical Support before being deployed to the Production Environment.
Network-based Intrusion Detection Systems (IDS) monitor Network traffic and activity for intrusion, and the Datorama SaaS Information Technology Team leverages multiple Network and Application Monitoring Tools to continuously scan for errors or suspicious activities. The Datorama hosted environment is completely segregated from the Datorama Corporate Environment. Access is restricted to SaaS Operations Personnel, and authentication requires a separate set of Credentials.
Datorama Customers access the Datorama Platform via the public Internet. All Data transfers to and from the Platform take place in accordance with secure protocols.
The Datorama physical infrastructure is hosted on Top Tier Public Cloud Providers that continually manage risks and undergo recurring assessments to ensure compliance with Industry Standards.
Datorama stores all SaaS Production Environment Customer Data on fully redundant Storage Systems, utilizing a multi-tiered backup approach. All backups are encrypted with 256-bit AES encryption. Daily and intraday Data is backed up on a scheduled basis to separate Storage Devices and Backup Media. Only Datorama SaaS Operations employees have access to Backup Media.
Logging and Monitoring
The Datorama Platform uses an Industry Standard Enterprise Application Management Solution to monitor systems, trigger alerts, track event logs, and perform Trend Analysis and Risk Assessment.
Use of an Intrusion Detection System (IDS) and Log Aggregation Systems to monitor Critical Network Events 24/7 provides Datorama with the ability to identify and address any unauthorized access. Alerts are set to notify the Datorama SaaS Operations Team of any issue.
Escalation Procedures exist to ensure the timely communication of significant Security Incidents through the Management Chain and ultimately, to the relevant Customer.
The Datorama Vulnerability Management Process is designed to remediate risks without Customer interaction or impact. Datorama is notified of vulnerabilities through internal and external assessments, system patch monitoring and third-party services. Each vulnerability is reviewed to determine whether it is applicable to the Datorama environment, ranked based on risk, and then assigned to the appropriate team for resolution.
New systems are deployed with the latest Updates and Security Patches. As Customer Data is stored in isolated environments, it is unaffected by any System Update.
To further mitigate risk, each Component Type is assigned to a Unique Network Security Group. These Security Groups are designed to only allow access to the ports and protocols required for the specific Component Type.
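As an added illustration of the per-component-type Security Group rule (example code, not Datorama's own), the following checker compares a group's inbound rules against the ports, protocols and source groups a given component type is assumed to need, and reports anything broader. The component names, ports, source groups and sample rules are constructed assumptions, not values taken from the Datorama environment.

```python
# Added example (not Datorama's code): audit a security group's inbound rules
# against a per-component-type allowlist, flagging rules that expose ports,
# protocols or sources the component does not require.

# Assumed (protocol, port) pairs each component type needs; constructed values.
REQUIRED = {
    "web":      {("tcp", 443)},
    "app":      {("tcp", 8080)},
    "database": {("tcp", 5432)},
}

# Assumed tiered architecture: which sources may reach each component type.
ALLOWED_SOURCES = {
    "web":      {"0.0.0.0/0"},
    "app":      {"sg-web"},
    "database": {"sg-app"},
}

def check_security_group(component, rules):
    """Return findings for rules that exceed the component's documented needs.
    Each rule is a dict: {"proto": "tcp", "from": 443, "to": 443, "src": "sg-web"}.
    A proto of "-1" means "all protocols" (constructed convention for this example).
    """
    findings = []
    required = REQUIRED[component]
    for rule in rules:
        ports = range(rule["from"], rule["to"] + 1)
        # Any-protocol rules and multi-port ranges are broader than a
        # single required port, so they are reported outright.
        if rule["proto"] == "-1" or len(ports) > 1:
            findings.append(f"{component}: overly broad rule {rule}")
            continue
        if (rule["proto"], rule["from"]) not in required:
            findings.append(f"{component}: unneeded {rule['proto']}/{rule['from']}")
        if rule["src"] not in ALLOWED_SOURCES[component]:
            findings.append(f"{component}: unexpected source {rule['src']}")
    return findings

# Constructed sample: a database group with one correct rule and two violations.
SAMPLE_DB_RULES = [
    {"proto": "tcp", "from": 5432, "to": 5432, "src": "sg-app"},
    {"proto": "tcp", "from": 22, "to": 22, "src": "0.0.0.0/0"},
    {"proto": "-1", "from": 0, "to": 65535, "src": "sg-app"},
]

if __name__ == "__main__":
    for finding in check_security_group("database", SAMPLE_DB_RULES):
        print(finding)
```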
Confidentiality ensures that Customer Data is only accessible by authorized Entities. The Datorama Platform provides confidentiality via the following mechanisms:
- Identity and Access Management – Ensures that only properly authenticated Entities are allowed access.
- Isolation – Minimizes interaction with Data by keeping containers logically or physically separate.
- Encryption – Used internally within the Datorama SaaS Solution in order to protect Control Channels and is provided optionally for Customers who require rigorous Data Protection capabilities.
Incident Response Process
Business Continuity and Disaster Recovery
Datorama’s Business Continuity Planning (BCP) and Disaster Recovery (DR) activities prioritize critical functions that support the delivery of its services to its Customers. The development and scope of the BCP and DR within each Business Function reflect the importance of each function and/or facility in order to maximize the effectiveness of these efforts.
A system-level failure, for any component in the Datorama Platform environment, is identified and resolved through the Datorama 24/7 SaaS Network Operations Center (“NOC”). Upon Failure Detection, failed systems are automatically removed from the Production Environment and the NOC Team is alerted to quickly resolve the issue at hand.
Datorama takes advantage of its Platform’s distributed architecture to exercise critical Disaster Recovery aspects routinely, whenever significant organizational or environmental changes are needed. Other, less critical aspects, such as events affecting Data Storage, are tested regularly as well. Disaster Recovery Failover Tests are performed semi-annually.