© 2017 ServiceNow, Inc. All Rights Reserved. Confidential.
Build your wings before jumping into the cloud
SECURITY & COMPLIANCE | NOW ON NOW | AVAILABILITY | OPERATIONS
ServiceNow Is A Fast-Growing, Global Company
~4,800 Employees
Major Sites: Silicon Valley, San Diego, Seattle, Amsterdam, London, Sydney, Tel Aviv, Hyderabad
$1+ Billion In Annual Revenue
[Chart: annual revenue by year, '09 through '16: $28M, $64M, $128M, $244M, $425M, $683M, $1B, $1.38B*]
* Wall Street Consensus Estimates For Full Year 2016 Revenue As Of 1/22/17
Create Your Lightspeed Enterprise™ With ServiceNow
Cloud Infrastructure
BUSINESS APPS, IT, SECURITY, HR, CUSTOMER SERVICE
Platform
Workflow Engine
Single Database
Contextual Collaboration
Service Catalog
Service Portal
Subscription & Notification
Knowledge Base
Developer Tools
Intelligent Automation
Machine Intelligence, Benchmarks, Analytics
Secure & Compliant, Scalable, Multi-Instance
Global Enterprises In Every Industry Rely on ServiceNow
Construction, Federal, Financial Services, Healthcare, Higher Education, Insurance, IT Services, Manufacturing, Media, MSPs, Oil and Gas, Retail, Services, Technology
Three Tenets of Cloud Architecture
Availability
• Distributed paired data centers
• Load balanced application tier
• Separated tiers
• High availability
• Disaster Recovery
Ensure measurable redundancy and failover capabilities
Integrity
• Centralized logging and event monitoring
• Intrusion detection system (IDS)
• Continuous monitoring
• Open source intelligence
• Independent auditing
Maintain trustworthiness of systems and data
Confidentiality
• Multi-tenant architecture vs. single-tenant architecture
• Customer-level isolation
• Strong encryption to protect data while in transit and at rest
• ACL engine built into platform
Protect information from disclosure to unauthorized parties
The world has changed just in the last 2 years – clouds everywhere
[Diagram labels: Developers, Enterprise, Department, Consumer, Entertainment, Shopping, Sales, Human Resources, Enterprise IT Infrastructure, Finance, Communications]
Availability
• Availability numbers can be misleading
• What is planned uptime?
• Planned maintenance?
• What is the definition of an outage?
• Recovery Point Objective (RPO)?
• Recovery Time Objective (RTO)?
• How is availability monitored?
• What is real availability?
Demand Transparency
Data Center Locations
Redundant Pair
US, Canada, Europe, Switzerland, Australia, Asia, Brazil, US-FISMA
US, Japan
US, Europe
US
US, Europe, Japan, Brazil, US-FISMA
US, Europe
US
Defining Availability Standards
Average Uptime % 99.995% 99.800% 99.500% 99.960% 99.950% 99.000% 99.900%
Planned Maintenance Per Quarter 6 hours 68 hours 182 hours 14 hours 6.5 hours 65 hours 39 hours
Total Availability % 99.720% 96.686% 91.167% 99.304% 99.652% 96.024% 98.114%
Recovery Time Objective (RTO) 2 hours 12 hours 12 hours Not Published Not Published Not Published Not Published
Recovery Point Objective (RPO) 1 hour 4 hours 1 hour Not Published Not Published Not Published Not Published
Definition of availability - Is this System Up?
Cloud Availability & Real Availability
Uptime %
SaaS provider failure: network or hardware
SaaS provider failure: serious software defect
3rd Party issue
Customer Created issue
Real Availability: All issues that make a cloud offering unusable
What type of transparency do you have into availability?
prod1
prod2
training
test
dev
Additional Availability Questions?
• Ask for application and infrastructure documentation
• Don’t get hung up on versions of software, etc.
• High availability architecture?
• Definition of high availability?
• Disaster recovery?
– Definition of disaster
– Datacenter?
– Core router?
– POD?
• How often DR/high availability tested?
• Can you test DR with cloud service provider?
Security Excellence is NOT Optional
Look for Investments in Compliance
Comprehensive compliance strategy delivers confidence, reduces audit burden
ServiceNow Certifications Date Achieved
SSAE 16 / SOC 1 Type 1 October 2012
PCI DSS Level 2 October 2012
ISO 27001 December 2012
SSAE 16 / SOC 1 Type 2 October 2013
SOC 2 Type 2 October 2013
FISMA Moderate Government-wide Authorization (ATO) March 2013
FedRAMP February 2015
Customer data isolation
Tenancy Model:
• Logically single-tenant
– Customer-specific Application instance
– Customer-dedicated Database instance
• Physically “multi-instance”
– Server hardware and infrastructure are multi-tenant
Dedicated Hardware Option?:
• Physically separated (i.e. dedicated) hardware for a single customer
ISO 27001
FISMA
SSAE16 / SOC 1
Independent Audits
SOC 2
Nightly Build Security Testing
Code Analysis
Code Reviews and Training
Product Features
3rd Party Penetration Testing
3rd Party Code Inspection
Security Event Monitoring
Vulnerability Scanning
Perimeter Countermeasures
Security is an integral part of . . .
Operations
3rd Party Audits
Release
Development
Cloud Security Program
Resolve Real Security Threats Fast
Align security & IT to resolve security threats on a single platform
Prioritize incidents by business impact
Automatically integrate threat intelligence
Hand off tasks between security & IT
Speed remediation with orchestration
Resolve Real Security Threats Fast
• Integrate Your Security Products
• Automatically Prioritize Security Incidents
• Utilize Threat Intelligence
• Determine Response Action
• Remediate Threats Fast
• Review Post Incident Reports
Expect security transparency
Internal pen-testing
3rd party pen-testing Every release! Annual Annual *Unknown Annual Annual Annual
Customer pen-testing *
Continuous DR testing
Customer DR testing
Operations
• How are upgrades applied?
• Patch management process
– Operational impact
• Change management
– What percentage of changes are automated?
• Backups
– Media
– 3rd party
www.servicenow.com/sec-ops