Click here to load reader
Upload
vothuan
View
213
Download
1
Embed Size (px)
Citation preview
Informatica Cloud Architecture and Security OverviewIndependent Analysis of the Architecture and Security Features of Informatica Cloud
executive Summary and OverviewThis report details the Informatica® Cloud™ solution from an architecture and security
perspective. Middleware as a service (MaaS) or Cloud Integration links together multiple
applications – both on-premise and cloud-based. Highly confi dential data can be
transmitted and, in most cases, saved in software as a service (SaaS) applications such
as Salesforce CRM and Force.com. Corporate IT departments need to verify that their
cloud-based software vendors can safeguard this data with high levels of security.
When addressing security in cloud-based applications, there are many architectural
layers to consider. From the physical data center to networking to databases and
data transmission, the enterprise’s data has the potential to be compromised. In the
companion white paper—“Securing Your Cloud-Based Data Integration – A Best
Practices Checklist”—Mercury Consulting provided a list of security-related issues that IT
managers must address when developing a cloud-based integration strategy. This checklist
spans different layers in the cloud architecture. Table 1 indicates how Informatica Cloud
addresses the checklist for each layer. This list appears in the far right column in Table 1.
This paper describes the support which Informatica provides for each architectural layer
and security issue.
LAyeR DeFINITION CHeCkLIST COveRAge
Physical Facility Represents the actual data center facility where the cloud application runs. Includes the computer hardware, storage devices, security access systems, backup media storage, and power supplies
Audit Compliance
Networking The local area network and Internet service provider networking necessary to link together physical machines and external devices
Data Transmission, Data Standards and Connectivity
Operating System Both the real and virtual operating systems that contain the cloud application set
Data Governance,Audit Compliance
Database Data management system that persists any data stored by the cloud application (including meta data)
Data Governance, Data Standards and Connectivity, Audit Compliance
Application The actual cloud software application. In this document, the application equals Informatica Cloud.
Data Governance, Data Transmission, Data Standards and Connectivity, Audit Compliance
Data Transmission In-transit data as information moves between data sources and targets
Data Transmission
Table 1. Informatica Cloud architecture layers, defi nitions and coverage
WHITE PAPER
Prepared by Mercury
Consulting, a leader
in “Ground to Cloud
Integration.” Mercury
removes the fog around
cloud computing by
providing clients with
detailed independent
research on cloud
applications.
[ 2 ]
Informatica Cloud – Secure at All LayersIt is common to depict SaaS applications in a nice puffy cloud. But that cloud shape
contains an architectural stack ranging from physical hardware to networks to operating
systems and end user applications. Figure 1 represents the typical layers found in cloud-
based services. Cloud integration could be viewed as a specific example of platform as a
service (PaaS). Informatica Cloud connects SaaS applications such as Salesforce CRM and
NetSuite.
The different colors in the diagram represent the different “owners” of the layers. So the
supporting (IT) infrastructure is usually maintained by an IaaS provider (such as Amazon or
Microsoft), while the cloud-specific infrastructure is managed by Informatica. The service
customer is responsible for providing user-level access control security, which is ultimately
maintained by the corporate IT department.
Level 1: Physical Facility Layer
Controlling and monitoring physical access to the hardware is a high priority, and
surveillance should at least include closed-circuit cameras and patrolling security guards.
Informatica facility partners follow best practices in separation of privileges, least privilege,
access control systems, alarm systems, administrator logging, two-factor authentication,
codes of conduct, confidentiality agreements, background checks, and monitoring visitor
access. Specifically, access to the physical infrastructure is allowed only on a need-to-access
basis. All physical access to the infrastructure is logged and monitored.
User
Service customer
SaaS
PaaS
IaaS
Cloud-speci�cinfrastructure
Supporting (IT)infrastructure
Cloud (Web) applications
Cloud software environment
Cloud software infrastructure
Front End
Network
Kernal (OS/apps)
Prov
ider
Serv
ices
& A
PIs
Man
agem
ent A
cces
s
Hardware
Facilities
Computationalresources
Storage Communication
Figure 1. Cloud layers
[ 3 ]
As part of a comprehensive continuity-of-operations plan, Informatica employs two
separate data centers managed by different providers. Each data center acts as a failover
in case of a failure at the other. The switch to a different data center is transparent to
the Informatica customer. Informatica transfers control to the alternate data center by
rerouting DNS entries within the Internet backbone. Once the physical IP addresses
point to the secondary data center, the Internet will propagate this change through the
DNS environment. Very quickly, the secondary data center will be managing all of the
Informatica Cloud integration communications worldwide.
Data retention is another important factor. Here is the Informatica Cloud backup schedule:
1. On-site incremental disk based backups are saved on-line four times per day.
2. Full backups are performed on a weekly and monthly basis.
3. The data retention period is for six months.
Note that only integration metadata is saved in the cloud application. Customer data is
never stored during transit.
Ideally, the cloud provider’s data centers should be geographically distributed around the
world. As of 2011, Informatica data centers are located on the U.S. East Coast and West
Coast. There are plans for non-US based data center targeted for 2012, which will provide
more global coverage and redundancy.
Level 2: Networking Layer
The most visible attack vector in a cloud integration environment is the network layer. All
cloud-based data integration occurs on proprietary networks and on the public Internet.
Firewalls, dynamic firewalls, intrusion detection systems (IDSs), intrusion prevention
systems (IPSs), and network proxies are the basic network devices for protecting the
network border. Specifically, Informatica provides the following network-based security
controls:
• Firewall-relatedprotectionsincludethesefeatures:
• Segmentnetworkstoensureinfrastructureaccesssecurity.SeparateDMZ from all back-end processes through firewalls.
• Loadbalancerandfirewallpolicieslimitthetypeofaccessallowedtoeach network segment.
• FirewallimposesNetworkAddressTranslationtounpublishedaddresses.
• FirewalldisablesInternetControlMessagingProtocol(ICMP)andtelnet.
• Firewallenablesonlysoftware-relatedTCPports.
• InstallationofsplitDNSprotectsserverexposuretotheInternet.
• Two-layerpasswordprotectionisavailableonallnetworkequipment.
• SSLencryptionisenforcedtoallsecurity-relatedpages,includingloginpage.
• IPS/IDSareimplementedtofendoffpotentialattacksfromtheInternet.TheCloudapplication is constantly monitored and if any breach is detected, the affected parties would be contacted as soon as possible through the contact mechanisms registered with the service.
[ 4 ]
Informatica hires independent security analysts to perform annual penetration tests
throughoutmultiplelevelsofthenetwork.Ifadetectedscan/probe/attackoccurs,the
address is blocked at the border routers and alerts are sent within one hour. If the attack
is successful, this event is classified as a “security incident”. Incident response begins, which
involves immediate investigation and mitigation with all the appropriate parties.
Level 3: Operating System Layer
Because the customer interacts only with a virtualized environment, the provider is
responsible for maintaining and monitoring the hardware. The provider should audit
hardware configurations to verify that nothing has tampered with them. Otherwise, the
provider is concerned primarily with availability and should document and report as with
the facility layer. Informatica technology ensures that the hardened operating systems’
images have not been tampered with. Informatica users do not have the ability to execute
arbitrary code, so no intentional attempts to compromise the OS are possible. Through
Informatica data center partners, the following security measures have been taken:
• Eachsystemandapplicationhasanintegratedsecuritysystem.Administrationaccess to each server requires security token and password authentication.
• Thepasswordischangedonaregularbasis.
• Securedshell(SSH)accesstoallserversisavailable.
•Operatingsystems,servers,routers,firewalls,anddatabasesarepatchedwiththe most current security releases.
•Allunnecessaryportsandservicesaredisabled.
Level 4: Database Layer
Cloud integration applications are inherently database driven. Data is extracted from and
inserted into databases. And data transformation rules – so-called metadata – are saved
within a DBMS. This white paper does not address on-premise source and target database
security. We assume that corporate-level data policies protect these data sources. In
the case of accessing cloud-based SaaS products, such as Salesforce CRM, Informatica
Cloud complies with the Web services security implemented by them. Ideally, the cloud
integration provider will not store any customer data within its database. Only metadata
should be saved. Informatica Cloud implements this best practice. And this metadata is
separated from other users of the service.
As Figure 2 shows, the Informatica Cloud repository stores metadata—such as mappings,
application connection information, and transformation rules. This data resides in a
true multitenant database model. Informatica Cloud provides user access controls to
securely manage user’s metadata and to separate client data. During the annual network
penetrationandapplicationassessmenttests,InformaticaCloudchecksforSQLinjection
attacks and cross-client data access. (It does this via a prepared statement with named
parameters;itdoesnotallowuser-definedSQLqueries.)Databaseserversarenot
accessible to the public Internet.
[ 5 ]
Level 5: Informatica Cloud Application Layer
The Informatica Cloud Secure Agent is a small footprint application that enables secure
communication across the firewall between the client organization and Informatica
Cloud. It is a functionally equivalent, run-time version of the enterprise-class Informatica
PowerCenter® execution component (about 90 Mbytes in size). All Informatica Cloud data
integration services use the Informatica Cloud Secure Agent to get through the firewall to
access application, relational database and file sources and targets in the client’s local area
network. The Secure Agent consists of a data integration engine and various connectors
to external data sources.
Secure AgentRuns on Windows and/or Linux server
(all connections are initiatedby the secure agent outbound)
Internet Internal
Local PC with Web Access
Salesforce.com
SalesforceData
naX.Salesforce.com
Informatica Cloud
WS/SaaS front-end
ICS RepositoryMappingsSFDC MetadataDB MetadataDB and SFDC conn auth info (encrypted)
Local Databaseor File System
Informatica Cloud ServicesSQL SELECT, ALTER, INSERT UPDATE, DELETE
Metadata(schema changes,
schedule info){SSL}
Business Data{HTTPS/SOAP}
Administration and DesignCon�guration & Maintenance
{HTTPS}
Figure 2. Overview of Informatica Cloud’s Secure Agent facilitating data integration between a local database and Salesforce CRM and/or Force.com.
Figure 3. The Informatica Cloud Secure Agent manages data transfer and is run locally behind the firewall or can be hosted in the cloud. No data resides on Informatica servers.
[ 6 ]
The Informatica Cloud Secure Agent works as follows:
•CorporateITdownloadstheSecureAgentandinstallsitasasecureWindowsservice(orLinuxprocess).TheSecureAgentinheritstheaccessprivilegesoftheuseraccountthat was used for installation.
• TheSecureAgentcommunicatestoInformaticaCloudthroughhttpsprotocolthroughport 443. All communication initiated by Secure Agent is outbound, so no firewall rules need to be changed. Built-in health check mechanisms ensure persistent connectivity to Informatica Cloud.
• TheSecureAgentdownloadstheintegrationjobcontrolinformationinanencryptedformatandexecutesthejob.
• TheSecureAgentthenlaunchestheenginetoexecutetheintegrationjob
•DatatransferhappensdirectlyfromsourcesystemtotargetsystemandisnotstagedinInformatica Cloud. This is an important feature of Informatica Cloud from a data security perspective. All data resides behind the corporate firewall until it is transmitted securely to the target.
• TheSecureAgenttransmitsloggingandmonitoringinformationabouttheintegrationjobtoInformaticaCloud.
Informatica Cloud records entitlement changes and user transactions in audit logs,
including username, date, and nature of change. The audit logs are pruned on a quarterly
basis. These logs are always available to customers in the browser UI under administration
section.
Customer Perspective
Informatica Cloud provides layered security based on organizations, licenses, users, and
roles:
•Organizations. Users connect to Informatica Cloud as members of an organization.
•Licenses.TheyalloworganizationstoaccessInformaticaCloudfunctionality.LicensesaregrantedbyInformaticaoperationstoorganizations.Licensescanexpireatregularintervals.
•Organization Administrator. Each organization has at least one user designated as the administrator. The administrator creates and manages the Informatica Cloud account for the organization. The organization administrator is responsible for creating each user and setting up access rights to Informatica Cloud functionality based on the user requirements.
•User logins. The organization administrator defines the password policy, including minimum password length, minimum character mix, password reuse duration, password expiration duration, and two-factor authentication scheme.
•User sessions. User sessions time out after 30 minutes of session inactivity.
•Roles. Role definitions allow users to access Informatica Cloud functionality. The administrator grants roles for an organization.
[ 7 ]
This role-based security exemplifies best practices on implementing least privilege access
at a very granular level. IT organizations will feel comfortable when setting up Informatica
Cloud because it is similar to other enterprise-class security systems. With respect to
other SaaS applications, such as Salesforce CRM, the user access credentials are stored
in encrypted format. So when the Secure Agent executes, it is able to log in to the SaaS
applicationwithcredentialsasdefinedbytheenterprise(itdoesnotrequireroot/SA
access).
Informatica Upgrade Policies
One of the benefits of SaaS is that the end customer receives product updates on
a regular basis. All customers stay on the same code base, which the cloud vendor
maintains. With some cloud services, a possibility exists that malicious code or “spyware”
couldbeinjectedintothecodelinethroughtheupgradeprocess.Thecloudprovider
needs to ensure that special care is taken to restrict access to source code and to
monitor the upgrade. Informatica Cloud restricts organization access to source code. The
operations employees involved in the upgrade must pass background checks and have
elevated data export classifications.
Informatica Cloud is typically updated multiple times per year. Upgrade notices are
posted on user community sites and emailed to customers at least five business days
prior to the implementation - scheduled maintenance windows are 7:00 – 11:00 p.m.
Eastern Time. Security-related hot fixes are evaluated for their applicability to the
production environment on a regular basis. Critical patches are applied immediately and
other patches are updated monthly. The Informatica Quality Assurance (QA) group will
verify all code check in. The code is certified as a release to operations build. Software is
delivered to the staging site (which is a replica of the production environment). Then QA
performs infrastructure, networking, and functional testing for at least 48 hours. After
successful testing, the software migrates to the production environment, with full rollback
procedures. The Informatica operations group communicates to the customer base
throughout the process. As of 2011, Informatica Cloud has not incurred any production
delays due to an upgrade. Nor has it had to roll back to a previous version.
Updates to the Secure Agent are also managed from the cloud. The stateless nature of
theInformaticaCloudSecureAgentmeansthatitcanbereplaced/upgradedatanytime,
without disrupting operations. The Secure Agent checks for upgrades during the polling
process. Available updates are then automatically downloaded and installed.
[ 8 ]
Level 6: Data Transmission LayerTransmitting data is where the rubber meets the road for a cloud integration solution.
During transmission, many things can go wrong, such as application unavailability, DBMS
issues,networkfailure,networkcongestion,andpotential“maninthemiddle”/sniffer
attacks. Fortunately, the Informatica Cloud service addresses these points of weakness.
The Secure Agent checks for application, DBMS, and network availability, when initiating
connections. Availability checking is part of the overall Informatica PowerCenter execution
capability. The Secure Agent also has built-in network resiliency checks for congestion.
If there are any issues, full audit logs are published from the Secure Agent back to the
Informatica Cloud repository.
The primary defense against man in the middle or sniffing attacks depends on ensuring
transport encryption, integrity, and authentication of the communication channel. For
example, message security authentication implies signing and verifying a message (using
XMLSignature),ensuringintegrity(usingXMLhashmessages),andimplementingmessage-
levelencryption(usingXMLEncryption).InformaticaCloudusesSSL(with128bit
certificates), SSH, and IPSec protocols for data transmission and remote access over public
networks. Data transmission implements AES encryption.
Secure Agent to Informatica Cloud Communication: The Secure Agent starts
a power channel listener on premise. When the Secure Agent communicates anything to
Informatica Cloud, it is done through the power channel connection. The Secure Agent
code sets up a virtual socket connection port and when the agent sends something on this
connection, the power channel listener encrypts it with 128 bit encryption and sends it
over port 443 to a power channel server running Informatica Cloud, which then sends it to
the Web application. The Secure Agent moves data directly among sources, local system,
and targets. No data passes through or resides on Informatica servers.
Cloud to Cloud Integration
As more and more enterprises adopt SaaS to run mission-critical applications, integration
between these services will be required. In this case, the Secure Agent will execute within
a virtual environment generated by Informatica Cloud. The virtual environment will “spin
up” the Secure Agent, which then downloads integration instructions (similar to the
on-premiseversion).TheSecureAgentexecutestheseinstructionstoread/writedata
between cloud applications. Again, encryption safeguards in-transit data. And no data is
saved within the Secure Agent.
[ 9 ]
SummaryThis report detailed how Informatica Cloud addresses cloud integration from a security
perspective. Cloud integration can be implemented in a variety of ways. Informatica Cloud
seeks to minimize the exposure of corporate data, allowing IT departments to have high
confidence that proprietary data will not be exposed on the Internet. At all levels of
the solution, from data center to data transmission, Informatica Cloud implements best
practices that achieve a secure integration experience. The Secure Agent connects directly
from source to target systems – customer data is never staged or stored in Informatica
Cloud. The operations manager provides both line-of-business and IT departments
withsecureaccesstointegrationjobs.Thisaccessfurnishesaflexibleandcontrolled
environmenttomanageintegrationscenarios.Lastly,dataisencryptedduringtransmission
and is resilient against Internet-based attacks. Data security ranks as one of the biggest
challenges when moving to the cloud. The need to integrate disparate systems is not
disappearing. So the savvy IT department needs to deploy a secure cloud integration
solution to meet today’s business challenges. Informatica delivers such a secure integration
solution.
About Informatica
Informatica Corporation (NASDAQ: INFA) is the world’s number one independent
provider of data integration software. Organizations around the world rely on Informatica
to gain a competitive advantage with timely, relevant and trustworthy data for their top
business imperatives. Worldwide, over 4,440 enterprises depend on Informatica for
data integration, data quality and big data solutions to access, integrate and trust their
information assets residing on-premise and in the Cloud. For more information, call +1
888 345 4639 in in the U.S., or visit www.InformaticaCloud.com. Connect with Informatica
athttp://www.facebook.com/InformaticaCorporation,http://www.linkedin.com/company/
informaticaandhttp://twitter.com/InformaticaCorp.
About Mercury Consulting
Mercury(http://www.mercuryinthecloud.com/)isyourtrustedcloudtechnologyadvisor,
specializing in integration services. We make your adoption of cloud services easier
by bringing our deep expertise to design your cloud enterprise and provide unbiased
guidance on cloud vendors and their SaaS solutions.
[ 10 ]
Appendix – Service-Level Agreements and Audit ReportsService-level agreements have become one of the important factors to consider when
evaluating cloud service providers. In some cases they can be rather toothless or not
provide much compensation in case of failure.
Informatica Cloud Audit Findings
SeCURITy AReA OF RevIew evALUATION
A1. Invalidated Input
Information from Web requests is not validated before being used by a Web application. Attackerscanusetheseflawstoattackback-endcomponentsthroughaWebapplication.
Meets
No Exceptions were found.
A2. Broken Access Control
Restrictions on what authenticated users are allowed to do are not properly enforced. Attackerscanexploittheseflawstoaccessotherusers’accounts,viewsensitivefiles,oruseunauthorized functions.
Meets
No Exceptions were found.
A3. Broken Authentication and Session Management
Account credentials and session tokens are not properly protected. Attackers who can compromise passwords, keys, sessions, cookies, or other tokens can defeat authentication restrictions and assume other users’ identities.
Meets
No Exceptions were found.
A4. Cross-Site Scripting
The Web application can be used as a mechanism to transport an attack to an end user’s browser. A successful attack can disclose the end user’s session token, attack the local machine, or spoof content to fool the user.
Meets
No Exceptions were found.
A5. Buffer Overflow
Web application components that do not properly validate input can be crashed and, in some cases, used to take control of a process. These components can include CGI, libraries, drivers, and Web application server components.
Meets
No Exceptions were found.
A6. Injection Flaws
Webapplicationspassparameterswhentheyaccessexternal/perimetersystemsorthelocal operating system. If an attacker can embed malicious commands in these parameters, the external system may execute those commands on behalf of the Web application.
Meets
No Exceptions were found.
A7. Improper error Handling
Error conditions that occur during normal operation are not handled properly. If an attacker can cause errors to occur consistently, he or she can gain detailed system information, deny service, cause security mechanisms to fail, or crash the server.
Meets
No Exceptions were found.
A8. Insecure Storage and Transport
Web applications frequently use cryptographic functions to protect information and credentials. These functions and the code to integrate them are difficult to implement properly, frequently resulting in weak protection.
Meets
No Exceptions were found.
A9. Application Denial of Service
Attackers can consume Web application resources to a point where other legitimate users can no longer access or use the application. Attackers can also lock users out of their accounts or even cause the entire application to fail.
Meets
No Exceptions were found.
A10. Insecure Configuration Management
Having a strong server configuration standard is critical to a secure Web application. These servers have many configuration options that affect security and are not secure out of the box.
Meets
No Exceptions were found.
vULNeRABILITy DeSCRIPTION
BUSINeSS RISk
LIkeLIHOOD OF exPLOITATION
LeveL OF exPeRTISe ReqUIReD
ReCOMMeNDeD ReMeDIATION
None None None None None
[ 11 ]
Informatica Cloud Customer Service and Support DetailsOf course, there may come a time when the IT department needs to call for help from
its cloud integration provider. Just as in other outsourcing decisions, understanding
support parameters is key to success. Support can be measured in terms of availability,
response time, and escalation process. For example, the Informatica Cloud Help Desk is
available 12x5 for noncritical issues, and 24x7 for critical issues. The hours of operation for
noncritical issues are 6:00 a.m. to 6:00 p.m. Pacific Time, Monday through Friday, excluding
Informatica Cloud holidays. Informatica Cloud will respond within four hours for critical
incidents and one business day for noncritical. When Informatica Cloud becomes aware
ofanoutage,theimpactedenterpriseswillbecontacted.Likewise,whenInformatica
Cloud needs assistance diagnosing on-premise connectivity, Informatica Cloud will need to
contact individuals at the enterprise site. For example, if an enterprise reports inability to
access the Informatica Cloud login page, yet Informatica Cloud can confirm that the login
page can be reached from other external sites on the Internet at large, Informatica Cloud
willcommunicatewiththeenterprise’sdesktopand/ornetworkadministrators.
In case a problem is not resolved via level 1 help desk support, Informatica Cloud posts
the following escalation process (among others):
SeveRITy-1 Production site is down.
IMPACT Customers lost connectivity to Informatica Cloud production site, and no workaround is immediately available.
TARgeT SeRvICeS ReSTORATION 30minutesfrominitialalert/report
RePORT TO INTeRNAL SUPPORT/weB SITe
Immediate
RePORT TO exTeRNAL SUPPORT/TRUST SITe
10 minutes after service is restored
TIMeFRAMe INTeRNAL eSCALATION CUSTOMeR eSCALATION
Immediate •SalesEngineering/Sales•Operations/Engineeringcontact
•GlobalCustomerSupport•CustomerSuccessManagement
1 hour •VPofEngineering •VPofCustomerSupport
4 hours •GeneralMangerofInformaticaCloud
[ 12 ]
©2011NetspectiveCommunicationsLLC 52304(10/14/2011)