Saba Cloud Security

Post on 23-Apr-2022

The Saba Cloud Platform

The Saba Cloud Platform is highly scalable and exceeds industry security and compliance standards. Its powerful, standards-based architecture can address the common and distinct needs of large customers in a global implementation as well as those of mid-sized enterprises in a cloud environment. This document is designed to answer most of the questions you may have about Saba’s security infrastructure and standard operating procedures, as well as the support that ensures reliable and secure delivery of your Saba Cloud services.

This commitment to security is carried throughout the application design process. The Saba Security Program implements a multi-business review process that focuses on meeting and exceeding industry-accepted practices.

In addition to embedding security throughout the System Development Life Cycle, Saba adheres to privacy requirements that provide controls that address secure handling, retention/deletion, and transference of personally identifiable information in accordance with customer privacy requirements.

Security Design Principles

Cloud Security Governance and Management

Security Council: The Security Council provides a consensus-based forum to support the Vice President of Information Services and Chief Information Security Officer to collaborate on:

1. Identifying high-priority security and identity-management initiatives; and

2. Developing recommendations for policies, procedures and standards to address those initiatives that enhance the security posture and protection afforded to Saba and its customer networks, information and information systems.

Cloud Management: Saba has deployed a layered data protection and security framework. Saba’s in-depth defense approach involves the use of strict physical, procedural and network security controls. Saba controls are designed to assure the confidentiality, integrity and availability of client data and services. Saba’s Cloud governance framework is supported by policies, procedures and standards. Cloud security controls and operations-management practices are based on internationally accepted practice and draw upon delivery frameworks such as Information Security Management System (ISMS) based on the ISO/IEC 27000 family of standards.

Systems Hardening

Saba systems are security-hardened to reduce vulnerabilities consistent with industry best practices. Hardening standards draw upon benchmarks defined by the Center for Internet Security (CIS) and National Institute of Standards and Technology, with additional guidance from Computer Emergency Response Team (CERT) and vendor-recommended best practices.

System and Data Access Control

Saba’s security model restricts access to both systems and data according to defined Segregation of Duties (SoD), operational roles and responsibilities (RACI), and “need to know.” Logical access to Saba Cloud systems is restricted by security policies and procedures, two-factor authentication with unique usernames/passwords, and restrictive local host “permissions.” Direct access to system administrative accounts (e.g. root) is prohibited, and these can only be accessed using predefined “alias” accounts. Data classification standards require that client data may only be accessed using Saba-authorized systems.

Application and Data

All client data is logically segregated. Logical segregation is achieved via the use of unique usernames, complex passwords, database connection strings, and dedicated database schemas. Client access requests are restricted to Secure Socket Layer (SSL) communication and at least 128-bit encryption. End-user and administrator access to the application requires authentication and is restricted according to preconfigured role-based access controls (RBAC). All data flowing in and out of the environment is subjected to deep-packet inspection by Saba firewalls and Intrusion Detection Systems (IDS).

Network Security

Network security is achieved through the use of layered firewalls, advanced network design, and network segmentation. High-availability firewalls are used to filter traffic between the web, application, and data tiers. Firewalls support deep-packet stateful inspection, dropping of anomalous packets, denial of service protection, spoofing monitoring and anti-virus filtering. Saba networks have been designed to support VLAN and subnet segmentation, port restrictions, access control lists, and address and port translation.

All physical data connections are configured in a high-availability mesh topology, with each system and service having no less than two routes for communications. Saba’s network communications mesh assures integrity and uninterrupted flow of data across our networks. Saba firewalls are configured consistent with National Institute of Standards and Technology (NIST) standards, and connections to all end-points reinforce our “least permissive” policy. All security devices and firewalls are monitored 24/7/365. Monitors are defined to trigger alerts when predefined thresholds are exceeded.

Data Center Overview

Saba’s Cloud solutions are hosted in highly secure, SSAE–16/AT 101 Type II Audited Data Centers that meet or exceed the highest standards for a cloud infrastructure security worldwide. Our data centers are hardened using multiple layers of physical and logical security. Access is controlled by two-factor authentication using biometric and key/token access.

All data centers are supported 24/7/365 with security personnel and technical support engineers. Environmental controls such as fire, cooling and power systems are fully redundant and scaled to accommodate component failure. Internet connectivity is assured with no less than three Tier 1 backbone carriers per data center.

Global Locations

North America

• Dulles, Virginia, United States

• Phoenix, Arizona, United States

• Philadelphia, Pennsylvania, United States

• Billings, Montana, United States

• Boston, Massachusetts, United States

• Toronto, Ontario, Canada

• San Francisco, California, United States

EMEA

• Amsterdam, The Netherlands

• London, United Kingdom

Asia Pacific

• Sydney, Australia

Environmental Safeguards

Redundant Power Supply: All data centers are equipped with redundant and high density power systems, with automated and monitored facility controls. Power generators at all data centers are tested regularly and supported by multiple fuel suppliers to ensure continuous operations in the event of a disaster.

Temperature Control and Fire Suppression: Each data center is equipped with carrier-diverse fiber connections to ensure redundant connectivity with at least 100 mbps – 1 Gbps of available bandwidth capacity. Each customer system is provided with burstable bandwidth to accommodate peak usage.

Physical Security

Physical access to Saba data centers is tightly controlled, with access restricted to pre-authorized personnel and layered identity management systems. Individual access to the facilities, interior vault, and cage areas is managed by card-key and biometric identification systems with mandatory pre-approved customer lists and sign-in/sign-out procedures enforced. All servers and infrastructures are protected within locked racks. Only authorized personnel have access to the Saba Cloud servers.

Professional Certifications

The Saba team consists of Certified Systems Engineers, Cisco Certified Network Associates (CCNA), Certified Information Systems Security Professional (CISSP), and technicians certified and/or trained on various infrastructure and operating system software products.

Certifications and Assessments

Data Centers

Saba Cloud data centers in North America and EMEA are SSAE–16/AT101 Type II audited, Safe Harbor certified, and either FISMA-Moderate or ISO 270001 certified. Our Asia Pacific data center is AS/NZS 7799.2:2003 accredited. Additional capabilities are available to meet strict regulatory requirements.

Application

As part of the Saba System Development Lifecycle, Saba incorporates an initial scan utilizing Qualys Web Application Scan (WAS) and then validates that through a third-party solution, Veracode. Veracode performs dynamic and static code analysis.

The following is a sample list of what both Qualys and Veracode scan for:

• Cross-site scripting

• SQL injection

• Session management

• OS command injection

• Directory traversal

Validated Environment

Saba Validated Environment Managed Services (VEMS) combines the power and efficiency of the Saba Enterprise Cloud (SEC) with services toward Validated Application Environment sustenance efforts for our regulated customers. VEMS is designed to facilitate our customers’ regulatory compliance requirements.

Third-Party Penetration Test

Saba engages with a third party to perform a black-box security assessment of our main domain and associated hosts. This includes a Software Quality Assurance (SQA) scan of the Saba web application as well as a network penetration test.

Complying with Demanding Cloud Security Standards

As part of Saba’s commitment to security, Saba engages with several third-party experts to conduct exhaustive reviews and performs rigorous ongoing testing to continually monitor and validate the security of Saba services.

Every company says they want to engage, motivate and inspire their people. As we see it, the problem is not that they can’t – it’s that they don’t have the environment that really enables their top talent to thrive. Saba creates that environment, with talent development solutions that put people and teams in the driver’s seat of their own experience, while staying aligned to your business goals. And delivering deep performance insights that connect people to business success, like no one else can. Saba. The Talent Development Company.

© 2018 Saba Software Inc. All rights reserved. Saba, the Saba logo, and the marks relating to Saba products and services referenced herein are either trademarks or registered trademarks of Saba Software, Inc. or its affiliates. All other trademarks are the property of their respective owners.

(+1) 877.SABA.101 | www.saba.com 11/18

Your success starts here!

24/7 customer support

Collaborative online customer community

Value-added strategic services

Regular user group meetings

Standard or customized implementation services

Dedicated customer success rep
