Sage CRM Cloud
Security Features Whitepaper
Alan Leahy Manager, Sage CRM Cloud Product and Operations
Table of Contents Introduction .......................................................................................... 1 Essentials and Professional Editions ................................................... 1 Securing User Access ......................................................................... 2 Setting up Field Level Security............................................................. 3 Defining Security Profiles ..................................................................... 4 Segmenting Data Access..................................................................... 5 Running Workflows .............................................................................. 6
Š Copyright 2012 Sage Technologies Limited, publisher of this work. All rights reserved. No part of this documentation may be copied, photocopied, reproduced, translated, microfilmed, or otherwise duplicated on any medium without prior written consent of Sage Technologies Limited. Use of the software programs described herein and this documentation is subject to the End User Licence Agreement enclosed in the software package, or accepted during system signup. Sage, and the Sage logo are registered trademarks or trademarks of The Sage Group PLC. All other marks are trademarks or registered trademarks of their respective owners.
Document version code: CLO-SEF-ENG-122-1.0
Sage CRM Cloud Security Features Whitepaper
Introduction Establishing a secure Sage CRM system is paramount to safeguarding your return on investment. Sage realises the importance of data security and takes this responsibility extremely serious. We utilise some of the most advanced technology for Internet security available today including the use of industry standard Secure Socket Layer (SSL) technology to ensure all communications to and from the Sage CRM Cloud platform is encrypted. This whitepaper reviews the built-in features of Sage CRM which support the wide range of security requirements which our customers demand in the Cloud. All aspects of platform security are built in for Cloud customers. Please refer to the Data centre & Platform Security Whitepaper for more information.
Essentials and Professional Editions Sage CRM applies safeguards on multiple fronts within the application. The Essentials edition provides a solid set of security features aimed to comprehensively meet the demands of any organization operating in the Cloud: •
•
Securing user access. User authentication and password setup, company team restrictions, and differentiated levels of Administration access all ensure secure user access to Sage CRM. Field Level Security. Set up field-by-field read/write access.
The Professional edition provides all the security features included in the Essentials edition and more advanced data segmentation and workflow capabilities often required by larger organizations: • • •
Defining security profiles. Security profiles can be defined for View/Insert/Update/Delete rights across primary entities. Segmenting data access. Segment data access with hierarchical territory management. Running workflows. Guide users through pre-defined access points with detailed automated change tracking.
FURTHER READING Links to further information
Scalability and Security in the Cloud, read the Rackspace Hybrid Hosting case study. Data centre & Platform Security Whitepaper available on http://trust.sagecrm.com Sage CRM Editions Matrix
Sage CRM Cloud Security Features Whitepaper
page 1
Securing User Access A user requires a logon ID and password to access the system. User authentication and password setup
User setup
A user's password is encrypted both within the system and in the database for maximum security. The System Administrator can change, but not view, a user's existing password. Company Team restrictions
Rights to view “sensitive” tabs, such as Opportunities and Cases, can be restricted for individual users depending on company team membership. This means that if you have not been assigned to work on an account via the Company Team tab, you may not view or update information in “sensitive” tabs.
Differentiated levels of Administration access
User Administration rights can be set to differentiated levels of complexity. There are three basic levels: No Admin Rights, Info Manager, and System Admin. The Info Manager level can be allocated further specific rights. For example, in larger organizations, a number of power users can be given the ability to perform some specific system administration tasks – such as uploading templates, or maintaining currency conversion rates – without opening up the whole of the Administration area to them. Info Managers also embody a more general concept of a power user. For example, setting the Administration field on a user to Info Manager automatically gives a user access to Marketing, and lets them edit Interactive Dashboard templates. FURTHER READING
Links to further information
Company Team related field descriptions in Security Fields help topic Levels of Administration access (Info Manager) help topic
Sage CRM Cloud Security Features Whitepaper
page 2
Setting up Field Level Security Field security allows System Administrators to define how users can access the fields associated with a screen. For example, it is possible to make a field invisible to some users, allow others to view the contents of the field but not to change them, and to grant others both read and write access. In addition, it is also possible to make it mandatory for the user to enter a value in the field before submitting the form.
Field Level Security
This field security can be supplemented by System Administrators with JavaScript skills, who can add code in the scripting boxes available through the Screens tab when customizing an entity. Field Security can be set for Everyone (all users), an individual user, a team, a security profile, or a combination of these security types. FURTHER READING Links to further information
Field Level Security help topic
Sage CRM Cloud Security Features Whitepaper
page 3
Defining Security Profiles A security profile is a way of grouping users when defining access rights (View, Update, Insert, Delete).
Security Profile
For example, you can create a profile called Sales. Within the profile you define the rights to View, Update, and Insert Companies, People, Communications and Opportunities, but View-only rights to Cases. This profile can then be assigned to all sales users, rather than setting up individual rights per user. Any changes that need to be made to the profile will automatically apply to all users assigned to the Sales profile. FURTHER READING Links to further information
Security Profiles help topic
Sage CRM Cloud Security Features Whitepaper
page 4
Segmenting Data Access Territory Management
In addition to security profiles, you can also further divide user rights by territory. For example, you may want users in the Europe territory to view all Opportunities within the USA territory, but not to be able to update them.
Territory Management
Territories act as a silent filter over existing security profiles. In other words, if you do not have View access rights to Opportunities in your profile, you do not see any Opportunities, no matter what territory they are in. The "silent filter" of territories influences all areas of CRM. This includes, searching, reporting, and groups generation. Security Policies
Complex inter-territory security rights and exception handling are also catered for using Security Policies.
Security Policies
Sage CRM Cloud Security Features Whitepaper
page 5
Security Policies allow the System Administrator to set up additional security rights. When settings within the Security Policies page are enabled, additional options are available in the Security Profiles page. The security policies act as logical "OR"s to the existing Profile and Default Territory settings. FURTHER READING Links to further information
Territory Management help topic Security Policies help topic
Running Workflows The workflow functionality gives a user with system administrator rights to set up predefined rules and actions to suit your organization's business processes.
Defining a Workflow
For example, a workflow rule can be applied to opportunities automatically generate a follow-up call for the user every time quotation is sent out. Or, a workflow rule can be applied to cases send an e-mail to the customer service supervisor if a case remains a stage of "Investigating" for more than twenty-four hours. Pre-defined workflow actions
to a to at
If you have already been working with leads, opportunities, cases, and solutions without workflow, you will have used the Progress button to manually "progress" the entity to the next stage within the lead, sales,
Sage CRM Cloud Security Features Whitepaper
page 6
or customer service cycle. Once workflow is activated, this button is no longer available. It is replaced with bullets appearing under a common heading Actions.
Workflow Actions
These actions are set up by the system administrator to steer the user through the predefined business processes. Selecting one of these actions can prompt the user to perform an activity, such as gathering further information. It can also trigger events not immediately apparent to the user, for example, sending an SMS notification to the Account Manager. Automated workflow tracking
Every change or progression to a record through the workflow process is recorded in the Tracking tab.
Workflow Tracking tab
The Duration column shows how long, for example, the opportunity has spent at each stage of the qualification process. The duration takes into account the business calendar defined by the System Administrator. FURTHER READING Links to further information
Workflow Customization help topic
Sage CRM Cloud Security Features Whitepaper
page 7
Understanding Sage CRM Cloud Data centre & Platform Security Whitepaper Document version 2.6
Alan Leahy Manager, Sage CRM Cloud Product and Operations
Table of Contents Site location
3
Infrastructure – Electrical power
3
Infrastructure – Heating, ventilation, air conditioning
3
Infrastructure – Fire suppression and detection
3
Infrastructure - Physical security
4
Infrastructure – Monitoring
4
Infrastructure – Network
5
External firewalls
6
Intrusion and malicious software detection
6
Secure systems management
6
Secure data connectivity utilising SSL certificates
6
Restricted access
6
Identity management
6
User authorisation
6
Real-time application monitoring
6
Vulnerability audits
7
Data Centre certification
7
Understanding Sage CRM Cloud: Data centre & Platform Security Whitepaper
Page 1 of 9
Introduction Ensuring the availability, reliability, security and performance of mission-critical applications is a growing challenge for today’s organisations. This is particularly important to small and medium businesses with limited IT resources. As a result, an increasing number of companies are turning to software-as-a-service or cloud providers to minimise the infrastructural complexity and overhead associated with these applications. As such, the use of on-demand CRM, such as Sage CRM Cloud, has become widely adopted, particularly for companies looking to implement a Customer Relationship Management (CRM) solution for the first time. While most companies will focus on functionality and subscription charges when comparing cloudbased CRM providers, the potential supplier’s data centre facilities are generally overlooked. Security, availability and performance are considered to be givens. This however, is a precarious assumption to make. In reality, there is significant variance between potential suppliers in this area and companies should give careful consideration to the facilities and provisions that have been put in place to protect their data and ensure suitable performance and availability for their business. This document is aimed at providing public releasable information about the leading-edge data centre facilities that underpin the security, performance and availability of the Sage CRM Cloud Platform through our global data centre partner Rackspace Limited. This document will provide an overview of the data centre infrastructure, platform security and the independent audits and reviews employed by Sage and Rackspace to ensure that the risk of compromise is kept to a minimum at all times.
Understanding Sage CRM Cloud: Data centre & Platform Security Whitepaper
Page 2 of 9
Sage CRM Cloud Data centre Infrastructure Site location The Sage CRM Cloud platform is currently hosted with our data centre partner, Rackspace Limited., across two of their data centre facilities, located in the United States and the United Kingdom. These data centre locations were chosen due to the fact that there are no major geographic risk based FEMA criteria; the area is not prone to seismic activity, floods, tornadoes or hurricanes. The data centre is located in an area where the risk of man-made disasters is low. Rackspace personnel are on duty 24 hours a day, 7 days a week at all of Rackspace’s data centre facilities.
Infrastructure – Electrical power The data centres are equipped with Uninterruptible Power Supplies (UPS) to mitigate the risk of short-term utility power failures and fluctuations. The UPS power subsystems are N+1 redundant with instantaneous failover in the event of a primary UPS failure. The UPS systems are inspected at least twice annually. Both data centre facilities are equipped with diesel generators to mitigate the risk of long-term utility power failures and fluctuations. Generators are regularly tested and maintained to provide assurance of appropriate operability in the event of an emergency.
Infrastructure – Heating, ventilation, air conditioning The data centres feature N+1 redundant Heating Ventilation Air Conditioning (HVAC) units, which provide consistent temperature and humidity within the raised floor area. HVAC systems and chillers are inspected regularly (at least quarterly) and air filters are changed periodically. Redundant lines of communication to telecommunication providers provide Rackspace customers with failover communication paths in the event of data communications interruption.
Infrastructure – Fire suppression and detection The data centres are equipped with sensors, including smoke detectors, and floor water detectors, to ensure the detection of environmental hazards. In addition to this, the data centre facilities are equipped with raised flooring to protect hardware and communications equipment from water damage. The data centres are also equipped with fire detection and suppression systems and fire extinguishers, all of which are inspected at least twice annually.
Understanding Sage CRM Cloud: Data centre & Platform Security Whitepaper
Page 3 of 9
Infrastructure - Physical security The security of the data centre is considered paramount; best practice procedures are in place to ensure the highest levels of security for customer data. Two-factor authentication is required to gain access to the data centre facilities and electromechanical locks are controlled by biometric authentication and a key-card/badge. Access to secure sub-areas is allocated on a role specific basis and only authorised data centre personnel have access to data halls. Rackspace employees utilise proximity badges and access cards to enter the building. Only employees with a business need for access to the server floor or other secure data centre areas are provided such access. Employee entry access is controlled by two-factor authentication (biometric authentication and proximity access cards). Rackspace policy strictly prohibits employees from tailgating at the data centres. Additionally, visitors must be escorted at all times and are strictly forbidden from accessing the data halls themselves. All entrance points, on the interior and exterior of the buildings housing data centres are secured with 24/7 monitored closed circuit video surveillance. Cameras support data retention for 90 days and are monitored 24/7 by on-site security personnel. Sensitive equipment such as plant and information processing facilities, including customer servers, are housed in secure sub areas within the secure perimeter and are subject to additional controls. Centralised Security Management Systems are deployed at all data centres to control the Electronic Access Control Systems and CCTV networks. The data centres maintain 24/7/365 monitored CCTV coverage, with CCTV/DVRs supporting data retention for 90 days due to PCI compliance requirements. Visitor access to the data centres must be granted by appointed authorised approvers before the scheduled visit meaning unauthorised visitors are not permitted access to the data centres. When commencing a visit to the data centre, all visitors must present photographic ID when logging in and are strictly escorted at all times. All visitor access is logged, this policy applies equally to Rackspace employees not assigned to the data centre in question. Visitors, including customers, are strictly forbidden from accessing the data halls themselves and other secure sub areas. Appropriate additional perimeter defence measures, such as walls, fencing, gates and anti-vehicle controls are in place at Rackspace data centre locations. The delivery and loading bays at all data centres are separate areas secured by defined procedures and security controls.
Infrastructure – Monitoring The Rackspace Network Operations Centres (NOCs) continually monitor the health and performance of the data centres on a 24/7/365 basis. The data centres are also monitored 24/7 by Building Management Systems and dedicated engineering teams.
Understanding Sage CRM Cloud: Data centre & Platform Security Whitepaper
Page 4 of 9
Infrastructure – Network The data centre network has been engineered from the ground up to accommodate the high availability demands of outsourced solutions. The Rackspace NOC continually monitor the health and performance of the network and add capacity as required.
Understanding Sage CRM Cloud: Data centre & Platform Security Whitepaper
Page 5 of 9
Sage CRM Cloud Platform Security External firewalls A redundant pair of Stateful Inspection Firewalls is used to provide controlled access to the Sage CRM Cloud Platform. These firewalls provide the initial and essential network security functions by applying security policies to all inbound and outbound traffic. These firewall policies have peer review audits conducted monthly, as well as bimonthly external validation from vulnerability audits.
Intrusion and malicious software detection In addition to the secure firewall architecture, Rackspace monitor their internal networks and have security systems in place to identify incidents of network intrusion or malicious software. All servers have enterprise class anti-virus and malware protection installed, monitored and regularly updated.
Secure systems management Each server is scanned daily and swept for virus patterns ensuring infected files are automatically cleaned, quarantined or deleted. Notifications of the detection, cleansing or deletion are sent to the NOC where they are recorded.
Secure data connectivity utilising SSL certificates By utilising Secure Sockets Layer (SSL) certificates, all transfers of customer data from the customer to the Sage CRM Cloud Platform are encrypted using SSL. The secure connection between the client and our services is encrypted using 2048bit key and certificates.
Restricted access There is a strict access policy that prevents unauthorised access to the Sage CRM Cloud Platform. Access to the operating system, application and data storage is limited to the Sage CRM Cloud and Rackspace Operations Teams. There is a strict no access policy given to individuals outside of these teams.
Identity management Administrative changes to the application may only be carried out by the authorised administrator, whereby their email address has been registered in the application. This prevents unauthorised access to the application configuration and prevents an unauthorised backup of the customer’s database being taken.
User authorisation Access to the Sage CRM Cloud application is controlled by a username and password. This only gives access to the customer’s Sage CRM Cloud account. User rights, once in the application, are dependent upon the level of security set by the customer’s CRM administrator.
Real-time application monitoring Application and platform monitoring is carried out 24/7. This is automated and provides notification of a failure or impending failure of the application or component of the infrastructure.
Understanding Sage CRM Cloud: Data centre & Platform Security Whitepaper
Page 6 of 9
Verification Vulnerability audits The security of the data centre is validated by Rackspace, with an external network vulnerability audit carried out on a regular basis. In addition to this, Sage CRM carries out ad-hoc security checks against its own platform, exclusive of any Rackspace testing. This security review includes validating the Sage CRM Cloud application and platform against the Open Web Application Security Project (OWASP) top ten application security risks, as well as other important and confidential security aspects. The results of these audits are confidential and are not shared outside of the Sage CRM management team.
Data centre certification Rackspace data centres have been audited and certified to leading industry standards. Further details of these accreditations can be found below. For more detailed information on the Rackspace data centre accreditations please visit the Rackspace website (www.rackspace.co.uk/aboutus/accreditations/).
ISO 27001:2005 (Information Security) This standard provides a framework for managing a business’ security responsibilities and provides external assurance for customers as to the scope and scale of the Rackspace secure environment via Rackspace Business Security Management System. It is subject to on-going external assessment by Certification Europe with a full re-assessment every three years. ISAE 3402 Type II Service Organisation Control Rackspace utilises this globally recognised standard for reporting on service organisation controls to demonstrate that selected Rackspace processes, procedures and controls have been formally evaluated and tested by an independent accounting and auditing company (service auditor) for their managed hosting customers, cloud servers & cloud files customers and all of their data centres. The examination includes controls relating to security monitoring, change management, service delivery, support services, back-up, environmental controls, logical and physical access and provides a detailed description of Rackspace controls and the effectiveness of those controls. Rackspace has worked with the service auditor to have the report issued with a joint opinion that satisfies the requirements of both the ISAE 3402 and the SSAE 16 (created by AICPA (American Institute of Certified Public Accountants) for use in the US mirroring ISAE 3402). This is a rigorous audit repeated on an annual basis for each reporting period and is carried out by external auditors on behalf of Rackspace.
Understanding Sage CRM Cloud: Data centre & Platform Security Whitepaper
Page 7 of 9
ISO 14001:2004 (Environmental Management) Rackspace takes its environmental responsibilities seriously, from ensuring they provide a safe and healthy working environment to their commitments to the wider world, legally and morally. In support of this, the Rackspace UK data centre and head offices are certified to the international environmental management standard, ISO 14001, which provides a framework for managing environmental responsibilities, including energy and waste management It is subject to on-going external assessment by the certification body, BSI (British Standards Institution), with a full re-assessment every three years.
For further information on the information contained within this document, please contact your local Sage office.
About Sage CRM
Sage CRM is used by over 12,000 organisations in 70 countries worldwide to manage their critical sales, marketing and customer service activities every day. Award-winning Sage CRM equips businesses with the tools they need to find new customers, close sales faster and build lasting, more profitable relationships across all channels. Regardless of how, when or where customers, partners and prospects choose to interact with your business, Sage CRM provides a decisive advantage by delivering a comprehensive, easy-to-use system to successfully manage these relationships. Thanks to its ERP integration capabilities, the Sage CRM front-office is powered by data from the back-office to give sales, marketing, customer service and other front-office staff a true 360 degree view of customers across front- and back-office functions, differentiating it from many other CRM solutions in the market today.
See for yourself the difference that Sage CRM could make to your business. Visit www.sagecrm.com and start your free 30 day trial of Sage CRM now.
Find us on Facebook
Follow us on Twitter
Join our LinkedIn group
Watch our YouTube channel
Understanding Sage CRM Cloud: Data centre & Platform Security Whitepaper
Page 8 of 9