November 14
Ariba Cloud Infrastructure
The average organizational cost of a data breach is $5.85 million in the US and $4.74 million in Germany.[1]
Data Protection
Ariba Cloud and Network services are designed to provide extremely secure
solutions for our customers. The protection of customer data entrusted to Ariba is
achieved by applying a comprehensive multi-layered security approach, which
encompasses secure facilities, data storage, retrieval, and presentation.
Physical Site
Businesses need speed, security, and high availability. Ariba deploys its Cloud
solutions in highly secure and controlled SAP-operated data centers, and partners
with world-class colocation hosting data centers in North America, Europe, and
around the world. Each facility deploys a comprehensive array of security
technology, techniques, and procedures to control, monitor, and record access to
the facility, including customer cage areas. All areas of the data center are
monitored, activities are recorded using CCTV, and all access points are controlled.
High-sensitivity areas require authentication by means of biometric scans. All of the data
centers are certified on a regular basis for security processes and procedures.
Firewalls
Cisco Secure Firewall is a dedicated firewall appliance that delivers strong security
and performance and creates almost no network performance impact. The product
enforces secure access between an internal network and Internet, extranet, or
intranet links.
Specifically, firewall servers are used at each level of data communication within
Ariba:
Between the Internet and web servers
Between the web servers and the application servers
Between the application servers and the database servers
These Firewall servers allow Ariba Operations to rigorously protect the Ariba Cloud
from unauthorized access, providing full firewall security protection. For more
information, please visit Cisco's website at http://www.cisco.com in their Cisco
Secure product section.
Application
Malicious cyber activity costs an estimated $300 billion to $1 trillion globally.[2]
Application security governs end-user access to the online services and information
on Ariba. Ariba uses unique user IDs and passwords as the primary means of user
authentication and access control.
Passwords are case-sensitive and encrypted in motion and at rest. Required
password policies can be implemented as part of the project depending on the
package.
[2] Center for Strategic and International Studies, The Economic Impact of Cybercrime and Cyber Espionage, July 2013.
Cookies
Ariba utilizes cookies to maintain user sessions after a user logs in. The cookies used
by Ariba Cloud Services are secure session cookies, and depending on the
authentication functionality of the implementation, the cookies used may be
mandatory for the application to function properly. The encrypted session cookie
lasts only for the duration of the interaction with Ariba applications. HTTPS cookies
are based on industry standards and provide a secure method of session
management.
Ariba only utilizes cookies for the extent of providing the service and never uses
cookies for marketing purposes. For more information on how Ariba uses cookies,
please see the Ariba Data Policy and Ariba Privacy Statement on trust.ariba.com.
Session Timeout
Ariba provides a 30-minute session timeout for idle user sessions. Ariba also
provides an alert feature where the user is notified of a pending timeout and given an
opportunity to cancel the timeout. If the user does not cancel the timeout, then their
work is saved and they are logged out of the system.
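The cookie and timeout behaviour described in the two sections above, as an added example that is not Ariba's own code: a signed session token carried in a true session cookie (Secure, HttpOnly, SameSite, and no Max-Age or Expires so the browser drops it when the session ends), a 30-minute idle timeout, a warning state shortly before expiry that the user can cancel by acting, and saving of in-progress work before the forced logout. The two-minute warning window, the cookie name, the in-memory store and the token format are assumptions of this example.

```python
"""Idle-timeout session management with a secure session cookie (added example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from http.cookies import SimpleCookie
from typing import Dict, Optional

IDLE_TIMEOUT_SECONDS = 30 * 60     # 30-minute idle timeout, as stated in the section
WARNING_WINDOW_SECONDS = 2 * 60    # assumption: warn the user two minutes before expiry
COOKIE_NAME = "SESSIONID"          # assumption: not the real cookie name


@dataclass
class Session:
    user_id: str
    last_activity: float
    pending_work: dict = field(default_factory=dict)


class SessionStore:
    def __init__(self, signing_key: bytes) -> None:
        self._key = signing_key
        self._sessions: Dict[str, Session] = {}
        self.saved_work: Dict[str, dict] = {}   # work saved when a session times out

    def _sign(self, sid: str) -> str:
        # Bind a keyed MAC to the random session id so a tampered cookie is
        # rejected before any store lookup.
        mac = hmac.new(self._key, sid.encode(), hashlib.sha256).hexdigest()
        return f"{sid}.{mac}"

    def _verify(self, token: str) -> Optional[str]:
        sid, _, mac = token.partition(".")
        expected = hmac.new(self._key, sid.encode(), hashlib.sha256).hexdigest()
        return sid if mac and hmac.compare_digest(mac, expected) else None

    def login(self, user_id: str, now: float) -> str:
        sid = secrets.token_urlsafe(32)            # 256 bits of randomness
        self._sessions[sid] = Session(user_id, now)
        return self._sign(sid)

    def cookie_header(self, token: str) -> str:
        """Build the Set-Cookie value for a secure, browser-session-only cookie."""
        c = SimpleCookie()
        c[COOKIE_NAME] = token
        c[COOKIE_NAME]["secure"] = True        # HTTPS only
        c[COOKIE_NAME]["httponly"] = True      # not readable from page scripts
        c[COOKIE_NAME]["samesite"] = "Strict"  # not sent on cross-site requests
        c[COOKIE_NAME]["path"] = "/"
        # No Max-Age / Expires: the browser discards it when the session ends.
        return c.output(header="").strip()

    def status(self, token: str, now: float) -> str:
        """Return 'active', 'warning' (timeout pending) or 'expired'."""
        sid = self._verify(token)
        sess = self._sessions.get(sid) if sid else None
        if sess is None:
            return "expired"
        idle = now - sess.last_activity
        if idle >= IDLE_TIMEOUT_SECONDS:
            self._expire(sid, sess)
            return "expired"
        if idle >= IDLE_TIMEOUT_SECONDS - WARNING_WINDOW_SECONDS:
            return "warning"
        return "active"

    def touch(self, token: str, now: float) -> bool:
        """User activity, including cancelling the timeout alert, renews the idle clock."""
        if self.status(token, now) == "expired":
            return False
        self._sessions[self._verify(token)].last_activity = now
        return True

    def _expire(self, sid: str, sess: Session) -> None:
        # Save whatever the user was working on, then log them out.
        self.saved_work[sess.user_id] = dict(sess.pending_work)
        del self._sessions[sid]
```

The clock is passed in explicitly so the timeout logic can be exercised deterministically; a real deployment would read `time.time()` at each request and keep the signing key in the key vault rather than in process memory.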
Web Services
Ariba provides wide support for web services to facilitate the integration of Ariba
Cloud Services and Network with systems in use by our customers in their
landscape. Integration points are available for Ariba's customers to synchronize
master data or integrate transactional data (such as purchase orders, order
confirmations, invoices, etc.).
Ariba supports highly secure authentication mechanisms for its web services. HTTPS
and WS-Security protocols are utilized to ensure the privacy and integrity of all web
service calls. WS-Security is the premier mechanism, and the protocol provides the
means to secure the web services above and beyond transport level protocols such
as HTTPS. The WS-Security standard provides rich functionality such as message
encryption, message signing, and management of public keys, to name a few.
Database
Ariba databases are configured on multiple instances deployed on high-availability
clusters of servers using Veritas Cluster Server. The database servers use industry
standard vendors for fault-tolerant disk storage. Ariba has deployed enterprise-grade
storage technology from HP (3PAR Inserv and EMC Symmetrix) to ensure high
availability, excellent performance, and fault tolerance. The storage systems provide
performance, connectivity, and functionality for consolidation and application
storage management. Information stored in the database is behind three layers of
firewall protection and intrusion detection system monitoring traffic for anomalous
behavior. The database servers are hardened and accessible only to specifically
verified and designated operations personnel.
Certifications
Ariba audits and certifications include the following:
SSAE16 SOC1 (formerly SAS 70), SOC2 and SOC3
PCI (Payment Card Industry) - DSS (Data Security Standard)
Safe Harbor (US Dept. of Commerce in consultation with the European
Commission)
Since 2001, Ariba has maintained rigorous re-certification every six months focusing
on four areas: availability, confidentiality, processing integrity, and security under
WebTrust (now SSAE 16). Further information about Ariba WebTrust certification
can be found at: https://cert.webtrust.org/ViewSeal?id=781. In addition, the Equinix
infrastructure is covered by SSAE16 SOC1 (formerly SAS 70) certification.
Encryption
The use of strong encryption techniques is the most optimal solution for protecting
sensitive information and enforcing personal data privacy. Financial, healthcare,
pharmaceutical, and public sector organizations must comply with industry
compliance standards, such as HIPAA, Gramm-Leach-Bliley Act (GLBA), SOX, the EU
Data Protection Act, etc.
Ariba's approach is to provide an end-to-end encryption paradigm to achieve
security and regulatory compliance. This comprehensive approach means that data
is encrypted from the moment it is posted from the user's machine to the database
or backup storage at the Cloud provider.
Encryption of data at rest is a separate and critical component where data stored on
physical media such as databases, data warehouses, and disk-based storage is
protected. Ariba's approach is multi-faceted, 360-degree encryption across all of the
devices where a customer's data is stored.
Data in Databases and Data warehouses: Sensitive data is encrypted using
256-bit AES, including fields identified as personal data. Ariba is also rolling
out full encryption for all customer data.
Data on Backup, Storage and DR/Secondary Servers: Data on various
servers is encrypted.
Data on Device: Encrypt all data stored locally on individual desktop and
laptop systems, tablets, or smartphones for offline usage.
Key Vault
Keys remain in a protected key vault at all times, and a healthy gap is maintained
between the threat vectors that have direct access to the data and the threat vectors
that have direct access to the keys. The key vault solution also passes the Federal
Information Processing Standards (FIPS) 140-2 Level 3 certification testing.
Importantly, the key vault sustains clear segregation and separation of customer
keys and certificates.
Key Management
Keys are deemed to be interoperable, integrated, and unified. Key management also
involves a comprehensive lifecycle which details the various states that a key
moves through during its life. The lifecycle specifies when a key can no longer be
used for encryption, and when a key can no longer be used for decryption. Key
rotation is an integral key management strategy, and keys are expired or revoked
after a reasonable time period.
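The lifecycle just described, as an added example that is not Ariba's key vault or key management code: each key carries a state that decides whether it may still encrypt, may only decrypt data already written under it, or may do neither; rotation creates a fresh active key and deactivates the previous one; the active key is expired once it exceeds a crypto period; and a revoked or destroyed key is refused for every operation. The state names, the 90-day crypto period and the stand-in cipher (an HMAC-SHA256 keystream with an HMAC tag, standing in for the AES-256 a production system would use through a vetted library) are assumptions of this example.

```python
"""Key lifecycle enforcement around an envelope-encrypted record (added example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple

CRYPTO_PERIOD_SECONDS = 90 * 24 * 3600   # assumption: rotate the active key after 90 days


class KeyState(Enum):
    ACTIVE = "active"            # may encrypt and decrypt
    DEACTIVATED = "deactivated"  # may decrypt existing data only (after rotation)
    REVOKED = "revoked"          # suspected compromise: no use at all
    DESTROYED = "destroyed"      # material erased; data under it is unrecoverable


@dataclass
class ManagedKey:
    key_id: str
    material: bytes
    created: float
    state: KeyState = KeyState.ACTIVE

    def may_encrypt(self) -> bool:
        return self.state is KeyState.ACTIVE

    def may_decrypt(self) -> bool:
        return self.state in (KeyState.ACTIVE, KeyState.DEACTIVATED)


class KeyLifecycleError(Exception):
    pass


class KeyRing:
    """Holds the keys and enforces which lifecycle states permit which operations."""

    def __init__(self) -> None:
        self._keys: Dict[str, ManagedKey] = {}
        self._active: Optional[str] = None

    def rotate(self, now: float) -> str:
        """Create a new active key; the previous active key becomes decrypt-only."""
        if self._active is not None:
            self._keys[self._active].state = KeyState.DEACTIVATED
        key_id = "k-" + secrets.token_hex(4)
        self._keys[key_id] = ManagedKey(key_id, secrets.token_bytes(32), now)
        self._active = key_id
        return key_id

    def revoke(self, key_id: str) -> None:
        self._keys[key_id].state = KeyState.REVOKED
        if self._active == key_id:
            self._active = None          # nothing may encrypt until the next rotation

    def destroy(self, key_id: str) -> None:
        key = self._keys[key_id]
        key.material = b""
        key.state = KeyState.DESTROYED

    def enforce_crypto_period(self, now: float) -> Optional[str]:
        """Expire the active key once it is older than the crypto period."""
        if self._active is not None and now - self._keys[self._active].created >= CRYPTO_PERIOD_SECONDS:
            return self.rotate(now)
        return None

    def state_of(self, key_id: str) -> KeyState:
        return self._keys[key_id].state

    def encrypt(self, plaintext: bytes) -> Tuple[str, bytes]:
        if self._active is None or not self._keys[self._active].may_encrypt():
            raise KeyLifecycleError("no key is eligible for encryption")
        key = self._keys[self._active]
        return key.key_id, _seal(key.material, plaintext)   # key id travels with the ciphertext

    def decrypt(self, key_id: str, blob: bytes) -> bytes:
        key = self._keys.get(key_id)
        if key is None or not key.may_decrypt():
            raise KeyLifecycleError(f"key {key_id} may not be used for decryption")
        return _open(key.material, blob)


# Stand-in authenticated cipher (assumption, not AES-256): separate PRF-derived
# subkeys for the keystream and the tag, random 16-byte nonce, encrypt-then-MAC.
def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def _seal(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def _open(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + body, hashlib.sha256).digest()):
        raise KeyLifecycleError("ciphertext integrity check failed")
    return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))
```

Storing the key id alongside each ciphertext is what makes the decrypt-only state workable: after a rotation, old records remain readable under their deactivated key while every new write goes to the active key, and data under a revoked key is refused until it has been re-encrypted or restored from backup.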
Ariba Network
The Ariba Network provides global commerce capability for Ariba's customers. Ariba
Cloud applications run in regional data centers, where data is stored, and
communicate over the Ariba Network, which is deployed in a data center in North
America and adheres to the highest standards to ensure data security and integrity.
The data flow between regional data centers and the Ariba Network is carried over
secure encrypted connection. To learn more about this and the overall infrastructure
and security aspects, please refer to the latest Ariba Cloud Services Technical
Infrastructure White Paper at https://connect.ariba.com/ACgo2/1,,139285,00.html
for detailed information.
The Ariba Network does not allow modification of personal data that flows through
the Ariba Network in the exchange of documents among trading partners. This
means that the user's personal data maintained in any regional data center is
administered at the source and only sent out of the regional data center in
connection with the exchange of documents using the Ariba Network and the purposes
set forth in the Ariba Data Policy and Privacy Statement.
Conclusion
Ariba is committed to the protection of personal data and sensitive information and
to complying with the data protection laws around the world relevant to the Ariba
Cloud Services. As new regulations are ratified, Ariba evaluates the requirements
and works to evolve its data privacy and protection practices to stay in full
compliance. There may be cases where a new law emerges which Ariba is unable to
immediately comply with in its current role or with existing functionality. In such rare
instances, Ariba will be transparent with customers about the circumstance and
work with customers to consider alternatives.
Ariba respects the rights of users and works diligently with customers, in a shared
responsibility, to protect and maintain user personal data privacy. In keeping with
Ariba's experience and reputation as a Cloud application provider, we consider data
privacy and security with utmost importance, and will continue to do so through all
future enhancements and service offerings.