IT & DATA MANAGEMENT RESEARCH, INDUSTRY ANALYSIS & CONSULTING

Informatica Cloud Security Architecture Overview

An ENTERPRISE MANAGEMENT ASSOCIATES® (EMA™) White Paper
Written by David Monahan, Research Director, Risk and Security Management
Prepared for Informatica
December 2015


Table of Contents

©2015 Enterprise Management Associates, Inc. All Rights Reserved. | www.enterprisemanagement.com


Executive Summary (p. 1)
Overview (p. 1)
1. Physical Security (p. 3)
2. Network Security (p. 3)
   Data Transmission Security (p. 3)
3. Operating System Layer (p. 4)
4. Database Layer Security (p. 4)
5. Application Security (p. 4)
   User Access (p. 4)
   Managing Metadata (p. 5)
   Security Certifications (p. 6)
Informatica Secure Agent (p. 7)
Managing Upgrades (p. 8)
Encryption Types (p. 8)
Conclusion (p. 9)
About the Author (p. 9)


Executive Summary

Today’s cloud market is often a fragmented place where applications and data may each exist on multiple platforms anywhere in the world and where security is often perceived as a work in progress. IT teams are frequently supporting a mix of on-premises and cloud applications along with cloud integration services. Petabytes of confidential information are moving among these cloud applications, and the security practices and safeguards for data are often suspect. Without the proper security programs in place by both the data owner and the cloud service provider, it is possible for data to be leaked or compromised at multiple points in the data lifecycle. Vulnerabilities can occur at any point as data moves from users and their endpoints to the servers in a hosted data center, across communication lines out to the cloud, within the cloud environment, or in return transmissions to users.

As organizations adopt and internally implement an ever-increasing number of cloud applications, Informatica has stepped up to provide cohesive security and protection required by CSOs to protect business-critical data. Informatica Cloud brings cloud, on-premises, relational, and big data together for better value and easier management. With its web-based application, Informatica provides thorough cloud security throughout the data lifecycle. Possible security challenges found throughout the infrastructure include data transmission, data standards and connectivity, data governance, and audit compliance. To address these challenges, Informatica has created a layered, holistic security structure that is resistant to attack and resilient against failure.

Overview

The Informatica Cloud Architecture, which integrates existing public cloud, on-premises, and software as a service (SaaS) applications, takes all pieces of the infrastructure puzzle into account to best secure each component. The entire stack becomes secure for each customer, with partners and customers easily able to complement Informatica’s products and services. Informatica Cloud works with all sources and targets in the client’s network, extending to relational databases as well as big data analytics and other tools.

Informatica’s Integration Platform as a Service (iPaaS) combines application and data integration to allow the creation and management of integration workflows. The entire platform pulls in batch and real-time integration, connectivity capabilities, an API framework, master and test data management, and security for a complete solution. Both developers and business users can benefit from the Informatica Cloud iPaaS by using either visual tools or wizards.

Figure 1 captures all the pieces of Informatica’s cloud security domain and lays out the areas of data movement and potential security concern that exist in any cloud environment. Users can access Informatica Cloud services via the HTTPS protocol on the public Internet. The host contains the Informatica Cloud app that can be accessed by the user, while AES encryption protects the database containing metadata.


Each numbered section of this diagram corresponds to a section below with more detail.

Figure 1. Informatica iPaaS Architecture Overview

Informatica Cloud services include data synchronization, data replication, test data management, data quality, data management, and B2B capabilities. Other Informatica Cloud services are accessible through either visual tools or technical tools or as a self-service wizard. The Informatica Cloud Secure Agent application acts as gatekeeper for all data integration services. The Secure Agent, which contains a runtime engine, allows firewall access to sources and targets in a LAN using connectors.

Informatica Cloud’s security plans create a completely secured stack, with careful attention paid to securing each layer: physical, network, operating system, database, and application.


1. Physical Security

In a cloud-based world, the physical data centers hosting cloud apps are incredibly important to secure. Informatica maintains geographically separate failover data centers for hosting cloud applications. Informatica Cloud also maintains a strict backup schedule for data at those facilities.

These facility partners uphold very high security standards, following best practices in terms of separation of privileges, least privilege, access control and alarm systems, administrator logging, two-factor authentication, codes of conduct, confidentiality agreements, background checks, and monitoring of visitor access. That means that access to the physical infrastructure only happens on a need-to-access basis, and when it does happen, all access is logged and monitored.

2. Network Security

The network is an easy target for attackers, especially in cloud integration environments where data moves so frequently. Informatica Cloud employs a redundant and resilient security infrastructure that addresses potential weaknesses in the network. This includes industry-leading practices that protect the network from the outside in. First, network segmentation prevents undesired infrastructure overlap or access. Border routers are in place at the edge of the network; these, along with load balancers and web application firewalls (WAFs), facilitate both service availability and secure delivery. Core switches ensure customer network protection internally, as they work to designate traffic to various networks. In addition, an IDP device protects against Internet attacks, and split DNS protects servers from Internet exposure.

Informatica Cloud’s firewalls are designed to prevent and intercept common network attacks before they can get to the application, removing the need for customers to weaken firewall policies to use the Informatica agent. Firewalls apply network address translation to non-published addresses, and port address translation and port filtering also work to prevent events such as DNS attacks and Internet attacks. Load balancer and WAF policies limit access to each network segment. The firewall also disables telnet and Internet Control Message Protocol (ICMP) and enables only software-related TCP ports. Additionally, there is a separate DMZ present from back-end processes through to firewalls.

Informatica also employs TLS encryption for data in transport, which applies to all related pages, including the login page. In general, Informatica’s network security tools are embedded throughout each layer of the cloud services network. The company conducts yearly security audits, performed by independent auditors, and all network equipment uses two-factor authentication. Informatica also has an incident response plan in place for any contingencies.

Data Transmission Security

A key piece of networking security is data transmission security, which is an essential part of a cloud integration service. Data transmission security protects against issues like network failure or congestion, sniffer attacks, unavailable apps, and DBMS issues. The Secure Agent can work with a security proxy or gateway set up by the customer. Informatica users can connect easily and safely to Salesforce or other cloud services with the assurance of safe data transmission.

Informatica Cloud maintains the most current industry standards and uses TLS with 128-bit certificates, SSH and IPsec protocols for data transmission and remote access over public networks, and AES encryption for transmission. Informatica’s move to TLS came on the heels of deprecating SSL, after version 3.0 was found to contain structural vulnerabilities.
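The transport policy described above (TLS only, SSL 3.0 and early TLS refused, no weak cipher suites, certificate validation never skipped) can be checked mechanically. The following is an added example, not Informatica's code: it audits a Go tls.Config against that policy, with a legacy configuration beside its hardened counterpart. The cipher suite names and policy thresholds are the example's own assumptions.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// tlsVersionName maps the tls package version constants to readable names.
// (Go no longer supports SSL 3.0 at all, so the legacy case below uses TLS 1.0.)
func tlsVersionName(v uint16) string {
	switch v {
	case tls.VersionTLS10:
		return "TLS 1.0"
	case tls.VersionTLS11:
		return "TLS 1.1"
	case tls.VersionTLS12:
		return "TLS 1.2"
	case tls.VersionTLS13:
		return "TLS 1.3"
	}
	return fmt.Sprintf("unknown(0x%04x)", v)
}

// AuditTLSConfig returns one finding per policy violation; an empty slice means the config passes.
func AuditTLSConfig(cfg *tls.Config) []string {
	var findings []string
	// MinVersion 0 means "Go default", which has changed across releases, so require it to be explicit.
	if cfg.MinVersion == 0 {
		findings = append(findings, "MinVersion not set explicitly; pin it to TLS 1.2 or higher")
	} else if cfg.MinVersion < tls.VersionTLS12 {
		findings = append(findings, "MinVersion allows "+tlsVersionName(cfg.MinVersion)+"; require TLS 1.2 or higher")
	}
	if cfg.MaxVersion != 0 && cfg.MaxVersion < tls.VersionTLS12 {
		findings = append(findings, "MaxVersion caps negotiation at "+tlsVersionName(cfg.MaxVersion))
	}
	if cfg.InsecureSkipVerify {
		findings = append(findings, "InsecureSkipVerify disables certificate validation (enables man-in-the-middle)")
	}
	// Go's own list of suites it considers broken (RC4, 3DES, CBC-SHA256 variants).
	insecure := map[uint16]string{}
	for _, s := range tls.InsecureCipherSuites() {
		insecure[s.ID] = s.Name
	}
	for _, id := range cfg.CipherSuites {
		if name, bad := insecure[id]; bad {
			findings = append(findings, "insecure cipher suite enabled: "+name)
		}
	}
	return findings
}

// WeakConfig mirrors a legacy client setup (constructed): old protocol floor, RC4 allowed, no cert checks.
func WeakConfig() *tls.Config {
	return &tls.Config{
		MinVersion:         tls.VersionTLS10,
		InsecureSkipVerify: true,
		CipherSuites: []uint16{
			tls.TLS_RSA_WITH_RC4_128_SHA,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
	}
}

// HardenedConfig is the corrected counterpart: TLS 1.2 floor, AEAD suites with forward secrecy only.
func HardenedConfig() *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
		},
	}
}

func main() {
	for name, cfg := range map[string]*tls.Config{"weak": WeakConfig(), "hardened": HardenedConfig()} {
		findings := AuditTLSConfig(cfg)
		fmt.Printf("%s: %d finding(s)\n", name, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```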


3. Operating System Layer

Network and physical security cover many typical cloud security challenges, but operating system (OS) administration is also a key piece of the Informatica cloud security plan. OS security starts with access: Informatica users see only what they need to, so arbitrary code cannot be executed, which protects the operating system.

In addition, Informatica technology makes sure the hardened OS images remain intact and protected. Two-factor authentication using a security token and password is required to access any server before remote management connections are allowed. Connections are secured via Secure Shell version 2 (SSH 2.0) only. Finally, user and administrator account controls restrict any unnecessary access.

4. Database Layer Security

The next security layer in the Informatica Cloud stack is the database tier. It is crucial to understand that the databases contain only the metadata defining the integration job that has been moved through the Informatica infrastructure. No client data is ever stored on Informatica servers. Database servers also are not accessible to the public Internet. For true cloud multitenancy, Informatica Cloud separates client data and implements user access controls for metadata management. Each user’s metadata is only accessible by that user via the multitenant controls. Encryption protects the user credentials and sensitive data.

To maintain a secure multitenant environment, Informatica also depends on AES 128-bit encryption at the persistence layer. Customer credentials are encrypted at rest in the database. This piece of the Informatica security plan also protects against SQL injection attacks. Informatica performs annual network tests to make sure that no SQL injection attacks have occurred and that client data has not been accessed by others.

5. Application Security

Informatica Cloud offers deep security around the application layer, beginning with the company’s own app agent, the Secure Agent. Informatica maintains high security for the agent app through organizational and sub-organizational divisions, role and permissions setup, and fine-grained access controls. Informatica’s Secure Agent application consists of data and application integration engines and connectors to external data sources. It allows for secure communication across the firewall between the client and the cloud.

User Access

Controlling user access can often prevent security problems and help pinpoint and analyze any issues that do arise. Informatica Cloud has the option for clients to leverage third-party SAML providers with external LDAP directories for user authentication and access control. Administrators using Informatica Cloud can perform extensive configurations, such as the SAML identification provider, the entity identification, single sign-on and single logout service URLs, signing certificates, encryption certificates, and many more. Two-factor authentication also enables stringent security.

Administrators can assign different rules to different users so that users can access only the aspects they need. That allows control over who does what so that some users are designing and mapping, some are running jobs, and so on.


The Informatica Cloud administrator can define what the Informatica Cloud organizational structure should look like, down to the user level. The administrator can create sub-organizations to more easily classify and group users; segregating users in this way makes it so different departments see only their relevant work. The administrator can also assign licenses for each organization, sub-organization, or user and control password setup. Customers of Informatica Cloud can also integrate the system easily with Active Directory and other forms of external authentication.

For governance reasons, every aspect of user activity is logged and can be audited.

Managing Metadata

Within the realm of database security considerations, there is metadata—the information about the data itself. The metadata within the Informatica repository can include such details as mappings, application connection details, and transformation rules. As a cloud best practice, Informatica stores only metadata—never actual customer data—in its databases. Sensitive metadata, such as user credentials, is always encrypted for storage.

User access controls are closely tied to metadata, which details user actions and information. Role-based controls, such as delegated administrator and master administrator, allow those users to be assigned access and specific functions. There are several categories of metadata:

• Organizational and User/Security Metadata – This information describes the structure of the organization; defines users and groups and their permissions, privileges, and license information; and tracks audit logs. These audit logs are extremely detailed, providing a total record of user logins sorted by time of day. One of the strongest security features is the use of a delegated administrator. This user is set up with controlled invocation to allow specified users to exercise administrator-like functions without giving them full administrative control or the ability to create or modify other users and controls not delegated/assigned.

• Design Metadata – This data defines integration tasks and processes, including data sync, data replication, mappings and templates, task flows, process definitions, and connectors.

• Runtime Metadata – This information contains agent definition data and other information crucial for runtime activities, like connection and schedule data and activity logs.

Figure 2 demonstrates the Informatica “delegated admin” function. The example shows the master organization defining policies for the environment, including authentication options, licenses and logging options, notification preferences, and job execution. The delegated admins can then be created and given control over each of their subordinate organizations, creating whatever additional policies they deem needed so long as they do not conflict with the core policies configured by the master administrator.


Figure 2. Informatica Delegated Admin Architecture Overview

Security Certifications

Informatica’s cloud platform combines best practices and leading technology and incorporates industry features to secure its products. As part of this holistic security view, Informatica Cloud has earned industry-leading security certifications to ensure its platform meets exacting standards for a range of customers and industries. Informatica Cloud maintains a constantly updated site with information on security certifications and features implemented, service status, and how much data is being processed.1 Informatica conducts in-house vulnerability scans on all infrastructure, servers, databases, and applications, in addition to achieving the following certifications.

• SSAE 16 – This certification covers reporting on controls at a service organization and was designed to comply with the latest international service organization reporting standard.

• SOC Type I and II – These reports are for service organization controls that may impact their clients’ financial reporting (Type I) or service organization controls that affect non-financial reporting (Type II).

• ISO-27001 – This standard provides requirements for an information security management system (ISMS), which includes people, processes, and technology.

• PCI-DSS – This standard is a set of requirements that ensure that any company that processes, stores, or transmits credit card information will have a secure environment.

• Salesforce.com AppExchange Certified – This standard requires that any application in the Salesforce.com ecosystem be periodically reviewed for security and have a business associate agreement (BAA) from a hosting vendor.

1 Visit Informatica Cloud’s Trust site to stay up to date on new certifications and view service status and how much data is being processed.


Informatica Secure Agent

In Informatica Cloud, the Secure Agent app plays a major role in securing applications and contains a number of security features. The Secure Agent employs two-factor authentication and maintains audit logs. It can also leverage Security Assertion Markup Language (SAML) and single sign-on for ease of use. The Secure Agent moves data among sources, local systems, and targets, and in any of those transmissions, data neither traverses nor lives on Informatica servers.

The Secure Agent is a high-function runtime version of Informatica’s PowerCenter execution component. It initiates communication with Informatica Cloud Services through a secure channel and supports various tokens, such as username, SAML, or X.509; algorithms, including symmetric data encryption key transport and signature; and identifiers like the direct binary reference, X509, and subject key identifier.

All cloud data integration services depend on the Secure Agent to access client application, relational database, and file sources and targets via the firewall, without requiring users to open a firewall port. Data-masking transformations also take place at the agent to protect sensitive data, though it is not required and can be set by the user. The Secure Agent pulls in the integration-related metadata from the host and executes it.

Customers can also save connection-related metadata to the agent, rather than the host, if they prefer to keep it inside the firewall.

It is also possible for Informatica Cloud customers to choose the Informatica Cloud Real Time (ICRT) service, which adds the embedded process engine to the Secure Agent. With ICRT, users can deploy processes to the cloud and on-premises to a process engine. ICRT offers process-governance tools to help with continuous operation, version management, exception management, process persistence policy setting, policy assertions for partner interactions, policy-based configurations, and more.

The Secure Agent itself is secured in various ways. The Secure Agent uses a power channel connection every time it communicates with Informatica Cloud. The Secure Agent gets ahead of trouble spots by checking for availability before connecting (as does the related PowerCenter execution tool). To defend against sniffer or man-in-the-middle attacks, that communication channel must be authenticated to maintain its integrity, as well as ensure transport encryption. The Secure Agent code creates a virtual socket connection port. When that port is used, it is encrypted with 128-bit encryption and sent via port 443 to a power channel server running Informatica Cloud, which sends the data to the web app.

The Secure Agent also performs network resiliency checks and retains full audit logs to track any issues that may arise. The Secure Agent is downloaded by the customers and can then be placed in a location that best fits their requirements, such as an in-house server or a virtual machine on a public cloud service, such as AWS or Azure. Third-party authentication programs import the user ID without the password, then Secure Agent defines permissions and the external provider handles authentication.

Additionally, the Secure Agent can handle cloud-to-cloud integration for enterprises running many important applications in the cloud. The Secure Agent instance is created within a virtual environment generated by Informatica Cloud. The Secure Agent then downloads and executes instructions to integrate data and processes across cloud and on-premises applications. The data and communications are encrypted via HTTPS.


Managing Upgrades

Informatica handles upgrades through a finely tuned SDLC process and specific guidelines around major release, off-cycle release, and patch or emergency implementations three to four times per year.

Within Informatica, the security release process draws on various teams’ expertise to ensure smooth upgrades. Informatica’s quality assurance team verifies releases before transferring to cloud operations experts who use a test site for functionality verification. Informatica Cloud’s hosting vendor receives releases through a TLS connection for more testing before the new features are scheduled for the next production release date. Off-cycle releases are scheduled monthly, with any emergency patches integrated into the release process.

Customers have software agents at their sites, and the usual strict data transmission protocol applies for any upgrade activities. Binary distribution management is planned carefully as well. The binaries sent to the customer’s software agent are signed and encrypted. This prevents any possibility of a man-in-the-middle attack.

Customer communications always accompany the three-phase upgrade process, including notifications for planning and scheduling any downtime. A key component of the upgrade process is allowing customers access to a prerelease environment to allow them time for compatibility testing prior to making upgrades to production systems.

Secure Agent updates also take place from the cloud. The agent can easily be replaced or upgraded at any time without disrupting operations. The Secure Agent checks for upgrades periodically, then automatically downloads and installs them.

Encryption Types

Informatica Cloud matches the right encryption to the right situation throughout the data and application lifecycles. The content of metadata is protected by AES 128-bit encryption. For data transmission, TLS 1.2 protocol protects data over the network, while SHA 256-bit key handles encryption. Each SSL certificate is 128-bit encrypted and pairs with the appropriate Cipher Suite. Symmetric keys also provide protection, while checksum ensures that the data that is downloaded is the data that is requested to avoid man-in-the-middle attacks.
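The signed binary distribution from the Managing Upgrades section and the download checksum described just above work together: the checksum only defeats a man-in-the-middle if the manifest carrying it is itself authenticated with the vendor's key. The following added example (not Informatica's code) shows an agent-side verifier for that two-step check using Ed25519 and SHA-256; the manifest format, key pair and sample binary are constructed for the demo, and the encryption layer the paper also mentions is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is the release description shipped alongside the binary (constructed format).
type Manifest struct {
	Version string
	SHA256  string // hex digest of the binary
}

// canonical returns the exact bytes that are signed; publisher and agent must agree on this encoding.
func (m Manifest) canonical() []byte {
	return []byte("version=" + m.Version + "\nsha256=" + m.SHA256 + "\n")
}

// PublishRelease is the vendor side: compute the checksum and sign the manifest.
func PublishRelease(priv ed25519.PrivateKey, version string, binary []byte) (Manifest, []byte) {
	sum := sha256.Sum256(binary)
	m := Manifest{Version: version, SHA256: hex.EncodeToString(sum[:])}
	return m, ed25519.Sign(priv, m.canonical())
}

var (
	ErrBadSignature = errors.New("manifest signature invalid: not from the pinned vendor key")
	ErrBadChecksum  = errors.New("binary checksum mismatch: download altered or wrong file served")
)

// VerifyRelease is the agent side. It refuses the update unless both checks pass.
func VerifyRelease(pub ed25519.PublicKey, m Manifest, sig, binary []byte) error {
	// 1. Authenticate the manifest first; an unsigned checksum proves nothing against an active attacker.
	if !ed25519.Verify(pub, m.canonical(), sig) {
		return ErrBadSignature
	}
	// 2. Only then trust the checksum and compare it with what was actually downloaded.
	sum := sha256.Sum256(binary)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return ErrBadChecksum
	}
	return nil
}

// Scenario runs three constructed cases and returns the verifier's verdict for each.
func Scenario() map[string]error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // vendor key pair, generated for the demo
	if err != nil {
		panic(err)
	}
	binary := []byte("agent-binary-contents v1.2.3 (constructed sample)")
	m, sig := PublishRelease(priv, "1.2.3", binary)

	results := map[string]error{}
	results["genuine"] = VerifyRelease(pub, m, sig, binary)

	// Binary altered in transit; the genuine manifest no longer matches it.
	tampered := append([]byte{}, binary...)
	tampered[0] ^= 0xff
	results["tampered binary"] = VerifyRelease(pub, m, sig, tampered)

	// Substituted binary with a matching manifest, but signed with a key that is not the pinned vendor key.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged, forgedSig := PublishRelease(otherPriv, "1.2.3", tampered)
	results["forged manifest"] = VerifyRelease(pub, forged, forgedSig, tampered)
	return results
}

func main() {
	for name, err := range Scenario() {
		if err == nil {
			fmt.Printf("%-16s accepted\n", name)
		} else {
			fmt.Printf("%-16s rejected: %v\n", name, err)
		}
	}
}
```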

Informatica Cloud embeds security in every layer of the infrastructure stack and into every aspect of the movement of cloud integration data. This complete approach eliminates any missed protection opportunities or security holes to secure even the most complex cloud environment.


Conclusion

Informatica understands how critical information is to businesses today. In many cases, information is the crown jewel of the business. The leakage, corruption, or loss of data can be devastating to a business, and thus the utmost attention must be given to data preservation and security.

Informatica’s services meet many best practices and, at the time of this writing, current regulatory requirements including U.S. and EU privacy, HIPAA, PCI, and others. Informatica has achieved some of the most stringent certifications, including SSAE 16 and ISO-27001. The level of security provided for customers and their data is achieved not through a single control, but through multiple overlapping layers tightly integrated like bricks in a wall.

One or more security controls are placed at each layer of the OSI model starting at the physical layer with data center controls. At the data link layer, redundant access and load balancing are implemented to prevent congestion and impacts from component failure. TLS is used to secure communications between the cloud and the users while network segmentation and perimeter firewalls secure the network. Sessions are protected with multiple security controls, including multifactor authentication and session tokens that are destroyed at logout. For the presentation layer, data masking can be easily deployed so users who do not have a need to know will not. At the application layer, data encryption and granular role-based user controls, including the delegated admin, can be invoked.

These are just a few of the controls in place to protect the customer’s information while simultaneously providing a robust cloud service to meet even the most demanding needs.

About the Author

David Monahan is a senior information security executive with several years of experience. He has organized and managed both physical and information security programs, including security and network operations (SOCs and NOCs) for organizations ranging from Fortune 100 companies to local government and small public and private companies. He has diverse audit and compliance and risk and privacy experience, such as providing strategic and tactical leadership to develop, architect, and deploy assurance controls; delivering process and policy documentation and training; and working on educational and technical solutions.

Prior to joining Enterprise Management Associates (EMA), David spent almost 10 years at AT&T Solutions focusing on the network security discipline. He was a key leader in organizing the operations of AT&T’s Managed Security Services where he ultimately supported over 700 customers globally. In 2004, he leveraged that experience to provide support to the SMB market, working internally to bolster struggling security organizations. Since then, he has been sought after by public and privately held companies and local government, including Network Appliance, McData, and Jefferson County, Colorado, to help them manage their information security, compliance privacy, and IT risk programs.

Aside from his full-time practice in the security field, David has been an adjunct faculty member for Capitol College in Laurel, Maryland since 2007, providing security instruction at the undergraduate and graduate levels.

David has presented briefings to numerous forums including SANSFire, Forrester, and the Colorado Digital Government Conference. He has contributed content to TechTarget, CSO, State Tech, and numerous other publications.

M.S., Network Security/Information Assurance, Capitol Technical University
B.S., Computer Science, North Carolina State University

About Enterprise Management Associates, Inc.

Founded in 1996, Enterprise Management Associates (EMA) is a leading industry analyst firm that provides deep insight across the full spectrum of IT and data management technologies. EMA analysts leverage a unique combination of practical experience, insight into industry best practices, and in-depth knowledge of current and planned vendor solutions to help EMA’s clients achieve their goals. Learn more about EMA research, analysis, and consulting services for enterprise line of business users, IT professionals and IT vendors at www.enterprisemanagement.com or blogs.enterprisemanagement.com. You can also follow EMA on Twitter, Facebook or LinkedIn.

This report in whole or in part may not be duplicated, reproduced, stored in a retrieval system or retransmitted without prior written permission of Enterprise Management Associates, Inc. All opinions and estimates herein constitute our judgement as of this date and are subject to change without notice. Product names mentioned herein may be trademarks and/or registered trademarks of their respective companies. “EMA” and “Enterprise Management Associates” are trademarks of Enterprise Management Associates, Inc. in the United States and other countries.

©2015 Enterprise Management Associates, Inc. All Rights Reserved. EMA™, ENTERPRISE MANAGEMENT ASSOCIATES®, and the mobius symbol are registered trademarks or common-law trademarks of Enterprise Management Associates, Inc.

Corporate Headquarters: 1995 North 57th Court, Suite 120, Boulder, CO 80301 | Phone: +1 303.543.9500 | Fax: +1 303.543.7687 | www.enterprisemanagement.com