You are on page 1of 12

WHITE PAPER

Informatica Cloud Architecture and Security Overview


Independent Analysis of the Architecture and Security Features of Informatica Cloud

Executive Summary and Overview


Prepared by Mercury Consulting, a leader in Ground to Cloud Integration. Mercury removes the fog around cloud computing by providing clients with detailed independent research on cloud applications. This report details the Informatica Cloud solution from an architecture and security perspective. Middleware as a service (MaaS) or Cloud Integration links together multiple applications both on-premise and cloud-based. Highly confidential data can be transmitted and, in most cases, saved in software as a service (SaaS) applications such as Salesforce CRM and Force.com. Corporate IT departments need to verify that their cloud-based software vendors can safeguard this data with high levels of security. When addressing security in cloud-based applications, there are many architectural layers to consider. From the physical data center to networking to databases and data transmission, the enterprises data has the potential to be compromised. In the companion white paperSecuring Your Cloud-Based Data Integration A Best Practices ChecklistMercury Consulting provided a list of security-related issues that IT managers must address when developing a cloud-based integration strategy. This checklist spans different layers in the cloud architecture. Table 1 indicates how Informatica Cloud addresses the checklist for each layer. This list appears in the far right column in Table 1. This paper describes the support which Informatica provides for each architectural layer and security issue.
LAYER DEFINITION CHECKLIST COVERAGE

Physical Facility

Represents the actual data center facility where the cloud application runs. Includes the computer hardware, storage devices, security access systems, backup media storage, and power supplies The local area network and Internet service provider networking necessary to link together physical machines and external devices Both the real and virtual operating systems that contain the cloud application set Data management system that persists any data stored by the cloud application (including meta data) The actual cloud software application. In this document, the application equals Informatica Cloud. In-transit data as information moves between data sources and targets

Audit Compliance

Networking

Data Transmission, Data Standards and Connectivity Data Governance, Audit Compliance Data Governance, Data Standards and Connectivity, Audit Compliance Data Governance, Data Transmission, Data Standards and Connectivity, Audit Compliance Data Transmission

Operating System Database

Application

Data Transmission

Table 1. Informatica Cloud architecture layers, definitions and coverage

Informatica Cloud Secure at All Layers


It is common to depict SaaS applications in a nice puffy cloud. But that cloud shape contains an architectural stack ranging from physical hardware to networks to operating systems and end user applications. Figure 1 represents the typical layers found in cloudbased services. Cloud integration could be viewed as a specific example of platform as a service (PaaS). Informatica Cloud connects SaaS applications such as Salesforce CRM and NetSuite.

User Front End Network Management Access


SaaS PaaS

Cloud (Web) applications Cloud software environment Computational resources Storage Communication Services & APIs

IaaS

Cloud software infrastructure Kernal (OS/apps) Hardware Facilities Service customer Cloud-specific infrastructure

Supporting (IT) infrastructure

Figure 1. Cloud layers

The different colors in the diagram represent the different owners of the layers. So the supporting (IT) infrastructure is usually maintained by an IaaS provider (such as Amazon or Microsoft), while the cloud-specific infrastructure is managed by Informatica. The service customer is responsible for providing user-level access control security, which is ultimately maintained by the corporate IT department.

Level 1: Physical Facility Layer


Controlling and monitoring physical access to the hardware is a high priority, and surveillance should at least include closed-circuit cameras and patrolling security guards. Informatica facility partners follow best practices in separation of privileges, least privilege, access control systems, alarm systems, administrator logging, two-factor authentication, codes of conduct, confidentiality agreements, background checks, and monitoring visitor access. Specifically, access to the physical infrastructure is allowed only on a need-to-access basis. All physical access to the infrastructure is logged and monitored.

[2]

Provider

As part of a comprehensive continuity-of-operations plan, Informatica employs two separate data centers managed by different providers. Each data center acts as a failover in case of a failure at the other. The switch to a different data center is transparent to the Informatica customer. Informatica transfers control to the alternate data center by rerouting DNS entries within the Internet backbone. Once the physical IP addresses point to the secondary data center, the Internet will propagate this change through the DNS environment. Very quickly, the secondary data center will be managing all of the Informatica Cloud integration communications worldwide. Data retention is another important factor. Here is the Informatica Cloud backup schedule: 1. On-site incremental disk based backups are saved on-line four times per day. 2. Full backups are performed on a weekly and monthly basis. 3. The data retention period is for six months. Note that only integration metadata is saved in the cloud application. Customer data is never stored during transit. Ideally, the cloud providers data centers should be geographically distributed around the world. As of 2011, Informatica data centers are located on the U.S. East Coast and West Coast. There are plans for non-US based data center targeted for 2012, which will provide more global coverage and redundancy.

Level 2: Networking Layer


The most visible attack vector in a cloud integration environment is the network layer. All cloud-based data integration occurs on proprietary networks and on the public Internet. Firewalls, dynamic firewalls, intrusion detection systems (IDSs), intrusion prevention systems (IPSs), and network proxies are the basic network devices for protecting the network border. Specifically, Informatica provides the following network-based security controls: Firewall-related protections include these features: Segment networks to ensure infrastructure access security. Separate DMZ from all back-end processes through firewalls. Load balancer and firewall policies limit the type of access allowed to each network segment. Firewall imposes Network Address Translation to unpublished addresses. Firewall disables Internet Control Messaging Protocol (ICMP) and telnet. Firewall enables only software-related TCP ports. Installation of split DNS protects server exposure to the Internet. Two-layer password protection is available on all network equipment. SSL encryption is enforced to all security-related pages, including login page. IPS/IDS are implemented to fend off potential attacks from the Internet. The Cloud application is constantly monitored and if any breach is detected, the affected parties would be contacted as soon as possible through the contact mechanisms registered with the service.
[3]

Informatica hires independent security analysts to perform annual penetration tests throughout multiple levels of the network. If a detected scan/probe/attack occurs, the address is blocked at the border routers and alerts are sent within one hour. If the attack is successful, this event is classified as a security incident. Incident response begins, which involves immediate investigation and mitigation with all the appropriate parties.

Level 3: Operating System Layer


Because the customer interacts only with a virtualized environment, the provider is responsible for maintaining and monitoring the hardware. The provider should audit hardware configurations to verify that nothing has tampered with them. Otherwise, the provider is concerned primarily with availability and should document and report as with the facility layer. Informatica technology ensures that the hardened operating systems images have not been tampered with. Informatica users do not have the ability to execute arbitrary code, so no intentional attempts to compromise the OS are possible. Through Informatica data center partners, the following security measures have been taken: Each system and application has an integrated security system. Administration access to each server requires security token and password authentication. The password is changed on a regular basis. Secured shell (SSH) access to all servers is available. Operating systems, servers, routers, firewalls, and databases are patched with the most current security releases. All unnecessary ports and services are disabled.

Level 4: Database Layer


Cloud integration applications are inherently database driven. Data is extracted from and inserted into databases. And data transformation rules so-called metadata are saved within a DBMS. This white paper does not address on-premise source and target database security. We assume that corporate-level data policies protect these data sources. In the case of accessing cloud-based SaaS products, such as Salesforce CRM, Informatica Cloud complies with the Web services security implemented by them. Ideally, the cloud integration provider will not store any customer data within its database. Only metadata should be saved. Informatica Cloud implements this best practice. And this metadata is separated from other users of the service. As Figure 2 shows, the Informatica Cloud repository stores metadatasuch as mappings, application connection information, and transformation rules. This data resides in a true multitenant database model. Informatica Cloud provides user access controls to securely manage users metadata and to separate client data. During the annual network penetration and application assessment tests, Informatica Cloud checks for SQL injection attacks and cross-client data access. (It does this via a prepared statement with named parameters; it does not allow user-defined SQL queries.) Database servers are not accessible to the public Internet.

[4]

Salesforce.com
Salesforce Data

Runs on Windows and/or Linux server (all connections are initiated by the secure agent outbound)

Secure Agent

Business Data
{HTTPS/SOAP}

naX.Salesforce.com

SQL SELECT, ALTER, INSERT UPDATE, DELETE (schema changes, schedule info) {SSL}

Informatica Cloud Services

Metadata

Local Database or File System

Informatica Cloud
ICS Repository
Mappings SFDC Metadata DB Metadata DB and SFDC conn auth info (encrypted)

Administration and Design


Configuration & Maintenance {HTTPS}

Local PC with Web Access

WS/SaaS front-end

Internet

Internal

Figure 2. Overview of Informatica Clouds Secure Agent facilitating data integration between a local database and Salesforce CRM and/or Force.com.

Level 5: Informatica Cloud Application Layer


The Informatica Cloud Secure Agent is a small footprint application that enables secure communication across the firewall between the client organization and Informatica Cloud. It is a functionally equivalent, run-time version of the enterprise-class Informatica PowerCenter execution component (about 90 Mbytes in size). All Informatica Cloud data integration services use the Informatica Cloud Secure Agent to get through the firewall to access application, relational database and file sources and targets in the clients local area network. The Secure Agent consists of a data integration engine and various connectors to external data sources.

Figure 3. The Informatica Cloud Secure Agent manages data transfer and is run locally behind the firewall or can be hosted in the cloud. No data resides on Informatica servers.

[5]

The Informatica Cloud Secure Agent works as follows: Corporate IT downloads the Secure Agent and installs it as a secure Windows service (or Linux process). The Secure Agent inherits the access privileges of the user account that was used for installation. The Secure Agent communicates to Informatica Cloud through https protocol through port 443. All communication initiated by Secure Agent is outbound, so no firewall rules need to be changed. Built-in health check mechanisms ensure persistent connectivity to Informatica Cloud. The Secure Agent downloads the integration job control information in an encrypted format and executes the job. The Secure Agent then launches the engine to execute the integration job Data transfer happens directly from source system to target system and is not staged in Informatica Cloud. This is an important feature of Informatica Cloud from a data security perspective. All data resides behind the corporate firewall until it is transmitted securely to the target. The Secure Agent transmits logging and monitoring information about the integration job to Informatica Cloud. Informatica Cloud records entitlement changes and user transactions in audit logs, including username, date, and nature of change. The audit logs are pruned on a quarterly basis. These logs are always available to customers in the browser UI under administration section.

Customer Perspective
Informatica Cloud provides layered security based on organizations, licenses, users, and roles: Organizations. Users connect to Informatica Cloud as members of an organization. Licenses. They allow organizations to access Informatica Cloud functionality. Licenses are granted by Informatica operations to organizations. Licenses can expire at regular intervals. Organization Administrator. Each organization has at least one user designated as the administrator. The administrator creates and manages the Informatica Cloud account for the organization. The organization administrator is responsible for creating each user and setting up access rights to Informatica Cloud functionality based on the user requirements. User logins. The organization administrator defines the password policy, including minimum password length, minimum character mix, password reuse duration, password expiration duration, and two-factor authentication scheme. User sessions. User sessions time out after 30 minutes of session inactivity. Roles. Role definitions allow users to access Informatica Cloud functionality. The administrator grants roles for an organization.

[6]

This role-based security exemplifies best practices on implementing least privilege access at a very granular level. IT organizations will feel comfortable when setting up Informatica Cloud because it is similar to other enterprise-class security systems. With respect to other SaaS applications, such as Salesforce CRM, the user access credentials are stored in encrypted format. So when the Secure Agent executes, it is able to log in to the SaaS application with credentials as defined by the enterprise (it does not require root/SA access).

Informatica Upgrade Policies


One of the benefits of SaaS is that the end customer receives product updates on a regular basis. All customers stay on the same code base, which the cloud vendor maintains. With some cloud services, a possibility exists that malicious code or spyware could be injected into the code line through the upgrade process. The cloud provider needs to ensure that special care is taken to restrict access to source code and to monitor the upgrade. Informatica Cloud restricts organization access to source code. The operations employees involved in the upgrade must pass background checks and have elevated data export classifications. Informatica Cloud is typically updated multiple times per year. Upgrade notices are posted on user community sites and emailed to customers at least five business days prior to the implementation - scheduled maintenance windows are 7:00 11:00 p.m. Eastern Time. Security-related hot fixes are evaluated for their applicability to the production environment on a regular basis. Critical patches are applied immediately and other patches are updated monthly. The Informatica Quality Assurance (QA) group will verify all code check in. The code is certified as a release to operations build. Software is delivered to the staging site (which is a replica of the production environment). Then QA performs infrastructure, networking, and functional testing for at least 48 hours. After successful testing, the software migrates to the production environment, with full rollback procedures. The Informatica operations group communicates to the customer base throughout the process. As of 2011, Informatica Cloud has not incurred any production delays due to an upgrade. Nor has it had to roll back to a previous version. Updates to the Secure Agent are also managed from the cloud. The stateless nature of the Informatica Cloud Secure Agent means that it can be replaced/upgraded at any time, without disrupting operations. The Secure Agent checks for upgrades during the polling process. Available updates are then automatically downloaded and installed.

[7]

Level 6: Data Transmission Layer


Transmitting data is where the rubber meets the road for a cloud integration solution. During transmission, many things can go wrong, such as application unavailability, DBMS issues, network failure, network congestion, and potential man in the middle/sniffer attacks. Fortunately, the Informatica Cloud service addresses these points of weakness. The Secure Agent checks for application, DBMS, and network availability, when initiating connections. Availability checking is part of the overall Informatica PowerCenter execution capability. The Secure Agent also has built-in network resiliency checks for congestion. If there are any issues, full audit logs are published from the Secure Agent back to the Informatica Cloud repository. The primary defense against man in the middle or sniffing attacks depends on ensuring transport encryption, integrity, and authentication of the communication channel. For example, message security authentication implies signing and verifying a message (using XML Signature), ensuring integrity (using XML hash messages), and implementing messagelevel encryption (using XML Encryption). Informatica Cloud uses SSL (with 128 bit certificates), SSH, and IPSec protocols for data transmission and remote access over public networks. Data transmission implements AES encryption. Secure Agent to Informatica Cloud Communication: The Secure Agent starts a power channel listener on premise. When the Secure Agent communicates anything to Informatica Cloud, it is done through the power channel connection. The Secure Agent code sets up a virtual socket connection port and when the agent sends something on this connection, the power channel listener encrypts it with 128 bit encryption and sends it over port 443 to a power channel server running Informatica Cloud, which then sends it to the Web application. The Secure Agent moves data directly among sources, local system, and targets. No data passes through or resides on Informatica servers.

Cloud to Cloud Integration


As more and more enterprises adopt SaaS to run mission-critical applications, integration between these services will be required. In this case, the Secure Agent will execute within a virtual environment generated by Informatica Cloud. The virtual environment will spin up the Secure Agent, which then downloads integration instructions (similar to the on-premise version). The Secure Agent executes these instructions to read/write data between cloud applications. Again, encryption safeguards in-transit data. And no data is saved within the Secure Agent.

[8]

Summary
This report detailed how Informatica Cloud addresses cloud integration from a security perspective. Cloud integration can be implemented in a variety of ways. Informatica Cloud seeks to minimize the exposure of corporate data, allowing IT departments to have high confidence that proprietary data will not be exposed on the Internet. At all levels of the solution, from data center to data transmission, Informatica Cloud implements best practices that achieve a secure integration experience. The Secure Agent connects directly from source to target systems customer data is never staged or stored in Informatica Cloud. The operations manager provides both line-of-business and IT departments with secure access to integration jobs. This access furnishes a flexible and controlled environment to manage integration scenarios. Lastly, data is encrypted during transmission and is resilient against Internet-based attacks. Data security ranks as one of the biggest challenges when moving to the cloud. The need to integrate disparate systems is not disappearing. So the savvy IT department needs to deploy a secure cloud integration solution to meet todays business challenges. Informatica delivers such a secure integration solution.

About Informatica
Informatica Corporation (NASDAQ: INFA) is the worlds number one independent provider of data integration software. Organizations around the world rely on Informatica to gain a competitive advantage with timely, relevant and trustworthy data for their top business imperatives. Worldwide, over 4,440 enterprises depend on Informatica for data integration, data quality and big data solutions to access, integrate and trust their information assets residing on-premise and in the Cloud. For more information, call +1 888 345 4639 in in the U.S., or visit www.InformaticaCloud.com. Connect with Informatica at http://www.facebook.com/InformaticaCorporation, http://www.linkedin.com/company/ informatica and http://twitter.com/InformaticaCorp.

About Mercury Consulting


Mercury (http://www.mercuryinthecloud.com/) is your trusted cloud technology advisor, specializing in integration services. We make your adoption of cloud services easier by bringing our deep expertise to design your cloud enterprise and provide unbiased guidance on cloud vendors and their SaaS solutions.

[9]

Appendix Service-Level Agreements and Audit Reports


Service-level agreements have become one of the important factors to consider when evaluating cloud service providers. In some cases they can be rather toothless or not provide much compensation in case of failure.

Informatica Cloud Audit Findings


SEcuritY ArEa of REViEW EValuation

A1. Invalidated Input Information from Web requests is not validated before being used by a Web application. Attackers can use these flaws to attack back-end components through a Web application. A2. Broken Access Control Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access other users accounts, view sensitive files, or use unauthorized functions. A3. Broken Authentication and Session Management Account credentials and session tokens are not properly protected. Attackers who can compromise passwords, keys, sessions, cookies, or other tokens can defeat authentication restrictions and assume other users identities. A4. Cross-Site Scripting The Web application can be used as a mechanism to transport an attack to an end users browser. A successful attack can disclose the end users session token, attack the local machine, or spoof content to fool the user. A5. Buffer Overflow Web application components that do not properly validate input can be crashed and, in some cases, used to take control of a process. These components can include CGI, libraries, drivers, and Web application server components. A6. Injection Flaws Web applications pass parameters when they access external/perimeter systems or the local operating system. If an attacker can embed malicious commands in these parameters, the external system may execute those commands on behalf of the Web application. A7. Improper Error Handling Error conditions that occur during normal operation are not handled properly. If an attacker can cause errors to occur consistently, he or she can gain detailed system information, deny service, cause security mechanisms to fail, or crash the server. A8. Insecure Storage and Transport Web applications frequently use cryptographic functions to protect information and credentials. These functions and the code to integrate them are difficult to implement properly, frequently resulting in weak protection. A9. Application Denial of Service Attackers can consume Web application resources to a point where other legitimate users can no longer access or use the application. Attackers can also lock users out of their accounts or even cause the entire application to fail. A10. Insecure Configuration Management Having a strong server configuration standard is critical to a secure Web application. These servers have many configuration options that affect security and are not secure out of the box.
VulnErabilitY DEscription BusinEss RisK LiKElihood of EXploitation LEVEl of EXpErtisE REQuirEd

Meets No Exceptions were found. Meets No Exceptions were found. Meets No Exceptions were found. Meets No Exceptions were found. Meets No Exceptions were found. Meets No Exceptions were found. Meets No Exceptions were found. Meets No Exceptions were found. Meets No Exceptions were found. Meets No Exceptions were found.

REcommEndEd REmEdiation

None

None

None

None

None

[ 10 ]

Informatica Cloud Customer Service and Support Details


Of course, there may come a time when the IT department needs to call for help from its cloud integration provider. Just as in other outsourcing decisions, understanding support parameters is key to success. Support can be measured in terms of availability, response time, and escalation process. For example, the Informatica Cloud Help Desk is available 12x5 for noncritical issues, and 24x7 for critical issues. The hours of operation for noncritical issues are 6:00 a.m. to 6:00 p.m. Pacific Time, Monday through Friday, excluding Informatica Cloud holidays. Informatica Cloud will respond within four hours for critical incidents and one business day for noncritical. When Informatica Cloud becomes aware of an outage, the impacted enterprises will be contacted. Likewise, when Informatica Cloud needs assistance diagnosing on-premise connectivity, Informatica Cloud will need to contact individuals at the enterprise site. For example, if an enterprise reports inability to access the Informatica Cloud login page, yet Informatica Cloud can confirm that the login page can be reached from other external sites on the Internet at large, Informatica Cloud will communicate with the enterprises desktop and/or network administrators. In case a problem is not resolved via level 1 help desk support, Informatica Cloud posts the following escalation process (among others):
SEVEritY-1 Impact TarGEt SErVicEs REstoration REport to IntErnal Support/ WEb SitE REport to EXtErnal Support/ Trust SitE TimEframE

Production site is down. Customers lost connectivity to Informatica Cloud production site, and no workaround is immediately available. 30 minutes from initial alert/report Immediate 10 minutes after service is restored

IntErnal Escalation

CustomEr Escalation

Immediate 1 hour 4 hours

Sales Engineering / Sales Operations / Engineering contact VP of Engineering General Manger of Informatica Cloud

Global Customer Support Customer Success Management VP of Customer Support

[ 11 ]

2011 Netspective Communications LLC

52304 (10/14/2011)

[ 12 ]