Combines SolarWinds IP Address Manager and User Device Tracker to help detect IP conflicts, quickly identify affected systems, and help your team take near instantaneous action. Help improve visibility and enhance reliability with SolarWinds IP Control Bundle.
Security considerations (SaaS, place in DMZ/internal secure zones) for a Teammate server (used by auditors)
Our Internal Audit is setting up a Teammate server (data & reports) plus a separate license
server (this license server needs to be authenticated by Teammate/ACL periodically).
Teammate will host financial data for auditors to analyse/review (using ACL, CAATS)
for frauds so it's considered sensitive data.
Q1:
Is it appropriate for both the license server as well as Teammate server to be SaaS
(like O365) or just the license server or it's best that they must not be SaaS? For sure
if they're in cloud, the VM must be located in our country due to cross-border restrictions
Q2:
Do we place the license server in DMZ & Teammate in the internal secure backend zone?
Q3:
What other security design considerations to take into account?
Restrict license server to Teammate/ACL/CAATS sites only & the Teammate server
to be accessible to Internal Auditors' subnet only?
server (this license server needs to be authenticated by Teammate/ACL periodically).
Teammate will host financial data for auditors to analyse/review (using ACL, CAATS)
for frauds so it's considered sensitive data.
Q1:
Is it appropriate for both the license server as well as Teammate server to be SaaS
(like O365) or just the license server or it's best that they must not be SaaS? For sure
if they're in cloud, the VM must be located in our country due to cross-border restrictions
Q2:
Do we place the license server in DMZ & Teammate in the internal secure backend zone?
Q3:
What other security design considerations to take into account?
Restrict license server to Teammate/ACL/CAATS sites only & the Teammate server
to be accessible to Internal Auditors' subnet only?
Who is Participating?
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get this solution by purchasing an Individual license!
Start your 7-day free trial.
I wear a lot of hats...
"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.
Q1: i don't see it is not appropriate as long as the license and user data can be kept safe in the cloud and the polices are applied (such as VM must be region restricted)
Q2: it really depends, as long as the resource in DMZ or backend zones are in control and trusted. that's the first priority, then choose the most economic solution. commonly, leaving the server in DMZ needs less effort in development but more effort in management
Q3: it depends again. if the internal policy requires data to kept on a separated zone with firewall and access control in place, then a separated subnet is required.
Q2: it really depends, as long as the resource in DMZ or backend zones are in control and trusted. that's the first priority, then choose the most economic solution. commonly, leaving the server in DMZ needs less effort in development but more effort in management
Q3: it depends again. if the internal policy requires data to kept on a separated zone with firewall and access control in place, then a separated subnet is required.
1:
The question is what are the residual risk if the company opt for SaaS and will the management accept the residual risk for a full fledged SaaS. Data sovereignty is just one of it and it is only possible to be restricted to only these jurisdiction below and if you stay out of this boundaries then the data outflow is inevitable. There is still decent assurance to retain data movement within the region hosted but not more. The data remain encrypted and there is no commingled data used in TeamCloud (hosted service for Teammate).
There is also no access by the Team mate staff on your encrypted data. TeamMate Support, Development, and Quality Assurance teams have no access to TeamCloud servers or infrastructure. That said, it is always possible even if the risk is low as such hosted site will still need to be accessed by TeamCloud operations staff in other locations to provide maintenance and support. Thought it is reasonable for a managed service but the risk has to be accepted and note they will not reveal the infrastructure log for privacy and security since there are other clients.
But let say if you are still considering the on premise which is much more secure, your company is responsible for the day to day operational maintenance and security. Including the below minimally
2:
As already mentioned it is SaaS or on premise totally, there is no hybrid. A note is that any form of SSO or Federated Identities, teammate cannot support such interface with clients Active Directory or single sign on systems (SSO). That itself will pose accountability issue for hybrid. That said if the SaaS is adopted, the license server if required should not be exposed directly to internet. Client machine will remotely access securely into the SaaS (RDS gateway) and internal networking will handle the request and check accordingly (transparently). On premise, you then need to separate a untrusted zone to ensure VPN is done up to reach the servers - where the licence server is placed depends on the application check workflow - better to consult the vendor. The security is taken care already with VPN enforced.
3:
I suggest you take a look at the security documentation of Teammate TeamCloud. That is what should be provided by your team if you need to do on premise - non-trivial efforts and operationally challenging and may not be optimal to sustain for long run for just 5 pax
https://pubext.dir.texas.gov/portal/internal/resources/DocumentLibrary/TeamCloud%20Tech%20Security%20Overview%20AM.PDF
The question is what are the residual risk if the company opt for SaaS and will the management accept the residual risk for a full fledged SaaS. Data sovereignty is just one of it and it is only possible to be restricted to only these jurisdiction below and if you stay out of this boundaries then the data outflow is inevitable. There is still decent assurance to retain data movement within the region hosted but not more. The data remain encrypted and there is no commingled data used in TeamCloud (hosted service for Teammate).
There is also no access by the Team mate staff on your encrypted data. TeamMate Support, Development, and Quality Assurance teams have no access to TeamCloud servers or infrastructure. That said, it is always possible even if the risk is low as such hosted site will still need to be accessed by TeamCloud operations staff in other locations to provide maintenance and support. Thought it is reasonable for a managed service but the risk has to be accepted and note they will not reveal the infrastructure log for privacy and security since there are other clients.
AmericasSince it is only 5 pax and the management is opting for a managed service then you would minimally consider level up the mitigation approach
• Dallas, Texas, USA, provided by Rackspace (DFW1)
• Toronto, Ontario, Canada, provided by CenturyLink (TR3)
• Washington D.C. Area, USA, provided by Datapipe (FedRAMP faculty)
Europe
• London, United Kingdom, provided by Rackspace (LON3)
• Q2/Q3 2017 we plan to have a Data Center in Germany
AsiaPac
• Sydney Australia, provided by Rackspace (SYD1)
- a) IP Address Restrictions - For an additional cost, access to your TeamCloud can be restricted to select IP addresses or ranges.
- b) Database Encryption of Data at Rest - For an additional cost, TeamCloud offers full database encryption at rest using Microsoft SQL TDE.
- c) Enhanced Disaster Recovery - Discuss with vendor for more extensive recovery options may be available with custom contract terms.
- d) Account management - Identify your audit champion and they need to be accountable for the role not simply as a user only. One who has access to the TeamMate Application can be performed by your designated champions within your audit department. Thereafter, TeamMate user account additions, removal, and password resets within your TeamMate instance will all be managed by your designated TeamMate champions or System Administrators. Do not have it delegated to vendor and have proper backup and hand over SOP for change of role of these designates..
- e) Certified reports - Check out these documentation. Copies of the vendor data center vendors SSAE16 / ISAE 3402 Type II SOC 2 reports are available upon request. But do note they are issued along with a confidentiality statement that must be accepted by the customer receiving the report and cannot be re-distributed.
- f) Development restriction - Have them to assure you that your data is not permitted to be in the development or QA environments without express permission from your company and establish a mutually agreed upon sanitation procedure.
But let say if you are still considering the on premise which is much more secure, your company is responsible for the day to day operational maintenance and security. Including the below minimally
- a) Timely patch implementation. Security patch done up in all replica and instance to leave no vulnerabilities unaddressed.
- b) Cater sufficient bandwidth for availability e.g. creation of a replica should be done at a location with a good connection to the internet.
- c) Cater sufficient speed for real time access e.g. creation and transfer of the data on premise depend on available bandwidth and latency.
- d) Cater sufficient storage as capacity scale up e.g. size of the data growth will affect the local store as well as (b) and (c) as data increase in size, you will be expecting to increase also the available bandwidth for faster files transfer.
2:
As already mentioned it is SaaS or on premise totally, there is no hybrid. A note is that any form of SSO or Federated Identities, teammate cannot support such interface with clients Active Directory or single sign on systems (SSO). That itself will pose accountability issue for hybrid. That said if the SaaS is adopted, the license server if required should not be exposed directly to internet. Client machine will remotely access securely into the SaaS (RDS gateway) and internal networking will handle the request and check accordingly (transparently). On premise, you then need to separate a untrusted zone to ensure VPN is done up to reach the servers - where the licence server is placed depends on the application check workflow - better to consult the vendor. The security is taken care already with VPN enforced.
3:
I suggest you take a look at the security documentation of Teammate TeamCloud. That is what should be provided by your team if you need to do on premise - non-trivial efforts and operationally challenging and may not be optimal to sustain for long run for just 5 pax
https://pubext.dir.texas.gov/portal/internal/resources/DocumentLibrary/TeamCloud%20Tech%20Security%20Overview%20AM.PDF
Experts Exchange Solution brought to you by
Your issues matter to us.
Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.
Start your 7-day free trial
a bit of historical background on this new server:
currently our Audit dept shares/uses our parent company's Teammate server. however, parent company's internal audit requires us to have a separate server as we are a separate entity and due to the sensitivity of the data
currently our Audit dept shares/uses our parent company's Teammate server. however, parent company's internal audit requires us to have a separate server as we are a separate entity and due to the sensitivity of the data
Take a risk measured approach to avoid connecting server to the Internet directly which is why VPN may be worth considering. Another point is even without use of VPN, you can still consider cloud security services like cloudflare or AWS cloudshield if using teamcloud. But this is better discussed with the vendor tech support. Rule is avoid unnecessary exposure and if the system is to be compromised leading to data leakage then Internet exposure and data sovereignty are concern first to address.
thanks very much for the PDF which shows the only AsiaPac TeamCloud DC is in Sydney. As we dont want data to be in another country, we can hv the data/DB sits in a VM is a Cloud service provider in our country while running the SAAS Teamcloud fr Sydney? seems complicated
that Pdf mentions TeamCloud SQL database so I reckon the db will hv to sit inside a VM in Sydney? any chance that the db and data at rest are within our country? or can we run without Teamcloud using AWS in our country?
Unlikely in the change in the jurisdiction availability zones but as mentioned go through your contact to get latest updates.
ok will liaise with Teammate account manager.
in the event Teamcloud DC is not available in Spore, guess we hv to go with IAAS with a cloud provider tt has a presence in Spore, right?
in the event Teamcloud DC is not available in Spore, guess we hv to go with IAAS with a cloud provider tt has a presence in Spore, right?
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Virtualization
From novice to tech pro — start learning today.
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get this solution by purchasing an Individual license!
Start your 7-day free trial.