Security considerations (SaaS, place in DMZ/internal secure zones) for a Teammate server (used by auditors)

sunhux
Our Internal Audit is setting up a Teammate server (data & reports) plus a separate license
server (this license server needs to be authenticated by Teammate/ACL periodically).

Teammate will host financial data for auditors to analyse/review (using ACL, CAATS)
for frauds so it's considered sensitive data.

Q1:
Is it appropriate for both the license server as well as Teammate server to be SaaS
(like O365) or just the license server or it's best that they must not be SaaS?  For sure
if they're in the cloud, the VM must be located in our country due to cross-border restrictions.

Q2:
Do we place the license server in DMZ & Teammate in the internal secure backend zone?

Q3:
What other security design considerations to take into account?
Restrict license server to Teammate/ACL/CAATS sites only & the Teammate server
to be accessible to Internal Auditors' subnet only?

Author

Commented:
Max 5 users only so management prefers to go SaaS rather than a Capex for a physical server
bbao, IT Consultant

Commented:
Q1: I don't see that it is not appropriate, as long as the license and user data can be kept safe in the cloud and the policies are applied (such as the VM must be region restricted).

Q2: It really depends, as long as the resources in the DMZ or backend zones are in control and trusted. That's the first priority, then choose the most economic solution. Commonly, leaving the server in the DMZ needs less effort in development but more effort in management.

Q3: It depends again. If the internal policy requires data to be kept in a separated zone with firewall and access control in place, then a separated subnet is required.
Exec Consultant
Distinguished Expert 2018
Commented:
1:
The question is what the residual risk is if the company opts for SaaS, and whether the management will accept the residual risk for a full-fledged SaaS. Data sovereignty is just one part of it; data can only be restricted to the jurisdictions below, and if you stay out of these boundaries then the data outflow is inevitable. There is still decent assurance to retain data movement within the region hosted, but not more. The data remains encrypted and there is no commingled data used in TeamCloud (hosted service for Teammate).

There is also no access by the TeamMate staff to your encrypted data. TeamMate Support, Development, and Quality Assurance teams have no access to TeamCloud servers or infrastructure. That said, it is always possible even if the risk is low, as such a hosted site will still need to be accessed by TeamCloud operations staff in other locations to provide maintenance and support. Though it is reasonable for a managed service, the risk has to be accepted, and note they will not reveal the infrastructure log for privacy and security since there are other clients.

Americas
• Dallas, Texas, USA, provided by Rackspace (DFW1)
• Toronto, Ontario, Canada, provided by CenturyLink (TR3)
• Washington D.C. Area, USA, provided by Datapipe (FedRAMP facility)

Europe
• London, United Kingdom, provided by Rackspace (LON3)
• Q2/Q3 2017 we plan to have a Data Center in Germany

AsiaPac
• Sydney, Australia, provided by Rackspace (SYD1)

Since it is only 5 pax and the management is opting for a managed service, you would minimally consider levelling up the mitigation approach:

  • a) IP Address Restrictions - For an additional cost, access to your TeamCloud can be restricted to select IP addresses or ranges.
  • b) Database Encryption of Data at Rest - For an additional cost, TeamCloud offers full database encryption at rest using Microsoft SQL TDE.
  • c) Enhanced Disaster Recovery - Discuss with the vendor; more extensive recovery options may be available with custom contract terms.
  • d) Account management - Identify your audit champions; they need to be accountable for the role, not simply be users. Managing who has access to the TeamMate Application can be performed by your designated champions within your audit department. Thereafter, TeamMate user account additions, removals, and password resets within your TeamMate instance will all be managed by your designated TeamMate champions or System Administrators. Do not have it delegated to the vendor, and have a proper backup and handover SOP for a change of role of these designates.
  • e) Certified reports - Check out this documentation. Copies of the vendor's data center vendors' SSAE16 / ISAE 3402 Type II SOC 2 reports are available upon request. But do note they are issued along with a confidentiality statement that must be accepted by the customer receiving the report, and they cannot be re-distributed.
  • f) Development restriction - Have them assure you that your data is not permitted to be in the development or QA environments without express permission from your company, and establish a mutually agreed upon sanitation procedure.

But let's say you are still considering on-premise, which is much more secure: your company is then responsible for the day-to-day operational maintenance and security, including the below minimally:
  • a) Timely patch implementation. Security patches applied in all replicas and instances to leave no vulnerabilities unaddressed.
  • b) Cater for sufficient bandwidth for availability, e.g. creation of a replica should be done at a location with a good connection to the internet.
  • c) Cater for sufficient speed for real-time access, e.g. creation and transfer of the data on premise depend on available bandwidth and latency.
  • d) Cater for sufficient storage as capacity scales up, e.g. the size of the data growth will affect the local store as well as (b) and (c); as data increases in size, you will be expected to also increase the available bandwidth for faster file transfer.

2:
As already mentioned, it is SaaS or on-premise totally; there is no hybrid. A note is that Teammate cannot support any form of SSO or Federated Identities interface with clients' Active Directory or single sign-on (SSO) systems. That itself will pose an accountability issue for hybrid. That said, if SaaS is adopted, the license server, if required, should not be exposed directly to the internet. Client machines will remotely access the SaaS securely (RDS gateway) and internal networking will handle the request and check accordingly (transparently). On premise, you then need to separate an untrusted zone to ensure a VPN is set up to reach the servers. Where the licence server is placed depends on the application check workflow; better to consult the vendor. The security is taken care of already with VPN enforced.


3:
I suggest you take a look at the security documentation of Teammate TeamCloud. That is what should be provided by your team if you need to do on-premise: non-trivial effort, operationally challenging, and maybe not optimal to sustain in the long run for just 5 pax.
https://pubext.dir.texas.gov/portal/internal/resources/DocumentLibrary/TeamCloud%20Tech%20Security%20Overview%20AM.PDF
Author

Commented:
A bit of historical background on this new server:
currently our Audit dept shares/uses our parent company's Teammate server. However, our parent company's internal audit requires us to have a separate server as we are a separate entity and due to the sensitivity of the data.
btan, Exec Consultant
Distinguished Expert 2018
Commented:
Take a risk-measured approach to avoid connecting the server to the Internet directly, which is why a VPN may be worth considering. Another point is that even without use of a VPN, you can still consider cloud security services like Cloudflare or AWS cloudshield if using TeamCloud. But this is better discussed with the vendor tech support. The rule is to avoid unnecessary exposure, and if the system were to be compromised, leading to data leakage, then Internet exposure and data sovereignty are the concerns to address first.

Author

Commented:
Thanks very much for the PDF, which shows the only AsiaPac TeamCloud DC is in Sydney. As we don't want data to be in another country, can we have the data/DB sit in a VM at a cloud service provider in our country while running the SaaS TeamCloud from Sydney? Seems complicated.

Author

Commented:
That PDF mentions a TeamCloud SQL database, so I reckon the DB will have to sit inside a VM in Sydney? Any chance that the DB and data at rest are within our country? Or can we run without TeamCloud, using AWS in our country?
btan, Exec Consultant
Distinguished Expert 2018

Commented:
A change in the jurisdiction availability zones is unlikely, but as mentioned, go through your contact to get the latest updates.

Author

Commented:
OK, will liaise with the Teammate account manager.

In the event a TeamCloud DC is not available in Singapore, I guess we have to go with IaaS with a cloud provider that has a presence in Singapore, right?
btan, Exec Consultant
Distinguished Expert 2018
Commented:
I would think so, even if there is risk acceptance, as the first thing is to make sure compliance with regulation is not being implicated. AWS, Google and Azure have Singapore AZs, but for the specific services it would be better to engage them and confirm on requirements.
