Uploaded by Zoltan Adam Szabadi

TOPdesk-Security

Security
Secure hosting
We only allow secure connections to TOPdesk SaaS environments. HSTS preloading is used to ensure all
common browsers force users to a secured connection. The strength of our SSL certificate (used to
encrypt the connection) is evaluated on a regular basis and currently has an A+ score from Qualys SSL
labs.
TOPdesk uses a Content Delivery Network (CDN) for worldwide fast availability of TOPdesk environments,
for (D)DoS protection, and to block known threats. A Security Information and Event Management (SIEM)
system is used to detect attacks against our network at an early stage. These systems are monitored 24/7
by a Security Operations Center with certified security experts.
Additionally, you can use your own intrusion detection system and link this to the TOPdesk (access) logs.
It's also easy to set up an IP restriction for your TOPdesk SaaS environment, so only your colleagues can
access your TOPdesk environment.
Antivirus and malware definitions are updated daily. File scans during upload, and regular full storage
scans, ensure your users can safely work with attachments.
Servers are hardened by only allowing predefined connections, setting all relevant security settings and
monitoring these settings against a desired state. TOPdesk will also ensure all relevant updates are
installed in a timely fashion (see Server management and Always up to date).
Management access is limited to a small group of TOPdesk SaaS administrators and is only possible using
a personal account and via a multi-factor authentication gateway (see Access management). Separate
servers are configured for management access, which are hardened and closely monitored.
Data separation
Your data is stored separately from other customers' data. Customer-specific files (like attachments) are
stored in a folder which can only be accessed by your dedicated TOPdesk environment. Folder and file
permissions ensure that only the TOPdesk environment that created a file can access it.
This design also ensures that malware can't spread within our SaaS network. Only your TOPdesk
environment can access your files, and it doesn't have permissions to execute anything or to access files
outside your folder, preventing viruses from spreading.
A similar design is used for databases; your TOPdesk environment can only connect to its dedicated
database, and database permissions ensure that no application but your TOPdesk environment is
allowed to access the data. This dual layer of security ensures that data remains segregated from other
customers, and can never be accessed by unauthorized users.
Secure software development
Secure coding guidelines ensure our software is of high quality and safe to use. Our measures include:
- An extensive internal 'Definition of Done' which defines minimum standards for all software that is
  developed. These standards include topics like accessibility, privacy, security, error handling, API
  usage, and much more.
- Using pair programming and code reviews to ensure adherence to our standards and code quality.
- Following secure coding guidelines and continuously testing on topics mentioned in the OWASP list.
- Using standard frameworks and methods to prevent vulnerabilities resulting from programming
  errors.
- Employing security-specialized developers who initiate knowledge sharing and peer reviews at our
  Development department.
- Actively keeping track of security issues with external methods used by TOPdesk. This way, we can
  take follow-up action if such an issue is found.
- Combining automated and manual tests during development and delivery phases.
- Getting external parties to evaluate all our versions before they go live on your production
  environments.
Penetration tests
During development all software components and dependencies are scanned for known vulnerabilities. If
no problems are found, the software is compiled and automatically tested. When all tests are successful,
the software is deployed on a live environment which is scanned (black-box) for vulnerabilities on a daily
basis. A daily automated penetration test verifies if common or previously found issues can be exploited.
These tests include known threats and OWASP vulnerabilities.
The daily automated vulnerability scans and penetration tests are executed by an external auditor. To
verify the scan results, improve future scans, and detect new issues specific to the TOPdesk software, a
certified independent security expert performs a security test at least every 3 months. If the security test,
penetration test, or vulnerability scan results in any actionable findings, TOPdesk will resolve these with
the highest priority.
You can also execute your own penetration test or vulnerability scan, but please inform us beforehand.
These efforts have led to an SOC 2 audit report (see certification), which you can request to verify the
security of our procedures and processes.
Availability & Continuity
We aim to keep all TOPdesk SaaS environments online 24/7. Our target uptime in the standard SLA for
TOPdesk SaaS environments is 99.9%. The average uptime of all TOPdesk SaaS production environments
(24/7, excluding scheduled maintenance) in Q3 2023 was 99.96%.
Several measures ensure the availability of TOPdesk SaaS environments:
- Our redundant infrastructure ensures that a failing part does not affect availability.
- TOPdesk is installed on virtual machines that can be instantly transferred to another server, should
  a server fail.
- The TOPdesk database has a primary and secondary database server, ensuring availability in case of
  a database server failure.
- Several proxy servers in a load balancing set-up ensure heavy traffic does not cause your TOPdesk
  environment to become unreachable.
- Automated deployment of servers from a CMDB ensures failing servers can be quickly recreated.
Monitoring and incident response
TOPdesk has a 24/7 monitoring system on all TOPdesk SaaS environments and servers. The monitoring
system verifies health metrics for every TOPdesk environment, like the (internal and external) availability,
database connection, and search index availability. Servers are also tested on relevant metrics, like
availability, CPU usage, memory usage, and available disk space. To ensure our back-up system works as
expected, we also monitor the last back-up restore test for database servers.
Should the monitoring system detect a problem, TOPdesk operators are immediately notified. During the
night, a 24/7 stand-by shift ensures issues are quickly resolved. Issues affecting multiple TOPdesk
environments are published on our status page and via the Self-Service Portal. You can also verify the
monitoring results for your environment(s) on our portal, and (if desired) immediately schedule follow-up
actions like a restart of your TOPdesk environment, or submit a ticket for our Support team.
Back-up procedures
Back-up procedures ensure we can continue to operate in the unlikely event that data becomes
unreachable:
- Continuous database transaction logs ensure that we can recover data from any point in time for the
  past 30 days.
- Daily off-site attachment back-ups ensure your uploaded documents also remain available, even in
  case of a data center failure.
- You can also download your own data (uploaded files) from TOPdesk, in case you want a separate
  back-up at your own location. This download can also be automated.
If you'd like to store a local copy of your database, you can easily request an export of your data using
our customer portal.
Back-up and restore procedures are tested at least monthly. A monitoring system ensures the last restore
test for each site was no more than 30 days ago. As servers are deployed automatically, recovering from
a data center loss is hardly different from day-to-day operations.
Disaster recovery procedures
Our disaster recovery procedures and back-up systems ensure quick recovery times. In over 75% of all
cases we are able to restore all services within 15 minutes.
In case of serious failures within a site, redundancy and fail over procedures ensure:
- Recovery Time Objective (RTO): 1 hour.
- Recovery Point Objective (RPO): up to 60 minutes. In most cases less than 1 minute, using Point in
  Time restore possibilities.
In the unlikely event of a total site failure (datacenter is lost):
- Recovery Time Objective (RTO): services are fully operational for all customers of the lost site, within
  5 days.
- Recovery Point Objective (RPO): a maximum data loss of 24 hours is possible.
You can always stay up-to-date regarding the availability of TOPdesk SaaS environments by checking the
availability of your environment on our customer portal (My.TOPdesk.com) and by visiting our SaaS
Status blog.
Access management
Access for users
TOPdesk can link to many identity providers. This means you can easily control who has access to your
TOPdesk environment, without setting up a separate login system. Simply link TOPdesk to your existing
identity provider (via ADFS, SAML, LDAPS, etc.) and you can log in using Single Sign On (SSO). Our
consultants will help you to create a secure link between both systems.
TOPdesk allows for role based interfaces and authorizations. Access is adjustable on a granular level. You
can choose which services each user (or user group) has access to, and whether the user has read, write,
or advanced permissions. Roles and permission groups can be easily defined and changed in the
interface, by selecting the appropriate permissions through tickboxes.
From our customer portal (My.TOPdesk.com) you control your TOPdesk SaaS environment. You can
manage which users are allowed to request changes to the environment, schedule actions, and request
changes. TOPdesk will only execute changes requested by contacts that have previously been registered
as 'SaaS main contact' person in our system, to prevent unauthorized changes.
Access for TOPdesk
TOPdesk employees can only access your TOPdesk SaaS environment when you have requested them to
do so, for instance when you’ve asked our Support team for help.
All TOPdesk Support staff that might be granted access to your environment will have:
- a certificate of conduct
- a confidentiality agreement in their contract
- completed an extensive training program regarding the TOPdesk products, and hosting related topics
  such as handling confidential data and security awareness.
You can even determine whether TOPdesk employees can access your TOPdesk environment. You can
find the settings for this at 'Functional settings > Login settings > General'.
TOPdesk won't store any passwords for your environment. TOPdesk employees will only have access
using a personal account from a secure TOPdesk authentication server.
Access controls
You can (automatically) download the access logs for your environment to verify who accessed the
environment, and at what time. Access logs include all login attempts and information to identify the
source, like IP addresses. As the access logs can be accessed automatically, you can link them to your own
Intrusion Detection System.
TOPdesk stores access logs for half a year. If you'd like to store the logs for a longer period, you can
download a copy.
You can also request to make the full TOPdesk logs available for automated access. This allows you to
review all activity in your TOPdesk environment, including settings changes, permissions changes, and
new accounts. The full TOPdesk logs will be available for up to 3 days, but you can store a local copy if you
need them longer.
It's possible to limit the availability of your TOPdesk environment to a certain IP range for additional
security. To request an IP whitelist, please use the form on our customer portal.
Also see our privacy policy and the Security section of this page.
Encryption
Encryption of stored data protects against data theft by someone with direct access to the disks on which
the data is stored. TOPdesk has covered this risk in several ways.
The following steps have been taken to prevent theft of data:
- Our AU1 (Australia), BR1 (Brazil), CA1 (Canada), EU1 (Europe) and NO1 (Norway) datacenters only use
  encrypted disks for customer files, database back-ups, and TOPdesk databases. In our NL3, UK1
  and US1 datacenters all customer files and database back-ups are stored on encrypted disks. TOPdesk
  will continue to expand the available encryption options.
- Database encryption has been enabled from the beginning by default on all our Azure hosting
  locations. It is enabled for the other hosting locations as well during the implementation of the new
  Microsoft SQL Version except for our NL3 hosting location. Our NL3 hosting location is scheduled to
  get database encryption with the planned update to the new Microsoft SQL Version.
- TOPdesk and its hosting providers will ensure that all disks that have contained unencrypted customer
  data will be overwritten using DBAN before reuse, or the disk will be destroyed to make future use
  impossible.
- TOPdesk only uses well-protected data centers to host customer data. 24/7 security guards are
  present in the data centers and only previously announced persons with a valid ID are allowed in.
  There is continuous camera surveillance and all server racks have their own lock. This makes it
  impossible for unauthorized users to acquire the servers or the data stored thereon.
- Data is distributed over multiple disk drives. This ensures that an error on a disk does not cause loss of
  data, but also ensures that a stolen disk contains only fragments of files and hardly any readable data.
- TOPdesk has a monitoring system that verifies the available disk space on servers. If disks disappear
  unexpectedly, this monitoring system reports the change to TOPdesk operators who can contact the
  data center to check for anomalies.
- TOPdesk has data processing agreements with all used data centers. Data center operators are not
  allowed to handle customer data, and control procedures are in place. The effectiveness of these
  procedures is regularly audited, and TOPdesk reviews the audit results.
Encrypted connections
A risk related to theft of stored data is interception of data before it is stored. This risk is covered by only
allowing encrypted connections (HTTPS) with TOPdesk SaaS environments. HSTS preloading ensures all
connections are automatically started using HTTPS by all common browsers.
Regular checks determine whether there are known errors in used communication protocols, after which
unsafe protocols are disabled as soon as possible. These measures resulted in an A+ score for the
TOPdesk SaaS SSL certificate on Qualys SSL Labs, an independent party that assesses the strength of
secure connections.
Exit strategy
Data saved in your TOPdesk environment remains your property. We offer a default and easy way to
retrieve your data from our software, when you terminate your contract with us for example. You can, at
any time, download all your uploaded attachments via your TOPdesk environment.
After terminating your contract, we keep your data for a maximum of 90 days and remove it
automatically after this period. To ensure that your data is completely deleted, we have an automatic
system with built-in control mechanism for the deletion. We also have a monitoring system that actively
scans folders, databases and live environments for data that should have been removed.
If you have not already downloaded your data before your contract ended, one of your SaaS Main
Contacts can contact TOPdesk Support to request a copy of your data from the backup. Upon this
request, we’ll send you the data as soon as possible through a secure connection. All data comes in a
regular file format.