Answering the Security Question for Yammer

Answering the Security Question
Audience
The information in this deck is geared towards IT security personnel, system administrators, and chief information officers (CIOs). However, anyone with IT experience will find it helpful in explaining security at Yammer.
Topics and Learning Objectives
This deck covers the following topics about Yammer’s security:
• The different practices that Yammer has instituted to maintain security
• The technical aspects of Yammer’s security features
• The security tools that Yammer provides customers to help them administer security
After completing this course, you will be able to:
• Discuss Yammer’s security and privacy policies
• Describe Yammer’s user access and content controls
• Articulate Yammer security to CIOs and other security professionals
What Do CIOs Want To Hear?
Yammer is Private and Secure
Yammer is Private
• All customer data in a Yammer network is fully owned and managed by the customers that input their data.
• The information shared through Yammer is private and restricted to employees within your organization.
• Preserving the confidentiality and integrity of your information is a top priority at Yammer.
Yammer is Secure
• Yammer’s deep culture of security is ingrained into its product development and practices.
• Yammer takes an iterative approach in designing security procedures and controls. We continuously analyze our controls, policies, and software designs to ensure users are protected.
Yammer Takes Compliance Seriously
Yammer takes third-party compliance seriously. To meet industry standards and keep our customers secure, our Security Engineering Leadership has charted a roadmap that includes:
• Compliance with the American Institute of CPAs (AICPA) SSAE 16 SOC1 attestation for its production data center.
• Pursuit of the International Organization for Standardization’s ISO 27001 information security management standard.
• Preparation for the Federal Risk and Authorization Management Program (FedRAMP) security authorization.
Yammer’s Secure Foundation
Secure Connections and Applications
Yammer takes steps to secure network traffic and in-transit customer data:
• Connections are secured via HTTPS. Attempts over HTTP are always redirected to HTTPS.
• Transport Layer Security (TLS) certificates are enabled with a minimum 1024-bit asymmetric key.
• Yammer maintains deny access control lists (ACLs) at all Internet ingress connections.
• Security context verification is enabled to verify the source and destination of customer data.
• Yammer uses a mix of third-party firms to conduct quarterly penetration tests and provides test results to customers.
Yammer makes application security a priority:
• Yammer is tested against the Open Web Application Security Project (OWASP) Top Ten Vulnerabilities Project, which includes:
  • SQL injection and cross-site scripting (XSS) attacks.
  • Broken authentication and session management bugs.
A Modern and Secure Infrastructure
Yammer’s infrastructure is secured through:
• Strict personnel access controls, including biometric and PIN-based locks.
• Detailed visitor entry logs and video surveillance all day, every day.
• Linux servers hardened using industry-standard configuration scripts developed by the Center for Internet Security.
• Physical and logical separation between the web, application, and data storage servers.
Yammer’s infrastructure is compliant:
• Security and compliance are a top priority for Yammer’s security team.
• Yammer’s data center is offsite and Tier IV SSAE 16 SOC1 compliant.
• Weekly access audits are performed to ensure data center access is limited appropriately.
• Yammer is migrating to Microsoft's Global Foundation Services (GFS) data centers in the next year. GFS has a host of compliance certifications, including ISO 27001.
Robust Backup and Recovery
Yammer’s disaster recovery plan ensures that your data is safe and secure, even when the unthinkable happens.
• Backups of the database are taken daily, and sometimes multiple times a day.
• Backups are encrypted with AES-128 after completion and replicated securely offsite.
• Yammer can redeploy its infrastructure in the cloud quickly and securely if its data center is affected by a natural disaster.
Yammer’s Security Tools
Easy and Powerful User Provisioning
Yammer’s user provisioning tools take the work out of user access control:
• Yammer’s administration panel gives the customer’s verified administrator the ability to manage user details individually or in bulk using comma-separated values (CSV).
• Beyond its own user access tools, Yammer supports Active Directory integration, giving the customer easy access to streamlined user management.
Yammer makes it easy to support Single Sign-on (SSO):
• Yammer’s SSO module lets you easily access Yammer in just one click from an SSO portal, where all your enterprise applications are already located.
• Yammer’s SSO server connects to your existing SAML-based SSO server to automatically log in your users based on your authentication mechanisms.
[Diagram: User, SAML SSO Server, SSO Portal]
Passwords, Sessions, and Keywords
Yammer makes it simple to manage password policies for every user.
• Through the Yammer Admin Console, verified administrators can control:
  • Password strength.
  • Password length.
  • Password expiry.
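The three controls just listed (strength, length, expiry) are the inputs to any password-policy check. As an added illustration, not Yammer's own code and not a description of how the Yammer Admin Console evaluates passwords, here is a small policy evaluator: strength is modelled as the number of character classes used, length as a minimum character count, and expiry as a maximum password age in days. The PasswordPolicy field names, their default values and the sample passwords are assumptions made for the example.

```python
"""Evaluate a password against an administrator-defined policy.

Hypothetical example (not Yammer code). The policy has the three knobs named
on the slide: strength (character classes required), length (minimum
characters) and expiry (maximum age in days).
"""
from dataclasses import dataclass
from datetime import date
import string


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 12      # assumed default
    min_classes: int = 3      # of: lowercase, uppercase, digits, symbols
    max_age_days: int = 90    # 0 disables expiry


def character_classes(password):
    """Count how many of the four character classes the password uses."""
    checks = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return sum(checks)


def check_password(password, policy, last_changed=None, today=None):
    """Return a list of policy violations; an empty list means compliant.

    last_changed is the date the password was last set; when it is None the
    expiry rule is skipped (for example when a new password is being chosen).
    """
    today = today or date.today()
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"length {len(password)} < {policy.min_length}")
    classes = character_classes(password)
    if classes < policy.min_classes:
        problems.append(
            f"uses {classes} character classes, need {policy.min_classes}")
    if policy.max_age_days and last_changed is not None:
        age = (today - last_changed).days
        if age > policy.max_age_days:
            problems.append(
                f"password is {age} days old, limit {policy.max_age_days}")
    return problems


def is_compliant(password, policy, last_changed=None, today=None):
    """Convenience wrapper: True when check_password finds nothing."""
    return not check_password(password, policy, last_changed, today)


if __name__ == "__main__":
    policy = PasswordPolicy()
    # Constructed sample inputs.
    for pw, changed in (("Tr0ub4dor&3x", date(2024, 1, 1)),
                        ("password", None)):
        print(pw, check_password(pw, policy, changed, date(2024, 3, 1)))
```

Returning the full list of violations, rather than the first one, lets an admin console or a user-facing form explain every rule the password fails in one pass.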
Yammer allows users and administrators to manage their sessions.
• Verified administrators can log users out using the Yammer Admin Console.
• Users are able to manage their own specific sessions.
Using keyword monitoring, Yammer puts you in control of your content.
• Verified administrators can monitor keywords and regular expression strings.
• Administrators and community managers are notified of banned keyword entries.
• Administrators may remove the post in question from the Yammer UI.
Learning Review and Additional Resources
Learning Review
In this deck, we provided information covering:
• How to position Yammer’s security to CIOs.
• The tools Yammer provides to help you manage users and security.
• Yammer’s security layers and commitment to compliance.
With this information, you should be able to:
• Discuss Yammer’s security and privacy policies.
• Describe Yammer’s user access and content controls.
• Articulate Yammer’s security to CIOs and other security professionals.
Additional Resources
The following resources can provide you with additional information about Yammer’s security practices and tools:
The Security Information page at the Yammer Success Center contains the latest security information and overview document.
For information about the security of Yammer and Office 365, visit the Office 365 Trust Center.
Questions?