On-Demand Security
Adaptive Planning partners with Savvis, a leading IT infrastructure services provider, to deliver an advanced on-demand security infrastructure that ensures customer data is never compromised.
World-Class Hosting Partner
Adaptive Planning has partnered with Savvis (www.savvis.net), an award-winning and leading provider of IT infrastructure services. Adaptive Planning manages the computer hardware, backups, releases, upgrades and database management, and Savvis provides the environment, secure cages, redundant power lines and high-bandwidth solution access through the internet.
Savvis is an $800 million company with hosting locations across 46 countries. Adaptive Planning leverages their experience, best practices and support services to ensure the optimum experience for our customers. A recognized industry leader in the provision of hosting services (leading in Gartner’s “Magic Quadrant”), Savvis has over 6,000 other customers including Reuters, London Stock Exchange, New York Stock Exchange, the U.S. Federal Government, Google, Yahoo!, and Sony. Savvis has been SAS70 certified since 2005 and undergoes annual re-audits to ensure ongoing compliance. In addition to ongoing SAS70 compliance, Savvis completed their ISO27001 certification in 2007.
Data Security
Adaptive Planning and Savvis collaborate on all aspects of security. Both companies devote significant resources to the ongoing evaluation of emerging threats, and continuously deploy new technologies to ensure the most secure, scalable and private system for our customers. There are four primary considerations for data security:
- Security of the data as it is transmitted across the web from the hosting site to the customer.
- Preventing one customer from being able to view another customer’s information and preventing any other third party access.
- Ensuring every authorized user within a company’s user population has access to only the information and capabilities that have been specified by the budget manager, or the application administrator of the company.
- Physical security of the server location.
Secure Transmission of Customer Data
Adaptive Planning uses the strongest encryption products to protect customer data and communications, including 128-bit encryption over HTTPS with 1024-bit public keys. The web interface to the Adaptive Planning solution incorporates the Managed Desktop Service (MDS)/Secure Socket Layer (SSL) protocols.
The purpose of the protocols is to provide security for the data by encrypting it as it is transmitted between the Adaptive Planning Application Server and the browser hosted on users’ workstations. During use, the lock icon in the browser indicates that data is fully shielded from access while in transit.
SSL is the World Wide Web standard for protecting critical data and is used by banks, brokerages and others to protect their clients’ data. It is almost certainly used for our customers’ other communications security.
Prevention of Access of Customer Data by Another Customer or Third Party
Adaptive Planning engineers have developed the system such that it is not possible for one customer to see the data that belongs to another customer. The data that is stored within the Adaptive Planning application is highly proprietary and confidential information for each of our customers. As such, Adaptive Planning treats this information with great care and respect and provides the most secure environment possible by incorporating the following technologies and techniques.
- Perimeter Security - Adaptive Planning protects both the production and corporate network perimeter with Cisco advanced firewall technology and an intrusion detection device, which are continuously monitored and managed by our in-house technical staff.
- Application Security and Database Tables - Adaptive Planning is designed to make it impossible for one customer to access another customer’s data. Adaptive Planning is a true multi-tenant system with one instance of the application and one instance of the database. However, unlike many other on-demand applications we do not co-mingle customer data. Therefore, each customer’s Adaptive Planning application utilizes a unique and separate set of tables within the database. It is not possible for one customer’s data to be accessed by anyone other than that customer’s authorized users. Even Adaptive Planning support staff cannot view your data without receiving explicit permission (via an ID login).
- Database Security - Adaptive Planning secures its production database by restricting the operating system and database connection levels, permitting a minimal number of access points (Port 443 – avoiding FTP, Telnet, external site access, etc.; Port 80 – sending help content to the browser) and by not sharing a master password database.
User Security
User ID and Password
Users access Adaptive Planning only with a valid username and password combination, which is encrypted via SSL for Internet transmission. An encrypted session ID cookie is used to uniquely identify each user, and after 60 minutes of inactivity the session times out and a new session must be established in order to access data. At the time of implementation, each user is assigned a system-wide unique User ID and password by the administrator. Upon login, each user may then change his/her password. The password is then hashed using MD5 and stored in the database. The User ID is used to map each user to their specific company data.
User Access Control
Adaptive Planning gives the system administrator the ability to grant permission to users to access, view and interact with templates and reports. Each template can be secured further at the “row” level (e.g. fields made “view only” or “hidden”). Each report will only render data relevant to the user’s security rights. Only authorized administrators have access to all of the information in the system, and the full range of administrative functions.
Adaptive Planning has incorporated the concept of role based access control (RBAC) which allows the customer administrator to grant permissions to roles and assign roles to users. The list of permissions includes: add users, edit budgets, view plans, view templates, access reports, etc.
Each user is assigned one or more roles. Only those capabilities that have been granted to the specific roles are made available to the users. Users that have not been assigned specific roles are not aware that the other capabilities even exist in the system.
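The role model described above, sketched as an added example (not Adaptive Planning's code). The permission names come from the list on this page; the role names, row names, rule table and the choice to take the most permissive row mode across a user's roles are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Roles (hypothetical names) mapped to permissions named on this page.
ROLE_PERMISSIONS = {
    "administrator": {"add users", "edit budgets", "view plans",
                      "view templates", "access reports"},
    "budget_owner": {"edit budgets", "view plans", "view templates"},
    "report_viewer": {"access reports"},
}
# Constructed sample data: menu entries, template rows, row-level rules.
MENU = [("Add users", "add users"), ("Edit budgets", "edit budgets"),
        ("View plans", "view plans"), ("View templates", "view templates"),
        ("Access reports", "access reports")]
ROWS = [("Salaries", 120000), ("Travel", 8000), ("Bonus pool", 50000)]
RULES = {("budget_owner", "Salaries"): "view only",
         ("budget_owner", "Travel"): "edit"}
MODE_RANK = {"hidden": 0, "view only": 1, "edit": 2}

@dataclass
class User:
    user_id: str
    roles: set = field(default_factory=set)

def permissions_for(user):
    """Union of permissions over the user's roles; unknown roles grant nothing."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms

def visible_capabilities(user, menu=MENU):
    """Only capabilities the user holds are listed; the rest are never shown."""
    granted = permissions_for(user)
    return [label for label, perm in menu if perm in granted]

def render_template(user, rows=ROWS, rules=RULES):
    """Row-level filter: rows with no rule default to 'hidden' (deny by default)."""
    granted = permissions_for(user)
    if "view templates" not in granted:
        return []
    rendered = []
    for name, value in rows:
        modes = [rules.get((role, name), "hidden") for role in user.roles]
        mode = max(modes, key=MODE_RANK.__getitem__, default="hidden")
        if mode == "edit" and "edit budgets" not in granted:
            mode = "view only"  # editing still requires the permission itself
        if mode != "hidden":
            rendered.append((name, value, mode == "edit"))
    return rendered
```

Each rendered row is a `(name, value, editable)` tuple. The filtering runs on the server side of the model, so a hidden row or capability is absent from the response rather than merely disabled in the interface.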
Physical Security
The Savvis Data Center is physically secure to avoid tampering and unauthorized access.
Security precautions in place include:
- On-site security guards 24/7.
- Wire fencing.
- Biometric identification and validation of visitors/employees access privileges.
- Unique locked cages and cabinets for servers.
- Both Savvis and Adaptive Planning have rigorous employee screening and nondisclosure/confidentiality agreements in place.
Only five Adaptive Planning employees are authorized to have access permission to the site.
Note: In order to meet the diverse needs of clients, all editions of Adaptive Planning are available both on-demand and on-premise.