
Oct 03, 2020


dariahiddleston
Page 1

Saba Cloud Security

The Saba Cloud Platform

The Saba Cloud platform is highly scalable and meets and/or exceeds industry security and compliance standards and industry-accepted practices. Its powerful, standards-based architecture can address the common and distinct needs of large customers in a global implementation, as well as those of mid-sized enterprises in a cloud environment. This document is designed to answer most of the questions you may have about Saba’s security infrastructure and standard operating procedures, as well as the support that ensures reliable and secure delivery of your Saba Cloud services.

This commitment to security is carried throughout the application design process. Saba’s Information Security Program implements a comprehensive review process that focuses on meeting and/or exceeding industry-accepted practices.

In addition to embedding security throughout the System Development Life Cycle (SDLC), Saba adheres to privacy requirements that provide controls to address secure handling, retention/deletion, and transference of personally identifiable information in accordance with customer privacy requirements.

Security Design Principles

Cloud Security Governance and Management
Systems Hardening
System and Data Access Control
Application and Data
Network Security

Page 2

Cloud Security Governance and Management

Security Steering Committee: The IT Security & Privacy Steering Committee provides governance to ensure recognition of Saba’s top security risks and compliance gaps with applicable policies, procedures, laws and regulations. It also provides a consensus-based forum to support the Chief Information Security Officer (CISO) and collaborate on:

1. Identifying and aligning on high-priority initiatives, and
2. Developing recommendations for policies, procedures and standards to address those initiatives that enhance the security posture and protection afforded to Saba and its customer networks, information and information systems.

Cloud Management: Saba has deployed a layered data protection and security framework. Saba’s defense-in-depth approach involves the use of appropriate physical, administrative and technical controls. Saba controls are designed to assure the confidentiality, integrity and availability of client data and services. Saba’s cloud governance framework is supported by policies, standards and procedures, which are reviewed annually. Cloud security controls and operations management practices – which comprise Saba’s Information Security Management System (ISMS) – are based on internationally accepted practices and draw upon delivery frameworks such as the ISO/IEC 27000 family of standards.

Systems Hardening

Saba systems are security hardened to reduce vulnerabilities consistent with industry best practices. Hardening standards draw upon benchmarks defined by the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST), with additional guidance from the Computer Emergency Response Team (CERT) and vendor-recommended best practices.

System and Data Access Control

Saba’s security model restricts access to both systems and data according to defined Segregation of Duties (SoD), operational roles and responsibilities (RACI), and “need to know.” Logical access to Saba Cloud systems is restricted by security policies and procedures, two-factor authentication with unique usernames and passwords, and restrictive local host permissions. Direct access to system administrative accounts (e.g. root) is prohibited; these accounts can only be accessed using predefined “alias” accounts. Data classification standards require that client data may only be accessed using Saba-authorized systems.

Application and Data

All client data is logically segregated. Logical segregation is achieved via the use of unique usernames, complex passwords, database connection strings, and dedicated database schemas. Client access requests are restricted to Transport Layer Security (TLS) communication and at least AES 256-bit encryption. End-user and administrator access to the application requires authentication and is restricted according to preconfigured, role-based access controls (RBAC). All data flowing in and out of the environment is subjected to deep-packet stateful inspection by Saba firewalls and Intrusion Prevention Systems (IPS).

Page 3

Saba’s cloud solutions are hosted in highly secure, SSAE 18 (AT-C 205) SOC 2 Type 2 audited data centers that meet and/or exceed the highest standards for cloud infrastructure security worldwide. Our data centers are hardened using multiple layers of physical and logical security. Access is controlled by two-factor authentication using biometric and key/token access.

All data centers are supported 24/7/365 with security personnel and technical support engineers. Environmental controls such as fire, cooling and power systems are fully redundant and scaled to accommodate component failure. Internet connectivity is assured with no less than three Tier 1 backbone carriers per data center.

Network Security

Network security is achieved through the use of layered firewalls, advanced network design, and network segmentation. High-availability firewalls are used to filter traffic between the web, application, and data tiers. Firewalls support deep-packet stateful inspection, dropping of anomalous packets, denial of service protection, spoofing monitoring and anti-virus filtering. Saba networks have been designed to support VLAN and subnet segmentation, port restrictions, access control lists, and address and port translation. All physical data connections are configured in a high-availability mesh topology, with each system and service having no less than two routes for communications. Saba’s network communications mesh assures integrity and uninterrupted flow of data across our networks. Saba firewalls are configured consistent with National Institute of Standards and Technology (NIST) standards, and connections to all end-points reinforce our “least permissive” policy. All security devices and firewalls are monitored 24/7/365. Monitors are defined to trigger alerts when predefined thresholds are exceeded.

Global Locations

Data Center Overview

North America: Boston, Massachusetts, United States; Toronto, Ontario, Canada; Sacramento, California, United States
Asia Pacific: Sydney, Australia
EMEA: Amsterdam, The Netherlands; London, United Kingdom; Frankfurt, Germany

Page 4

Environmental Safeguards

Redundant Power Supply: All data centers are equipped with redundant and high-density power systems, as well as automated and monitored facility controls. Power generators at all data centers are tested regularly and supported by multiple fuel suppliers to ensure continuous operations in the event of a disaster.

Temperature Control and Fire Suppression: Each data center is equipped with carrier-diverse fiber connections to ensure redundant connectivity with at least 100 Mbps – 1 Gbps of available bandwidth capacity. Each customer system is provided with burstable bandwidth to accommodate peak usage.

Physical Security

Physical access to Saba data centers is tightly controlled, with access restricted to pre-authorized personnel and layered identity management systems. Individual access to the facilities, interior vault, and cage areas is managed by card-key and biometric identification systems, with mandatory pre-approved customer lists and sign-in/sign-out procedures enforced. All servers and infrastructure are protected within locked racks. Only authorized personnel have access to Saba’s dedicated cage.

Professional Certifications

Saba’s Information Security team members maintain professional certifications that demonstrate their knowledge and acumen in their related field. Certifications include Certified Systems Engineers, Cisco Certified Network Associates (CCNA), Certified Information Systems Security Professionals (CISSP), Certified Information System Auditors (CISA), Certified Information Security Managers (CISM), GIAC Web Application Penetration Testers (GWAPT) and Certified Information Privacy Professionals (CIPP). In addition, our technicians are certified and/or trained on various infrastructure and operating system software products.

Certifications and Assessments

Data Centers

Saba Cloud data centers are SSAE 18 (AT-C 205) SOC 2 Type 2 audited and ISO 27001 certified. Additional capabilities are available to meet strict regulatory requirements.

Page 5

Application

As part of the Saba System Development Lifecycle, Saba incorporates Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and third-party web application security penetration testing against known security vulnerabilities such as the OWASP Top Ten.

The Saba Cloud platform is tested, at a minimum, for the following categories of application vulnerabilities:

• Authentication
• Authorization
• Parameter tampering
• Hidden field manipulation
• Cross-site scripting
• Cookie manipulation
• Permissions escalation
• Session management

Validated Environment

Saba Validated Environment Managed Services (VEMS) combines the power and efficiency of Saba Cloud (SC) with services toward Validated Application Environment sustenance efforts for our regulated customers. VEMS is designed to facilitate our customers’ regulatory compliance requirements with 21 CFR Part 11.

Third-Party Penetration Test

As part of our commitment to security, Saba engages with third-party security experts to conduct exhaustive reviews and perform rigorous testing to continually monitor and validate the security of Saba services. Saba engages with a different third party at least annually to perform a gray-box security penetration test of our application and associated host.

The penetration test is typically conducted against the Saba Cloud web application and network with the following primary objectives:

• Identification of vulnerabilities so that they can be remediated prior to being exploited by an attacker
• Direct observation of restricted services or data in the absence of expected access controls
• Compromise of an intermediary device used by privileged users to access secure network zones
• Compromise of the domain used by privileged users
• Sensitive data leakage or exfiltration
• Verification of application logic, session handling, and API security for the web application using supplied credentials
• Verification that only authorized services are exposed to the network perimeter
• Verification of network segmentation of non-privileged and privileged networks

Page 6

At Saba, we know that every organization has the potential to be a great place to work, and no matter what your business does, or who you serve, or what you sell, success starts with your people. But in today’s diverse, mobile, social world, successful organizations must deliver an experience at work that’s more connected, and more personal than ever before. And the most successful do this with Saba. Because we combine the science of talent with intelligent technology to deliver a “just-for-me” talent experience for every individual - in the moments that matter most. With powerful tools and insights talent leaders need to prove the experience makes an impact on business success. So from attracting candidates who are the perfect fit, to designing paths for personal growth, to creating a culture that nurtures the unique talents of every individual, Saba helps you give your people and teams the message: Work to your strengths. Work like you envision. Work like it’s personal. Work like you.

Your success starts here!

• 24/7 customer support
• Collaborative online customer community
• Value-added strategic services
• Regular user group meetings
• Standard or customized implementation services
• Dedicated customer success rep

The Saba Experience:

• Saba Partner Marketplace
• Recruiting & Onboarding
• Performance & Coaching
• Learning & Skill Development
• People Insight & Analytics

© 2020 Saba Software Inc. All rights reserved. Saba, the Saba logo, and the marks relating to Saba products and services referenced herein are either trademarks or registered trademarks of Saba Software, Inc. or its affiliates. All other trademarks are the property of their respective owners.

(+1) 877.SABA.101 | www.saba.com 02/20