Webtrends SaaS Solutions Security Statement
Last Updated: September 10, 2020
1 Webtrends SaaS Production Environment
Webtrends employs a public cloud deployment model using virtualized resources for its software-as-a-service solutions (“SaaS Solutions”). All maintenance and configuration activities are conducted by Webtrends employees, primarily remotely from our corporate office.
Webtrends SaaS Solutions are multi-tenant and logical access controls using authentication and roles ensure the necessary separation between data from different clients. All infrastructure responsibilities rest with Webtrends, and clients are provided with functionality to manage their own users and roles at the application level.
Webtrends follows guidance from the ISO/IEC 27002:2013 standard. Additionally, Webtrends employs industry standard practices and relies on its 20 years of experience in operating highly secure SaaS solutions for security controls such as firewalls, intrusion detection, change management, automated source-controlled configuration management, and formal security policies and procedures.
Webtrends distributed architecture for data collection, processing and reporting allows it to scale horizontally as the number of clients and volume of traffic increase. Webtrends uses multiple monitoring processes and tools to continuously track network resources, operating systems, applications and capacity. Systems are load balanced and scaled up when predetermined capacity thresholds are reached.
1.2 SaaS Management
Webtrends SaaS operations team (“SaaS Operations”) is responsible for all aspects of the SaaS Solutions production environment. SaaS Operations is set up separately and independently from the software development team to ensure the necessary separation of duties.
2 Risk Management
Webtrends business continuity planning includes practices to assist management in identifying and managing risks that could affect the organization’s ability to provide reliable services to its clients (as further described below). These practices are used to identify significant risks for the organization, initiate the identification and/or implementation of appropriate risk mitigation measures, and assist management in monitoring risk and remediation activities.
Webtrends evaluates and manages risks related to its SaaS Solutions throughout their lifecycle, taking into considerations the consequences for our clients of loss of confidentiality or availability of the information we collect, process and store.
Webtrends maintains coverage to insure against major risks. Policies include errors and omissions liability, commercial general liability, auto liability, commercial umbrella liability, workers’ compensation and employer’s liability, fiduciary liability, directors’ and officers’ liability, and crime bond. Insurance companies, which management believes to be financially sound, provide coverage. Coverage is maintained at levels which Webtrends considers reasonable given the size and scope of its operations.
3 Security Policies & Organization of Information Security
Webtrends information security management system is based on ISO 27002. Webtrends maintains a general Information Security Policy, updated annually, that explicitly addresses the confidentiality, integrity and availability of client data and information technology resources, and details employee’s responsibilities and managements’ role.
Webtrends also maintains several internal policies that cover privacy of both client data as well as individual data, in compliance with the GDPR and the CCPA.
Policies are approved by senior management, communicated to all affected Personnel to whom the policies apply, and clearly state the consequences of non-compliance. All employees must review and sign Webtrends’ Information Security policies during onboarding. In addition, all employees receive mandatory security and privacy awareness training upon hire and annually thereafter.
3.2 Information and Communication
Webtrends utilizes various methods of communication, including email and the corporate intranet to update employees on current events and policies, and share information relevant to employees, such as corporate data, industry news, training and development materials, employee resources, and other corporate policies. SaaS Operations has dedicated intranet sections to publish information relevant to the SaaS production staff, such as technical materials, policies, procedures, and calendars.
Update of key documents such as policies require email notification to the affected staff.
3.3 Information Security Coordination
Webtrends CTO coordinates all security and privacy activities within Webtrends. Responsibilities of this position include:
- Driving security initiatives
- Policy review
- Security planning and program management
- Review effectiveness of the security program
- Coordinate Webtrends security incident response plan
- Perform annual security and privacy assessment and reviews
Implementation of security controls rests with the management of each relevant function. Webtrends CTO is responsible for policies and security implementation within the SaaS environment.
3.4 Segregation of Duties
Only authorized personnel can administer systems or perform security management and operational functions. Authorization for and implementation of changes are segregated responsibilities wherever appropriate to the organization.
4 Human Resources Security
4.1 Employee Screening
Webtrends has background checks performed on all employees at the time of hire (to the extent permitted by law), and requires that non-disclosure and/or confidentiality agreements are signed by all Personnel. Webtrends policy prohibits employees from using confidential information (including Client Data) other than for legitimate business purposes, such as providing technical support, and this obligation continues after their employment ends.
An employee’s failure to cooperate fully in any background check and any dishonesty or omission of information pertaining to a background check by an employee precludes employment with Webtrends.
Background checks are performed by a reputable third-party company for all full time and temporary employees.
Background checks differ by geography to account for local laws. In all cases, they include criminal checks, education and employment reports. All background checks for US employees comply with the Fair Credit Reporting Act.
4.2 Terms of Employment
Webtrends operates an onboarding process including at a minimum the following steps:
- Communication to the new employees of policies, code of conduct and behavioral standards.
- Employee signature of the employment agreement (which includes a confidentiality agreement) and Webtrends Information Security Policy.
- Background checks (subject to local laws).
- Security and Privacy Awareness training.
General information security responsibilities are documented in Webtrends Information Security Policy, which all employees must sign as part of their onboarding.
General information security training is provided to all new employees (both full time and temporary) as part of their onboarding. A compulsory annual security and privacy training requirement ensures employees refresh their knowledge and understanding.
Development and SaaS Operations staff receives further training specific to product development, deployment and management of secure applications. Additional security training is also provided to employees who handle client data.
4.4 Termination of Employment
Webtrends maintains a formal termination or change of employment process that, promptly upon termination or change of employment, requires return of all Webtrends and Client assets, disables or adjusts access rights, and reminds ex-employees of their remaining employment restrictions and contractual obligations. All access (logical and physical) are terminated on or before the termination date. Webtrends uses pre-defined checklists to help ensure the consistency and completeness of the termination process.
Access expiration dates are preset for all contractors, and may only be extended with appropriate management approval.
5 Asset management
All data collected by Webtrends on behalf of its clients is the property of the respective clients and classified as highly confidential under Webtrends information classification policy, which provides employees with the necessary guidance for the handling of all information according to its classification. Client data is logically separated from other clients. Access to client data is restricted to legitimate business use only.
Webtrends Terms of Subscription Service prohibit the use of the SaaS Solutions to collect, process and store sensitive data.
5.1 Client Data Location
All client data is processed and stored in the United States. By default, collected client data transits temporarily through Webtrends data collection centers in the United States and Europe for optimal performance based on the visitor’s location.
5.2 Media Handling
Webtrends Information Security Policy prohibits copying client data on removable media device, including flash drives, hard drives, tapes or other media, other than for legitimate business purposes and with the express authorization from the client.
All personnel who handle storage media used in the Webtrends SaaS solutions must comply with Webtrends SaaS Operations Data Handling Policy.
Webtrends’ decommissioning procedures are designed to prevent access to client data by unauthorized persons. Webtrends follows NIST Guidelines for Media Sanitization (Special Pub 800-88) to destroy data. All printed Confidential Information, including Client Data, is disposed of in secured containers for shredding.
Webtrends deletes all client data, other than backup copies held for disaster recovery purposes, on a scheduled basis following termination of contract.
6 Access Control & Physical Security
Webtrends CTO manages access control policies and procedures for the corporate network and access control policies and procedures for the SaaS production network. Webtrends SaaS Operations maintains a list of all staff authorized to access SaaS Operations data centers.
6.1 User Access Management
Accounts on Webtrends SaaS production network, including for network administrators and database administrators, are mapped directly to employees using unique identifiers based on employee names. Microsoft’s Active Directory enforces uniqueness. Generic administrative accounts are not used. Upon notification by HR as part of the formal termination notification process, all physical and system accesses are immediately adjusted to the new role or revoked.
All accesses to Webtrends SaaS Operations network must be submitted by the requestor’s manager to the change management meeting. After review and approval, the request is logged for implementation.
Password complexity rules and account lockouts are enforced in all environments to protect against brute force dictionary attacks or other passwords threats.
Webtrends periodically reviews employee access to internal systems. Reviews ensure that employees’ access rights and access patterns are commensurate with their current positions.
6.2 User responsibilities
Webtrends Information Security Policy requires employees to notify corporate IT immediately if they believe that the security of their password has been compromised. Employees must abide by all Webtrends policies, including all sections of the Information Security Policy.
6.3 System and Application Access Control
Authentication and robust access controls ensure that all clients’ confidential information is secured against unauthorized access. Users of Webtrends SaaS Solutions must be authenticated before they can access their data, and rights associated to their credentials control access to the logical structures containing their data.
Accesses to resources are controlled by explicit rights in all environments. Employees are given appropriate accounts on systems which they are authorized to access following the “least privilege” principle. Generally, access controls are provided by Microsoft’s Active Directory services and appropriate configuration of the operating system, file system and application settings.
Two-factor authentication is required for remote access and for access to production environments. Further, separate accounts are used to access production environments which are only provided to authorized personnel.
Access to client data is limited to legitimate business need, including activities required to support clients’ use of the SaaS Solutions. Employees may only access resources relevant to their work duties. Processes ensure that any production data used by Webtrends Technical Support for testing (always with client consent) is automatically deleted after 14 days.
6.3.1 Data Access by Clients
Client end users are authorized only to see data from their account and may have additional privilege restrictions placed on their access to the account by their account administrator.
Client end users are identified with a username and password. All passwords are securely hashed. They authenticate to the system over an HTTPS connection.
6.3.2 Access control to program source code
Write access to Webtrends SaaS production source code is limited to the engineering staff. Anti-malware scans are performed during all build processes.
7 Physical and Environmental Security
Webtrends SaaS Solutions utilize Amazon Web Services for production systems and Microsoft Azure for development and testing. Both AWS and Azure operate extremely secure data centers with strict physical security measures, including 24×7 security guards, electronic key systems, biometric access, and CCTV.
Webtrends corporate offices require electronic badges to enter are monitored by CCTV.
8 SaaS Operations Security
Webtrends SaaS Solutions infrastructure is managed by a team separate from development and employs industry best practices such as default deny rules for firewalls, intrusion detection systems and automated patch management.
8.1 Documented Procedures
Webtrends maintains documented procedures that include at a minimum:
- security control measures for all systems in the environment;
- hardening – disabling of all non-essential processes and ports, removing all default users;
- patches deployed promptly on all applicable systems per manufacturer recommendation, and no more than within 3 days for critical security patches;
- change management procedures; and
- incident detection and management.
8.2 Change Management
Webtrends maintains, communicates and follows formal change management processes. All changes to the production environment (network, systems, platform, application, configuration, including physical changes such as equipment moves) are tracked and implemented by a dedicated team. All key business owners such as Technical Support, Engineering, DevOps, Security, and SaaS Operations are represented at the daily change management meeting.
All deployments into production or change to the production environment (network, systems, platform, application, configuration, etc.) must be submitted to, reviewed and approved by the change management meeting team prior to implementation.
Webtrends relies on well-defined processes, disciplined execution and continual training of staff. Webtrends operates an automated code deployment and configuration management system for its SaaS Solutions infrastructure.
All critical decisions must be approved by Webtrends CTO.
Evaluating the probability and impact of all changes drives the risk management process to protect against activities such as spoofing, tampering, disclosure or denial of services which could expose the SaaS environment to attacks, compromise the privacy and confidentiality of client data, or disrupt the availability of the SaaS Solutions.
Both scheduled and emergency changes are tested in separate environments, reviewed and approved by SaaS Operations, Engineering and Technical Support before deployment to the production environment. Emergency changes must be peer reviewed and may be initially made without formal authorization. The Change Management process requires that all emergency changes must be documented and reviewed at the next Change Management meeting.
8.3 Capacity Management
Provisioning, configuration, and management software is used to maintain network configuration information and to catalog changes. Applications configuration is stored in a redundant location.
8.4 Separation of development, testing and operational facilities
All systems used for the Solutions are managed by the Webtrends SaaS Operations team, which is separate from corporate network resources. All access is limited to the least privilege needed and requires authentication. Access logs are reviewed at least quarterly.
Administrative access to SaaS Operations resources is limited to SaaS Operations personnel and authentication requires a separate set of credentials.
Promotion of code from engineering into production is controlled by the change management process, and the SaaS Operations team manages all deployments into the production environment. Testing, other than deployment validation, is prohibited in the production environment.
8.5 Protection against Malware
Webtrends deploys anti-malware software with automatic scanning and update on all workstations; installs anti-malware software on all Windows external-facing web servers with weekly scans; and scans all deployed code for malware.
Systems are scanned continuously. Updates are managed and pushed out via workstation/server policy management. Definitions are automatically updated. Employees cannot disable the solution. Where optimal performance precludes active scanning, anti-virus scans are scheduled weekly.
Webtrends uses a leading commercial solution for email security, including incoming and outgoing filtering for spam, phishing attacks and malware.
8.6 Data Backup
Webtrends stores all client data in the SaaS production environment on highly available and redundant storage systems, and utilizes either a multi-tiered backup approach or replication to a separate data center.
8.7 Logging and Monitoring
Webtrends maintains audit information and logs for all information technology resources, applications and network accesses, monitors these logs for abnormal pattern and unauthorized access attempts, and maintains defined processes for security alerting, escalation and remediation. Logs are centralized in a limited-access system that prevents deletion and changes.
24×7 monitoring of critical network events with intrusion detection system (IDS) and log aggregation with industry standard enterprise application management solution gives Webtrends SaaS Operations the ability to identify and address any unauthorized access to assets (including access to client data) within the SaaS production network, and perform trend analysis and risk assessment. This includes outside threats as well as internal users as the SaaS infrastructure is behind firewalls in both cases. Alerting is in place to notify Webtrends SaaS Operations team of any issue.
Escalation procedures exist to ensure the timely communication of significant security incidents through the management chain and ultimately to any affected client.
8.8 Technical Vulnerability Management
Webtrends subscribes to manufacturers and independent security notification services to monitor potential external threats.
Manual and automated vulnerability testing are performed during the development process. Webtrends engages an independent third-party security firm annually to conduct a vulnerability scan of all external-facing (public) infrastructure devices and application penetration test of its Solutions.
Vulnerabilities are logged as defects, resolved or mitigated, and verified fixed.
8.8.1 Hardening Controls
Webtrends SaaS Operations uses automated tools and documented procedures to build and configure all network equipment, systems and servers from predefined build configuration procedures in accordance with good industry practices such as those defined by NIST. All systems, platforms and applications are configured to minimize security risks. Specifically:
- Webtrends follows manufacturers hardening recommendations and documented standard operating procedures;
- Webtrends disables unnecessary ports, protocols, services and features;
- Only necessary components, scripts, drivers, web services are included and enabled;
- Only enable network ports that are required;
- All new systems are deployed with most recent patches;
- Password parameters are configured to comply with Webtrends standards;
- All systems are monitored and protected with anti-malware software; and
- Only support operating systems are used.
8.8.2 Patch Management
Webtrends operates a commercial patch management solution to maintain network device, system, OS and application level security patches. Reviews performed on a regular basis ensure patching is consistent and current based on industry standards. Webtrends deploys security patches released by the vendors as necessary to development, testing, and production systems after validation in pre-production environment.
Patches are applied on a monthly schedule, unless criticality demands a quicker response. Critical patches are evaluated and deployed as promptly as possible, based on Webtrends review of server/workstation vulnerabilities and the risks to any operating applications. Patch applicability and urgency is evaluated based on the zone of deployment (perimeter, DMZ, applications, storage), its relevance (i.e. is the service being patched enabled in the environment) and threat severity (likelihood x impact).
8.9 Encryption of Data
All data is encrypted in transfer and rest with industry standard protocols and cyphers. HTTPS is enforced on all sites and data collection endpoints. Webtrends client workstations, servers, and storage systems utilize full disk encryption.
9 Communications Security
9.1 SaaS Network Security Management
Network-based intrusion detection systems (IDS) monitor network traffic and activity for intrusion and Webtrends SaaS Operations personnel leverages multiple network and application monitoring tools to continuously scan for errors or suspicious activities. Webtrends hosted environment is segregated from Webtrends corporate environment. Access is restricted to SaaS Operations personnel, and authentication requires a separate set of credentials.
Comprehensive and centralized system and application logging and monitoring facilitate alerting, trend analysis, and risk assessment. A network configuration management tool tracks and catalog changes, which are reviewed. Escalation procedures exist to ensure the timely communication of security incidents through the management chain and ultimately to any affected client.
9.2 Segregation in Networks
Webtrends production infrastructure uses separate segments for the web and storage layers with a multi-perimeter stateful firewall configuration between the Internet and the demilitarized zone (DMZ). Data storage and processing servers have no externally exposed services.
9.3 Information Transfer
Webtrends clients access the Webtrends environment via the public Internet. All data transfers from Webtrends SaaS Solutions must use secure protocols; all data transfers to Webtrends SaaS Solutions require secure protocols.
9.4 Confidentiality and Non-Disclosure Agreements
All Webtrends employees must sign Webtrends confidentiality agreement at the time they join the organization. Upon termination, employees are provided another copy of their agreement.
Webtrends requires a non-disclosure agreement or confidentiality clauses in all contracts of third parties accessing computing facilities or information assets as well as prior to sharing or providing access to any confidential information outside of Webtrends, whether verbally or in writing.
10 System Acquisition, Development and Maintenance
10.1 Security Requirements
Webtrends development methodology uses security significant requirements and threat modeling to ensure security concerns are considered and addressed during design.
10.2 Security in Development and Support Process
Webtrends follows an agile development methodology in which products are deployed on an iterative, rapid release cycle. Security and security testing are implemented throughout the entire software development methodology.
Quality Assurance is involved at each phase of the lifecycle and security best practices are a mandated aspect of all development activities. Our main test areas include volume, stress, security, performance, resource usage, configuration, compatibility, installation, and recovery testing.
Webtrends uses defense in depth best practices and validates them using both internal and third-party security vulnerability scans.
Code reviews are part of the application development process. The internal quality assurance function also exhaustively tests all application end-points for vulnerabilities, including those identified in OWASP Top Ten.
The development process includes a review of all embedded third-party components to ensure that security updates are incorporated. Use of open source software is subject to technical and legal review and approval.
11 Supplier Relationships
Webtrends may use contractors for development and testing tasks. These individuals work under the direct supervision of Webtrends employees.
Webtrends doesn’t give suppliers direct access to client data or network/equipment management responsibility.
Webtrends uses reputable third-party suppliers that are evaluated against strict requirements (such as SOC2 reports and/or ISO certifications) to ensure adherence to industry standard security and operational requirements.
12 Incident Process
Webtrends has developed a robust Security Incident Response Process (SIRP) to address security and privacy related events in an efficient and timely manner. The SIRP framework describes how the team is deployed, documents the criteria for incident severity, defines the investigation and diagnosis workflow, details documentation and reporting requirements, and establishes contact information.
The SIRP core team is composed of senior employees with an executive sponsor reporting directly to Webtrends CEO. This team is deployed and disbanded for each event and meets periodically in the absence of events for training and process maintenance. The SIRP process identifies key roles to facilitate the effective coordination of Webtrends response to a security incident, and defines a secure methodology for the confidentiality of all information and communication.
Incidents are triaged in three impact categories, each with different response levels:
- Severity 1 – Critical incidents involving a successful breach trigger the immediate deployment of the process.
- Severity 2 – Significant incidents involving an unsuccessful breach attempt trigger the deployment of the process within business work hours.
- Severity 3 – Benign incidents such as probes not requiring change to systems do not trigger the deployment of the team, but are logged and a retrospective is performed as part of the next SIRP meeting.
The SIRP process is based on industry standard best practices and methodology. It specifies roles and responsibilities as well as priorities for each of the six phases:
- Identification – Alerts may come from a variety of sources, typically our Technical Support, IT and SaaS Operations teams, or automatically from monitoring systems. These teams are trained in the identification and escalation processes.
- Triage – The team evaluates the criticality of the incident based on defined guidelines, logs the incident and triggers the formal deployment of the SIRP if necessary.
- Containment – The first goal of the SIRP team is to prevent the situation from getting worse and keep client data safe. During this phase, the team isolates compromised systems and starts planning for the following phases.
- Eradication – Once the situation is under control, the SIRP team moves to mitigate the impact of the incident and resolve the immediate situation. It identifies the root cause of the incident and prepares for the recovery by documenting known facts and identifying impacted clients, if any.
- Recovery – The recovery phase starts as soon as possible, but may require the eradication phase to be complete. Systems are returned to normal operation, patches or configuration changes are applied, documentation is finalized and communications go out to necessary parties.
- Retrospective – This critical phase allows Webtrends to learn from the incident. Documentation of the incident as well as the response process are reviewed to identify, define and deploy needed improvements to process, policies, system configurations, etc.
Security incidents are managed by Webtrends Security Incident Response Process team. All communications with clients in case of security or privacy incident will be through our support team, using the status page Status Page, and/or agreed upon contacts.
Webtrends Technical Support team will notify client contacts assigned to the account as soon as possible after confirming them as being affected by a security or privacy breach or by a DR event, but in any event within 24 hours for significant events and within 2 business days for non-critical events.
13 Business Continuity & Disaster Recovery
13.1 Disaster Recovery Plan
Webtrends maintains and tests a business continuity plan (BCP) and disaster recovery (DR) plan that prioritizes critical functions (such as data collection) supporting the delivery of its Solutions to its clients. Under such a plan, the disruption resulting from a complete site outage at a data collection center would be limited to single geographic region and would only last for a few minutes while traffic is automatically rerouted. Webtrends retains DR archives of Client Data for up to six months after the backup.
13.2 Monitoring and Communication
We establish continuous monitoring of each system, throughout the application, and in each location where data is stored and moved. Monitoring is a critical component of everything we do.
A system-level failure, for any component in the Webtrends SaaS solutions environment, is easily identified and resolved through Webtrends 24×7 SaaS Operations Center. When monitoring detect a failure, failed systems are automatically removed from the production environment, and the SaaS Operations team is alerted and resolves the issue or escalates to the appropriate vendor as needed.
13.3 Risk Assessment
Webtrends BCP & DR planning consider all relevant threats as well as the criticality of each part of the SaaS Solutions. Webtrends SaaS Solutions disaster recovery strategy focuses on the following priorities:
- Protection of client’s website
- Maintaining uninterrupted data collection
- Protection of client’s website visitors from adverse impact
- Limiting data processing and access disruption
13.4 Testing Disaster Recovery Plans
Webtrends takes advantage of the distributed architecture of its SaaS Solutions to exercise critical aspects of its disaster recovery routinely when significant organizational or environmental changes are necessary. Other less critical aspects such as events affecting data storage are tested less frequently.
Disaster recovery plans for the most critical parts of the solution (data collection) are exercise quarterly at minimum, and tabletop exercises performed annually for the data processing functions.
Webtrends maintains Client Data within the Solutions production environment on fully redundant or replicated storage systems, utilizes a multi-tiered backup approach, and transfers backup media in locked containers for storage in a secured offsite location. Webtrends SaaS Solutions extends redundancy beyond storage through the entire infrastructure, from load balancers and processing engines, to power and telecommunication providers. Specifically:
- Webtrends data collection environment (the most critical part of the infrastructure) is architected for high availability with >N+1 resiliency. Webtrends leverages global load balancing and multiple regions in North America and Europe to ensure uninterrupted data collection.
- Each data collection instance is independent and scaled to three times its daily average traffic. Unavailability of any data collection instance does not result in any data collection failure as the other data collection instances automatically adjust and are scaled to absorb the load from the failed instance(s).
- A full data collection region failure is automatically resolved. If our monitoring systems detects a failure of a region, internet traffic is automatically re-routed to the remaining regions. This allows Webtrends SaaS Operations team to troubleshoot the issue with the failed region, escalate as needed to the appropriate vendor(s), and resolve the issue. All of this occurs without client impact, and all data is collected as expected.
- A failure in the primary Webtrends SaaS solutions processing region may involve some manual intervention on the part of the Webtrends SaaS Operations team depending on the level of severity and complexity of the issue. In the unlikely event of complete data center failure, the SaaS Operations team has instructions and recovery steps to bring the solution back online in the most expeditious manner at an alternate region.
Webtrends complies with statutory and regulatory requirements, and uses reasonable efforts to comply with applicable industry standards.
For information on GDPR, CCPA, Privacy Shield, and other privacy related compliance, please see the Webtrends Privacy Statement.
14.2 Independent Review
Webtrends engages annually a reputable third-party security firm to conduct a comprehensive application penetration test and network vulnerability scan of Webtrends SaaS Solutions. The primary objective of these scans and tests is to gain independent third-party validation of Webtrends security stance and provide actionable recommendations for mitigation of any risks that may have been identified. All critical issues confirmed are remediated immediately. Issues of lesser severity are evaluated for resolution as part of the standard development process.
Microsoft maintains strict security and privacy controls for suppliers and requires third-party validation of over 70 controls as part of their SSPA program. Webtrends maintains compliance with the SSPA via an annual third-party audit.