Saba Cloud Security

The Saba Security Program implements a multi-business review process that focuses on meeting and exceeding industry-accepted practices. In addition to embedding security throughout the System Development Life Cycle, Saba adheres to privacy requirements that provide controls that address secure handling, retention/deletion, and transference of personally identifiable information in accordance with customer privacy requirements.

Saba Security Council

The Security Council provides a consensus-based forum to support the Vice President of Information Services and Chief Information Security Officer to collaborate on:

  1. Identifying high-priority security and identity-management initiatives; and
  2. Developing recommendations for policies, procedures and standards to address those initiatives that enhance the security posture and protection afforded to Saba and its customer networks, information and information systems; and
  3. Evaluating compliance with existing regulatory and customer requirements (Safe Harbor, FISMA-Moderate, and other geographic/vertical requirements).

System and Data Access Control

Saba’s security model restricts access to both systems and data according to defined Segregation of Duties (SoD), operational roles and responsibilities (RACI), and “need to know.” Logical access to Saba Cloud systems is restricted by security policies and procedures, two-factor authentication with unique usernames/passwords, and restrictive local host “permissions.” Direct access to system administrative accounts (e.g., root) is prohibited, and these can only be accessed using predefined “alias” accounts. Data classification standards require that client data may only be accessed using Saba-authorized systems.

Network Security

Network security is achieved through the use of layered firewalls, advanced network design and network segmentation. High-availability firewalls are used to filter traffic between the web, application and data tiers. Firewalls support deep-packet stateful inspection, dropping of anomalous packets, denial of service protection, spoofing monitoring, and anti-virus filtering. Saba networks have been designed to support vLAN and subnet segmentation, port restrictions, access control lists, and address and port translation. All physical data connections are configured in a high-availability mesh topology, with each system and service having not less than two routes for communications. Saba’s network communications mesh assures integrity and uninterrupted flow of data across our networks. Saba firewalls are configured consistent with National Institute of Standards and Technology (NIST) standards, and connections to all end-points reinforce our “least permissive” policy. All security devices and firewalls are monitored 24/7/365. Monitors are defined to trigger alerts when predefined thresholds are exceeded.

Data Center Overview

Saba Cloud data centers in North America and EMEA are SSAE–16/AT101 Type II audited, Safe Harbor certified, and either FISMA-Moderate or ISO 27001 certified. Our Asia Pacific data center is AS/NZS 7799.2:2003 accredited. Additional capabilities are available to meet strict regulatory requirements.

Environmental Safeguards

All data centers are equipped with redundant and high-density power systems with automated and monitored facility controls. Power generators at all data centers are tested regularly and supported by multiple fuel suppliers to ensure continuous operations in the event of a disaster.

Physical Security

Physical access to Saba data centers is tightly controlled, with access restricted to preauthorized personnel and layered identity management systems. Individual access to the facilities, interior vault and cage areas is managed by card-key and biometric identification systems with mandatory preapproved customer lists and sign-in/sign-out procedures enforced. All servers and infrastructures are protected within locked racks. Only authorized personnel have access to the Saba People Cloud servers.

Penetration Test

Saba engages with a third party to perform a black-box security assessment of our main domain and associated hosts. This includes a Software Quality Assurance (SQA) scan of the Saba web application as well as a network penetration test.

Web Application Scan

As part of Saba System Development Lifecycle, Saba incorporates an initial scan utilizing Qualys Web Application Scan (WAS) and then validates that through a third-party solution, Veracode. Veracode performs dynamic and static code analysis.

The following is a sample list of what both Qualys and Veracode scan for:

  • Cross-site scripting
  • SQL injection
  • Session management
  • OS command injection
  • Directory traversal

Professional Certifications

The Saba team consists of Certified Systems Engineers, Cisco Certified Network Associates (CCNAs), Certified Information Systems Security Professionals (CISSPs), and technicians certified and/or trained on various infrastructure and operating system software products.


Saba gives careful attention to the implementation of security controls in the design and operation of the Saba Cloud Infrastructure and Services. Information security remains the highest priority at Saba, enabling Saba to achieve its goal of providing the most efficient and secure services to our clients. Saba maintains multiple third-party validations that assess Saba Security Controls on an ongoing basis. For more information on the Saba Security Program, please contact your Account Executive or send an email to