Success is Built on Trust
Security is a commitment, a state of mind, and a culture, not a checkbox, especially when it comes to information about your people.
At Saba, we know that success is built on trust, and our approach is based on the fundamental principle of security by design. We’re committed to delivering industry best practice security and compliance services, continuously validating the strength of our security program, and providing a robust, scalable and secure platform that meets even the most rigorous requirements for data protection and privacy.
Comprehensive Security & Compliance
Saba maintains a best-in-class multi-tenant, multi-database architecture with the highest compliance and uptime standards, and accommodates the most stringent global data protection requirements.
The Saba Security Program implements a multi-business review process that focuses on meeting and exceeding industry-accepted practices. In addition to embedding security throughout the system development life cycle, Saba adheres to global privacy requirements, provides appropriate controls, and addresses secure data handling, retention and deletion, and transference of personally identifiable information (PII) in accordance with customer privacy requirements.
Compliant With Industry Standards and Regulations
As new security frameworks, standards and regulatory requirements are developed and gain traction in the cloud industry, Saba reviews them and adopts the ones that are relevant to our customers and help improve our security program and reduce our security risk. Depending on the focus of a particular service offering, Saba and/or its service partners may comply with, or help customers to comply with, some or all of the following certifications, standards and best practices:
Validated Environment Managed Services (VEMS)
Companies operating in highly regulated industries, such as drug makers, medical device manufacturers, biotech companies, biologics developers, life science companies, and food manufacturers are subject to rigorous compliance requirements set forth by the regulatory bodies in the countries in which they operate.
Saba provides industry-specific functionality and validation assurance for compliance with US FDA 21 CFR Part 11, and services to support customers who are required to perform their own validation and documentation. We validate the security of our platform through industry-wide audits and certifications that are performed by independent third-party auditors. These audits allow for Saba’s security controls to be independently evaluated for both design and operating effectiveness.
A commitment to independent assurance
Not surprisingly, our customers expect validation from independent third parties that the measures we take at Saba meet security standards and controls, work effectively, and support the specific requirements of various industries where needed. To assist our customers in meeting their compliance and security requirements, we’re continually investing in resources and providing our customers with access to independent assessments and evaluations of our security controls and overall security effectiveness. Third-party evaluations are available upon request, including AICPA SOC 2 Type 2 audit reports, web application vulnerability reports, and network and host vulnerability scanning results.
Dedicated security and compliance organisation
Our dedicated Saba Security team is made up of industry leaders and certified experts in security best practices, with a risk-management mindset focused on the evolving threat landscape and on emerging data protection, compliance and data privacy requirements. Saba’s Security Organisation practices separation of duties, reports separately and directly to senior management, and works alongside our IT, Cloud Operations and Product Development teams to ensure that our products and services are designed with security from a customer’s perspective, while continuously monitoring Saba’s cloud operational activities. With our dedicated security and privacy expertise and a collaborative approach, we partner with you to ensure a trusted environment for your business.
Controlling the location of your data is a critical element of data privacy and compliance, and Saba has data centers across North America, EMEA and Asia Pacific. Data centers in North America and Europe are SSAE–16/AT101 Type 2 and/or SOC 2 Type 2 audited, and ISO 27001 certified, and are capable of meeting many additional regulatory requirements. To ensure that privacy regulations are met, customer data is hosted only within primary and secondary data centers within each region.
Physical and logical access to our data centres is strictly controlled, with access restricted to pre-authorised personnel through layered identity management systems, including card-key and biometric identification systems, with mandatory pre-approved customer lists and sign-in/sign-out procedures enforced. Service levels for availability and quality of service are strictly defined, and are continually monitored by a range of applications which report on availability, performance and quality of service. All data centre facilities include redundant environmental protections, including considerations for cooling, power, physical security, network connectivity and natural disasters.
Security by Design
Architected with a defence-in-depth security model, Saba gives careful attention to the implementation of security controls in the design and operation of our infrastructure and services. Our objective at Saba is security by design – ensuring that we deliver strong security in the most efficient manner possible to our customers around the world.
Saba Security Council
The Security Council provides a consensus-based forum to support the Chief Information Security Officer to collaborate on:
- Identifying high-priority security and privacy initiatives;
- Developing recommendations for policies, procedures and standards to ensure those initiatives enhance the security posture and protection afforded to Saba and its customer networks, information and information systems; and
- Evaluating compliance with existing regulatory and customer requirements.
System and Data Access Control
Saba’s security model restricts access to both systems and data according to defined separation of duties (SoD), operational roles and responsibilities (RACI), and “need to know”. Logical access to our systems is restricted by security policies and procedures, two-factor authentication with unique usernames/passwords, and restrictive localhost permissions. Direct access to system administration accounts (e.g., root) is prohibited. Data classification standards require that customer data may only be accessed using Saba-authorised systems.
Network security is achieved through the use of layered firewalls, advanced network design and network segmentation. High-availability firewalls are used to filter traffic between the web, application and data tiers. Firewalls support deep-packet stateful inspection, dropping of anomalous packets, denial of service protection, spoofing monitoring, and anti-virus filtering. Saba networks have been designed to support VLAN and subnet segmentation, port restrictions, access control lists, and address and port translation. All physical data connections are configured in a high-availability mesh topology, with each system and service having no fewer than two routes for communications. Saba’s network communications mesh assures integrity and uninterrupted flow of data across our networks. Saba firewalls are configured consistent with National Institute of Standards and Technology (NIST) standards, and connections to all end-points reinforce our “least permissive” policy. All security devices and firewalls are monitored 24/7/365. Monitors are defined to trigger alerts when predefined thresholds are exceeded.
Global Data Centers
Data centers in North America and EMEA are SSAE–16/AT101 Type 2 and/or SOC 2 Type 2 audited, and ISO 27001 certified. Additional capabilities are available to meet strict regulatory requirements.
All data centers are equipped with redundant and high-density power systems with automated and monitored facility controls. Power generators at all data centers are tested regularly and supported by multiple fuel suppliers to ensure continuous operations in the event of a disaster.
Physical access to our data centres is tightly controlled, with access restricted to pre-authorised personnel through layered identity management systems. Individual access to the facilities, interior vault and cage areas is managed by card-key and biometric identification systems, with mandatory pre-approved customer lists and sign-in/sign-out procedures enforced. All servers and infrastructure are protected within locked racks. Only authorised personnel have access to the servers.
Multi-layer physical security systems include the requirement for management pre-authorisation, and authorised individuals must provide government-issued photo ID to a manned security desk. Additionally, controlled man-traps and two-factor authentication (including biometrics) are required to gain access to the data centre server room floor and Saba’s dedicated and secured cage.
Saba engages a different third-party security consultant to perform a gray-box security assessment of our applications for each major release. This includes tests of both Saba’s web and mobile applications, as well as penetration tests against the network.
Web Application Scanning
As part of our System Development Lifecycle, and to assess our applications, Saba leverages industry-leading dynamic scanning solutions as well as static code analysis to assess against known security vulnerabilities, including those catalogued by OWASP. Sample testing includes but is not limited to:
- Cookie manipulation
- Cross-site scripting
- Hidden field manipulation
- Input/output Validation
- Logical Vulnerability Checks
- Parameter tampering
- Privilege Escalation
- Sensitive Data Handling
- Session Management
Our team of experts maintains professional certifications that demonstrate their knowledge and acumen in their related fields. Certifications include Certified Systems Engineers, Cisco Certified Network Associates (CCNA), Certified Information Systems Security Professionals (CISSP), Certified Information Systems Auditors (CISA), Certified Information Security Managers (CISM), GIAC Web Application Penetration Testers (GWAPT) and Certified Information Privacy Professionals (CIPP). In addition, our technicians are certified and/or trained on various infrastructure and operating system software products.
Validated Environment Managed Services (VEMS)
Saba supports compliance requirements such as U.S. FDA Title 21 CFR Part 11, including how electronic records and related e-signatures should be kept within validated computerised systems.
Saba is a solution we sought out largely because they are a secure platform.
— Gavin Hoover, Vice President of Training, Go Wireless