Security controls

Anaplan is designed with security in mind, from networks and servers, to how users access and manage data. The Anaplan platform is a unique blend of proprietary technology that securely collects and stores data, yet is agile enough to interface with external systems.

SECURITY INFRASTRUCTURE

Each facility is protected by a defense-in-depth security architecture consisting of firewalls, IDS (Intrusion Detection Systems), anti-virus/anti-malware protection, and monitoring capabilities.
and access control lists (ACLs), which limit access and communication between systems. No system or individual can reach another system unless explicitly authorized to do so.

SERVER INFRASTRUCTURE

All servers run Linux Operating System and are hardened according to policy based on Center for Internet Security standards.
All hosts are subject to a regular patching and maintenance routine.
All hosts are periodically scanned for vulnerabilities and security threats using the industry-leading Nessus.
All servers are controlled and managed by an automation system to ensure consistent configuration across the environment.

REDUNDANT INFRASTRUCTURE

Anaplan's infrastructure utilizes a redundant active/passive design to enable full operational failover. A failure of any single component should not lead to a disruption in customer service or a loss of customer data. In the event of a primary failure, the redundant architecture will allow for full failover to the secondary system(s).

Anaplan maintains an ACID-compliant software stack that guarantees data is always in a known safe state.
Atomicity requires that each transaction is all or nothing. If any one part of the transaction fails, then the entire transaction fails and the model is left unchanged.
occurring at the same time do not impact one another's execution.
Durability means that once a transaction has been committed, it will remain so even in the event of a crash or error.

Core software consists of an in-memory data storage model to achieve the fastest computational results, yet maintains an active log of all changes on disk in real time.
The full data model is persisted to SAN using AES 256-bit encryption.
User query logs are written to disk before any changes are applied in memory.
All data is stored and accessed through the same secure interface.
Data never crosses the Internet unencrypted.

WiFi and removable media are not available in the data centers.

USER ACCESS, CONTROLS, AND POLICIES

Anaplan supports a variety of configurable security controls that provide customers the security of Anaplan for their own use. These controls include:
Anaplan Administration to give administrators greater governance and control, enabling them to implement user changes and organize models across the business.
Unique user identifiers (user IDs) to ensure that activities can be attributed to the responsible
Controls to ensure generated initial passwords must be reset on first use.
Controls to force a user password to expire after a period of use.
Controls to terminate a user session after a period of inactivity.
Password complexity requirements:
    Minimum of 8 characters
    At least one uppercase character
    At least one lowercase character
    At least one numeric character
    Must be changed every 90 days
New users are denied access to any data by default. Access must be granted by the customer-designated administrator.

Anaplan fully supports SAML 2.0 for Single Sign-On (SSO) and can be utilized for customers who prefer to retain total control of their users through a centrally managed system. Leveraging SSO affords the customer the ability to place user authentication entirely under their control. This includes password complexity policies, time-of-day access windows, two-factor authentication, and any other controls required by the customer's security policies.

ANAPLAN EMPLOYEE ACCESS, CONTROLS, AND POLICIES

Employee access to production infrastructure is permitted only with RSA two-factor authentication via secure VPN.
Access to any data center server is further protected by the mandatory use of SSH public key infrastructure (PKI) technology.
Employees do not have access to customer data.
All customer data is owned by the customer.
Anaplan staff cannot see any end-user data without being granted permission by the customer through the native access control system.
Access is based on the information security principle of least privilege, with access strictly limited to a select number of skilled individuals.
All access is monitored and logged.
All employees are subject to background checks prior to employment.
All employees are trained on documented information security and privacy procedures.
All employees are required to sign customer data confidentiality agreements.
All employees in the Engineering, Quality Assurance, Technical Operations, and Security teams receive additional security training.
All access is immediately revoked upon termination of employment.

SECURITY TEAM

Anaplan has a number of full-time employees around the world focused on governance, risk, audit, and compliance in the areas of security and privacy. Team members have years of industry experience and well-known industry certifications, including CISSP, CISM, CISA, CIPT, CIPM, and CIPP/US.

Vulnerability and malware management

MALWARE AND VIRUSES

Anaplan will never introduce any virus or malware to a customer's systems. Scans are performed for viruses and malware that could be included in attachments or other customer data uploaded into Anaplan by a customer.

WEB APPLICATION VULNERABILITY MANAGEMENT

The Anaplan application is subjected to a regular web application scanning (WAS) process carried out using market-leading security and compliance provider, QualysGuard. Further scans are performed using Nessus and Burp Scanner.

Security procedures, policies, and logging

All services are monitored both internally and from an external system. Anaplan is operated in accordance with the following procedures to enhance security:

SECURITY LOGS

All systems (for example, firewalls, routers, network switches, and operating systems) used in the provision of Anaplan will log information to their respective system log facility and to a centralized syslog server.
All data access by customer and staff is monitored and logged.
All data changes by customer and staff are monitored and logged.
Logging will be kept for a minimum of 365 days.
Logging will be kept in a secure area to prevent tampering.
Audit logs include the following:
Date, time, and time zone of the event.
URL executed or entity ID operated on.
Identity of the system and the component.
Type of event and operation performed (viewed, edited, etc.).
Success or failure.
User ID.
Client IP address.*

*Not available if NAT (Network Address Translation) or PAT (Port Address Translation) is used by a customer or its ISP.

Passwords are not logged under any circumstances.

Data encryption

Data at rest within the system is stored in a unique non-readable binary format and subject to full-disk AES-256 encryption.

Backups

All onsite data is held on redundant disk-encrypted SAN using industry-standard AES-256 technology.
Data is also streamed in near real time to an offsite backup and disaster recovery center via 2048-bit SSL encryption.
Backed up data is stored using AES-256 encryption.
Model changes are easily reversible and can be returned to previous versions within seconds.
End users can archive models within their workspace at will.
All user changes are reviewable and easily reversible.

Disaster recovery

Disaster recovery plans are in place and tested at least once per year.
The last full test was performed in June 2016.

Anaplan utilizes disaster recovery facilities that are geographically remote from their primary data centers, along with the required hardware, software, and Internet connectivity. In the event production capabilities at the primary data centers become unavailable, the disaster recovery hosting facilities would be enabled and brought online. Since customer data is already streamed and held at these same facilities, recovery time is greatly decreased.

Anaplan's disaster recovery plans currently have the following target recovery objectives:
a) RTO of 12 hours after declaration of a disaster.
b) RPO of 30 minutes.
Customer data
DELETION OF CUSTOMER DATA
About Us
Anaplan is the leading planning and performance management
platform for smart businesses. Anaplan combines an unrivaled
planning and modeling engine, predictive analytics, and cloud
collaboration into one simple interface for business users.
Anaplan is a privately held company based in San Francisco
with 16 offices worldwide. To learn more, visit anaplan.com.