BMC's Security Strategy for ITSM in the SaaS Environment

TABLE OF CONTENTS
Introduction
Data Security
Secure Backup
Administrative Access
Patching Processes
Security Certifications
Penetration Tests
Disaster Recovery/Business Continuity (DR/BC)
Notification of Security Breaches
BMC Remedy OnDemand for Public Sector
Summary
Next Steps


INTRODUCTION
Faced with a growing number of regulatory, corporate, and industry requirements, organizations must be
absolutely sure their important applications and data are secure when deploying them through a software-as-a-service (SaaS) model.
This is as true for IT service management as for any other application. IT service management does the critical
work of assuring IT applications, devices, and services are available to meet business needs. Juggling IT
service management tasks, such as help desk calls, requests for new servers, required security updates, and
changes in user access rights, is difficult enough. Maintaining the hardware, software, and storage required to
run the IT service management solution is, for some organizations, not a good use of staff, budget, or time.
Choosing a SaaS solution lets organizations reduce their management costs and focus on keeping applications
running, passwords updated, servers patched, and employees productive rather than on running the IT
service management infrastructure.
Yet IT service management applications may hold sensitive data about users and the business, ranging from
the names of servers to changes in employee status. With its BMC Remedy OnDemand SaaS offering, BMC
has built in the security tools and processes needed to provide the strongest possible protection for data. This
means that you can reduce the total cost of ownership of IT service management, while also securing your
sensitive corporate and user information.
This white paper examines the key security concerns facing organizations considering BMC Remedy
OnDemand, and how BMC addresses these concerns.


DATA SECURITY
The data contained in IT service management systems ranges from ticket structures to the tickets themselves
to usage logs. Organizations must be assured this data is secure, both during the initial migration of IT service
management data to the BMC data center and whenever they retrieve that data for reporting or other purposes.
BMC maintains the security of the network infrastructure with a three-tiered architecture consisting of an
external zone, a DMZ, and an internal zone. All are protected by firewalls and network monitoring devices, as
well as by intrusion prevention systems that are monitored 24x7 by a security operations center. (See Figure 1)

Figure 1. The BMC Remedy OnDemand three-tiered architecture, with the BMC Remedy system and the data safely in the internal zone

All servers that access or store data are protected by antivirus software and are hardened at the operating
system, database, and application levels against attack through a series of defined policies and procedures.
Any changes made to the operating system, database, or application configurations are monitored by change
management processes to ensure that an accepted baseline is maintained. Security and other patches are

applied at least monthly, with critical security patches applied whenever available. All patches are tested in a
staging environment before deployment to production servers.
All data entering the BMC cloud is encrypted using IPsec or a minimum of AES 256-bit encryption. What's
more, BMC can comply with any authentication policies established by your organization for your own
employees. (See Figure 2)

Figure 2. Application server with data inside and protected (figure label: AES 256-bit encryption)


SECURE BACKUP
Sensitive data, such as that stored in IT service management systems, must be protected both at rest in
servers and on storage arrays and in transit, such as during backups. Backups that are done within the BMC
data center are protected by its firewalls, network, and server protection policies. Backup to a remote location,
if requested, is encrypted through a VPN with a minimum of AES 256-bit encryption.


If you require the use of digital signatures to assure the authenticity of the sending or receiving device, BMC is
prepared to adopt any PKI model that you request.

ADMINISTRATIVE ACCESS
Given that many attacks on corporate data are carried out by insiders, it's critical that you can restrict which
users have administrative access to your IT service management system (and thus can see all the tickets in
process or even change the look and feel of the system) and which users can see only the tickets that they
have submitted.
BMC administrators must pass through a two-factor authentication system before accessing servers and
network devices through a VPN. By default, all administrators are given the minimum access needed to do their
jobs, and are granted greater privileges only as needed.
The authentication system logs all transactions and user activity, allowing its use as not only a security tool, but
also as a tool for auditing, accounting, and compliance.

PATCHING PROCESSES
As new vulnerabilities are identified, software vendors respond with patches to remediate them and protect
sensitive data. Although regular patches are essential to maintaining security, in a SaaS environment, you must
rely on your vendor for that patching. You must also rely on the vendor to test patches to ensure they do not
harm applications, and to have processes in place to roll back the patches if needed.

As hackers roll out new attacks, applying regular patches is essential to maintaining security.

BMC applies all required patches to its BMC Remedy OnDemand environment at least monthly, with critical
patches applied as soon as they have been tested and made available. All patches are tested in a staging
environment before being released to production to ensure system stability and performance.


SECURITY CERTIFICATIONS
Security certifications are a critical indicator of the level of skill and commitment a SaaS provider brings to
protecting data.
BMC Remedy OnDemand for Public Sector's infrastructure data centers are audited annually to the SAS70
Type 2/SSAE 16 Type 2 standard and maintain ISO/IEC 27001 certification. The latest available audit reports
are:
1) SSAE 16, SOC1 Report for Plano Technology Center (PTC); for the period of 1/1/2011 through 10/31/2011
2) SSAE 16, SOC1 Report for Florence Technology Center (FTC); for the period of 1/1/2011 through 10/31/2011

PENETRATION TESTS
Periodic penetration tests are essential to assuring that the proper security tools and processes are in place to
meet ever-changing security threats. A SaaS vendor should rigorously perform such tests.
BMC maintains a third-party white hat security penetration team that regularly conducts tests of the security of
its BMC Remedy OnDemand environment. BMC's Web application monitoring teams continually monitor the
results of such tests and remediate any vulnerability that is found. (See Figure 3)


Figure 3. BMC employs proper protection from outside attacks to ensure the data center is secure

BMC also performs a weekly critical parameters audit and monthly operations review. An outside vendor
conducts an external ISO 27001 audit and a penetration test every six months as well as annual SSAE 16 Type
II and ISAE 3402 Type II audits.

DISASTER RECOVERY/BUSINESS CONTINUITY (DR/BC)
Being able to quickly resume operations in the wake of a natural or man-made disaster is critical in today's
24x7 economy. When you run your own data centers, you can control the nature, scope, and quality of your
DR/BC efforts. However, when deploying applications in a SaaS model, you must get assurances from your
SaaS vendor that the proper steps are being taken to assure application uptime.
The BMC Remedy OnDemand environment uses industry-standard, high-capacity servers and a network
infrastructure employing redundant switches and networks to avoid a single point of failure. The use of
clustered servers and backup systems helps assure uninterrupted access to service desk functions even in the
event of system failure.
BMC also follows its own DR/BC policies, which are continuously updated and modified to reflect changes in
the technical and business environments, as well as its own regular mock drills and tests.

NOTIFICATION OF SECURITY BREACHES
Organizations that trust their data to a SaaS provider need to know if the vendor has suffered a security
breach, so that they can take the proper steps internally to safeguard their data and to make any legally
required notifications. BMC has a formal incident response and reporting procedure that is tested regularly.

BMC REMEDY ONDEMAND FOR PUBLIC SECTOR
As the first and only cloud-based IT service management solution designed to support the Federal Information
Security Management Act (FISMA) with Low and Moderate NIST 800-53 controls for infrastructure, services,
and applications, BMC Remedy OnDemand for Public Sector is managed by U.S. staff from U.S.-based data
centers.

ENCRYPTION
In support of FISMA and FIPS-197, BMC uses one of the strongest block ciphers available, the Advanced
Encryption Standard (AES), and encrypts all application and database data with 256-bit AES and with SSL
assurance. AES specifies a FIPS-approved cryptographic algorithm that can be used to protect electronic data.
The AES algorithm is a symmetric block cipher that can encrypt (encipher) and decrypt (decipher) information.
Encryption converts data to an unintelligible form called ciphertext; decrypting the ciphertext converts the data
back into its original form, called plaintext. The AES algorithm is capable of using cryptographic keys of 128,
192, and 256 bits to encrypt and decrypt data in blocks of 128 bits.
Encrypting databases at rest is an important part of most regulatory compliance requirements, such as PCI,
HIPAA, FISMA, and HITECH, and can help protect all of your agency's sensitive data.
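As an added illustration of the AES-256 encryption of stored data described above (example code written for this edit, not BMC's own implementation), the following Go program seals one ticket field under AES-256-GCM using only the standard library. The 256-bit-only key policy, the binding of the record ID as additional authenticated data, and the nonce || ciphertext || tag layout are assumptions of the example, not statements from the paper.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// NewRecordAEAD builds the AES-256-GCM cipher used for fields at rest. aes.NewCipher itself
// accepts only the 128-, 192- and 256-bit key sizes FIPS-197 defines; the assumed at-rest
// policy then refuses the two shorter ones.
func NewRecordAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err // aes.KeySizeError for any other key length
	}
	if len(key) != 32 {
		return nil, fmt.Errorf("at-rest policy requires AES-256, got AES-%d", len(key)*8)
	}
	return cipher.NewGCM(block) // 128-bit blocks, 96-bit nonce, 128-bit authentication tag
}

// SealRecord encrypts one stored field as nonce || ciphertext || tag. The record ID is bound
// as additional authenticated data, so a ciphertext copied into another row will not open.
func SealRecord(key, plaintext, recordID []byte) ([]byte, error) {
	gcm, err := NewRecordAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce for every record
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, recordID), nil
}

// OpenRecord reverses SealRecord; any change to nonce, ciphertext, tag or record ID fails.
func OpenRecord(key, sealed, recordID []byte) ([]byte, error) {
	gcm, err := NewRecordAEAD(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n+gcm.Overhead() {
		return nil, fmt.Errorf("sealed record too short (%d bytes)", len(sealed))
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], recordID)
}
```

In service the 32-byte key would come from a key manager rather than being held in the application; the constructed key in the test below stands in for that.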

U.S.-BASED SOLUTION SUPPORT
BMC has implemented its cloud offering in U.S.-based data centers (both primary and recovery sites) that are
managed by U.S.-based personnel. Although data is encrypted, as an additional layer of security, BMC
employees who may have visibility into customer data are U.S. citizens.


FISMA/FEDRAMP
To provide the highest quality of support to our customers, BMC Remedy OnDemand offerings have been
designed to securely operate under the strict security controls and technical implementation guidelines of
FISMA and Federal Risk and Authorization Management Program (FedRAMP) with minimal risk to your
organization.

SUMMARY
In building its BMC Remedy OnDemand environment, BMC has taken into account the sensitivity of the
information contained in organizations' IT service management systems. BMC provides a rigorous,
ISO-certified security environment that includes 24x7 monitoring of physical and logical systems, encryption of
all sensitive data, continual Web application security monitoring, industry-leading authentication, access
control, and password management.


In addition to its own stringent safeguards, BMC allows organizations to specify their own requirements in such
areas as disaster planning, business continuity, and visibility into the results of ongoing security tests.
With BMC Remedy OnDemand, you can be assured that your IT service management data is protected
even as you take advantage of the cost and flexibility benefits of the SaaS model.

NEXT STEPS
For more information or to register for a demo, please visit www.bmc.com/itsm.

Business runs on IT. IT runs on BMC Software.


Business thrives when IT runs smarter, faster and stronger. That's why the most demanding IT organizations in
the world rely on BMC Software across distributed, mainframe, virtual and cloud environments. Recognized as
the leader in Business Service Management, BMC offers a comprehensive approach and unified platform that
helps IT organizations cut cost, reduce risk and drive business profit. For the four fiscal quarters ended
September 30, 2011, BMC revenue was approximately $2.2 billion.

BMC, BMC Software, and the BMC Software logo are the exclusive properties of BMC Software, Inc., are
registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other
countries. All other BMC trademarks, service marks, and logos may be registered or pending registration in the
U.S. or in other countries. All other trademarks or registered trademarks are the property of their respective
owners. © 2010, 2012 BMC Software, Inc. All rights reserved.


All diagrams are for general illustrative purposes only.
