SuccessFactors security overview
On February 23, 2012, SAP acquired the Software-as-a-Service (SaaS) HCM and Talent Management software vendor SuccessFactors for $3.4 billion. This acquisition turned SAP into a vendor of both on-premise and SaaS HCM software and a major player in the competitive SaaS HCM market. It also brought the experience and expertise of SuccessFactors’ founder Lars Dalgaard onto the SAP Executive Board, to bring what was termed “Cloud DNA” into the organization.
Prior to the acquisition, SuccessFactors was a vendor of SaaS “Business Execution” (BizX) software for the Human Capital Management (HCM) market. SuccessFactors was formed in 2001, by Lars Dalgaard and Aaron Au, and is based in South San Francisco, California. The company has offices in more than 35 locations worldwide, including several countries in South America, Europe and Asia–Pacific. SuccessFactors went public in November 2007 on the NASDAQ stock market, ticker symbol SFSF, but in 2011 moved from NASDAQ to become the first company ever to be triple-listed on the New York Stock Exchange, Euronext Paris and Frankfurt Stock Exchange.
SuccessFactors’ business is focused around providing SaaS covering core Human Resources (HR), workforce planning, talent management, social collaboration and workforce analytics, with talent management, social collaboration and analytics being particular strengths. Social collaboration underpins a lot of the processes in the SuccessFactors HCM suite, while its vendor-agnostic analytics solution provides more than 1,500 out-of-the-box analytics that cover all solutions. The talent management suite comprises solutions for all the major process areas, which are recruiting, performance management, goal management, compensation, learning, succession planning and development.
SuccessFactors, an SAP Company, has more than 3,600 customers in 177 territories using 35 different languages in 60 different industries. This large customer base provides it with 20+ million subscriptions and with revenues of $364 million (in 2011 prior to the acquisition).
SuccessFactors has many recognized companies within its customer list including 20th Century Fox, Adobe, Allstate, American Airlines, Astra Zeneca, the Department of Homeland Security, NASA, PepsiCo, Siemens, Sobeys, Starbucks and Kawasaki.
Originally, SuccessFactors focused on performance management software, but in 2009 the company expanded its strategy to offer what is called “business execution” software.
SuccessFactors launched the business execution suite, originally known as the BizX suite and now called the HCM suite, to extend its reach from measuring employee performance and goal setting to supporting companies in executing business strategy with a full end-to-end suite of solutions including core HR in the cloud.
During its history, SuccessFactors has made a number of acquisitions to strengthen its existing portfolio. It acquired six companies for more than $400 million:
- Inform Business Impact
- Plateau Systems
Each of these acquisitions brought in applications that are now core parts of the integrated SuccessFactors solutions.
Product Innovation and Leadership
We take pride in not only delivering world-class products, but also in leading the industry in innovation and thought leadership. SuccessFactors has led the industry in actual product innovation through a blistering pace of development. Since 2001, SuccessFactors has released over 130 new versions of the application. And due to the SuccessFactors software-as-a-service (SaaS) multi-tenant cloud solutions architecture, functionality from these new versions is seamlessly and immediately available to all customers around the world at the same time, and without costly upgrades.
Leveraging a single code base, SuccessFactors has built a platform that enables our development teams to rapidly deliver new, relevant business optimization applications for companies of all sizes. We are focused on providing solutions for businesses to get the most from their people and for employees to take an active role in their own development. This effort has resonated around the world as the SuccessFactors’ end-user count continues to dramatically increase.
A real multi-tenant environment never commingles data from multiple customers. It provides complete flexibility to configure objects or import/export historical data. And it is not a virtualized single-tenant solution. Most importantly, each customer’s data is secure relative to other customers’ data, and customization can be employed to the degree the application supports it without regard to what the other tenants are doing.
With a customer-focused ethic that is our single most important and recognized quality, we have worked to achieve a growth rate 3x that of our nearest competitor. It has also helped us earn nearly 100% customer reference-ability and to become one of the most widely recognized Business Execution Software solutions in the world. SuccessFactors currently has over 3,600 customers. We had one million end users at the end of 2005, more than two million end users at the end of 2006, three million end users at the end of 2007, and currently have more than 20 million subscribers in 177 countries and 60 different industries.
Always looking to the future and striving to improve, we take a three-pronged approach to product innovation:
- Industry Visionaries and Analysts. We routinely work with talent management industry visionaries and analysts to stay abreast of industry trends and to proactively enhance our application to support trends in the
- SuccessFactors Our research team of industry experts and PhDs are recognized leaders in the talent management marketplace. This research team has often afforded us the opportunity to set the direction for talent management vendors.
- Customer Community. As a 1-stop portal for customers, one of the SuccessFactors Customer Community’s main features is the ability for customers to proactively impact product Customers can suggest enhancements to the core product via our Idea Factory – then other users in the Community can “vote” on whether or not the enhancement should be included. Many of the best features of SuccessFactors originated as ideas from our customers.
Complete, Beautiful, Start Anywhere/Go Everywhere
Your Human Resources (HR) department impacts your organization’s ability to drive better business execution. We help HR leaders impact business execution by delivering beautiful, engaging HCM solutions that span the entire employee life cycle, supported by a global partner ecosystem, and the experience and commitment of SAP.
The SuccessFactors HCM suite is comprehensive, engaging and flexible enough to start with any product and expand to every product in the suite. SuccessFactors ties people strategy to business strategy with work flows, content, insights and expertise that directly impacts business results and drives company success.
The SuccessFactors HCM Suite includes a complete set of tightly integrated talent management solutions, robust workforce analytics and planning, plus a next generation core HR solution. We are uniquely advantaged to innovate and invest at the pace, breadth and depth necessary to help you drive business execution. We ensure your employee acquisitions are done right by combining the best of SAP with SuccessFactors to deliver a “future proof” HCM roadmap. We have over 40 years’ experience in helping our customers run their companies’ businesses, combined with the innovation, speed and culture of our cloud DNA. Our accelerated Employee Central development is delivering state of the art core HR in the cloud.
SAP SuccessFactors has a comprehensive and approved incident management policy and process. Upon the occurrence of a security incident, initial communication is distributed to the appropriate individuals and an escalation process is followed. Upon becoming aware of the incident, measures are promptly taken by the team to resolve the situation. All affected customers should be informed within 24 hours of confirming a potential breach in the privacy of their data. Following incident resolution, follow-up is required to ensure that the incident has been resolved effectively and that the threat is no longer present.
SuccessFactors is aligned with ISO 27k standards for event and incident management and has formal incident management policies and processes in place. These policies and procedures are tested in the ISO 27k and SOC 2 audits. SuccessFactors has appropriate security measures in place to protect its systems, as described below:
Ports and Equipment
Every page of the application is delivered via TLS encryption. The only port enabled in the infrastructure is port 443. No HTTP or port-80 traffic is allowed. SuccessFactors uses Cisco Systems network equipment, including firewall and switches. Each device in the network has a failover backup to ensure maximum uptime.
Intrusion Detection and Prevention
SuccessFactors offers the following standard for IDS/IPS:
- Host-based IDS/IPS, alerts responded to 24×7 – Puppet
- Network-based IDS/IPS, alerts responded to 24×7 – SecNap
On a daily basis, SuccessFactors uses multiple vendors to conduct vulnerability assessment testing. SuccessFactors also conducts these tests against the production environment, not a black box test environment that is configured to always pass. SuccessFactors believes that any vulnerability assessment and penetration testing is valuable, but only if under real world conditions with the opportunity to address any issues in real-time. The following vendors are used for vulnerability/penetration testing:
- WhiteHat Security, application-level vulnerability testing, focusing on ethical hacking, daily
- McAfee ScanAlert, application-level vulnerability testing, focusing on PCI-DSS, daily
- SecNap, network and infrastructure-level penetration testing, monthly
Defense against Common Attacks
SuccessFactors is a member and contributing author of OWASP. As such, SuccessFactors follows OWASP guidelines for application and server hardening and guidelines from the Center for Internet Security (CIS). Patented and proprietary technology is in place and specifically designed to mitigate against SQL injection, cross-site scripting (XSS), and cross-site request forgery attacks.
SuccessFactors uses the following strategy to mitigate against denial of service (DoS) attacks:
- Use a major third party for managed external DNS, providing a scalable, fault-tolerant global DNS infrastructure that is resistant against large scale distributed DoS attacks
- Monitor for DoS attacks at gateway routers and firewall interfaces
- Gateway routers have ACLs set to drop invalid inbound IP address ranges and unused TCP ports
- Have an incident response policy and procedure for remediation upon detection or report of DoS attacks
- Have contractual SLA from primary ISP for DoS response and mitigation support to prevent from becoming a launching point for DoS attacks
- All data center servers and workstations are locked down and secured
- Internally use egress filtering, i.e., verify source IP address ranges to prevent spoofing
- Disable directed/multicast traffic to prevent Smurf attacks
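As an added example that is not part of SuccessFactors’ documentation or configuration, the following Python model applies the perimeter rules listed above (HTTPS-only inbound, dropping invalid source ranges and unused ports, egress source-address checks, and dropping directed broadcast and multicast) to constructed packets; the provider prefix, the bogon list and the permitted port set are assumptions chosen for illustration.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Assumed values (constructed for this example): the provider's own public prefix,
# taken from the RFC 5737 documentation range, and the inbound ranges that are dropped.
OWN_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]
INVALID_INBOUND = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]
ALLOWED_INBOUND_TCP_PORTS = {443}   # only HTTPS is permitted inbound


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    direction: str   # "in" = arriving from the Internet, "out" = leaving for the Internet


def _in_any(addr: ipaddress.IPv4Address, nets) -> bool:
    return any(addr in n for n in nets)


def filter_packet(pkt: Packet) -> tuple[bool, str]:
    """Return (permitted, reason) for one packet under the gateway ACL policy."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if pkt.direction == "in":
        if _in_any(src, INVALID_INBOUND):
            return False, "drop: invalid/bogon inbound source range"
        if _in_any(src, OWN_PREFIXES):
            return False, "drop: our own prefix arriving from outside (spoofed)"
        if dst.is_multicast or any(dst == n.broadcast_address for n in OWN_PREFIXES):
            return False, "drop: directed broadcast/multicast (Smurf amplification)"
        if not _in_any(dst, OWN_PREFIXES):
            return False, "drop: destination is not one of our addresses"
        if pkt.dport not in ALLOWED_INBOUND_TCP_PORTS:
            return False, f"drop: TCP port {pkt.dport} is not permitted inbound"
        return True, "permit"
    if pkt.direction == "out":
        # Egress filtering: outbound packets must carry a source address we actually own,
        # so a compromised internal host cannot be used as a spoofed DoS launching point.
        if not _in_any(src, OWN_PREFIXES):
            return False, "drop: egress source address is not in our ranges"
        if dst.is_multicast:
            return False, "drop: multicast egress is disabled"
        return True, "permit"
    return False, "drop: unknown direction"
```

Each drop reason maps to one bullet in the list above, so the function can double as a checklist when reviewing a real ACL set.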
SuccessFactors has implemented a multi-tiered architecture, leveraging a strategy of “defense in depth” with 6 tiers of virtual networks (VLAN) for separation at each delivery layer. Network traffic is logged and monitored with live monitoring through an intrusion detection system (NIDS), and controlled through a series of switches and routers where data must pass through each tier in order to get to the next tier. In addition to physical (site) security, the logical network stratification includes the following:
- Tier 1 (external VLAN/firewall): the first tier consists of the external network and perimeter firewalls. These provide an initial layer of defense and protect the following layers from unauthorized access. Note that port 443 (HTTPS for web traffic) is the only port open.
- Tier 2 (internal VLAN/firewall): a de-militarized zone (DMZ) exists with load balancers. The DMZ provides a second line of defense while the load balancers are the first layer of scalability for the service delivery. The DMZ functions as a neutral zone between the network and the outside public network.
- Tier 3 (web VLAN): the web tier presents the user interface to the application and separates the application, reporting, and utility servers from the other
- Tier 4 (application VLAN): the application tier contains the business logic and transaction servers and is managed through clustered, high availability (HA) Pre-configured as “Pods,” additional servers can be added as needed to provide scalability and performance.
- Tier 5 (database VLAN): the database tier is protected by an additional set of perimeter firewalls. The database processing is executed on database servers leveraging a multi-tenant, fully qualified database.
- Tier 6 (storage VLAN): data is persisted to disks, which include a storage area network (SAN). Prior to storage, data is encrypted by way of a data appliance with AES-256 encryption.
A. Disaster Recovery Plan
SuccessFactors has a formal Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) in place, which are reviewed and tested at a minimum of once per year. SuccessFactors’ BCP and DRP are also independently reviewed as part of a semi-annual SSAE16-SOC2 audit.
SuccessFactors maintains two distinct co-location facilities in each major geographic region (i.e., Americas, Europe, and Asia), each configured as a warm-site failover to each other in case of disaster. Database backups are encrypted and stored at both facilities for redundancy and disaster recovery purposes.
While SuccessFactors cannot release copies of its BCP or DRP for confidentiality reasons, the following is an outline of the plans. The Business Continuity and Disaster Recovery plans are organized as follows:
- 1.1 Including Information Security in the Business Continuity Management Process: SuccessFactors has developed and maintained a managed process for business continuity throughout the company that addresses the information security requirements needed for SuccessFactors’ business continuity.
- 1.2 Business Continuity and Risk Assessment: SuccessFactors has identified events that can cause interruptions to business processes, along with the probability and impact of such interruptions and their consequences for information security.
- 1.3 Developing and Implementing Continuity Plans Including Information Security: SuccessFactors has developed and implemented plans to maintain or restore operations and ensure availability of information at the required level and in the required time scales following interruption to, or failure of, critical business processes.
- 1.4 Business Continuity Planning Framework: SuccessFactors maintains a single framework of business continuity plans to ensure all plans are consistent, to consistently address information security requirements, and to identify priorities for testing and maintenance.
- 1.5 Testing, Maintaining and Reassessing Business Continuity Plans: SuccessFactors regularly tests and updates business continuity plans to ensure effectiveness.
SuccessFactors load balances at every tier in the infrastructure, from the network to the database servers. F5 load balancers are used to route traffic to an available web server to process the request. Application server clusters are enabled to ensure that servers can fail without interrupting the user experience. SuccessFactors maintains an N+1 approach for all equipment in its hosted SaaS environment, so that there is never a single point of failure.