Anda di halaman 1dari 7

Security overview

Security is a priority at Anaplan. Anaplan was built from the ground

up using the core principles of information security, also known as
the CIA triad:

Confidentiality Prevent the disclosure of information to

unauthorized individuals or systems.

Integrity Maintain and assure the accuracy and consistency of

data over its entire lifecycle.

Availability Ensure the information is available when needed.

Anaplan is committed to achieving and maintaining these principles

and the trust of our customers. Integral to this is providing a
robust security and privacy program that carefully considers data
protection matters across our suite of services, including data
submitted by customers to our services (customer data).
Company Architecture The following security and privacy-related
frame-works, audits, and certifications are
To support these principles, Anaplan was deliberately Anaplan hardware is hosted at third-party facilities applicable to Anaplan:
crafted as a highly distributed global company (data centers). Apart from utilities such as power,
ISO 27002 and 27018: Anaplan has adopted the
that allows for significant resiliency against threats lighting, fire suppression, etc., the production data
ISO 27k framework as the basis for information
and disasters. All functions within Anaplan are center infrastructure is completely owned, controlled,
security and privacy policies. Anaplan has scoped
geographically distributed across the globe, reducing managed, and maintained by Anaplan employees
and tailored this standard to meet our business
risks associated with regional events.
The U.S. offices host most of the sales, marketing, DATA CENTERS Service Organization Control (SOC) reports:
and support activities. Staff in the U.K. and Singapore
The Anaplan data centers are based in Virginia, Anaplan undergoes SOC 2 audits every six
offices provide regional coverage, in addition to
U.S., and Amsterdam, EU. These locations were months, and SOC 1 audits at least annually.
backup support.
chosen based on their low-risk environments Anaplans data centers information security
The U.K. office provides core product development, for earthquakes, flooding, and other large-scale control environment applicable to Anaplan
with additional staff in the U.S. and France develop- natural disasters. undergoes an evaluation in the form of SSAE 16
ment offices. The source code repository is hosted Service Organization Control (SOC-1) report. The
at the offsite data center. All development, tests, and Prior to selection, each facility was subjected EU data center is also ISO 27001 certified.
support staff are able to operate remotely over secure, to a stringent assessment for the presence,
implementation, and ongoing administration of Anaplan is currently in the process of obtaining
two-factor VPN connections and provide ongoing
physical security controls. TRUSTe Enterprise Certification, which demonstrates
development and technical support in the event that
our privacy compliance against a number of globally
the main offices are unavailable.
Each facility is fully protected 24x7x365 by security recognized privacy frameworks.
Anaplan has a number of processes to ensure that guards, high-security fencing, and video cameras.
All access and activity is logged, recorded, and Anaplan is also in the process of evaluating Privacy
any invocation of the disaster recovery plan leads to a
stored for no less than 30 days. Shield requirements.
quick and efficient restoration of services in the event
of a major disaster.
Entry to each facility requires prior authorization
Onsite and offsite backups, resilience and redundancy and a process of identification validation and
in the infrastructure, availability of secondary data biometric confirmation.
centers, and the use of geographically distributed
Facilities have an annual audit by industry-leading
infrastructure and support staff enable disaster
firms for ISO 27001 and SSAE 16 Type II compli-
recovery plans to execute quickly and efficiently in the
ance. Anaplan performs its own annual data center
event of a major disaster.

Technology providers are Cisco, Dell, EMC, F5, HP,

and RSA.

REDUNDANT INFRASTRUCTURE WiFi and removable media are not available in the
Security controls data centers.
Anaplans infrastructure utilizes a redundant active/
Anaplan is designed with security in mind, from
passive design to enable full operational failover. A
networks and servers, to how users access and USER ACCESS, CONTROLS,
failure of any single component should not lead
manage data. The Anaplan platform is a unique blend AND POLICIES
to a disruption in customer service or a loss of
of proprietary technology that securely collects and
customer data. In the event of a primary failure, the Anaplan supports a variety of configurable security
stores data, yet is agile enough to interface with
redundant architecture will allow for full failover to controls that provide customers the security of
external systems.
the secondary system(s). Anaplan for their own use. These controls include:
Anaplan maintains an ACID-compliant software stack
Anaplan Administration to give administrators
SECURITY INFRASTRUCTURE that guarantees data is always in a known safe state.
greater governance and control, enabling them
Each facility is protected by a defense-in-depth Atomicity requires that each transaction is all to implement user changes and organize models
security architecture consisting of firewalls, IDS or nothing. If any one part of the transaction fails, across the business.
(Intrusion Detection Systems), anti-virus/anti- then the entire transaction fails and the model is
Unique user identifiers (user IDs) to ensure that
malware protection, and monitoring capabilities. left unchanged.
activities can be attributed to the responsible

NETWORK INFRASTRUCTURE Consistency ensures that any change will individual.

bring the model from one valid state to another.
Controls to revoke access after several
The internal network infrastructure is securely
segmented using firewalls, virtual networks (VLANS), Isolation requires that multiple transactions consecutive failed login attempts.

and access control lists (ACLs), which limit access occurring at the same time do not impact one
Controls to ensure generated initial passwords
and communication between systems. No system or anothers execution.
must be reset on first use.
individual can reach another system unless explicitly
authorized to do so.
Durability means that once a transaction Controls to force a user password to expire after
has been committed, it will remain so even in the a period of use.
event of a crash or error.
SERVER INFRASTRUCTURE Controls to terminate a user session after a
Core software consists of an in-memory data period of inactivity.
All servers run Linux Operating System and are storage model to achieve the fastest computational
hardened according to policy based on Center for results, yet maintains an active log of all changes Password complexity requirements:
Internet Security standards. on disk in real time.
Minimum of 8 characters
All hosts are subject to a regular patching and The full data model is persisted to SAN using AES
maintenance routine. At least one uppercase character
256-bit encryption.

All hosts are periodically scanned for vulnerabili- At least one lowercase character
User query logs are written to disk before any
ties and security threats using the industry- changes are applied in memory. At least one numeric character
leading Nessus.
All data is stored and accessed through the same Must be changed every 90 days
All servers are controlled and managed by secure interface.
an automation system to ensure consistent
configuration across the environment. Data never crosses the Internet unencrypted.

New users are denied access to any data by default. All employees are subject to background checks WEB APPLICATION
Access must be granted by the customer-designated prior to employment. VULNERABILITY MANAGEMENT
All employees are trained on documented The Anaplan application is subjected to a regular web
Anaplan fully supports SAML 2.0 for Single Sign- information security and privacy procedures. application scanning (WAS) process carried out using
On (SSO) and can be utilized for customers who market-leading security and compliance provider,
All employees are required to sign customer data
prefer to retain total control of their users through a QualysGuard. Further scans are performed using
confidentiality agreements.
centrally managed system. Leveraging SSO affords Nessus and Burp Scanner.
the customer the ability to place user authentication All employees in the Engineering, Quality
entirely under their control. This includes password Assurance, Technical Operations, and Security
complexity policies, time-of-day access windows,
two-factor authentication, and any other controls
teams receive additional security training. Security procedures,
required by the customers security policies. All access is immediately revoked upon policies, and logging
termination of employment.
All services are monitored both internally and from an
ANAPLAN EMPLOYEE ACCESS, external system. Anaplan is operated in accordance
CONTROLS, AND POLICIES SECURITY TEAM with the following procedures to enhance security:

Employee access to production infrastructure is Anaplan has a number of full-time employees around
the world focused on governance, risk, audit, and SECURITY LOGS
permitted only with RSA two-factor authentication
via secure VPN. compliance in the areas of security and privacy. Team
All systems (for example, firewalls, routers,
members have years of industry experience and well-
network switches, and operating systems)
Access to any data center server is further known industry certifications, including CISSP, CISM,
used in the provision of Anaplan will log
protected by the mandatory use of SSH public key CISA, CIPT, CIPM, and CIPP/US.
information to their respective system log
infrastructure (PKI) technology.
facility and to a centralized syslog server.
Employees do not have access to customer data.
Vulnerability and All data access by customer and staff is
All customer data is owned by the customer. monitored and logged.
malware management
Anaplan staff cannot see any end-user data All data changes by customer and staff are
without being granted permission by the customer MALWARE AND VIRUSES monitored and logged.
through the native access control system.
Anaplan will never introduce any virus or malware Logging will be kept for a minimum of 365 days.
Access is based on the information security to a customers systems. Scans are performed
for viruses and malware that could be included in Logging will be kept in a secure area to
principle of least privilege, with access strictly
attachments or other customer data uploaded into prevent tampering.
limited to a select number of skilled individuals.
Anaplan by a customer.
All access is monitored and logged.

Audit logs include the following: Data at rest within the system is stored in a unique
non-readable binary format and subject to full- Disaster recovery
Date, time, and time zone of the event. disk AES-256 encryption. Disaster recovery plans are in place and tested at least
URL executed or entity ID operated on. once per year.

Identity of the system and the component. The last full test was performed in June 2016.
Type of event and operation performed (viewed, Anaplan utilizes disaster recovery facilities that are
edited, etc.). All onsite data is held on redundant disk-encrypted geographically remote from their primary data
SAN using industry-standard AES-256 technology. centers, along with the required hardware, software,
Success or failure. and Internet connectivity. In the event production
Data is also streamed in near real time to an offsite
capabilities at the primary data centers becomes
User ID. backup and disaster recovery center via 2048-bit
unavailable, the disaster recovery hosting facilities
SSL encryption.
Client IP address.* would be enabled and brought online. Since
Backed up data is stored using AES-256 customer data is already streamed and held at these
*Not available if NAT (Network Address Translation)
encryption. same facilities, recovery time is greatly decreased.
or PAT (Port Address Translation) is used by a
customer or its ISP. Model changes are easily reversible and can be Anaplans disaster recovery plans currently have the
returned to previous versions within seconds. following target recovery objectives:
Passwords are not logged under
any circumstances. End users can archive models within their a) RTO of 12 hours after declaration of a disaster.
workspace at will.
b) RPO of 30 minutes.
All user changes are reviewable and easily
Data encryption reversible.

Anaplan uses industry-standard encryption

products to protect customer data and
Data is stored in more than one area, with each
model store being replicated to a secondary unit
System maintenance
communications during transmissions between a that will assume responsibility in the event of a Maintenance is carried out during non-business hours,
customers network and Anaplan. primary failure. typically Saturday afternoon from 1 p.m. to 5 p.m.,
Pacific Time. Maintenance is most commonly used for
All data in transit between client and server is
RECOVERY PROCEDURE a new version release, typically every 4-6 weeks.
encrypted via HTTPS using TLS 1.2. Key exchange is
done via the browser using certificates that are 2048- In the event that data needs to be restored and
bit. Session key length is negotiated by the end-user application history is not available, the onsite
browser using the strongest available encryption. SAN backups would be the next point of recovery.
Restoration time will vary depending on the volume
of data to be recovered from the SAN, but a single
server restore would take no more than a few hours.

Event occurs

Change management Security analyst Event management

Anaplan follows fully documented change Anaplan maintains event management policies and
management procedures for all tiers of the service procedures as shown in this Information Security
covering application, operating system, server, and Event Management Escalation Workflow.
network layers.

All configuration changes are tracked and

managed through a written ticketing system.

Customer data

Upon contract termination, customer data submit-

ted to Anaplan is retained in inactive status within
Anaplan for 30 days and a transition period of up to
an additional 30 days, after which it is overwritten
or deleted. Anaplan reserves the right to reduce the
number of days it retains such data after contract
termination. This process is subject to applicable legal
and/or contract requirements.


Plans by Line of Business

About Us
Anaplan is the leading planning and performance management
platform for smart businesses. Anaplan combines an unrivaled
planning and modeling engine, predictive analytics, and cloud
collaboration into one simple interface for business users.
Anaplan is a privately held company based in San Francisco
with 16 offices worldwide. To learn more, visit
Follow us on: Twitter, LinkedIn, YouTube, and Facebook.