Answering the Security Question

Audience
The information in this deck is geared towards IT security personnel, system administrators, and chief information officers (CIOs). However, anyone with IT experience will find it helpful in explaining security at Yammer.

Topics and Learning Objectives
This deck covers the following topics about Yammer's security:
• The different practices that Yammer has instituted to maintain security
• The technical aspects of Yammer's security features
• The security tools that Yammer provides customers to help them administer security

After completing this course, you will be able to:
• Discuss Yammer's security and privacy policies
• Describe Yammer's user access and content controls
• Articulate Yammer security to CIOs and other security professionals

What Do CIOs Want To Hear?

Yammer is Private and Secure
Yammer is Private
• All customer data in a Yammer network is fully owned and managed by the customers that input their data.
• The information shared through Yammer is private and restricted to employees within your organization.
• Preserving the confidentiality and integrity of your information is a top priority at Yammer.

Yammer is Secure
• Yammer's deep culture of security is ingrained into its product development and practices.
• Yammer takes an iterative approach in designing security procedures and controls. We continuously analyze our controls, policies, and software designs to ensure users are protected.

Yammer Takes Compliance Seriously
Yammer takes third-party compliance seriously. To meet industry standards and keep our customers secure, our Security Engineering Leadership has charted a roadmap that includes:
• Compliance with the American Institute of CPAs (AICPA) SSAE 16 SOC 1 attestation for its production data center.
• Pursuit of the International Organization for Standardization's ISO 27001 information security management standard.
• Preparation for the Federal Risk and Authorization Management Program (FedRAMP) security authorization.

Yammer's Secure Foundation

Secure Connections and Applications
Yammer takes steps to secure network traffic and in-transit customer data:
• Connections are secured via HTTPS. Attempts over HTTP are always redirected to HTTPS.
• Transport Layer Security (TLS) certificates are enabled with a minimum 1024-bit asymmetric key.
• Yammer maintains deny access control lists (ACLs) at all Internet ingress connections.
• Security context verification is enabled to verify the source and destination of customer data.
• Yammer uses a mix of third-party firms to conduct quarterly penetration tests and provides test results to customers.

Yammer makes application security a priority:
• Yammer is tested against the Open Web Application Security Project (OWASP) Top Ten Vulnerabilities Project, which includes:
  • SQL injection and cross-site scripting (XSS) attacks.
  • Broken authentication and session management bugs.

A Modern and Secure Infrastructure
Yammer's infrastructure is secured through:
• Strict personnel access controls, including biometric and PIN-based locks.
• Detailed visitor entry logs and video surveillance all day, every day.
• Linux servers hardened using industry-standard configuration scripts developed by the Center for Internet Security.
• Physical and logical separation between the web, application, and data storage servers.

Yammer's infrastructure is compliant:
• Security and compliance are a top priority for Yammer's security team.
• Yammer's data center is offsite and Tier IV SSAE 16 SOC 1 compliant.
• Weekly access audits are performed to ensure data center access is limited appropriately.
• Yammer is migrating to Microsoft's Global Foundation Services (GFS) data centers in the next year. GFS has a host of compliance certifications, including ISO 27001.
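The two transport controls on the "Secure Connections and Applications" slide (forced HTTP-to-HTTPS redirection and a minimum certificate key size) are the kind of thing a customer's security team verifies rather than takes on faith. The following is an added example, not Yammer's code or anything from the deck: it evaluates a hand-built redirect chain and certificate summary offline, so the `Hop` records, hostnames, dates and key sizes are all constructed sample data standing in for the output of a live probe. The slide states a 1024-bit minimum; the checker defaults to 2048 bits because public CAs and browsers no longer accept 1024-bit RSA keys, and the threshold is a parameter so either value can be applied. The optional HSTS check goes beyond the slide and is labelled as such.

```python
"""Offline checks for the transport controls on the 'Secure Connections and
Applications' slide: HTTP-to-HTTPS redirection and certificate key size.
Constructed example, not Yammer's code; the redirect chains and certificate
summaries below are hand-built sample data standing in for a live probe."""
from dataclasses import dataclass, field
from datetime import date
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 307, 308}


@dataclass
class Hop:
    """One response in a redirect chain: URL requested, status and headers returned."""
    url: str
    status: int
    headers: dict = field(default_factory=dict)


def check_https_redirect(chain, require_hsts=False):
    """Return findings (empty list = pass) for a chain that starts with an
    http:// request. Every plaintext hop must redirect to https:// on the
    same host, and the chain must end with a non-redirect HTTPS response.
    require_hsts additionally expects Strict-Transport-Security on the final
    response, a check the slide does not mention but that usually
    accompanies forced redirection."""
    if not chain:
        return ["empty chain"]
    findings = []
    origin_host = urlsplit(chain[0].url).hostname
    for i, hop in enumerate(chain):
        if urlsplit(hop.url).scheme == "http":
            if hop.status not in REDIRECT_CODES:
                # Content served over plaintext means the redirect is not enforced.
                findings.append(f"hop {i}: content served over plaintext HTTP ({hop.status})")
                continue
            location = hop.headers.get("Location", "")
            target = urlsplit(location)
            if target.scheme != "https":
                findings.append(f"hop {i}: redirect target is not HTTPS: {location!r}")
            elif target.hostname != origin_host:
                findings.append(f"hop {i}: redirect leaves origin host: {target.hostname}")
    last = chain[-1]
    if urlsplit(last.url).scheme != "https" or last.status in REDIRECT_CODES:
        findings.append(f"chain does not end on an HTTPS response: {last.url} ({last.status})")
    elif require_hsts and "Strict-Transport-Security" not in last.headers:
        findings.append("final HTTPS response lacks Strict-Transport-Security")
    return findings


def check_certificate(cert, today, min_key_bits=2048):
    """Check a certificate summary (dict with key_bits and not_after) against a
    minimum key size and an expiry date. Default threshold is 2048 bits; pass
    min_key_bits=1024 to apply the figure stated on the slide."""
    findings = []
    if cert["key_bits"] < min_key_bits:
        findings.append(f"key is {cert['key_bits']} bits, below the {min_key_bits}-bit minimum")
    if cert["not_after"] < today:
        findings.append(f"certificate expired on {cert['not_after']}")
    return findings


# Constructed sample data: a compliant chain, a broken one, and two certificates.
GOOD_CHAIN = [
    Hop("http://www.example.com/", 301, {"Location": "https://www.example.com/"}),
    Hop("https://www.example.com/", 200, {"Strict-Transport-Security": "max-age=31536000"}),
]
BAD_CHAIN = [
    Hop("http://www.example.com/login", 200, {"Content-Type": "text/html"}),
]
STRONG_CERT = {"key_bits": 2048, "not_after": date(2030, 1, 1)}
WEAK_CERT = {"key_bits": 1024, "not_after": date(2020, 1, 1)}

if __name__ == "__main__":
    for name, chain in (("good", GOOD_CHAIN), ("bad", BAD_CHAIN)):
        print(name, check_https_redirect(chain, require_hsts=True) or "pass")
    for name, cert in (("strong", STRONG_CERT), ("weak", WEAK_CERT)):
        print(name, check_certificate(cert, date(2024, 1, 1)) or "pass")
```

In practice the chain would be filled from a real client that does not follow redirects automatically, one hop per request, and the certificate summary from the negotiated TLS session; keeping the evaluation separate from the probe is what makes the policy testable offline.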
Robust Backup and Recovery
Yammer's disaster recovery plan ensures that your data is safe and secure, even when the unthinkable happens.
• Backups of the database are taken daily, and sometimes multiple times a day.
• Backups are encrypted with AES-128 after completion and replicated securely offsite.
• Yammer can redeploy its infrastructure in the cloud quickly and securely if its data center is affected by a natural disaster.

Yammer's Security Tools

Easy and Powerful User Provisioning
Yammer's user provisioning tools take the work out of user access control:
• Yammer's administration panel gives the customer's verified administrator the ability to manage user details individually or in bulk using comma-separated values (CSV).
• Beyond its own user access tools, Yammer supports Active Directory integration, giving the customer easy access to streamlined user management.

Yammer makes it easy to support Single Sign-On (SSO):
• Yammer's SSO module lets you easily access Yammer in just one click from an SSO portal, where all your enterprise applications are already located.
• Yammer's SSO server connects to your existing SAML-based SSO server to automatically log in your users based on your authentication mechanisms.
(Diagram: User, SSO Portal, SAML SSO Server)

Passwords, Sessions, and Keywords
Yammer makes it simple to manage password policies for every user. Through the Yammer Admin Console, verified administrators can control:
• Password strength.
• Password length.
• Password expiry.

Yammer allows users and administrators to manage their sessions.
• Verified administrators can log users out using the Yammer Admin Console.
• Users are able to manage their own specific sessions.

Using keyword monitoring, Yammer puts you in control of your content.
• Verified administrators can monitor keywords and regular expression strings.
• Administrators and community managers are notified of banned keyword entries.
• Administrators may remove the post in question from the Yammer UI.
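The "Passwords, Sessions, and Keywords" slide lists two controls that are easy to describe and worth seeing concretely: a password policy covering strength, length and expiry, and keyword monitoring that matches plain keywords or regular expressions and notifies administrators. The following is an added example written for this deck, not Yammer's code, and it does not reflect how the Yammer Admin Console implements either feature. The policy values, the account records, the watchlist entries and the sample posts are all constructed; `PasswordPolicy`, `password_findings`, `compile_watchlist` and `monitor_posts` are names chosen for the example.

```python
"""Two administrative controls from the 'Passwords, Sessions, and Keywords'
slide as a constructed example (not Yammer's code): a password-policy check
(strength, length, expiry) and a keyword/regex monitor that emits the
notifications an administrator or community manager would review."""
import re
from dataclasses import dataclass
from datetime import date, timedelta

# Character classes counted toward "strength": lowercase, uppercase, digit, symbol.
CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


@dataclass(frozen=True)
class PasswordPolicy:
    """Constructed policy values; a real deployment would set these per network."""
    min_length: int = 12
    required_classes: int = 3
    max_age_days: int = 90


def password_findings(password, last_changed, today, policy=PasswordPolicy()):
    """Return the policy violations for one password (empty list = compliant)."""
    findings = []
    if len(password) < policy.min_length:
        findings.append(f"shorter than {policy.min_length} characters")
    classes = sum(bool(re.search(p, password)) for p in CHARACTER_CLASSES)
    if classes < policy.required_classes:
        findings.append(f"uses {classes} character classes; policy requires {policy.required_classes}")
    if today - last_changed > timedelta(days=policy.max_age_days):
        findings.append(f"older than {policy.max_age_days} days; expired")
    return findings


def audit_accounts(accounts, today, policy=PasswordPolicy()):
    """Map each username to its findings for (username, password, last_changed) rows."""
    return {name: password_findings(pw, changed, today, policy) for name, pw, changed in accounts}


@dataclass(frozen=True)
class Post:
    post_id: int
    author: str
    text: str


def compile_watchlist(plain_keywords, regex_patterns):
    """Build (label, compiled pattern) pairs. Plain keywords are escaped and
    matched as whole words, case-insensitively; regex entries are used as written."""
    watchlist = [(kw, re.compile(r"\b" + re.escape(kw) + r"\b", re.IGNORECASE))
                 for kw in plain_keywords]
    watchlist += [(rx, re.compile(rx, re.IGNORECASE)) for rx in regex_patterns]
    return watchlist


def monitor_posts(posts, watchlist):
    """Return one notification per (post, matched rule) so administrators can
    review the post and remove it if needed. The post itself is left in place;
    removal is a separate administrative decision."""
    notifications = []
    for post in posts:
        for label, pattern in watchlist:
            match = pattern.search(post.text)
            if match:
                notifications.append({"post_id": post.post_id, "author": post.author,
                                      "rule": label, "match": match.group(0)})
    return notifications


# Constructed sample data for the demonstration.
TODAY = date(2024, 3, 1)
SAMPLE_ACCOUNTS = [
    ("alice", "correct-Horse-battery-9", date(2024, 1, 15)),
    ("bob", "password", date(2023, 6, 1)),
]
WATCHLIST = compile_watchlist(
    plain_keywords=["confidential", "do not distribute"],
    regex_patterns=[r"\b\d{3}-\d{2}-\d{4}\b"],   # SSN-format number
)
SAMPLE_POSTS = [
    Post(1, "alice", "Lunch plans for Friday?"),
    Post(2, "bob", "Attaching the CONFIDENTIAL Q3 forecast, do not distribute outside finance."),
    Post(3, "carol", "New hire id is 123-45-6789, please onboard."),
]

if __name__ == "__main__":
    for name, findings in audit_accounts(SAMPLE_ACCOUNTS, TODAY).items():
        print(name, findings or "compliant")
    for note in monitor_posts(SAMPLE_POSTS, WATCHLIST):
        print(note)
```

Plain keywords are escaped before compilation so that a keyword containing `.` or `(` cannot accidentally become a wildcard, while regular-expression entries are taken verbatim; keeping the two kinds separate in the watchlist is what lets an administrator reason about what each entry will match.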
Learning Review and Additional Resources

Learning Review
In this deck, we provided information covering:
• How to position Yammer's security to CIOs.
• The tools Yammer provides to help you manage users and security.
• Yammer's security layers and commitment to compliance.

With this information, you should be able to:
• Discuss Yammer's security and privacy policies.
• Describe Yammer's user access and content controls.
• Articulate Yammer's security to CIOs and other security professionals.

Additional Resources
The following resources can provide you with additional information about Yammer's security practices and tools:
• The Security Information page at the Yammer Success Center contains the latest security information and overview document.
• For information about the security of Yammer and Office 365, visit the Office 365 Trust Center.

Questions?