Offering a Software-as-a-Service (SaaS) solution for enterprise companies today requires security considerations at the forefront.
Think security isn’t the most critical factor for a cloud provider? Consider the ironic nightmare scenario for the cloud-based password security site LastPass, which suffered a 2015 data breach compromising account email addresses and authentication hashes, among other items. As reported by ZDNet at the time, the indignities didn’t stop with the breach for the firm, which allows users to store passwords in encrypted form on its servers. Many LastPass users weren’t notified of the attack until days later, and others couldn’t get past the site’s password-reset page due to overloaded servers.
Now consider when the solution under consideration involves a corporation’s revenue management processes – the top line of any financial system. Security considerations are – as they should be – paramount.
Why Leeyo Selected SOC 2, Type 2 Certification
Leeyo Software understands the responsibility placed upon our virtual shoulders in delivering a trusted SaaS solution to some of the largest and most sophisticated enterprise organizations across the globe. It is why the company uses service organization Amazon Web Services (AWS) for its Elastic Compute Cloud (EC2) virtual machine infrastructure. In response to the high degree of scrutiny in the quality of controls in place for cloud providers, Leeyo has since the inception of its SaaS solution sought and earned repeated certification through independent service organization control (SOC) 2 Type 2 audits.
The independent assurance behind this certification plays a key role in enabling Leeyo to deliver transparency to its customers and the industry as a whole. Leeyo as a company understands a material demonstration of trust – the key commerce among SaaS providers – is essential. The best way to build that trust in the service offered through RevPro OnCloud is through SOC 2 attestation.
These standards of control originated from an international accounting standard formerly referred to as SAS 70, developed by the Accounting Standards Board (ASB) and the American Institute of Certified Public Accountants (AICPA) to focus on “Trust Service Principles” (TSP) for service organizations. SOC reports are internal control reports on the services provided by a service organization and are designed to provide valuable information to help users and customers define and interpret risks associated with outsourced financial and accounting services. The SOC 2 report, endorsed by the Cloud Security Alliance, is based on TSPs to go beyond financial reporting controls and examine cloud-based systems for security, availability, processing integrity, confidentiality and privacy in accordance with AICPA attestation standards. A “Type 2” report includes design and testing of controls to report on the operational effectiveness of controls over a period of time, in comparison to a “Type 1” report which evaluates and reports on the design of controls put into operation as of a specific point in time.
As the RevPro application, a revenue recognition automation software solution, is based on organizational controls, Leeyo selected SOC 2 Type 2 as its certification of choice with complete confidence.
Unlike the SOC 1 audit which is based on internal controls over financial reporting, the purpose of a SOC 2 audit is to evaluate an organization’s information systems relative to the aforementioned security, availability, processing integrity, confidentiality and privacy concerns.
The following were additional RevPro-specific factors considered when selecting the means by which to test and validate the controls put in place:
- RevPro is purely a configurable application. Based on the configurations performed in RevPro upon customer approval, revenue is processed and reported.
- RevPro doesn’t certify the accuracy of the statements. We expect the customer to certify the numbers based on the rules to which they have agreed.
- RevPro provides a framework to configure, process and report revenue.
- The RevPro application follows GAAP guidelines and is not generic across all industries. Every vertical and customer has its own way of processing and reporting revenue.
Leeyo Performs Constant, Additional Security Testing
In addition to the aforementioned SOC 2 audit, Leeyo performs penetration testing regularly through a security posture assessment of its web applications, performed by an information assurance research firm. This assessment includes in-depth business-logic testing and covers, among others, the Open Web Application Security Project (OWASP) Top 10 vulnerabilities, the CWE/SANS Top 25 most dangerous software errors (the result of a collaboration between the SANS Institute, MITRE, and top software security experts in the US and Europe) and Web 2.0 vulnerabilities.
By employing AWS, one of the largest cloud providers, as a sub-service, all other certification and accreditation processes surrounding data center facilities, platforms, network protection from rogue machines/hubs/switches/routers, etc. are inherently addressed by way of AWS infrastructure and compliance controls. Leeyo hosts cloud data for all customers at undisclosed AWS East and AWS West locations.
Twenty Questions About RevPro’s Cloud Security
Leeyo receives a lot of questions from potential customers on a variety of security topics. We have answered the top 20 here:
Questions About Integration
Q: What options does RevPro OnCloud offer to bring data from a source system and post data back into the source system?
A: RevPro OnCloud offers three options: SOAP-based web services, flat-file-based integration, and manual upload and download via the RevPro front end. With the release of RevPro 3, the product has added RESTful web services for data integration, supporting different application exchange formats including XML, JSON and text/csv (for additional detail, see “RevPro NextGen APIs for 3.x”).
Q: With what other systems does RevPro integrate?
A: The product is ERP agnostic and has been designed to integrate with any transactional source system. The software has standard adapters for integration with Oracle, SAP, NetSuite, Microsoft Dynamics AX, Workday and other ERP/CRM systems. Additional integration adapters are in the works, and custom integration can be done for other systems.
Questions About System Backup and Maintenance
Q: How frequently are system backups performed?
A: Leeyo performs various types of backups on a daily basis, each with different, yet extensive, retention periods, depending upon the type of backup and retention policy. We have daily physical and logical backups in place. Every 15 minutes we do a change log backup, the result of which is ported to a Disaster Recovery (DR) site for safe-keeping. Our daily backups can range in frequency from 15 minutes to 24 hours, with an ultimate retention policy of up to five years. In addition, Leeyo also does weekly, monthly and annual backups. We are confident in our ability to match and often exceed any customer’s specific needs regarding our backup policy.
Q: Is there a scheduled maintenance window and, if so, what is the frequency?
A: Leeyo provides a patch with security updates and product bug fixes on a quarterly basis. However, any critical security bugs are fixed as soon as they are identified and a fix is made available. In terms of notification, we ensure a minimum of a two-week advance notice to customers. Scheduled maintenance is performed in the middle of a month, outside of typical month-end and quarter-end processes as much as possible. Leeyo understands our users’ critical need to direct attention to those month-end and quarter-end windows of time, and as such all reasonable business effort is made to avoid those time frames. Scheduled maintenance can include security updates, product bug fixes, tech stack updates and resource re-balancing.
Q: Do Leeyo customers have the right to deny the product patches or upgrades?
A: Customers cannot deny the patches and updates. However, as mentioned, Leeyo will make every effort to work with our customers to schedule patching/upgrades following a standard change control process, keeping in mind period closing cycles. As an example, a customer may request that Leeyo adjust the maintenance window, and we will make a reasonable effort to accommodate such a change, but cannot guarantee this.
Q: What are the Service Level Agreements (SLAs) around restoration of services in the event of a disaster?
A: Leeyo commits to a Recovery Point Objective (RPO) of 1 hour or less and a Recovery Time Objective (RTO) of 48 hours. The Recovery Point Objective is a company’s stated goal for how much loss (measured as a span of time) could occur for customers in the event of a site-level disaster; for RevPro, that loss of time is capped at a maximum of one hour. The Recovery Time Objective is the maximum amount of time required to get a data recovery site back up and running.
Questions About System Monitoring
Q: What is the monitoring frequency for RevPro system performance?
A: Leeyo runs a 20-point system-, application- and database-level check a minimum of every 10 minutes to ensure availability and performance. This procedure includes a check on availability, utilization, resource contention alerts and security incidents, with built-in notification and escalation systems in place.
Q: What is the frequency of capacity planning to determine how the RevPro product is performing?
A: Overall capacity analysis is performed at least once each quarter with the involvement of key department representatives from support, infrastructure, security, finance and human resources. The analysis helps identify any bottlenecks, issues and concerns and, if necessary, assign a responsible party to resolve them, in accordance with our SOC 2 Type 2 requirements.
Questions About Data Rights and Accessibility
Q: Are customers provided direct access to the database?
A: No, like most other SaaS providers, Leeyo does not give our customers direct access to the database as it would compromise system data security and compliance. Customers instead are given access through the RevPro user interface and APIs.
Q: Who owns the data in RevPro OnCloud?
A: Each RevPro customer owns their own data. In the unlikely event of a contract termination, Leeyo ensures a secure erasure of data within RevPro. With sufficient advance notification, Leeyo can provide an extract of customer data upon request.
Q: Is customer data shared with any third party?
A: No, Leeyo does not share customer data with anyone outside the Leeyo organization, and the only teams within Leeyo with access to customer data are our support and system administration teams in order to provide day-to-day support and troubleshooting. Every member of Leeyo, regardless of employee or contractor status, undergoes a thorough background check. Leeyo support and system administration teams are only staffed with full-time employees, not contractors.
Q: Is data encryption provided for Data-in-Transit and Data-at-Rest?
A: Any data leaving Leeyo’s SaaS environment is encrypted by default, in accordance with industry best practices for data-in-transit, using Transport Layer Security (TLS) 1.1 and 1.2. Data-at-rest encryption is also available using AWS EBS encrypted volumes with Advanced Encryption Standard (AES) 256-bit encryption.
Q: Where does customer data physically reside?
A: At all points, customer data in RevPro never leaves the aforementioned AWS platform. Leeyo uses AWS East US as the primary site, and AWS West US as secondary/DR site. AWS operates its data center in alignment with the Tier III+ guidelines, as determined by the Uptime Institute, but has chosen not to have a certified Uptime Institute-based tiering level to allow for additional flexibility to expand and improve performance. Although AWS does not claim alignment with Tier 4, the systems have a fault tolerant sequence of operations with self-correcting mitigations in place.
Questions About Authentication
Q: What type of authentication services are supported by RevPro OnCloud?
A: In addition to providing local/built-in authentication, Leeyo also provides Security Assertion Markup Language (SAML) 2.0-based single sign-on authentication for RevPro. By definition, authentication is a means of verifying that a user is who they say they are when signing into the RevPro system. Local (or built-in) authentication is implemented within the RevPro code itself. With SAML, Leeyo relies on a third-party identity provider to perform the authentication and assert that the user is a trusted user of the system. RevPro, an enterprise-based system, does not use OAuth-based authentication, which is more consumer-oriented. The choice between local and SAML-based authentication is up to the RevPro customer.
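The SAML flow above ends with the application (the service provider) deciding whether to trust an assertion the identity provider sent. The following added example, which is not Leeyo or RevPro code, shows the minimal checks a service provider applies before honouring an assertion: the issuer must be the one trusted identity provider, the assertion must be addressed to this service provider’s audience, and the validity window must contain the current time. The entity IDs, the sample assertion and the function names are constructed for illustration; signature verification, which a real deployment also requires, is out of scope here.

```python
"""Service-provider side checks on a SAML 2.0 assertion (stdlib only)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}

# Constructed sample: one Response carrying one Assertion (not output of any real IdP).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.test/saml</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def parse_saml_time(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, trusted_issuer, my_audience, now):
    """Return the reasons to reject the assertion; an empty list means accept."""
    problems = []
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element"]
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != trusted_issuer:  # only the configured IdP may vouch for users
        problems.append("untrusted issuer: %s" % issuer)
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return problems + ["missing Conditions"]
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < parse_saml_time(not_before):
        problems.append("assertion not yet valid")
    if not_on_or_after and now >= parse_saml_time(not_on_or_after):  # bound is exclusive
        problems.append("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if my_audience not in audiences:  # an assertion meant for another SP is not ours
        problems.append("audience mismatch: %s" % audiences)
    return problems

def subject_name(xml_text):
    """Extract the authenticated user's NameID once the assertion has been accepted."""
    root = ET.fromstring(xml_text)
    return root.findtext("saml:Assertion/saml:Subject/saml:NameID", default="", namespaces=NS)
```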
Q: Do customers have the right to do their own audit of Leeyo?
A: No, Leeyo does not allow customers to perform their own audits and instead supports its customers’ audit needs using existing controls. In other words, while Leeyo is unable to allow each and every customer to come in for an in-person audit, we supply the results of our own standardized SOC 2 certification audit covering all controls to meet that need.
Q: Do Leeyo customers need to supply any software licenses?
A: No additional products are required to run RevPro OnCloud. Basic requirements are an Internet connection and any currently supported web browser, including Mozilla Firefox 35 or higher, Google Chrome 40 or higher, Apple Safari 7 or higher, and Microsoft Internet Explorer 9 or higher.
Questions About Security Infrastructure
Q: Does Leeyo have in place a formal information security policy?
A: Yes, our 57-page information security policy is shared upon execution of a mutual NDA. The document covers everything from administrative controls to asset accountability, personnel screening, communications management and system audit considerations.
Q: Does Leeyo have in place a formal Disaster Recovery Plan?
A: Yes, our company’s Disaster Recovery Policy, also available upon execution of a mutual NDA, includes contact details for key internal and external personnel, emergency response steps and a technology disaster recovery plan.
Q: Does Leeyo perform background checks on all employees and contractors?
A: Yes, thorough background checks are performed as well as periodic follow ups. These checks include credit, criminal, professional and academic verification and drug screening. If a background check is a requirement for deployment by a client, the potential resource’s background check must be current within the last six months.
Q: Have all Leeyo personnel been provided formal information security training?
A: Yes, information security training is provided at least annually for employees, covering an employee’s responsibility to report security incidents, awareness of current “social engineering” attempts (e.g. phishing, spam, physical intrusion attempts) and the latest technical exploits and vulnerabilities.