
Cloud Services Platform: Security and Availability Controls Overview

Copyright 2014, Aerohive Networks, Inc.

Table of Contents

Offering Statement ..... 3
Data Centers ..... 3
Software Upgrades ..... 4
Data Protection ..... 5
Availability ..... 6
Technology ..... 7

Offering Statement

The Aerohive Cloud Services Platform is a globally distributed, cloud-based infrastructure that is home to Aerohive software-as-a-service (SaaS) applications. HiveManager Online is the cloud-based management system that provides access to configuration and network monitoring statistics for all managed Aerohive network devices.

Aerohive Networks reduces the cost and complexity of today's networks with cloud-enabled Wi-Fi, switching, routing, and application solutions for medium and large enterprise headquarters, branch offices, and teleworkers. Aerohive's award-winning cooperative control Wi-Fi architecture, public or private cloud-enabled network management, unified switching, routing and VPN solutions eliminate costly controllers and single points of failure. This gives its customers mission-critical reliability with granular security and policy enforcement and the ability to start small and expand without limitations.

Aerohive's approach enables scalable, secure and reliable network applications by taking advantage of the cloud while also preserving an unmatched level of flexibility often associated with on-premise solutions. Customers can still decide what to run, when to upgrade, and comply with their network operation policies.

Data Centers

Geographically Distributed

Aerohive employs geographically distributed data centers to optimize customer network connectivity. Data centers are located in North America, Europe, and Asia Pacific regions.

Certifications

All Aerohive cloud-based technical support operations are hosted in SAS70 (superseded by SSAE-16) Type II data centers. Aerohive utilizes industry-leading 3rd party providers with public statements of SAS70 and SSAE-16 compliance. Aerohive reviews vendor capabilities, scale, SLAs and cost benefits associated with their offerings in order to determine the best operational platform.

International Compliance and Safe Harbor

Aerohive meets European privacy controls and Safe Harbor certification by adhering to geographic data policies. The European-based data center performs cross data replication within the EU region in order to meet EU privacy controls.

Physical Access

Physical access to data centers is restricted to authorized staff and access is strictly controlled 24x7 by professional security staff, video surveillance, and other electronic means.

Logical Access

Segmentation of logical vs. physical access is achieved through policies enforced within the Aerohive Technical Operations Team. Third-party cloud providers do not possess logical access to Aerohive systems. Selected Technical Operations staff require extra credentials to access production systems.

Facilities Robustness

- Data centers are physically isolated and housed in non-descript facilities
- Automated systems and personnel monitor and maintain optimal temperature and humidity
- Redundant uninterruptible power supply (UPS) units for essential systems, and generators to provide backup power for the entire facility
- Automatic fire detection and suppression systems
- Multi-zoned systems, with double interlocks to prevent accidental water discharge
- All facilities meet or exceed local seismic building codes and are located in lower risk flood areas

CloudTrust Certified

Aerohive is CloudTrust Certified Enterprise-Ready. Skyhigh Networks performs objective and thorough evaluations of the enterprise-readiness of cloud services based on a detailed set of criteria developed in conjunction with the Cloud Security Alliance (CSA). Services designated as Skyhigh Enterprise-Ready are the services receiving the highest CloudTrust Ratings, which fully satisfy the most stringent requirements for data protection, identity verification, service security, business practices, and legal protection.

Software Upgrades

Flexibility Advantage

Aerohive recommends that customers upgrade to the latest supported version of HiveManager Online in order to benefit from new performance and security features and the latest enhanced product experience. At all times, customers control and decide when to upgrade their Aerohive hardware devices (access points, switches, routers and HiveOS Virtual Appliances). Customers can initiate their HiveManager Online upgrade either by themselves, or they can request Aerohive to upgrade on their behalf (by phone or by opening a ticket).

Occasionally, Aerohive may notify customers that Aerohive will upgrade the Cloud Services Platform to a newer version in order to address potential security issues and/or major bug fixes. Aerohive Applications, including ID Manager and Client Management, may also be upgraded periodically to provide new features and functionality to existing customers. Notifications are sent out prior to the upgrade and do not affect any Aerohive hardware devices or policy configuration. Details about Aerohive's upgrade policy can be found at: http://www.aerohive.com/330000/docs/Cloud Services Platform Upgrade Policy.pdf

Security

Aerohive automatically applies critical security patches deemed necessary to maintain the integrity of HiveManager Online (HMOL), cloud-based servers, and applications in the Cloud Services Platform.

Change Control Policy

Aerohive typically employs a three-stage Change Control Process for software releases and upgrades. Software is delivered, tested, and exercised through a Beta program. Once a candidate for final release is selected, it is put through a staging scenario, then tested and operated as if it were in production. After passing operational production tests, the release is moved into a production environment during pre-scheduled, announced maintenance windows.

Data Protection

Privacy

No actual data traffic from managed Aerohive network devices (e.g., Aerohive APs, switches, and routers) traverses the Aerohive Cloud Services Platform. Third parties employed for our cloud delivery platform don't have logical access to Aerohive customer data.

Data Sensitivity

Cloud Services Platform applications provide access to configuration, management, and network monitoring statistics.
Stored data does not include anything traditionally considered "personal information," such as a name plus an associated social security, driver's license or financial account number, or personal medical or insurance information.

Data available in Cloud Services Platform

HiveManager Online (HMOL) defines users with different roles and permissions. Login passwords are hashed with SHA-2 using 512-byte keys and the results are stored within each VHM. When administrators attempt to log in, their submitted passwords are hashed and the results are compared to the stored hash values. HMOL provides access to configuration management and network monitoring statistics for all managed Aerohive network devices. Information may include the following:

- For each user, information as to when the client device authenticates to an AP, to which AP, and when it de-authenticates.
- For each user, the user name from 802.1X, Private Pre-Shared Key, or Captive Web Portal; however, it does not receive the login credentials from the AP. It will also detect the client device's MAC address, IP address, and OS.
- For each user, records of aggregate traffic, but not any detail as to individual destinations.

- If StudentManager or TeacherView applications are enabled, then HiveManager will have data as to what URLs are accessed by individual clients registered in those applications.
- If Guest Management capabilities are utilized, some information may be collected for a guest registering for PPSK access. For example, fields to enter visitor name, email address, company and sponsor, PPSK, start time, end time, and SSID assigned.
- If management of Bonjour Services is enabled, the type of services re-advertised will be collected but not the actual service data.
- If Client Management is in use, Aerohive can detect installed applications, certificate data, and security policy configuration for each enrolled device as well as manage and revoke applications.

Monitoring & Incident Response

Aerohive has technical support personnel available 24x7, with additional staff on call for incident escalation responses. If Aerohive were to detect any breach or other major security incident, its staff would immediately escalate, investigate, and remediate as necessary. The Escalation Notification List includes the VP of Client Services and representatives from technical support, cloud operations and product engineering.

Breach Notifications

Aerohive aims to notify its affected customers within 7 days of detecting any security breach to its Cloud Services Platform and to provide as much information as is available on the extent of any breach. Aerohive will meet any other notification requirements as required by United States federal and California laws. Information about security vulnerabilities or breaches is posted on the Aerohive corporate web site and can be found by following the links to how to contact us, and from there to the product security pages.

Forensic Analysis Procedures

Aerohive has technical support personnel 24x7, with additional staff on call responsible for performing forensic security analysis if required.
The technical support staff has the ability to collect relevant logs and records using proper best-practice diagnostic procedures.

Availability

Uptime

HiveManager Online is guaranteed for 99.99% uptime, excluding scheduled maintenance windows. Aerohive's Cloud Service Level Agreement (SLA) is available at vices-Platform-SLA.pdf

Disaster Recovery (DR)

Aerohive's Disaster Recovery Plan includes proactive platform monitoring of customer performance data. Hourly snapshots are taken to assess operational health programmatically. In addition, hourly backups are taken for all customer configurations, ensuring recovery from a theoretical disaster situation by restoring changes that happened up to 1 hour ago. In addition, daily backups are performed to preserve all collected data beyond configuration.

Availability Monitoring

Aerohive employs a distributed availability monitoring system on our cloud infrastructure which includes transactional user login simulation monitoring from multiple regions. If the end user is unable to log in to our Cloud Services Platform, an email alert and text message will be auto-generated and sent to the Aerohive Cloud Operations Team. Aerohive also provides proactive notifications to our customers via the Aerohive support portal.

It is important to note that HiveManager, as a network management platform, is not in the data path of customer data, nor does its failover impact the ability of end users or devices to access the network.

Backup & Storage Strategy

- Cross backups are performed utilizing storage in opposing data centers.
- In order to maintain privacy and European Safe Harbor compliance, data centers in different locations within the EU region perform cross backups.
- Hourly backups are taken for customer device configurations and daily (nightly) for all customer data.
- Backups are stored on both local and remote servers (at different data centers) in a compressed format and are inaccessible to users.
- Backups are archived for 7 days on a local server and for 30 days on a remote server.
- An authenticated administrative-level user is required to restore the data in corresponding user accounts.

Data Recovery

Backed-up customer data can be recovered in potential cases of malfunction within an account, malfunction of a logical server, malfunction of a physical server, or malfunction of an entire datacenter. Since the configuration data is backed up hourly, it is possible to restore customer configuration data which existed up to 1 hour prior to the failure. Applications such as ID Manager and Client Management are backed up daily and configuration data can be restored from the prior daily backup.

System Monitoring

Complete monitoring is performed for the Cloud Services Platform, encompassing usage of a global system performance monitoring tool, service level monitoring & notification, and cloud HTTP monitoring. Aerohive's Cloud Operations Team has access to dashboards measuring production capacity, usage, and trend monitoring. Performance snapshots are taken of running systems and are programmatically raised as alarms when internal thresholds are met for learned performance metrics.

The Aerohive Technical Support Team has personnel operating 24x7, with additional staff on call as required for subsequent help.

Technology

Cloud Scaling

Aerohive's Cloud Service Platform scales by taking advantage of the inherent elasticity of the cloud. New servers and back-end infrastructure can be instantiated as needed based on load, customer, and partner growth and as a consequence of monitoring operations for learned patterns of system performance.

Traffic Encrypted & Restricted

All administrative network traffic is encrypted. HiveManager uses CAPWAP over HTTPS and SSH for uploading & downloading relevant traffic (such as HiveOS image files, full configurations, captive web portal pages, and certificates) from HiveManager Online to & from devices. Aerohive Technical Operations can perform traffic restriction by IP address at any time, if determined desirable. No unauthenticated users have administrative or monitoring access to HiveManager Online or other Aerohive applications.

Logging

All logs in the system can be redirected to a central syslog server, if desired. In addition, the cloud approach with HiveManager Online and the Cloud Services Platform applications permits collecting all relevant Events/Alarms/Logs in a centralized manner.

Vulnerability Scans, Penetration Tests and Antivirus

Aerohive's infrastructure proactively manages firewall and networking security policies for the services hosted. Aerohive utilizes best current industry practices regarding security and access procedures to limit access and permissions to these systems. External security experts are under contract to perform regular vulnerability scans and penetration tests.

Segmented Environments for Development, UAT and Production

Separate environments are maintained for Development, User-Acceptance, and Production. Aerohive's products go through a 3-stage process of Development, QA, and Beta testing before getting staged in a production environment, tested again, and finally deployed in production. The Cloud Services Platform allows customers to participate in the Aerohive Beta program, test-driving the latest functionality by trying HiveManager Online and application Betas without having to upgrade their entire network and disrupt operations.

Third Party Software Patches

Third-party patches are applied to Aerohive systems following the same three-stage Change Control Policy as Aerohive product releases. Major version upgrades of third-party software are planned as part of main development cycles, implying a longer-duration testing cycle and gained stability for intermediate software releases.

User Roles Policies

HiveManager Online provides administrative options to manage user roles and levels of permissions for users. A customer will have a superuser account with the ability to create users with granular permissions within the realm of his/her account.

Customers having accounts managed by an Aerohive partner (an integrator or managed service provider) will be able to restrict/grant access to their parent partner (i.e. for preventing partner staff from monitoring or configuring their system, or alternatively granting them access for partner maintenance). Partners can disable a customer account (i.e. for non-paying or terminated customers).

Account Provisioning

New accounts are provisioned when Cloud Services Platform applications are being evaluated by or sold to a customer. The new user will be registered with Admin permissions and can create other users within the account realm. Aerohive's Technical Operations (TechOps) and Technical Support Teams have potential logical access to the system for troubleshooting purposes.
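To make the realm, partner-access and provisioning rules described above concrete, here is an added example (not Aerohive's code) that models them in Python: a superuser who creates users with granular permissions inside one account realm, a parent partner whose access the customer can grant or revoke, and partner-side disabling of the account. The account, user and permission names ("superuser", "monitor", "configure") are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Illustrative model, added here and not Aerohive's code, of the account rules
# the text describes: a customer realm whose superuser creates users with
# granular permissions, an optional parent partner whose access the customer
# can grant or revoke, and partner-side disabling of the whole account.
# Permission names ("superuser", "monitor", "configure") are assumed labels.


@dataclass
class Account:
    name: str
    parent_partner: Optional[str] = None   # integrator or MSP managing this realm
    partner_access: bool = True            # customer-controlled grant/revoke
    disabled: bool = False                 # partner-controlled (e.g. non-payment)
    users: Dict[str, Set[str]] = field(default_factory=dict)

    def add_user(self, creator: str, username: str, perms: Set[str]) -> None:
        # Only a superuser of this realm may create users inside it.
        if "superuser" not in self.users.get(creator, set()):
            raise PermissionError(f"{creator} is not a superuser of {self.name}")
        self.users[username] = set(perms)


def can_access(acct: Account, principal: str, realm: str, perm: str) -> bool:
    """Does `principal`, a user of `realm`, hold `perm` on account `acct`?"""
    if acct.disabled:
        return False                       # disabled by the partner: nobody gets in
    if realm == acct.name:                 # the customer's own users
        perms = acct.users.get(principal, set())
        return "superuser" in perms or perm in perms
    if realm == acct.parent_partner:       # partner staff, only while granted
        return acct.partner_access
    return False                           # unrelated realms never see this account


def demo() -> Dict[str, bool]:
    """Walk through the page's scenarios with constructed sample accounts."""
    acme = Account("acme", parent_partner="msp-one")
    acme.users["alice"] = {"superuser"}    # the provisioned admin of the realm
    acme.add_user("alice", "bob", {"monitor"})
    out = {
        "bob_monitor": can_access(acme, "bob", "acme", "monitor"),
        "bob_configure": can_access(acme, "bob", "acme", "configure"),
        "partner_granted": can_access(acme, "pat", "msp-one", "configure"),
    }
    acme.partner_access = False            # customer revokes parent-partner access
    out["partner_revoked"] = can_access(acme, "pat", "msp-one", "configure")
    acme.disabled = True                   # partner disables a terminated account
    out["admin_when_disabled"] = can_access(acme, "alice", "acme", "configure")
    try:
        acme.add_user("bob", "carol", {"monitor"})   # non-superuser must be refused
        out["bob_created_user"] = True
    except PermissionError:
        out["bob_created_user"] = False
    return out
```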

Password Policies (Resets, Storage)

Only an administrator who has sufficient permission to administer other users within his/her account realm can perform password resets. No passwords are stored in clear text. Users can utilize the "Forgot Password" option in the login page to reset passwords. Alternatively, customers can contact their account representative, who will perform a full verification with the company or partner registered for that account before making any changes.

SSO, Session Timeouts

Aerohive supports SSO within the MyHive environment, which includes the portals for HiveManager Online, ID Manager, Client Management, Redirector, and Social Login. Administrative sessions are automatically closed if idle for 15 minutes. Timeout expiry values are configurable. Reports of failed login attempts could potentially be requested.

About Aerohive

Aerohive (NYSE: HIVE) unleashes the power of enterprise mobility. Aerohive's technology enables organizations of all sizes to use mobility to increase productivity, engage customers, and grow their business. Deployed in over 14,000 enterprises worldwide, Aerohive's proprietary mobility platform takes advantage of the cloud and a distributed architecture to deliver unified, intelligent, simplified and cost-effective networks. Aerohive was founded in 2006 and is headquartered in Sunnyvale, Calif.

For more information, please visit www.aerohive.com, call us at 408-510-6100, follow us on Twitter @Aerohive, subscribe to our blog, join our community, or become a fan on our Facebook page.

"Aerohive," "HiveManager" and "HiveOS" are registered trademarks of Aerohive Networks, Inc. All product and company names used herein are trademarks or registered trademarks of their respective owners. All rights reserved.

Corporate Headquarters
Aerohive Networks, Inc.
330 Gibraltar Drive
Sunnyvale, California 94089 USA
Phone: 408.510.6100
Toll Free: 1.866.918.9918
Fax: [email protected]

European Headquarters
Aerohive Networks Europe LTD
The Court Yard
16-18 West Street
Farnham, Surrey, UK GU9 7DR
44 (0)1252 736590
Fax: 44 (0)1252 711901

WP1204109
