Transcription
Enterprise-Class Data Management,Security, Performance and AvailabilityNetSuite Data CenterOracle NetSuite currently operates geographicallydistinct data centers across North America,Europe, and Asia-Pacific. Each data center has acounterpart that provides data mirroring, disasterrecovery and failover capabilities in its region incase any data center becomes non-operational.The NetSuite service is natively multi-tenant andleverages cloud infrastructure designed aroundmultiple layers of redundancy.Data Center LocationsNorth America Seattle Santa Clara Phoenix Chicago Boston AshburnEurope London Dublin Frankfurt AmsterdamAsia-Pacific Sydney Melbournewww.netsuite.com
NetSuite Data Center InfrastructureData Management Redundancy: Many layers in the NetSuitesystem contain multiple levels of redundancy.This design allows uninterrupted servicebecause redundant systems automaticallyassume processing in the event that one ormore elements fail. Disaster Recovery (DR): Within each region, datais replicated and synchronized between datacenters. Semi-annual DR exercises ensure thatsystems and processes are in place, as well asto assess and enhance the competency of allpersonnel key to the successful implementationof DR activities. Data centers use archival mediabackups, which supports customer-initiated datarestores for up to a year. Oracle Terms of Use and Privacy Scalability: NetSuite supports over 26,000customers with over 1.5 billion applicationrequests per day and more than six petabytes ofdata under management. The system has beendesigned to accommodate routine surges andspikes in usage, and to scale upward smoothlyto address increased transaction volume.Application Security Encryption: Transmission of user credentials,as well as all data in the resultant connection,are encrypted with industry standard protocoland cipher suite. NetSuite supports CustomAttribute encryption and provides encryptionAPIs. NetSuite uses token-based applicationauthentication and multi-factorend-user authentication.Page 2
Role-Level Access and Idle Disconnect:Each end user can be assigned a specific rolewith permissions that are specific only to his orher own job. There is a complete audit trail thattracks changes to each transaction by the userlogin details and a timestamp. IP Address Restrictions: Customers can restrictaccess to a NetSuite account from specificcomputers and/or locations, which is valuablefor those who are concerned not only aboutwho is able to access their NetSuite account butfrom where they access it as well. This featuresignificantly reduces the risk of unauthorizedthird parties accessing a user’s account. Robust Password Policies: Customers havegranular password configuration options,ranging from the length of the passwords tothe password expiration policy. They can set upstrict policies to ensure that new passwords varyfrom prior passwords and that passwords arecomplex enough to include a combination ofnumbers, letters and special characters.Accounts are also locked out after severalunsuccessful attempts. For customers who desirea higher level of access control, there is a multifactor authentication option using text SMS,one-time passwords (OTP) and backup codes. Inaddition to entering their own passwords, usersmust possess TOTP-compatible devices toreceive the random one-time passwords. Thesecryptographically robust passwords preventkey loggers, shoulder surfers, phishers andpassword crackers from accessing auser’s account. Oracle Terms of Use and PrivacyOperational Security Continuous Monitoring: NetSuite employs bothnetwork and server-based Intrusion DetectionSystems (IDS) to identify malicious trafficattempting to access its servers and networks.Security alerts and logs are sent to a SecurityInformation and Event Management (SIEM)system for monitoring and response actions bya dedicated security team. Separation of Duties: In addition to mandatoryemployee background checks at all levels ofthe operations organization, job responsibilitiesare separated. The Principle of Least Authority(POLA) is followed and employees are givenonly those privileges that are necessary to dotheir duties. Physical Access: All data centers maintainstringent physical security policies and controlsincluding photo IDs, proximity access cards,biometrics, single person entry portals andalarmed perimeters. Dedicated Security Team: Oracle NetSuiteemploys a global security team dedicated toenforcing security policies, monitoring alerts andinvestigating any anomalous system behaviorincluding unauthorized connection attempts andmalicious software. Near real-time monitoringis in place with a 24x7 worldwide incidentresponse capability. All access to production isapproved and regularly reviewed by thesecurity team.Page 3
Data Center Performance Audits: There areauditing controls appropriate for SOC 1 Type II,SOC 2 Type II, ISO 27001 and PCI compliance.NetSuite has implemented a comprehensiverisk management process modeled after theNational Institute of Standards and Technology’s(NIST) special publication 800-30 and the ISO27000 series of standards. Periodic auditsare carried out to help ensure that personnelperformance, procedural compliance,equipment serviceability, updated authorizationrecords and key inventory rounds meet orexceed industry standards. Security Certifications: Oracle NetSuite issuesreports upon the completion of periodic SOC 1Type II and SOC 2 Type II audits and is certifiedfor PCI DSS and ISO 27001:2013. Oracle NetSuite has defined its InformationSecurity Management System in accordancewith NIST 800-53 and ISO 27000series standards. Independent third-party auditors prepareand conduct SOC 1 Type II and SOC 2 Type IIaudits. A SOC 1 Type II audit report is essentialto meeting the reporting requirements on theeffectiveness of internal controls over financialreporting of Section 404 of the SarbanesOxley Act. SOC 2 Type II reports on controlsthat directly relate to the security, availabilityand confidentiality trust services criteria at aservice organization. PCI DSS is a security standard designed toensure that companies are processing, storingand transmitting payment card information in Oracle Terms of Use and Privacya secure environment. A PCI Qualified SecurityAssessor (QSA) issues an Attestation ofCompliance (AOC) to NetSuite. Privacy Certifications: Oracle Corporate(Oracle EMEA Ltd) has obtained EU/EEA-wideauthorization from the European data protectionauthorities for its Binding Corporate Rules forProcessors (BCR-p). This helps our customersaddress their privacy and security requirementsunder the EU General Data ProtectionRegulation (GDPR) and other European dataprotection laws and regulations in the EU/EEA, the UK and Switzerland (“European DataProtection Law”). See the Privacy Code forProcessing Personal Information of CustomerIndividuals (Oracle Processor Code).Oracle NetSuite provides Product FeatureGuidance documents that describe how theservice functionality is designed to assistcustomers with their EU GDPR requirements.Oracle NetSuite has extended the ISO 27001Information Security Management System toinclude the ISO 27018 control set, demonstratingprotection and adequacy for processingPersonal Information as a Public Cloud HostingProvider. Oracle NetSuite performs reviewsand annual audits, conducts privacy riskmanagement and oversees remediations, hasa third-party vendor management program toensure that the suppliers adhere to the privacyregulations, oversees privacy by design intechnology and processes, and is committedto maintaining and improving its privacyinformation management and dataprotection programs.Page 4
Performance Scalable Application Architecture: The NetSuiteapplication runs on a three-tiered architecturesupported by additional specialized services. Alltiers are highly scalable and support multi-datacenter deployment. Performance Team: NetSuite invests heavilyin performance at every layer. This includesa dedicated performance team of developersand database engineers whose sole purpose isto proactively verify application performancebenchmarks and tune the application formaximum performance. High-Performance Databases: The NetSuiteapplication runs on high-performancedatabase server hardware with multiple coresand maximum RAM configuration. NetSuiteproduction database servers run exclusively onsolid state storage ensuring the fastest possibledatabase I/O performance available inthe industry. Performance Monitoring Tool: The NetSuiteApplication Performance Management (APM)tool provides a comprehensive performancedashboard that allows users to easily and quicklydrill down and investigate the root cause of asite’s performance issues. By capturing criticalperformance data and quickly identifying,analyzing and fixing the problem areas, customerscan optimize performance, improve userexperience and maintain critical transactions. Oracle Terms of Use and PrivacyAvailability Service Level Commitment (SLC): An SLCguarantees a 99.7% uptime (outside scheduledservice windows) for the NetSuite productionapplication for all customers. A credit is availableif NetSuite does not deliver its applicationservices with 99.7% uptime. A publicly availablestatus page is provided to display system statusat all times that includes quantitative currentand historic uptime metrics as well as up-to-theminute announcements during disruptions. World-Class Hosting Operations Team: Aglobal team of dedicated operations personnelproactively monitors the health of the entiresystem with industry leading alert and trendbased tools designed to identify and resolveevents before they impact the live site. Thisteam provides 24x7 coverage to respond to anyincident with automated recovery procedures. Dedicated Event Response Team: A global cloudevent response team is dedicated to expeditingresponses and resolutions while establishingcommunications and regular updates duringservice-impacting events. This team is active24x7 from multiple worldwide locations. Network Design: The network was built to meetor exceed commercial telecommunicationsstandards worldwide for availability, integrityand confidentiality. The network design ensuresreliable connectivity and maximum uptime withno single-point data transmission bottlenecksto or from the data center. Finally, NetSuite usesa content delivery network (CDN) to enhancenetwork reliability and help protect againstdenial-of-service attacks.
Oracle NetSuite currently operates geographically distinct data centers across North America, Europe, and Asia-Pacific. Each data center has a counterpart that provides data mirroring, disaster recovery and failover capabilities in its region in case any data center becomes non-operational. The NetSuite service is natively multi-tenant andFile Size: 1MB
