NETSUITE DATA CENTER FACT SHEET - JCurve Solutions

NETSUITE DATA CENTER FACT SHEET

Enterprise-Class Data Management, Security, Performance and Availability

NetSuite is the world’s largest cloud ERP vendor, supporting over 40,000 organizations, processing over 500 million application requests per day with 9 terabytes of data added every day. NetSuite also has a track record since 1998 of maintaining the security of our customers’ records.

NetSuite Data Center Architecture

NetSuite operates six geographically separated data centers present in two Regions, US and Europe. The data centers operate in a hub-spoke architecture. Each region has a dedicated data center that provides data mirroring, disaster recovery and failover capabilities for the other data centers in that region in case any data center becomes non-operational. Customer data is not shared between the regions.

All data center facilities are operated by a leading collocation provider, which provides earthquake and fire protection, along with heating, cooling and backup power. The NetSuite application is multi-tenant, and all servers, storage and hard drives are built on several layers of redundancy.

www.netsuite.com

Facts about NetSuite’s Data Center Infrastructure

Data Management

Redundancy: Many layers in the NetSuite system implement multiple levels of redundancy. This design allows one or more elements to fail without any interruption in service by having multiple, redundant systems online to automatically assume processing on behalf of the failed component.

Disaster Recovery: Within one region, data is replicated and synchronized between the active data centers and the dedicated DR data center by way of a proprietary replication mechanism built in house. In the event that the primary data center fails, all operations fail over to the DR data center. This failover procedure is tested and proven on the live site twice annually. The failover procedure is automated and can be triggered in push-button fashion. NetSuite has operations engineers geographically distributed from each other, as well as the data centers in order to be able to execute a failover in any disaster scenario. NetSuite conducts semiannual DR exercises to ensure that systems and processes are in place, as well as to assess and enhance competency of all relevant personnel key to the successful implementation of DR activities. NetSuite data centers utilize tape backups, which support customer-initiated data restores.

Scalability: NetSuite supports over 40,000 organizations with over 500 million application requests per day with 9 terabytes of data added every day. NetSuite has designed its systems to accommodate surges and spikes in usage, and to scale upward smoothly to address increased volume and transactions.

Copyright 2018, Oracle and/or its affiliates. All rights reserved.

Application Security

Encryption: Transmission of users’ unique ID and passwords, as well as all data in the resultant connection, are encrypted with industry standard protocol and cipher suite. NetSuite supports Custom Attribute encryption and provides encryption APIs.
The application authentication is token based while end user authentication supports modern two factor authentication with mobile devices or authentication FOBs.

Application-Only Access: The system is divided into layers that separate data from the NetSuite application itself. Users of the application can only access the application features, and not the underlying database or other infrastructure components.

Role-Level Access and Idle Disconnect: Customers can assign each end user a specific role with specific permissions to only see and use those features related to his or her own job. There is a complete audit trail whereby changes to each transaction are tracked by the user login details and a timestamp for each change is provided. The system also detects idle connections and automatically locks the browser screen to prevent unauthorized access from an unattended computer screen.

IP Address Restrictions: Restrictions on accessing a NetSuite account from specific computers and/or locations can be enforced. This is very useful for customers who are concerned not only about who is able to access their NetSuite account, but from where they access it as well. This feature significantly reduces the risk of unauthorized third parties accessing a user’s account.

Robust Password Policies: NetSuite offers fine-grained password configuration options—from the length of the user’s passwords, to the expiration of a user’s password at any timeframe they desire. Customers can set up strict password policies to ensure that new passwords vary from prior passwords, and that passwords are complex enough to include a combination of numbers, letters and special characters. Accounts are also locked out after several unsuccessful attempts. For customers who desire a higher level of access control, NetSuite offers multi-factor authentication using a simple physical token. In addition to entering their own passwords, users must possess physical tokens that generate random one-time passwords. These cryptographically robust passwords prevent key loggers, shoulder surfers, phishers and password crackers from accessing a user’s account.

Operational Security

Continuous Monitoring: NetSuite employs numerous Intrusion Detection Systems (IDS) to identify malicious traffic attempting to access its networks. Unauthorized attempts to access the data center are blocked, and any unauthorized connection attempts are logged and investigated. Enterprise-grade anti-virus software is also in place to guard against Trojans, worms, viruses and other malware from affecting the corporate software and applications.

Separation of Duties: In addition to mandatory employee background checks at all levels of NetSuite operations, job responsibilities are separated. The Principle of Least Authority (POLA) is followed and employees are given only those privileges that are necessary to do their duties.

Physical Access: All data centers’ operators maintain stringent physical security policies and controls to allow unescorted access to pre-authorized NetSuite Operations personnel:

- The first layer of security includes photo ID proximity access cards and a biometric identification system. This multi-factor authentication system provides additional assurance against lost badge risks or other attempts at impersonation. Proximity card reader devices are located at major points of entry and are used to secure critical areas within the data centers.
- Single-person portals and T-DAR man traps guarantee that only one person is authenticated at one time to prevent tailgating. Reliable detection and prevention of tailgating and piggybacking through secure doors significantly increases the effectiveness of the access control system.
- In addition, all perimeter doors are alarmed and monitored and all exterior perimeter walls, doors, windows and the main interior entry are constructed of materials that afford Underwriters Laboratory (UL) rated ballistic protection. Vegetation and other objects around the data center are landscaped in a manner such that an intruder would not be concealed.

Guarded Premises: On-premise security guards monitor all alarms, personnel activities, access points and shipping and receiving, and ensure that entry and exit procedures are correctly followed on a 24x7 basis. Guards are provided with ongoing awareness training and skills-building. Numerous CCTV video surveillance cameras with pan-tilt-zoom capabilities are located at points of entry to the collocation and other secured areas within the perimeter. Video is monitored and is stored for review for non-repudiation.

Security Certifications: NetSuite has passed a SOC 1 Type II audit, is certified for PCI-DSS and is EU-US Privacy Shield compliant. NetSuite has defined its Information Security Management System in accordance with NIST standards, including 800-53 and ISO 27000 series standards.

- NetSuite’s SOC 1 Type II audit is prepared by and audited by independent third-party auditors. SOC 1 Type II reports show that we have been through an in-depth audit of our control environment, including controls over data and network security, backup and restoration procedures, system availability and application development. The requirements of Section 404 of the Sarbanes-Oxley Act make a SOC 1 Type II audit report essential to the process of reporting on the effectiveness of internal control over a company’s financial reporting.
- In complying with PCI-DSS requirements, NetSuite offers optional 3D Secure credit card authentication—also known as Verified by Visa and MasterCard SecureCode. 3D Secure adds a higher level of credit card fraud protection. It requests shoppers to create authentication passwords for their credit cards, or requires them to enter their password if they already have one assigned.
- NetSuite has achieved the International Organization for Standardization (ISO) 27001* certification, the leading international standard for measuring Information Security Management Systems (ISMS). The standard requires a systematic examination of security risks, threats, vulnerabilities and their impact. To achieve certification, an organization must design and implement a comprehensive suite of information security controls and adopt an overarching management process to ensure that information security controls continue to meet the organization’s needs on an ongoing basis. NetSuite’s compliance with this important industry certification demonstrates the company’s continued commitment to maintaining and improving its information security management and data custodianship programs.

Dedicated Security Team: NetSuite employs a global security team dedicated to enforcing security policies, monitoring alerts and investigating any anomalous behavior within the system. This team is active 24x7 from multiple worldwide locations. All access to production is reviewed and granted by the security team.

Data Center Performance Audits: NetSuite Operations management implements such auditing controls as appropriate for SOC 1 Type II and PCI compliance. NetSuite’s comprehensive risk management process has been modeled after the National Institute of Standards and Technology’s (NIST) special publication 800-30 and the ISO 27000 series of standards. Periodic audits are carried out to help ensure that personnel performance, procedural compliance, equipment serviceability, updated authorization records and key inventory rounds are above par.

Performance

Scalable Application Architecture: NetSuite’s application runs on a three tiered architecture. All three tiers—web, application, and database—are horizontally scalable and support multi-data center deployment. NetSuite currently operates on over 4000 hosts in production.

Performance Team: NetSuite invests heavily in performance at every layer. This includes a dedicated performance team of developers and DBAs whose sole purpose is to proactively verify application performance benchmarks and tune the application for maximum performance.

High Performance Databases: NetSuite runs on high performance database server hardware with multiple cores and maximum RAM configuration. NetSuite production database servers run exclusively on flash SSD storage ensuring the fastest possible database IO performance available in the industry.

Performance Monitoring Tool: NetSuite’s Application Performance Monitoring tool provides a comprehensive performance dashboard that allows you to easily and quickly drill down and investigate the root cause of your site’s performance issues.
By capturing critical performance data and quickly identifying, analyzing and fixing the problem areas, you can optimize performance, improve customer experience and maintain critical transactions.

Availability

Service Level Commitment: NetSuite’s SLC guarantees a 99.5% uptime (outside the scheduled service windows) for the NetSuite production applications for all our customers. A credit is available if NetSuite does not deliver its application services with 99.5% uptime. We have consistently averaged an actual uptime of 99.98% and provide customers a publicly available webpage to display system status at all times at http://status.netsuite.com.

World Class Hosting Operations Team: NetSuite has a global team of dedicated hosting operations personnel with decades of cumulative experience running large cloud and SaaS business applications demanding high performance and high availability. This team proactively monitors the health of the entire system with industry leading alert and trend based tools designed to identify and resolve events before they impact the live site. This team provides 24x7 coverage to respond to any incident with automated recovery procedures.

* Oracle NetSuite, a wholly-owned subsidiary of Oracle, received an International Standards Organization (ISO) 27001 certification for its Information System Management System (ISMS) supporting the security operations of its products and services that includes NetSuite SaaS, OpenAir PSA SaaS and NetSuite Advance Rating (Monexa).

Redundant Internet Connections: The network was built to meet or exceed commercial telecommunications standards worldwide for availability, integrity and confidentiality. All NetSuite data centers have three 10 Gbps diverse-path pipes, designed so that any two connections can simultaneously fail without impacting user experience. This redundancy ensures reliable connectivity and maximum uptime with no single-point data transmission bottlenecks to or from the data center. Additionally, each data center has 2 dedicated 10 Gbps circuits for data replication.

Backup Power Systems: NetSuite has designed a solution for clean, continuous power. Uninterruptible Power Systems (UPSs) are provisioned in a redundant configuration to support environmental controls in the collocation spaces. Each UPS battery system is designed to carry full load for 15 minutes without a generator. Emergency generators typically provide backup power in less than 10 seconds and are sized to support the entire facility at maximum load. In addition to UPS systems, NetSuite makes use of power management modules and power distribution units on data center floors for a physically integrated and electrically redundant system for source selection, isolation, distribution, monitoring and control of power to computer equipment loads.

HVAC Systems: Air conditioning in all data centers is configured to allow for proper heat dissipation, permitting the sites to operate within an acceptable temperature range. To maintain the flow of air conditioning, an N+1 redundant system of HVAC units is employed within each location. The HVAC units are powered by normal and emergency electrical systems to maintain their availability.
Additionally, cold water tanks have been installed to keep air conditioning units functioning when transition from direct power to generator power during emergencies is required.

Fire Suppression: The latest fire suppression methods have been employed at NetSuite’s data centers. The systems utilize state-of-the-art “sniffer” systems, augmented by heat detection and dry-pipe sprinkler systems.

Seismic Engineering: NetSuite-operated data centers provide seismic isolation equipment to cushion facilities against movement, in addition to installing earthquake bracing on all equipment racks. Racks are anchored to the concrete slab below the site’s raised floor.
