GrC Security


Protecting this service is a top priority for Materna. Extensive security measures are applied for this purpose: software, hardware, procedures, and an end-to-end, sustainable security strategy. Information classified as "normaler Schutzbedarf" (normal protection requirement) can be processed with this service.

BMC Helix for German Regulated Cloud is operated within the framework of the existing ISO 27001 certification. The associated processes and tools ensure in particular:

  • Identification of organization-wide critical processes, and thereby of the actual risk objects within Materna and the service that need to be protected
  • Systematic detection of threats and vulnerabilities
  • Active, prioritized minimization of identified risks
  • Security measures for secure operation and data security
  • Implementation of security controls according to the "Plan-Do-Check-Act" approach
  • Regular internal and external review of Materna's internal processes and risk objects
  • Access to the systems used restricted to a limited number of employees who are regularly trained and qualified in IT security
  • Ensuring the ability to act quickly after a disaster on the basis of an emergency plan

Physical security

BMC Helix for German Regulated Cloud is operated in two physically separate data centers. They are designed according to the current state of the art in order to achieve the highest possible level of security. This includes multiple fire compartments, an uninterruptible power supply with multiple feed paths, efficient and fail-safe air-conditioning technology, and a redundant fiber-optic cable network for connectivity.

All systems are monitored permanently, around the clock. The infrastructure comprises air-conditioning, cooling, power, fire protection and security technology. Access to the data centers is possible only for authorized persons, 24 hours a day, 365 days a year, via multi-step authentication. Video surveillance is in place indoors and outdoors so that attempted break-ins are detected in a timely manner. A security service is always on standby.

Perimeter Security

The perimeter layer ensures that data in transit is encrypted and that access to the environment is kept to the minimum necessary.

Key features of this layer include:

  • Tiered web applications for the Internet
  • Strict HTTPS compliance for all ports and protocols
  • Industry-standard, fully redundant stateful firewalls
  • Fine-grained software firewall for micro-segmentation
  • Security Assertion Markup Language (SAML) support for single sign-on
  • HTTPS encryption over public networks with at least 128-bit symmetric keys and 2,048-bit certificates
  • Transport Layer Security (TLS) over public networks ensures secure email and file transfers
  • TLS certificates with short validity periods (90 days)
  • Annual penetration testing for perimeter, network and applications

Network Security

The network layer emphasizes segmentation and restriction of internal communications. These controls increase security, confidentiality, integrity, and availability of Service Recipient data and eliminate the risks associated with multi-tenant environments.

Key features of this layer include:

  • Internal network segmentation ensures that data is private and secure
  • Management layer with centralized administration and advanced system monitoring capabilities
  • Implementation of compliance policies even at the network level
  • Inter-datacenter traffic is encrypted at layer 2 using AES-256-GCM at minimum
  • For outgoing and incoming connections to Service Recipient systems, the Service Recipient ensures that its systems are configured for secured connections

Application Security

The application layer includes special security controls to enable role-based and secure application access.

Key features of this layer include:

  • Elements of application security that protect data from unauthorized access
  • Role-based access provides fine-grained control of data authorizations
  • End-to-end encryption of credentials
  • A logical, multi-tiered access control construct
  • Static application security testing (SAST), using leading tools to proactively detect security-related issues in our code and in the third-party libraries of our solutions, for each release
  • Dynamic application security testing (DAST), including tests covering the Open Web Application Security Project (OWASP) Top 10 risks: authentication testing, client-side attack testing, command execution testing, information disclosure testing, and logical attack testing, for each release

Data Security

All data of the BMC Helix services stored in databases and backups is encrypted. Due to the technical design and the functional requirements of the cloud offering, the private keys used for this encryption are known exclusively to Materna, in accordance with applicable legal and regulatory obligations and requirements.
