Security & Compliance
Workato
Arcanum is proud to be partnered with specialists in integration and workflow automation, Workato.
This partnership enables customers to use Workato’s Platform to integrate Arcanum’s Intelligent AI Features into their current workflows easily. This can be used for both operational improvements and product enhancements to take companies and products to the next level.
Workato is committed to providing a highly secure and reliable integration and businessautomation service. This includes maintaining the confidentiality of its customers' informationand ensuring that customers' information will be available when it is needed. To achieve this weuse proven, tested, best-in-class security tools, technologies, practices and procedures.
Workato Security Overview
Last updated: September 2022
Workato is committed to providing a highly secure and reliable integration and businessautomation service. This includes maintaining the confidentiality of its customers' informationand ensuring that customers' information will be available when it is needed. To achieve this weuse proven, tested, best-in-class security tools, technologies, practices and procedures.Compliance
SOC 2 Type 2 audited
Workato has successfully completed a Service Organization Controls 2 (SOC 2) Type 2 auditwith a third-party evaluator certified by The American Institute of CPAs (AICPA). This audit usesthe Trust Services Principles, published by the AICPA, to evaluate the effectiveness of a serviceorganization's controls with respect to security, availability, processing integrity, online privacy,and confidentiality. Audit reports are available to current and prospective customers under NDA.
PCI
Workato uses PCI Compliant Level 1 audited payment processor Stripe for processing creditcard payments for the Workato services.
Hosting Environment and Physical Security
Workato is hosted on public cloud infrastructure from Amazon Web Services (AWS). Amazonmaintains high standards of security for their data centers. You can read further about AWSsecurity here: aws.amazon.com/security/
Workato supports hosting in various cloud regions, at the customer’s option.
Network Security
The Workato website is only accessible over HTTPS. Traffic over HTTPS is encrypted and isprotected from interception by unauthorized third parties. Workato follows current best practicesfor security, including the use of strong encryption algorithms with a key length of at least 128bits.
Workato also uses secure protocols for communication with third-party systems: usually HTTPS,but other protocols such as SFTP and FTPS are also supported. For on-premise systems,access requires the installation of an on-premises agent behind the firewall, whichcommunicates outbound to Workato over an encrypted link, using TLS 1.2.
Workato uses a multi-tier architecture that segregates internal application systems from thepublic Internet. Public traffic to the website passes through a Web Application Firewall (WAF)and then is routed to interior systems running on private subnets. Interior as well as exteriornetwork traffic uses secure, encrypted protocols. All network access, both within the datacenterand between the datacenter and outside services, is restricted by firewall and routing rules.Network access is recorded into a centralized secure logging system.
Authentication
Clients login to Workato using a password which is known only to them. Password length,complexity and expiration standards are enforced. Passwords are not stored; instead, as isstandard practice, only a secure hash of the password is stored in the database. Because thehash is relatively expensive to compute, and because a “salting” method is used, brute-forceguessing attempts are relatively ineffective, and password reverse-engineering is difficult even ifthe hash value were to be obtained by a malicious party.
Workato users can optionally configure their accounts to use Two-Factor Authentication, bymeans of an authenticator app such as Google Authenticator, Microsoft Authenticator, or Authy.Workato supports automatic session logout after a period of time. The timeout can be set from15 minutes up to 14 days. Enterprises can set the appropriate timeout period according to theirsecurity needs.
Workato supports integration with 3rd party SAML compliant Single Sign-On (SSO) systems.This allows an enterprise to manage access to Workato as well as other enterprise applicationsand apply custom authentication schemes and policies. Workato’s best practicerecommendation is for customers to utilize SAML for authentication.
When Workato recipes connect to remote systems using user-supplied credentials, wherepossible this is done using OAuth2, and in those cases, no credentials need to be stored in theWorkato system. However, if a remote system requires credentials to be stored, they areencrypted using a 256-bit key.
Workato’s best practice recommendation is for customers to use an integration specific useridentity (ISU) with appropriate entitlements/scopes for connection authentication for applicationsthat are part of the recipes.
Application Development
Workato has a comprehensive software development lifecycle process that incorporatessecurity and privacy considerations. Design and code reviews, as well as unit and integrationtesting, are part of the process.
Development staff receive regular training on Secure Coding Practices, including avoidance ofthe OWASP Top Ten Web application vulnerabilities.
Vulnerability and Penetration Testing
Workato conducts regular internal vulnerability testing. Workato also engages a qualified3rd-party to conduct a regular platform level vulnerability and penetration test.The results are analyzed and vulnerabilities are addressed based on risk and severity.
Data Privacy
Workato has a public privacy policy, which details the types of personal information we collect,our handling of this information, and our customers’ privacy rights.
Transaction Data Retention and At-Rest Protection
All information on the Workato platform is encrypted at rest and in transit. All data stored in theWorkato system is encrypted at rest using a strong encryption algorithm (AES-256).Workato has innovative key management features for securing customer data. Transaction datais double-encrypted. All data is encrypted with a global key managed by our cloud providers.These keys are rotated at least annually. In addition, Workato encrypts data with secondary,tenant-specific keys whose lifetimes are tied to the configured retention period for the data. Anew key is generated hourly and this key is used to encrypt all data for a single customer withinthat hourly period. At the end of the configured retention interval, the key is deleted, effectivelyerasing the data by making it unreadable. Subsequently, the data storage is also reclaimed.Workato’s Enterprise Key Management feature allows customers to use their own masterencryption keys, maintained within their own AWS account, for encryption of data in the Workatoplatform.
Workato stores a log of transactions for a limited period of time, in order to provide visibility intosystem activity, facilitate testing and debugging, allow the re-running of failed transactions, andto support long running transactions. The maximum retention period varies by Workato plan andin some plans is configurable. If desired, zero retention can be selected, on a per-recipe basis,in which case data will be held only temporarily in memory during processing. Workato providesthe capability (an optional add-on feature) to stream transaction logs and audit history to anexternal customer provided HTTPS endpoint for longer-term retention and/or analysis.
Data Masking
Workato provides the ability to mask out sensitive data for additional security. The data maskingfeature is available in certain Workato plans. It can be applied to individual Workato recipe steps(triggers or actions). The input and output of a masked step are not shown in the job historyview within the Workato UI. Masked trigger data must still be persisted, to support retry of afailed recipe; but when masking is enabled for subsequent steps (action steps), data from thosesteps is only stored transiently in memory.
High Availability
Workato is designed to offer high availability and resilience to service disruption. Technicalmeasures used to ensure high availability include running Workato services in redundantclusters, utilizing multiple redundant cloud Availability Zones, and continuous replication of theapplication database to a standby system.
Current system status and recent uptime statistics are continuously available atstatus.workato.com.
Workato has implemented a Business Continuity and Disaster Recovery program. This programincludes not just measures to insure the high availability of Workato’s IT assets, but alsocontingency planning for natural disasters and other possible disruptions.
Incident Response
Workato has deployed a variety of security and monitoring tools for its production systems.There is 24x7 monitoring of the security status of its systems and automated alerts areconfigured for security and performance issues. Current status and historical uptime areavailable at status.workato.com.
While we don't anticipate there being a breach of our systems, Workato has put in place aSecurity Incident Response Plan, which details roles, responsibilities and procedures in case ofan actual or suspected security incident.
Workato’s Organisation
All employees are subject to background checks that cover education, employment and criminalhistory, to the extent permitted by local law. Employment at Workato requires writtenacknowledgement by employees of their roles and responsibilities with respect to protectinguser data and privacy.
Workato applies to the principle of least privilege for access. All access and authorization rightsare reviewed regularly. Access or authorization rights will be withdrawn or modified, asappropriate, promptly upon termination or change of role.Workato maintains an information security training program that is mandatory for all employees.Knowledgeable full-time security personnel are on staff.
Vulnerability Disclosure
Workato welcomes reports of vulnerabilities or other security issuesNote that we are primarily interested in issues that may affect authenticated users of ourservices, rather than something related to our public facing sites, many of which are hosted by3rd parties unrelated to our services. Note also we do not generally allow automated scanningof our sites and may block it if detected.Vulnerability reports will be acknowledged and reporters kept apprised of their report’s status.Reports can be submitted to vulnerability@workato.com.
Security Status
November 1, 2022
Amazon Web Services (AWS)
As a trusted AWS technology partner, you can leverage Amazon Web Services to run your intelligent applications, made awesome by Arcanum.
The Arcanum Accelerate Platform leverages a number of AWS services including; Auto Scaling, Load Balancing, EC2, ECS and ECR to ensure your intelligent features operate as high performance micro-services.
AWS risk and compliance program
AWS has integrated a risk and compliance program throughout the organization. This program aims to manage risk in all phases of service design and deployment and continually improve and reassess the organization’s risk-related activities. The components of the AWS integrated risk and compliance program are discussed in greater detail in the following sections.
AWS business risk management
AWS has a business risk management (BRM) program that partners with AWS business units to provide the AWS Board of Directors and AWS senior leadership a holistic view of key risks across AWS. The BRM program demonstrates independent risk oversight over AWS functions. Specifically, the BRM program does the following:
Performs risk assessments and risk monitoring of key AWS functional areas
Identifies and drives remediation of risks
To drive the remediation of risks, the BRM program reports the results of its efforts, and escalates where necessary, to directors and vice presidents across the business to inform business decision-making.
Operational and business management
AWS uses a combination of weekly, monthly, and quarterly meetings and reports to, among other things, ensure communication of risks across all components of the risk management process. In addition, AWS implements an escalation process to provide management visibility into high priority risks across the organization. These efforts, taken together, help ensure that risk is managed consistently with the complexity of the AWS business model.
In addition, through a cascading responsibility structure, vice presidents (business owners) are responsible for the oversight of their business. To this end, AWS conducts weekly meetings to review operational metrics and identify key trends and risks before they impact the business.
Executive and senior leadership play important roles in establishing the AWS tone and core values. Every employee is provided with the company’s Code of Business Conduct and Ethics, and employees complete periodic training. Compliance audits are performed so that employees understand and follow established policies.
The AWS organizational structure provides a framework for planning, executing, and controlling business operations. The organizational structure includes roles and responsibilities to provide for adequate staffing, efficiency of operations, and the segregation of duties. Management has also established appropriate lines of reporting for key personnel. The company’s hiring verification processes include validation of education, previous employment, and, in some cases, background checks as permitted by law and regulation for employees commensurate with the employee’s position and level of access to AWS facilities. The company follows a structured on-boarding process to familiarize new employees with Amazon tools, processes, systems, policies, and procedures.
Control environment and automation
AWS implements security controls as a foundational element to manage risk across the organization. The AWS control environment is comprised of the standards, processes, and structures that provide the basis for implementing a minimum set of security requirements across AWS.
While processes and standards included as part of the AWS control environment stand on their own, AWS also leverages aspects of Amazon’s overall control environment. Leveraged tools include:
Tools used across all Amazon businesses, such as the tool that manages separation of duties
Certain Amazon-wide business functions, such as legal, human resources, and finance
In instances where AWS leverages Amazon’s overall control environment, the standards and processes governing these mechanisms are tailored specifically for the AWS business. This means that the expectations for their use and application within the AWS control environment may differ from the expectations for their use and application within the overall Amazon environment. The AWS control environment ultimately acts as the foundation for the secure delivery of AWS service offerings.
Control automation is a way for AWS to reduce human intervention in certain recurring processes comprising the AWS control environment. It is key to effective information security control implementation and associated management of risks. Control automation seeks to proactively minimize potential inconsistencies in process execution that might arise due to the flawed nature of humans conducting a repetitive process. Through control automation, potential process deviations are eliminated. This provides increased levels of assurance that a control will be applied as designed.
Engineering teams at AWS across security functions are responsible for engineering the AWS control environment to support increased levels of control automation wherever possible. Examples of automated controls at AWS include:
Governance and Oversight: Policy versioning and approval
Personnel Management: Automated training delivery, rapid employee termination
Development and Configuration Management: Code deployment pipelines, code scanning, code backup, integrated deployment testing
Identity and Access Management: Automated segregation of duties, access reviews, permissions management
Monitoring and Logging: Automated log collection and correlation, alarming
Physical Security: Automated processes related to AWS data centers, including hardware management, data center security training, access alarming, and physical access management
Scanning and Patch Management: Automated vulnerability scanning, patch management, and deployment
Controls assessment and continuous monitoring
AWS implements a variety of activities prior to and after service deployment to further reduce risk within the AWS environment. These activities integrate security and compliance requirements during the design and development of each AWS service and then validate that services are operating securely after they are moved into production (launched).
Risk management and compliance activities include two pre-launch activities and two post-launch activities. The pre-launch activities are:
AWS Application Security risk management review to validate that security risks have been identified and mitigated
Architecture readiness review to help customers ensure alignment with compliance regimes
At the time of its deployment, a service will have gone through rigorous assessments against detailed security requirements to meet the AWS high bar for security. The post-launch activities are:
AWS Application Security ongoing review to help ensure service security posture is maintained
Ongoing vulnerability management scanning
These control assessments and continuous monitoring allow regulated customers the ability to confidently build compliant solutions on AWS services. For a list of services in the scope for various compliance programs see the AWS Services in Scope webpage.
AWS certifications, programs, reports, and third-party attestations
AWS regularly undergoes independent third-party attestation audits to provide assurance that control activities are operating as intended. More specifically, AWS is audited against a variety of global and regional security frameworks dependent on region and industry. AWS participates in over 50 different audit programs.
The results of these audits are documented by the assessing body and made available for all AWS customers through AWS Artifact. AWS Artifact is a no cost self-service portal for on-demand access to AWS compliance reports. When new reports are released, they are made available in AWS Artifact, allowing customers to continuously monitor the security and compliance of AWS with immediate access to new reports.
Depending on a country’s or industry’s local regulatory or contractual requirements, AWS may also undergo audits directly with customers or governmental auditors. These audits provide additional oversight of the AWS control environment to ensure that customers have the tools to help themselves operate confidently, compliantly, and in a risk-based manner using AWS services.
For more detailed information about the AWS certification programs, reports, and third-party attestations, visit the AWS Compliance Program webpage. You can also visit the AWS Services in Scope webpage for service-specific information.
Cloud Security Alliance
AWS participates in the voluntary Cloud Security Alliance (CSA) Security, Trust & Assurance Registry (STAR) Self-Assessment to document its compliance with CSA-published best practices. The CSA is “the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment”.The CSA Consensus Assessments Initiative Questionnaire (CAIQ) provides a set of questions the CSA anticipates a cloud customer and/or a cloud auditor would ask of a cloud provider. It provides a series of security, control, and process questions, which can then be used for a wide range of efforts, including cloud provider selection and security evaluation.
There are two resources available to customers that document the alignment of AWS to the CSA CAIQ. The first is the CSA CAIQ Whitepaper, and the second is a more detailed control mapping to our SOC-2 controls which is available to via AWS Artifact. For more information about the AWS participation in CSA CAIQ, see the AWS CSA site.
Customer cloud compliance governance
AWS customers are responsible for maintaining adequate governance over their entire IT control environment, regardless of how or where IT is deployed. Leading practices include:
Understanding the required compliance objectives and requirements (from relevant sources)
Establishing a control environment that meets those objectives and requirements
Understanding the validation required based on the organization’s risk tolerance
Verifying the operating effectiveness of their control environment
Deployment in the AWS Cloud gives enterprises different options to apply various types of controls and various verification methods.
Strong customer compliance and governance may include the following basic approach:
- Reviewing the AWS Shared Responsibility Model, AWS Security Documentation, AWS compliance reports, and other information available from AWS, together with other customer-specific documentation. Try to understand as much of the entire IT environment as possible, and then document all compliance requirements into a comprehensive cloud control framework.
- Designing and implementing control objectives to meet the enterprise compliance requirements as laid out in the AWS Shared Responsibility Model.
- Identifying and documenting controls owned by outside parties.
- Verifying that all control objectives are met and all key controls are designed and operating effectively.
Approaching compliance governance in this manner will help customers gain a better understanding of their control environment and will help clearly delineate the verification activities to be performed.
Conclusion
Providing highly secure and resilient infrastructure and services to our customers is a top priority for AWS. Our commitment to our customers is focused on working to continuously earn customer trust and ensure customers maintain confidence in operating their workloads securely on AWS. To achieve this, AWS has integrated risk and compliance mechanisms that include:
The implementation of a wide array of security controls and automated tools
Continuous monitoring and assessment of security controls to help ensure AWS operational effectiveness and strict adherence to compliance regimes
Independent risk assessment by the AWS Business Risk Management program
Operational and business management mechanisms
In addition, AWS regularly undergoes independent third-party audits to provide assurance that the control activities are operating as intended. These audits, along with the many certifications AWS has obtained, provide an additional level of validation of the AWS control environment that benefit customers.
Taken together with customer-managed security controls, these efforts allow AWS to securely innovate on behalf of customers and help customers improve their security posture when building on AWS.