Infor Cloud security

Infor® takes security seriously. We have the tools, processes, and policies in place to safeguard the confidentiality, integrity, and availability of Infor products, services, and customer data.

Not only are security requirements for each Infor Cloud product defined and architected into the software design, they are constantly reviewed, tested, and updated to help ensure threats and vulnerabilities are mitigated.

A cloud environment is only as secure as the weakest link in its security chain. Infor Cloud employs a “defense-in-depth” strategy: multiple layers of overlapping security safeguard customer data through each link of the chain. These security controls are enforced by a team of specialists who continuously monitor and improve the Infor Cloud security posture to stay ahead of threats and vulnerabilities.

Our dedicated Infor Cloud security staff works 24/7, vigilantly monitoring the cloud environment. If a customer requires more active collaboration to address security issues or concerns, our staff is readily available and easily engaged.

The Infor Cloud team is committed to protecting the privacy of customer data. Specific security/privacy policies, procedures, and technical controls are applied to our operations to ensure we provide unparalleled support, without infringing on confidentiality. The National Cyber Security Alliance has recognized this commitment, naming Infor a 2019 NCSAM Champion organization.

Application security

  • Apply, review, and update security best practices
  • Code review based on the Open Web Application Security Project (OWASP) Top 10
  • Formal configuration and change management practices via enforced and audited processes
  • Vulnerability and penetration testing throughout product lifecycle

Network security

  • Security principles of “least privilege” and “need to know” enforced by Role-Based Access Control (RBAC)
  • Rigid protocols enforce security even when customers use compromised systems or don’t apply security best practices
  • Infor Cloud is separate from Infor corporate network
  • Proactive defense
  • Real-time monitoring
  • Firewall segmentation
  • Two-factor authentication supported
  • Digital certificates ensure Infor Cloud sessions occur only with authenticated systems

Physical security (IaaS partner data centers)

  • Biometric-protected
  • Guard-controlled access with man-trap technology
  • Registered guest restrictions
  • Locked cage spaces
  • Closed-circuit television monitoring
  • Additional systems for physical intrusion monitoring, detection, and alerting

Infrastructure security

  • Restricted access
  • Limited user-account permissions
  • Hardening and managed patching of operating systems
  • Separation of server duties and least privilege access
  • Backup management

Infor Business Continuity Plan

Infor’s business continuity plan encompasses the plans and protocols to implement and maintain business continuity via our systems, management processes, and policies. Our goal is to protect and respond quickly and effectively to safeguard our customers, partners, and employees.

We achieve this goal by:

  • Identifying critical business functions and key leadership for those functions to ensure Infor maintains operations during any incident.
  • Having a Disaster Recovery plan. With locations around the world, Infor data centers provide BCP/DR services for each other. Should a failure occur at one data center, the systems hosted at that location will be restored and made available at another Infor location.
  • Executing effective communications plans – both internally and externally
  • Training our staff to respond accordingly with the ability to work remotely via VPN, allowing secure access to our support systems and customer records. Our consultants are equipped to provide continued services remotely through use of secure technology and online collaboration tools.
  • Organizing the company in a ‘command and control’ fashion via a dedicated Crisis Management Team (CMT). This is a cross-functional team that meets daily to assess risks and responses and to document processes for disaster response.
  • Testing Infor’s business continuity plan annually to verify that the recovery procedures work as intended, the supporting documentation is accurate and current, and gaps in procedures, personnel, and other resources are properly identified. All CMT members participate in at least one exercise per year.

Continuity in the Cloud

Business Continuity is designed into our Multi-tenant CloudSuite architecture so that the environment provides high availability and customer downtime is minimized or even eliminated.

Incident recognition and response

  • Monitoring, characterizing, reporting, and automated logging of system activity and events
  • Intrusion Protection Engine captures and analyzes intrusion attempts
  • Technical escalation and customer notification paths
  • Collaboration with customers to investigate attempts at intrusion—whether accidental or purposeful.

Encryption

  • In-transit data encrypted using appropriate mechanisms that include TLS, PGP, and secure FTP
  • Data-at-rest encrypted using database, file system, or other appropriate encryption capabilities

Dynamic password management

  • Centrally managed passwords
  • Forced password change
  • Unsuccessful password attempts and patterns are registered, and network management staff are automatically alerted

Data ownership

  • Customers own their data – if an engagement should terminate, customer data is returned or deleted at the customer’s request

Compliance, policies, and best practices

Infor SaaS Solutions

  • SOC 1
    • Multi-tenant SaaS
      • Audited annually—Report available end of June and end of November
    • Single-tenant SaaS and hosted environments
      • Audited annually—Report available end of July and January
  • SOC 2
    • Multi-tenant SaaS
      • Audited annually—Report available end of November
  • CSA


Infor Regulated Industries SaaS (IRIS)

  • IRIS consists of securely configured Infor CloudSuites running on AWS GovCloud infrastructure managed by US Persons
  • IRIS helps customers meet security and privacy standards and frameworks such as:
    • FedRAMP
    • DoD SRG IL2
    • NIST 800-53
    • NIST 800-171
    • ITAR
    • HIPAA
    • FERPA
    • NERC CIP
    • CJIS


Privacy

  • GDPR compliance is a priority at Infor. To learn about Infor’s GDPR privacy program validation please visit GDPR Validation
  • Infor Privacy


Specific Infor Applications/SaaS Solutions


Please click on the link to see the latest solutions certified for ISO 27001

Security vulnerability reporting

Security is important for Infor and its customers, and we work hard to maintain secure customer environments. If you are a security researcher and would like to report a security flaw, please send us an email at security@infor.com with your name and contact information. Please use PGP; here is our key. Please provide technical details to help us reproduce the vulnerability. We will verify each vulnerability, we will respond to legitimate ones, and we will work to remediate them. We thank you for the coordinated disclosure.