Infor Cloud security
Infor® takes security seriously. We have the tools, processes, and policies in place to safeguard the confidentiality, integrity, and availability of Infor products, services, and customer data.
Not only are security requirements for each Infor Cloud product defined and architected into the software design, they are constantly reviewed, tested, and updated to help ensure threats and vulnerabilities are mitigated.
A cloud environment is only as secure as its weakest link in the cloud security chain. Infor Cloud employs a “defense-in-depth” strategy. Multiple layers of overlapping security safeguard customer data through each link of the chain. These security controls are enforced by a team of specialists who continuously monitor and improve Infor Cloud security posture to stay ahead of threats and vulnerabilities.
Our dedicated Infor Cloud security staff works 24/7, vigilantly monitoring the cloud environment. If a customer requires more active collaboration to address security issues or concerns, our staff is readily available and easily engaged.
The Infor Cloud team is committed to protecting the privacy of customer data. Specific security/privacy policies, procedures, and technical controls are applied to our operations to ensure we provide unparalleled support, without infringing on confidentiality.
- Apply, review, and update security best practices
- Top 10 Open Web Application Security Project (OWASP)-based code review
- Formal configuration and change management practices via enforced and audited processes
- Vulnerability and penetration testing throughout product lifecycle
- Security principles of “least privilege” and “need to know” enforced by Role Based Access Controls (RBAC)
- Rigid protocols enforce security even when customers use compromised systems or don’t apply security best practices
- Infor Cloud is separate from Infor corporate network
- Proactive defense
- Real-time monitoring
- Firewall segmentation
- Two-factor authentication supported
- Digital certificates ensure Infor Cloud sessions occur only with authenticated systems
Physical security (IAAS PARTNER data centers)
- Guard-controlled access with man-trap technology
- Registered guest restrictions
- Locked cage spaces
- Closed-circuit television monitoring
- Additional systems for physical intrusion monitoring, detection, and alerting
- Restricted access
- Limited user-account permissions
- Hardening and managed patching of operating systems
- Separation of server duties and least privilege access
- Backup management
Infor Business Continuity Plan
Infor’s business continuity plan encompasses the plans and protocol to implement and maintain business continuity via our systems, management processes and policies. Our goal is protect and respond quickly and in an effective manner to safeguard our customers, partners and employees.
We achieve this goal by:
- Identifying critical business functions and key leadership for those functions to ensure Infor maintains operations during any incident.
- Having a Disaster Recovery plan. With locations around the world, Infor data centers provide BCP/DR services for each other. Should a failure occur at one data center, the systems hosted at that location will be restored and made available at another Infor location within the same AWS region.
- Executing effective communications plans – both internally and externally
- Training our staff to respond accordingly with the ability to work remotely via VPN, allowing secure access to our support systems and customer records. Our consultants are equipped to provide continued services remotely through use of secure technology and online collaboration tools.
- Organizing the company in a ‘command and control’ fashion via a dedicated Crisis Management Team (CMT). This is a cross-functional that meets daily to assess risks, responses, and document processes for disaster response.
- Testing Infor’s business continuity plan annually to verify that the recovery procedures work as intended, the supporting documentation is accurate and current, and gaps in procedures, personnel, and other resources are properly identified. All CMT members participate in at least one exercise per year.
Continuity in the Cloud
Business Continuity is designed into our Multi-tenant CloudSuite architecture so that the environment provides high availability and customer downtime is minimized or even eliminated.
Incident recognition and response
- Monitoring, characterizing, reporting, and automated logging of system activity and events
- Intrusion Protection Engine captures and analyzes intrusion attempts
- Technical escalation and customer notification paths
- Collaboration with customers to investigate attempts at intrusion—whether accidental or purposeful.
- In-transit data encrypted using appropriate mechanisms that include TLS, PGP, and secure FTP
- Data-at-rest encrypted using database, file system, or other appropriate encryption capabilities
Dynamic password management
- Centrally managed passwords
- Forced password change
- Unsuccessful password attempts and patterns registered, network management staff automatically alerted
- Customers own their data – if an engagement should terminate, customer data is returned or deleted at the customer’s request
Compliance, policies, and best practices
Infor SaaS Solutions
- SOC 1
Audited bi-annually—Report available end of June and end of November
Single-tenant SaaS and hosted environments
Audited bi-annually—Report available end of July and January
- SOC 2
Audited annually—Report available end of November
Infor Government Solutions (IGS)
- IGS consists of securely configured Infor CloudSuites running on AWS GovCloud infrastructure managed by US Persons
- IGS helps customers meet security and privacy standards and frameworks such as:
- DoD SRG IL2
- NIST 800-53
- NIST 800-171
- NERC CIP
- GDPR compliance is a priority at Infor. To learn about Infor’s GDPR privacy program validation please visit GDPR Validation
- Infor Privacy
Specific Infor Applications/SaaS Solutions
Please click on the link to see the latest solutions certified for ISO 27001
Security vulnerability reporting
Security is important for Infor and its customers, and we work hard to maintain secure customer environments. Current customers should report vulnerabilities through a support ticket. Security researchers, please click here for details on how to report a security vulnerability.
We understand that security awareness is a critical component of any security program. For more information on our efforts towards creating a culture of security please view our executive brief. In summary:
- Phishing simulations. We run internal phishing simulations to help our employees learn how to detect phishing attacks and provide remediation training where required.
- Security awareness training. We conduct security awareness training all year round to help keep momentum going in between our annual security awareness compliance training. We deliver security awareness through multiple communication channels and initiatives so there is material available for different preferred styles of learning.
- Creating a culture of security. In order to maximize security awareness efforts, we work to integrate security into the corporate culture itself so employees recognize that following security best practices is a core aspect of what we do.
- Positivity and recognition. We promote a positive security culture by recognizing outstanding security behavior demonstrated by our employees through reward schemes.
Infor Software follows and leverages Infor’s Secure Development Life Cycle process, inclusive application patches, and updates. Within IGS, this is audited through a Third Party Assessment Organization (3PAO) and included in the FedRAMP Moderate Authorization. Federal Agencies may request Infor’s authorization package through the FedRAMP Marketplace at: https://marketplace.fedramp.gov/#!/product/infor-government-solutions-igs-software-as-a-service?sort=productName&productNameSearch=infor