Security

1.866.937.1438 |

Security Overview

Physical Security
All of Arena’s production equipment is owned and operated by Arena Solutions, and is co-located at AboveNet. AboveNet maintains 24-hour security at the co-location facility, with all visits logged against customer-defined access lists. Once authorization is confirmed, a cardkey lock allows visitors to access only their own equipment area. In addition, AboveNet’s facility utilizes continuous power supply online generators as well as a Very Early Smoke Detection Alarm (VESDA) system that is four times more sensitive than a typical smoke detector. The VESDA system is paired with a Fire Master 200 fire suppressor system that does not damage electrical equipment.

 

Perimeter Defense
A strong perimeter defense is essential to prevent unauthorized or inappropriate system access. Arena secures the perimeters of both production and corporate networks with multiple firewalls. Primary production firewalls are managed by in-house technicians. An independent third party is employed to actively scan all public Arena IP addresses on all production and corporate networks for unauthorized open ports and known protocol vulnerabilities.

 

Data Encryption
Arena leverages the strongest encryption currently supported by browsers, using a 1024-bit RSA public key and letting users access data with 128-bit encryption from their browsers. An SSL certificate—signed by authentication leader VeriSign and bearing the Arena domain name—as well as the lock icon in the corner of the user’s browser, assure customers that their data is fully protected while in transit. In addition, all uploaded customer files are stored on Arena servers in encrypted form.

 

User Authentication
Arena customer data can be accessed only with a valid username and password combination, which is encrypted via SSL for Internet transmission. Username and password verification is provided by a hardened authentication service that is maintained separately from the main application service. For further security, Arena does not store user passwords. Instead, all passwords are encrypted using a one-way hashing algorithm. The hashed value is compared with a previously calculated hash value stored in the Arena authentication database. Once an Arena PLM session has been established, a randomized session ID cookie that does not contain username or password information is used to identify the user. One hour of inactivity causes the session to time out, after which a new session must be established in order to access customer data.

 

Application Security
Similar to multiple ATM machines accessing a centralized banking system, Arena’s robust application security model prevents one customer from gaining unauthorized access to another customer’s data when accessing Arena’s centralized database system. This security model is applied and enforced for all Arena customers and staff.

 

IP-based Access Restriction (Optional)
Arena offers our Enterprise Edition Customers the option to restrict access to their Arena Workspace by IP address. Customers can define different Access Restrictions for different user groups, so that customer administrators can ensure that each user can access product data only from a trusted client network. This feature includes the capability to monitor and log user attempts to access the workspace from untrusted networks.

 

Internal Systems Security
Within perimeter firewalls, Arena systems are safeguarded by a variety of security features such as network address translation, port redirection, IP masquerading, non-routable IP addressing schemes, internal firewalls, and other precautionary measures. Details regarding the implementation of these security features are proprietary.

 

Operating Systems Security
Arena Solutions enforces tight operating system-level security by using a minimal number of access points to all production servers and protecting all operating system accounts with strong passwords. Production servers do not share a master password database. For security, all operating systems are maintained at each vendor’s recommended patch levels. Multiple, third-party security applications are used to ensure that each machine is secure before being placed into production. These applications are also checked at regular intervals to ensure that configurations have not been changed.

 

Database Security
Database access is controlled at the operating system and database connection levels for additional security. Access to production databases is limited to a minimal number of points. As with production servers, production databases do not share a master password database.

 

Auditing
Arena has a robust auditing system. Our servers are monitored continually. Any potential problems are detected, isolated, and resolved without delay. Arena staff is alerted immediately in the event of potential hardware issues, hacker attacks, power fluctuations, or other potential difficulties.

 

Access by Arena Staff
There may be situations in which Arena staff members need to access customer data for administrative purposes. It is Arena’s policy to grant this access on a need-to-know basis only, and to limit such access to a small number of people with individual passwords. When providing customer support, Arena staff will always ask for permission prior to accessing customer data.

 

Reliability and Backup
Arena further enhances its reliability by storing all customer data on redundant disks. To protect against data loss due to catastrophic events, all customer data is backed up on an hourly basis to a warm production-capacity disaster recovery site in a separate co-location facility, up to the last committed transaction. To further protect against data loss, archival backups of all customer data are created on a weekly basis and maintained for 26 weeks. NOTE: Arena does not protect individual customers against deletion of their data by properly authorized and authenticated users. For this reason, customers are expected to maintain duplicate copies of all data for backup purposes.

Please address all questions to: info@arenasolutions.com.