Data Security and Privacy Principles for 21Vianet SaaS
Last Updated: May 30, 2016
Cloud computing offers business leaders cost-effective elasticity and scalability, which is critical in today’s dynamic and fiercely competitive market. Software as a Service, or “SaaS,” further optimizes this concept by shifting much of the onus of deployment, administration, maintenance, and security of applications, middleware, databases, operating systems, hypervisors, servers, storage, and networking to the service provider.
It is natural for any responsible business leader to be wary of relinquishing command over the Information Technology policies and controls protecting their data to a third party. The impact of a data breach can be catastrophic, and when it comes to protecting your data, not all SaaS providers are equal.
At 21Vianet, data privacy and security are not afterthoughts or “the cost of doing business.” 21Vianet continues our long tradition of privacy and security leadership because data security and privacy have been essential values of our organizational culture for decades.
It is important to bear all of this in mind when comparing 21Vianet to other SaaS providers because with any SaaS offering you are trusting your provider with one of your most critical assets: your data. While SaaS customers must assess any SaaS offering to determine if its data processing and security measures satisfy their organizational and regulatory requirements, the SaaS provider decides where risks lie in its services and implements security measures accordingly. The provider’s capabilities, experience, and attitude towards data privacy and security matter greatly.
21Vianet maintains the confidentiality of the data you own and upload into a 21Vianet SaaS offering. We do not use, disclose, or access your data for any reason except to deliver services and support to you in accordance with the terms of the offering.
We would like to share with you some of the practices and principles we live by at 21Vianet that keep our systems and data safe, as it is this same security-driven culture that safeguards the confidentiality, integrity, and availability of the data you entrust to 21Vianet SaaS.
21Vianet’s IT Security policies are defined by essential principles and practices centered on a philosophy of continuous improvement. We continuously assess the effectiveness of IT Security measures and evaluate them against emerging threats and technological advances that can further enhance 21Vianet’s secure computing capabilities.
21Vianet security policies are reviewed regularly and refined as necessary to keep current with modern threats and in line with international standards updates.
21Vianet security incidents are handled in accordance with our comprehensive incident response procedures, taking into account any data breach notification requirements under applicable law.
21Vianet employees are required to complete security and privacy education annually and certify each year that they will comply with 21Vianet’s ethical business conduct, privacy, confidentiality, and security requirements.
Access, Intervention, Transfer and Separation Control
The architecture of 21Vianet SaaS offerings maintains logical separation of client data. Internal rules and measures separate data processing (store, change, copy, delete and/or transfer data) and/or storage media according to the contracted purposes. Access to client data (including any personal data) is allowed only by authorized personnel in accordance with principles of segregation of duties, strictly controlled under 21Vianet’s identity and access management policies, and monitored in accordance with 21Vianet’s internal privileged user monitoring and auditing program.
21Vianet’s privileged access authorization is individual, role-based, and subject to regular validation.
Access to client data is only granted as necessary to deliver services and support to the client (i.e., least required privilege).
Transfer of data within 21Vianet’s network takes place behind 21Vianet’s firewalls. Wi-Fi is not used within 21Vianet production data centers.
Service Integrity & Availability Controls
Modifications to operating system resources and application software are governed by 21Vianet’s rigorous change management process. Changes to firewall rules are also governed by the change management process and are separately reviewed by 21Vianet security staff before implementation.
21Vianet systematically monitors production data center resources 24x7. Internal and external vulnerability scanning is regularly conducted by authorized administrators to help detect and resolve potential exposures. 21Vianet’s data center services support a variety of information delivery protocols for transmission of data over public networks such as HTTPS, SFTP, and FTPS.
21Vianet policy defines clear back-up requirements for production systems and data. Compliance with these policies is monitored and rigorously enforced. Backup data intended for off-site storage, if any, is encrypted prior to transport.
Security configuration and patch management activities are performed and reviewed regularly. 21Vianet’s infrastructure is subject to emergency planning concepts (e.g., disaster recovery, solid disk mirroring, etc.). Business continuity plans for 21Vianet’s infrastructure are documented and regularly revalidated.
Activity Logging, Input Control
21Vianet maintains logs of its activity for systems, applications, and network infrastructure devices. Changes made to production systems are logged and governed in accordance with 21Vianet’s change management policies.
Physical Security, Entry Control
21Vianet maintains physical security standards designed to restrict unauthorized physical access to data center resources. Only limited access points exist at 21Vianet data centers, which are controlled by access readers and monitored by surveillance cameras. Access is allowed only by authorized personnel.
Delivery areas and loading docks where unauthorized persons may enter the premises are strictly controlled.
Non-21Vianet operations and security staff are registered upon entering the premises and are escorted by authorized personnel while on the premises.
Employees upon termination are removed from the access list and required to surrender their access badge. Usage of access badges is logged.
Data processing is performed according to a written agreement by which 21Vianet describes the terms, functionality, support, and maintenance of a SaaS offering and the measures taken to maintain the confidentiality, integrity, and availability of client-owned data.
21Vianet security standards are regularly reviewed against broadly accepted, industry-standard practices, such as ISO 27001. We continue to develop external auditing and certification requirements for 21Vianet SaaS offerings as they and applicable standards and regulations evolve.
Assessments and audits are conducted regularly by 21Vianet to confirm compliance with its information security policies, and industry standard audits are performed annually in all 21Vianet production data centers.
While no SaaS provider can promise 100% protection against cybersecurity threats, our clients rest assured knowing that their data is protected by 21Vianet. No other SaaS provider on the planet can match our depth of skills and knowledge, resources, and decades-long record of data security and privacy leadership.