ARENA’S SECURITY PLATFORM
Our Cloud Technology Makes
Arena the Most Secure Choice
LAYERS OF DEFENSE
Arena’s security model is robust, protecting our customers’ valuable product and quality information. This data is crucial to each customer’s business, so protecting it is our core priority. By prioritizing security in our platform architecture, we provide customers one of the most secure places against threats for data at scale, in or out of the cloud.
HOW IT WORKS
Arena’s product lifecycle management (PLM) and quality management system (QMS) solutions use a multilayered approach to protect your intellectual property (IP). Each security layer provides a specific level of protection for your data.
PROCESS & POLICY LAYER
The first layer of defense is a well-defined, comprehensive set of security processes and policies to ensure the security of our customers’ data and user accounts. Our solution is SOC2 Type 2 compliant.
We use a formal change control policy to evaluate the system and standard operating procedure (SOP) changes. And, all Arena employees and contractors train annually to ensure employee awareness of and compliance with security policies using Arena Training.
PHYSICAL LAYER
All Arena production equipment is owned and operated by Arena Solutions and is co-located at a secure world-class facility. Only a restricted set of Arena operations employees have operational access.
INFRASTRUCTURE LAYER
This perimeter defense layer includes multiple firewalls, operating system-level security measures, and network protocols. No root access is allowed and unnecessary ports are closed. All security patch activities are subject to SOC2 auditing.
APPLICATION LAYER
Arena uses many security measures to enable the secure flow of product and quality information from input through the delivery to the end-user or an integrated system. Measures include data encryption, controlled application access, secure API for integrations, redundant and backed-up storage, and isolated multi-tenancy.
USER LAYER
User security is enforced by allowing only authorized users to view and modify a strictly defined set of objects and data, enabling users to have access to the information they need. When a user changes product information, the changes are logged in the database. In addition to system-wide measures for passwords and sessions, customer administrators can enforce two-factor authentication and define their users’ access to defined data sets.
For more information on each layer of the solution, read our Security Tech Note.
FURTHER PROTECTION
Your PLM and QMS teams are users of your systems and therefore part of your corporate security success. To help with your security, users can stay current on security topics.
Two-Factor Authentication
If the administrator does not require it systemwide, Arena users can choose to enable two-factor authentication at an individual account level. This sends a unique code to the user’s email address or mobile number when the user logs in from an unknown computer.
Password Policy
Users create and secure their passwords. Passwords expire at an interval controlled by your Account Administrator (recommended no more than 90 days). When your password expires, you will be prompted to change your password upon login. Depending on how your workspace is configured, you may be able to keep the same password. Arena passwords must be 8-18 characters long and must include at least one lowercase letter, one uppercase letter, and one number.
Phishing
Brief, formal phishing education may be beneficial for Arena users. Phishing is the fraudulent attempt to obtain information such as usernames, passwords, and data, or disrupt an entire computer system or network. Attackers phish for malicious reasons, by disguising as a trustworthy entity in an email.
Some simple recommendations you can make to your Arena users:
- Teach users to not be fooled by phishing, and to not click links or open attachments in suspicious emails. One of the most effective cyber attack techniques is tricking someone to click a link or open an attachment that installs malware. These are called phishing emails because they lure you into opening an email. Phishing email can say something intriguing, useful, or appear to be a legitimate message from a real company (package delivery, payroll, IRS, social networking, etc.). They can include logos or other official-looking images.
- Instruct users to never open emails from unknown sources. Hackers want people to click on their link so that they can infect the user’s computer. Similarly, teach users that emails received from an unknown source should be evaluated based on the source and whether it makes sense. If not, it may be malicious. The sender’s address should always be verified and any links to URLs can be hovered over to validate them. For example, if the link says it’s from Arena, then hovering over the link should show a URL ending in “.arenasolutions.com”.
HERE TO HELP
If you or any of your users have questions about security or are unsure about whether an Arena Solutions email is legitimate, please forward the email to [email protected].