The security of information systems is a complex, shared responsibility between infrastructure, system and application providers. Informatica doesn’t take lightly the responsibility our customers have entrusted to us in this complex risk equation.
As Informatica’s Chief Information Security Officer, I’d like to share three important security updates with our customers:
- What you need to know about Informatica products and services relative to the latest industry-wide security concern,
- What you need to do to secure Informatica products against the Shellshock vulnerability, and
- How to contact Informatica if you have questions about Informatica product security.
1 – What you need to know
On September 24, 2014, a serious new cluster of vulnerabilities affecting Linux/Unix distributions was announced. They are tracked as CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277 and CVE-2014-6278, and are also known as “Shellshock” or “Bashdoor”. What makes Shellshock so impactful is that it requires relatively low effort or expertise to exploit and gain privileged access to vulnerable systems.
Informatica’s cloud-hosted products, including Informatica Cloud Services (ICS) and our recently-launched Springbok beta, have already been patched to address this issue. We continue to monitor for relevant updates to both vulnerabilities and available patches.
Because this vulnerability is a function of the underlying Operating System, we encourage administrators of potentially vulnerable systems to assess their risk levels and apply patches and/or other appropriate countermeasures.
Informatica’s Information Security team coordinated an internal response with product developers to assess the vulnerability and make recommendations necessary for our on-premise products. Specific products and actions are listed below.
2 – What you need to do
Informatica products themselves require no patches to address the Shellshock vulnerability; they are not directly impacted. However, Informatica strongly recommends that you apply your OS vendors’ patches as they become available, since some applications allow customers to use shell scripts in their pre- and post-processing steps. Specific Informatica products and remediations are listed below:
| Cloud Service | Version | Patch / Remediation |
|---|---|---|
| Springbok | Beta | No action necessary. The Springbok infrastructure has been patched by Informatica Cloud Operations. |
| ActiveVOS/Cloud | All | No action necessary. The ActiveVOS/Cloud infrastructure has been patched by Informatica Cloud Operations. |
| Cloud/ICS | All | Customers should apply OS patches to all of their machines running a Cloud agent. Relevant Cloud/ICS hosted infrastructure has already been patched by Informatica Cloud Operations. |

| Product | Version | Patch / Remediation |
|---|---|---|
| PowerCenter | All | No direct impact. Customers who use shell scripts within their pre- / post-processing steps should apply OS patches to mitigate this vulnerability. |
| IDQ | All | No direct impact. Customers who use shell scripts within their pre- / post-processing steps should apply OS patches to mitigate this vulnerability. |
| MM, BG, IDE | All | No direct impact. Customers who use shell scripts within their pre- / post-processing steps should apply OS patches to mitigate this vulnerability. |
| Data Services / Mercury stack | All | |
| PWX mainframe & CDC | All | No direct impact. Recommend customers apply OS patch to all machines with INFA product installed. |
| UM, VDS | All | No direct impact. Recommend customers apply OS patch to all machines with INFA product installed. |
| IDR, IFC | All | No direct impact. Recommend customers apply OS patch to all machines with INFA product installed. |
| B2B DT, UDT, hparser, Atlantic | All | No direct impact. Recommend customers apply OS patch to all machines with INFA product installed. |
| Data Archive | All | No direct impact. Recommend customers apply OS patch to all machines with INFA product installed. |
| Dynamic data masking | All | No direct impact. Recommend customers apply OS patch to all machines with INFA product installed. |
| IDV | All | No direct impact. Recommend customers apply OS patch to all machines with INFA product installed. |
| SAP Nearline | | No direct impact. Recommend customers apply OS patch to all machines with INFA product installed. |
| TDM | | No direct impact. Recommend customers apply OS patch to all machines with INFA product installed. |
| MDM | All | No direct impact. Recommend customers apply OS patch to all machines with INFA product installed. |
| IR / name3 | | No direct impact. Recommend customers apply OS patch to all machines with INFA product installed. |
| B2B DX / DIH | All | DX & DIH customers on Red Hat should apply OS patches. Customers on other operating systems are still recommended to apply the OS patch. |
| PIM | All | PIM core and Procurement are not directly impacted. Recommend Media Manager customers apply OS patch to all machines with INFA product installed. |
| ActiveVOS | All | No direct impact for on-premise ActiveVOS product. Cloud-realtime has already been patched. |
| Address Doctor | All | No direct impact for AD services run on Windows. Procurement service has already been patched by Informatica Cloud Operations. |
| StrikeIron | All | No direct impact. |
3 – How to contact Informatica about security
Informatica takes the security of our customers’ data very seriously. Please consult Informatica’s Knowledge Base (article ID 301574) or contact our Global Customer Support team if you have any questions or concerns. The Informatica support portal is always available at http://mysupport.informatica.com.
If you are a security researcher and have identified a potential vulnerability in an Informatica product or service, please follow our Responsible Disclosure Program.
Bill Burns, VP & Chief Information Security Officer
In Ashwin Viswanath’s previous video blog, he spoke about why it is important to have a cloud integration solution that has purpose-built integration applications. In this video, he delves deeper into the security aspects of cloud integration and how to rapidly provision integration environments for distributed business units, subsidiaries and departments in a quick and efficient manner.
In Ashwin Viswanath’s previous blog post, SaaS Data Integration for SaaS Applications, he explained how SaaS applications are much more dynamic than on-premises business applications with new fields and objects added with just a few clicks. This same agility is required when it comes to integrating SaaS applications, which is why it is important to have a hybrid IT strategy for your data integration architecture. Informatica PowerCenter together with Informatica Cloud can help you get started with such a strategy.
In a recent Sand Hill article, Jeff Kaplan, the managing director of THINKstrategies, reports on the recent and changing state of data integration with the addition of cloud computing. “One of the ongoing challenges that continues to frustrate businesses of all sizes is data integration, and that issue has only become more complicated with the advent of the cloud. And, in the brave new world of the cloud, data integration must morph into a broader set of data management capabilities to satisfy the escalating needs of today’s business.”
Salesforce.com – a company that has become synonymous with the cloud – acquired over 100,000 customers and one million users within a span of just 10 years. Compare that to a traditional company like General Electric, the only company to be on the Dow Jones Index for over 100 years – it took them over five-times that many years to acquire the same number of customers. This goes to say that customers have been enamored by the cloud and its benefits – no software maintenance, rapid time-to-value, and subscription pricing – to name a few. No wonder, there are thousands of cloud applications and millions of users out there now. I’ve seen projections that the cloud computing market will grow to $241 billion by 2020. This might be a conservative estimate.
Cloud Slam ’11 is the first hybrid event that I’ve been a part of – in other words, it’s both virtual and live. Naturally I’ll be doing a session focusing on the hybrid reality of today’s IT organization and the importance of cloud data integration.