NetApp SaaS Backup Security

NetApp Trust Center

Keeping data secure in the Cloud

NetApp SaaS Backup provides data protection services for SaaS applications, protecting your SaaS service data. The NetApp SaaS Backup data protection service helps organizations safeguard data while remaining compliant with industry and regional requirements.


Protecting your data and keeping it secure with SaaS Backup

NetApp SaaS Backup is a cloud-born application service designed to protect your organizational data in the cloud and to meet your data protection and compliance needs with robust security and reliability, helping our customers save time and money.

When you move your organization to a cloud service, you must be able to trust your service provider with your most important, sensitive and confidential data. Since security is paramount to business success, NetApp has implemented robust policies, controls and systems built into the NetApp SaaS Backup Service to keep your information safe. NetApp SaaS Backup is designed on the principles of the Security Development Lifecycle, a mandatory NetApp process that embeds security and privacy requirements into every phase of development.

NetApp SaaS Backup-managed security controls are enabled by default in our service and, together with the customer-managed controls in the service, allow you to customize your data protection levels and access controls to meet your organizational security needs.

The data that is protected and stored by NetApp belongs to you, which means you have complete control over your data. NetApp provides extensive security and privacy controls and visibility into where the data resides, who can access it, and the availability of the service and the data. If you end your subscription with NetApp SaaS Backup, you can take advantage of our data portability to take your data with you within a prescribed period provided by the SaaS Backup Service.

NetApp Investments in Security Research

NetApp is a pioneer in the data protection and data management space. Providing secure software and solutions to our customers is an imperative that has been driving our business. NetApp invests in industry research and partners with industry-leading organizations that drive the requirements of future IT; cloud security is one such area. NetApp is a corporate member of the Cloud Security Alliance and an active member of the corporate membership councils, providing important guidance to the solution council.

NetApp also invests in a Bugcrowd program for NetApp SaaS Backup throughout the year and invites security researchers from around the world to perform security tests on our service and report bugs, vulnerabilities and other findings. For more information on how to report security issues to NetApp.

NetApp SaaS Backup Secure Identity Management

NetApp provides our customers with the flexibility to manage and integrate with their preferred organizational identity management system. Our customers have the choice of using:

  • NetApp Single Sign-on
    NetApp uses its own integrated directory to manage users and provide authentication, identity management and access control to the NetApp SaaS Backup Service.
  • Federated/Synchronized or Cloud Identity
    NetApp also enables and allows our customers to use their Federated/Synchronized identity (like Azure AD) or Cloud Identity (like Office 365, Salesforce) to manage users and to provide authentication, identity management and access control to the NetApp SaaS Backup Service.

NetApp SaaS Backup also supports multi-factor authentication, managed from the Office 365 Admin center, to help provide an extra layer of security. Office 365 offers the following subset of Azure multi-factor authentication capabilities as part of your subscription, and NetApp SaaS Backup honors the customer's preferences, including:

  • Ability to enable and enforce Multi-Factor Authentication for Administrators
  • Use of a mobile app (online and one-time password) as a second authentication factor
  • Use of a phone call as a second authentication factor
  • Use of a Short Message Service (SMS) message as a second authentication factor
  • Application passwords for non-browser clients (for example, the Skype for Business client software)
Auditing and Logging

Auditing and logging of security-related and user activity within the NetApp SaaS Backup Service are important components of an effective data protection strategy. NetApp SaaS Backup provides an audit trail with reports on user activity, enabling you to identify patterns of suspicious activity. You can use the audit trail to monitor user activity, document regulatory compliance, perform forensic analysis and more.

Data Encryption

For customer backup data in transit, NetApp SaaS Backup uses Transport Layer Security (TLS) for communication between the vendor's SaaS service and the NetApp SaaS Backup Service when backing up data. Customer backup data at rest is stored in the target destination and encrypted using the AES-256 encryption algorithm.

Multi-Tenant Architecture

Multi-tenancy is the primary benefit of cloud computing: the ability to share common infrastructure across numerous customers simultaneously. NetApp ensures that the multi-tenant architecture of NetApp SaaS Backup implements enterprise-level security controls to ensure compliance with security, confidentiality, integrity, availability and privacy standards. Multiple forms of protection have been implemented and enabled to achieve data isolation on the NetApp SaaS Backup Service, preventing customers from compromising the NetApp SaaS Backup Service or gaining unauthorized access to the information of other tenants. The NetApp SaaS Backup Operations Team continuously monitors the system for any anomalies in the access controls on the NetApp SaaS Backup Service and takes preventive and corrective actions as needed.

How NetApp Accesses your Data

NetApp SaaS Backup automates most of its service operations while intentionally limiting its own access to customer backup data. This enables NetApp to manage the NetApp SaaS Backup Service at scale and to address the risks of internal threats to customer content, such as a malicious actor or spear-phishing of NetApp engineers. By default, NetApp engineers have zero standing administrative privileges and zero standing access to customer content in the NetApp SaaS Backup Service.

How you Access your Data

NetApp has implemented controls for the backup data managed by NetApp SaaS Backup and customers: while customers retain the right to back up their data, customers themselves cannot delete the backups and are required to contact NetApp support to do so. If the subscription ends or the NetApp SaaS Backup subscription is terminated, our customers have the right to use our data portability feature and will be enabled to download their data to their desired location.

Security Management & Response

Threat Management

The NetApp SaaS Backup threat management strategy involves identifying a potential threat's intent, capability, and probability of successfully exploiting a vulnerability. The controls implemented and used to safeguard the NetApp SaaS Backup Service against such exploitation are based on industry standards and best practices.

Incident Response

NetApp SaaS Backup incident response includes a dedicated team that works 24/7 to detect, prevent, monitor and respond to security incidents. The NetApp SaaS Backup team follows the approach prescribed in NIST 800-61 and includes the following incident response management phases:

  • Preparation – The organizational preparation needed to respond to an incident, including tools, processes, competencies, and readiness.
  • Detection and Analysis – The detection of a security incident in a production environment, and the analysis of all events to confirm the authenticity of the security incident.
  • Containment, Eradication, and Remediation – The required and appropriate actions needed to contain the security incident based on the analysis done in the previous phase. Additional analysis may also be necessary in this phase to fully remediate the security incident.
  • Post-Incident Activity – The analysis performed after the remediation of a security incident. The operational actions performed during the process are reviewed to determine if any changes need to be made in the Preparation or Detection and Analysis phases.

General Data Protection Regulation (GDPR)

Understanding Data Privacy Compliance and Its Business Implications

Compliance areas of NetApp SaaS Backup

ISO 27001:2013
ISO 27001 is one of the best security benchmarks available in the world. NetApp SaaS Backup has been verified to meet the rigorous set of physical, logical, process and management controls defined by ISO 27001:2013.
Statement on Standards for Attestation Engagements No. 18 (SSAE 18)/Systems and Organizations Controls (SOC)
SOC, defined by the American Institute of Certified Public Accountants (AICPA), is the name of a suite of reports produced during an audit. It is intended for use by service organizations (organizations that provide information systems as a service to other organizations) to issue validated reports on internal controls over those information systems to the users of those services. The reports focus on controls grouped into five categories called Trust Service Principles. NetApp SaaS Backup is compliant with SOC 2 Type II.
European Union (EU) Model Clauses
The EU Data Protection Directive, a key instrument of EU privacy and human rights law, requires our customers in the EU to legitimize the transfer of personal data outside of the EU. The EU model clauses are recognized as a preferred method for legitimizing the transfer of personal data outside the EU for cloud computing environments. Offering the EU model clauses involves investing and building the operational controls and processes required to meet the exacting requirements of the EU model clauses. Unless a cloud service provider is willing to agree to the EU model clauses, a customer might lack confidence that it can comply with the EU Data Protection Directive's requirements for the transfer of personal data from the EU to jurisdictions that do not provide "adequate protection" for personal data.
ISO 27018
ISO 27018 establishes a uniform and international approach to protecting the privacy of personal information stored in the cloud. NetApp has implemented ISO 27018 security controls and is currently in the process of evaluating the implementation of those controls against the ISO 27018 compliance requirements. NetApp's compliance with ISO 27018 means that NetApp only processes personal information in accordance with our customers' instructions; NetApp is completely transparent about what happens to customer data and provides strong security protection for personal information in the cloud; NetApp does not use the personal information of our customers, or the personal information stored in their backup data, for any advertising or marketing purposes; and NetApp is committed to informing our customers about government access to their data.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA imposes security, privacy, and reporting requirements regarding the processing of electronic protected health information on those of our customers that may be "covered entities" under the law. NetApp SaaS Backup is developed to provide physical, administrative, and technical safeguards to help our customers comply with HIPAA. NetApp offers a HIPAA Business Associate Agreement to our customers; for more information about HIPAA, please visit the HIPAA/HITECH FAQ.
Data processing terms
NetApp provides customers with additional contractual assurances through our data processing terms regarding NetApp's handling and safeguarding of customer data.
Family Educational Rights and Privacy Act (FERPA)
FERPA imposes requirements on U.S. educational organizations regarding the use or disclosure of student education records, including email and attachments. NetApp agrees to use and disclosure restrictions imposed by FERPA that limit our use of student education records, including agreeing to not scan emails or documents for advertising purposes.

FAQs

Security and Privacy Features of NetApp SaaS Backup

  1. NetApp restricts physical data center access to authorized personnel and has implemented multiple layers of physical security, such as biometric readers, motion sensors, 24-hour secured access, video camera surveillance, and security breach alarms.
  2. NetApp SaaS Backup enables encryption of data both at rest and via the network as it is transmitted between a data center and a user.
  3. NetApp does not mine or access your data for advertising, marketing or any other purpose that deviates from the sole purpose of data protection for the subscribed service by our customers.
  4. NetApp SaaS Backup uses customer data only to provide the service; NetApp does not access your data without your permission.
  5. NetApp SaaS Backup regularly backs up your SaaS backup data.
  6. NetApp does not delete all the data in your account at the end of your service term until you have had time to take advantage of the data portability that we offer.
  7. NetApp hosts your customer data in-region.
  8. NetApp enforces "hard" passwords to increase security of your data.
  9. NetApp SaaS Backup has privacy features enabled by default and does not allow them to be turned off.
  10. NetApp contractually commits to the promises made here with the data processing terms in your volume licensing agreement.

Customers need data protection solutions that are inherently secure and trustworthy. To help you determine the security and trustworthiness of the NetApp SaaS Backup Service, we have identified the key privacy and security considerations that should enable you to make informed decisions.

Questionnaire

Using the following three categories of questionnaire can help you save time and make a more informed decision.

Who owns the data we store in your service? Will you use our data to build advertising products?
As a customer of NetApp, you own and control your data. We do not use your data for anything other than providing you with the service that you have subscribed to. As a provider of data protection services for SaaS data, we do not scan your protected data for advertising, marketing or any other purpose that does not fall under protecting your data.
Do you offer privacy controls in your service?
Privacy controls are enabled by default for all customers of the NetApp SaaS Backup service to meet the needs of your organization. We contractually commit to robust privacy and security measures in the data processing terms of your agreement.
Do I have visibility into where you store our data in the service?
We are transparent about where your data is located. NetApp SaaS Backup service stores all backed up data of your subscribed SaaS services to Amazon S3 Bucket or Azure Blob Containers, by default.
What is your approach to security and which security features do you offer to protect your service from external attacks?
Security is one of the most important design principles and features of NetApp SaaS Backup. Our focus on security spans hardware, software, the physical security of our partner where SaaS Backup is hosted, policies and controls, and verification by independent auditors.
When it comes to security features, there are broadly two categories: 1) built-in security and 2) customer controls. Built-in security represents all the measures that NetApp SaaS Backup takes on behalf of our customers to protect your information and run a highly available service. Customer controls are features, such as RBAC, that enable you to customize Office 365 to meet the specific needs of your organization within the NetApp SaaS Backup Service.
Can we get our backup out of your service?
You own your data and retain all rights, title, and interest in the data you protect and store with NetApp SaaS Backup. During and for 90 days after your subscription, you can download a copy of all your data at any time and for any reason.
Do you have change notification and breach notification?
The NetApp SaaS Backup Service will keep you informed of any important changes to the service, which may include new feature additions, feature enhancements or critical bug fixes that may have affected your service, or any changes to the service with respect to security, privacy and compliance. NetApp SaaS Backup also promptly notifies you if your data has been accessed improperly.
Is NetApp transparent about how it uses and accesses our data?
NetApp does share important aspects of data storage, such as where your data resides in terms of geographic location, who at NetApp can access it, and what we do with that information internally. For more information, please reach out to your NetApp Sales Rep or NetApp Support.
Our position on access to your data is:
NetApp will always give you access to your customer data. Access to customer data is strictly controlled and logged, and sample audits are performed by both NetApp and third parties to attest that access is only for appropriate business purposes. We recognize the extra importance of our customers' content. If someone such as NetApp personnel, partners, or your own administrators access your content on the service, we can provide you with a report on that access upon request.
What kind of commitments does NetApp have with respect to security and privacy?
On behalf of NetApp, we are willing to sign data processing terms, a HIPAA business associate agreement, and EU model clauses with each customer. We also comply with standards like ISO 27001, ISO 27018 and FISMA.

How do you ensure that your service is reliable?
At NetApp, we apply best practices in service design and service operations, such as redundancy, resiliency, distributed services, and monitoring, to name a few. NetApp plans to provide uptime and availability metrics to our customers via the NetApp SaaS Backup Trust Center shortly.
What are your commitments regarding keeping my service up?
We offer 99.9% uptime via a service level agreement. If a customer experiences monthly uptime that is less than 99.9%, we compensate that customer through service credits.

NetApp SaaS Backup HIPAA/HITECH Frequently Asked Questions

What is HIPAA/HITECH?
HIPAA and the HITECH Act are U.S. federal laws that apply to healthcare companies, including most doctors' offices, hospitals, and health insurers. They establish requirements for the use, disclosure, and safeguarding of individually identifiable health information.
Whom does HIPAA/HITECH law apply to? Who needs to be HIPAA compliant?
HIPAA and the HITECH Act apply to healthcare companies, including most doctors' offices, hospitals, and health insurers. HIPAA and the HITECH Act also require these covered entities to enter into written agreements (called business associate agreements or BAAs) with their service providers who provide certain functions using individually identifiable health information. BAAs impose privacy and security obligations on those service providers.
Does NetApp SaaS Backup allow their customers to be HIPAA/HITECH Act compliant?
Yes, NetApp SaaS Backup helps its customers stay compliant with HIPAA and the HITECH Act by offering a HIPAA Business Associate Agreement.
How does a customer sign a HIPAA/HITECH Act BAA with Microsoft?
Customers who need to enter into a HIPAA BAA with NetApp SaaS Backup should work with their NetApp Sales Rep to obtain and sign a HIPAA BAA.
What are other things that a customer can do to be compliant with HIPAA and the HITECH Act?
While customers can use NetApp SaaS Backup data protection for SaaS services and remain compliant with HIPAA and the HITECH Act, using NetApp SaaS Backup does not on its own achieve HIPAA compliance. Your organization also needs to ensure it has taken appropriate steps to meet HIPAA's and the HITECH Act's requirements, including using the NetApp SaaS Backup data protection service appropriately and training your employees to do the same.
Will NetApp send me confirmation that I have a HIPAA/HITECH Act BAA?
NetApp SaaS Backup will not contact you to confirm you have signed the BAA.
Is NetApp SaaS Backup HIPAA/HITECH Compliant?
The NetApp SaaS Backup Service helps enable our customers' HIPAA compliance, provided the customer has adequate compliance controls and internal processes in place, including those described in the HIPAA Implementation Guidance.
What does NetApp SaaS Backup do if there is a security incident involving a customer who has a signed HIPAA/HITECH Act BAA?
When NetApp SaaS Backup becomes aware of a security incident, NetApp will both report this according to our standard notification procedures and, if the security incident involved HIPAA-protected health information, NetApp will also report the incident to the individual administrator that the customer has identified as its HIPAA administrative contact. Customers should follow the instructions in the BAA to provide their contact details for security incident notifications.
I am not a U.S. HIPAA-covered entity but would still like to have a HIPAA/HITECH Act BAA in place with NetApp. Am I permitted to do so?
Yes. You can simply engage your sales rep and obtain and sign a BAA with NetApp.