Shared responsibility in the cloud
When an organization considers using Bizagi Cloud Platform, it is important to understand how Bizagi manages privacy, security, and compliance requirements and offers functionality that enables secure configuration of the Bizagi Cloud Platform. Some organizations assume that using a cloud solution shifts most of their data protection, privacy, security, and compliance responsibilities to the cloud solution provider (CSP). Bizagi, as a CSP, offers a secure solution for elements of the physical infrastructure and network and provides services to protect our customers' data. For their part, customers should be aware of their responsibilities in protecting the security and privacy of their data.
Bizagi uses the shared responsibility model in the cloud proposed by Microsoft.
The division of responsibilities varies according to the cloud service delivery mechanism: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), or in a local data center. Bizagi Cloud Platform offers its service using the PaaS mechanism. In a local data center, customers are responsible for all components of the solution. When using a cloud service, some responsibilities are transferred to Bizagi.
The following diagram shows, for each type of solution deployment, the responsibilities of the customer and of the cloud service provider (CSP).
For all cloud deployments, customers own their data, identities, and regulatory compliance.
Customers are responsible for:
• Data
• Endpoints
• Access management
• Accounts
• Regulations
Cloud Service Providers (CSPs) are fully responsible for physical security. The other responsibilities are shared between customers and cloud service providers. For example, because the Bizagi Cloud Platform is a PaaS offering, application-level controls and identity management are shared responsibilities. Bizagi supports integration with Azure Active Directory, but the configuration of services such as multi-factor authentication is up to the customer.
The responsibilities are described below.
Data classification and accountability
The customer is responsible for identifying and classifying its data as set forth in its information management and classification policy. In the case of the Bizagi Cloud Platform, the customer's responsibility for data classification and management is defined in the cloud service agreement. You can consult it in Bizagi Standard Agreements.
Likewise, Bizagi has functionalities to configure access to information and protect it in transit and at rest. See details in our Security section.
Protection of devices (mobiles and PCs) and connection points
Customers are responsible for the management of the devices that connect to the Bizagi Cloud Platform. The customer must define clear boundaries and responsibilities that these devices must comply with. For example, security configurations of operating systems and the use of solutions such as antivirus. For mobile devices, the use of a mobile management solution is the customer's responsibility. Bizagi supports integrating with Microsoft Intune.
Identity and access management
Identity and access management allows users to access the Bizagi Cloud Platform and make use of the resources to which they are authorized. In PaaS solutions, identity and access management is a shared responsibility between the customer and Bizagi. Bizagi is responsible for the Identity Infrastructure, i.e., the authentication and authorization protocols and mechanisms. The customer must use this infrastructure to create its own users, roles, and permissions. The customer can integrate its identity provider to manage users and implement two-factor authentication. See the Identity and Access Management article for Bizagi's capabilities to integrate with identity providers.
In addition, customers must define information access controls.
Application level controls
The control level of your application (configuration, development, deployment, etc.) is your responsibility (Customer responsibility). Bizagi offers the tools through its services for you to take care of this responsibility.
With Bizagi, the client does not need to implement the security configurations of the environments where it will deploy its processes by itself, since Bizagi, as CSP, takes care of them. Bizagi is in charge of patch management, anti-malware, and baseline configuration, among other elements, to secure the applications that make use of the Bizagi Cloud Platform.
The customer is responsible for the correct configuration of the solution built on Bizagi, integrations, connectors, and widgets created.
Also, take into account that every upgrade/update of elements such as the environment, desktop app, etc. is your responsibility (Customer responsibility). However, Bizagi will assist with road maps, information, and step-by-step help on how to update/upgrade your application, environment, etc.
Network controls
Network controls include the configuration, management, and protection of Bizagi Cloud Platform network elements such as virtual networks, load balancers, and DNS. Network controls are managed and secured for customers as part of a PaaS offering. It is the customers' responsibility to configure their corporate network. In the case of VPN, Bizagi is responsible for configuring the VPN gateway endpoint of our services. The customer is responsible for the configuration of the gateway of their local installation.
Infrastructure
Bizagi is not responsible for the infrastructure. Bizagi relies on Microsoft Azure as the provider of the physical infrastructure, and Bizagi manages the service connectivity, patches, bug fixes, etc. to the physical infrastructure.
Responsibility for the host infrastructure includes the configuration, management, and security of the compute (service fabric, auto-scaling), storage (objects, CDN, file storage), and platform services. The CSP operates and secures the host services.
Bizagi relies on Microsoft Azure as its cloud service provider. See more information in the article Azure infrastructure security.
Physical security
As stated previously, Bizagi relies on Microsoft Azure as its cloud service provider. This means that the physical security of the service (monitoring, control, etc.) is the responsibility of Microsoft Azure.
One of the great advantages of PaaS models is that the responsibility for ensuring physical security is shifted entirely to the CSP. The elements that make up physical security such as buildings or facilities, servers, and network devices are protected against unauthorized physical access. Other factors such as power supply, cooling, air management (air quality), device management, and power regulation are also the responsibility of the CSP.
Bizagi relies on Microsoft Azure as its cloud service provider. See more information in the article Azure facilities, premises, and physical security.
Vulnerability remediation and security findings
When a vulnerability is identified in Bizagi, it may be related to an application defect or improper configuration of Bizagi environments. Bizagi is responsible for remediating vulnerabilities inherent in the product or applications and identifying and documenting recommended security configurations for the customer's platform.
The customer is responsible for implementing the security configurations recommended by Bizagi.
Last Updated 11/3/2023 2:41:54 PM