Security architecture
Server security
All IPS/Planning Space services are run on Windows Server architecture, which may be deployed on-premise (physical or virtual), or virtual in the cloud via IaaS (e.g., using Microsoft Azure data centers). Beyond the Planning Space-specific issues discussed in this document, the Windows Server (virtual) machines deployed must be maintained following best practices for security; for example customers should follow their corporate internal best practices to secure Windows web servers, which may include server hardening; anti-virus, malware and intrusion detection systems (IDS); zero trust (both for network and access); appropriate group policies, etc.
Microsoft Security provides conceptual and practical resources and guidance to securing a Microsoft Windows environment: see Microsoft Security.
Secure HTTP (HTTPS)
Enabling HTTPS mode for the IPS Server is the recommended way to encrypt Planning Space data in transit. This covers the client's use of both web interfaces and Planning Space application client software. HTTPS is a standard protocol to protect data in transit, and offers a high level of security provided that it is correctly configured and managed (using certificates issued by trusted authorities, managing access to private keys, using key rotation schemes, etc.).
Note: IPS Server is initially installed in (insecure) HTTP mode, and Quorum Software recommends the immediate re-configuration to HTTPS mode, as explained in the 'Installation' section of this guide. A trusted certificate (backed by a standard Certificate Authority) or a self-signed certificate may be used. However only trusted certificates should be used in a production deployment.
External applications consuming the Planning Space Web APIs (including OData) will encrypt all data in transit whenever the IPS Server has HTTPS mode enabled.
Web Application Firewall
All Planning Space web server endpoints are recommended to be secured behind a web application firewall (WAF), especially where the servers are publicly accessible.
A WAF provides a public listener which proxies requests to Planning Space running on 'backend' application server(s). This should be secured by:
- Using encryption with an HTTPS certificate that is chained and trusted to the root level
- Disabling all encryption protocols except TLS versions 1.2 and 1.3
- Removing unused/insecure TLS 1.2 ciphers, and putting the ciphers in a server-preferred order with most-secure first
- Enabling Strict Transport Security (HSTS) with a high max-age (for example, 63072000), with 'includesubdomains' and preload options enabled
If the Planning Space endpoint URLs are public, they can be easily tested with an external tool; a basic web-based tool can be found at: https://www.ssllabs.com/ssltest.
SSL offloading
'SSL offloading' is an optional IPS Server configuration, where the SSL encryption and decryption can be handled by the load balancer server, and traffic between the load balancer and the IPS Server machines uses unencrypted HTTP communication. (See SSL offloading.)
When configuring SSL offloading, it is recommended to use a separate certificate to that which is bound to the service address via the load balancer. Then, the certificate configured in IPS Server wil be used only for the purpose of token signing of SAML authentication requests; this certificate may be revoked and replaced without affecting the security of Planning Space web endpoints.
Database traffic encryption
To secure data in transit between the IPS server and the SQL Server databases there is an option to enable Transport Layer Security for the SQL connection; this is configured separately (by enabling the option 'Use transport encryption') when the IPS Common or Tenant databases are assigned. (The SQL Server must have been configured with a self-signed or trusted certificate; in each assignment there is a second option 'Trust server certificate' such that IPS Server will then trust any certificate that is offered by the SQL Server, otherwise the standard Windows certification protocols will be applied.)
The same setting is also available to secure the connection between CX Suite client applications (CASH and FINANCIALS) and the SQL Server.
Loader tools in the Planning Space applications that consume data from external databases also have optional settings to enable transport encryption, which can be used when this is offered by the external database server.
Note: It is essential to the overall security of a Planning Space deployment that good security practices are followed for the databases, whether they are based on a local SQL Server machine, or cloud-based Azure SQL service; for example encryption, delegated access, and zero trust (both for network and access) are important for securing SQL, and all of these systems are supported by Planning Space. For more information, see for example: Vulnerability assessment for SQL Server, Secure a database in Azure SQL Database, Extensible Key Management Using Azure Key Vault (SQL Server).
SAML authentication for Planning Space user accounts
SAML provides secure authentication via encrypted tokens provided by an Identity Provider (for example, Azure Active Directory). SAML is recommended to be used for all production deployments of Planning Space, since it provides the best level of security, and also allows integration with corporate authentication services to provide features such as SSO (single sign on).