Appian has been a recognized leader in cloud-based enterprise software platforms since delivering Appian Cloud in 2007. From the outset, we built the software to take advantage of the cloud's characteristics and to reduce its exposure to vulnerabilities, following a design philosophy that relies on cloud-native patterns and globally recognized frameworks, such as those published by NIST, for security, business continuity, and support.
Our security strategy is based on layered defense: a cloud-native architecture forms the core of the design and also lets every component be secured individually, down to the most granular level.
The Appian architectural advantage.
Cloud-native architecture forms the foundation of the Appian platform and provides many advantages, including enabling high levels of security, scalability, and resiliency.
Cloud-native architecture uses a layered approach built on three "planes": the data plane, the control plane, and the management plane. Each plane is compartmentalized and segregated from the others, so information in one plane does not commingle with another unless an explicitly defined interface permits it. A fault or compromise in one plane is therefore contained rather than propagated to the rest of the platform.
Customer instance isolation.
A cloud site is truly your site only when the processing and storage of your data are fully dedicated to you, with your servers and data stores separated from those that process and store anyone else's. In Appian Cloud, each customer instance is completely isolated from every other customer's.
This single-instance architecture is the model Appian considers correct for a secure cloud implementation: it does not commingle data or processing. Concretely, Appian Cloud provides each customer with a dedicated, single-tenant virtual machine instance for each site, isolating processing and storage at the operating system, database, and application layers. Compute and storage are never shared with other customers, so your data is never pooled with, or processed alongside, another customer's.
In the multi-tenant architecture common among cloud vendors, by contrast, customers depend on logical separation within one shared installation, so a flaw in that separation layer can expose many customers at once. A dedicated instance per customer removes that shared layer.
Firewalls.
Stateful inspection firewalls, in the form of AWS security groups, isolate each site and control ingress and egress through per-instance and per-group access rules. They also give Appian precise control over which servers may talk to each other and how. The model is deny by default: any traffic not explicitly permitted is dropped, and each rule names the ports, protocols, and sources allowed to reach a server, where a source may be an IP range or another security group (so that, for example, only the web tier's group can reach the application tier's port).
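As an added example (not Appian's code), the Go program below audits a set of security groups against the policy just described: deny by default, peers named by security group or specific CIDR, and nothing open to the whole internet except HTTPS inbound on 443. It reads the JSON shape returned by `aws ec2 describe-security-groups`; the group ids, the rules, and the choice of 443 as the only permitted public flow are constructed assumptions for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"log"
)

// Rule mirrors one IpPermissions / IpPermissionsEgress entry as returned by
// `aws ec2 describe-security-groups`, reduced to the fields the audit needs.
// For IpProtocol "-1" (all protocols) AWS omits the ports, so they read 0.
// IPv6 ranges (Ipv6Ranges/CidrIpv6) are left out of this example.
type Rule struct {
	IpProtocol string `json:"IpProtocol"`
	FromPort   int    `json:"FromPort"`
	ToPort     int    `json:"ToPort"`
	IpRanges   []struct {
		CidrIp string `json:"CidrIp"`
	} `json:"IpRanges"`
	UserIdGroupPairs []struct { // peers named by security group, the preferred form
		GroupId string `json:"GroupId"`
	} `json:"UserIdGroupPairs"`
}

type SecurityGroup struct {
	GroupId             string `json:"GroupId"`
	IpPermissions       []Rule `json:"IpPermissions"`
	IpPermissionsEgress []Rule `json:"IpPermissionsEgress"`
}

// Audit returns one finding per rule that breaks the policy described above:
// deny by default, name peers by security group or a specific CIDR, and open
// nothing to the whole internet except HTTPS inbound on 443.
func Audit(groups []SecurityGroup) []string {
	var findings []string
	for _, g := range groups {
		for _, r := range g.IpPermissions {
			findings = append(findings, checkRule(g.GroupId, "ingress", r)...)
		}
		for _, r := range g.IpPermissionsEgress {
			findings = append(findings, checkRule(g.GroupId, "egress", r)...)
		}
	}
	return findings
}

func checkRule(groupID, dir string, r Rule) []string {
	var out []string
	switch {
	case r.IpProtocol == "-1":
		out = append(out, fmt.Sprintf("%s %s: rule allows all protocols", groupID, dir))
	case r.FromPort == 0 && r.ToPort == 65535:
		out = append(out, fmt.Sprintf("%s %s: rule allows every %s port", groupID, dir, r.IpProtocol))
	}
	for _, ip := range r.IpRanges {
		if ip.CidrIp != "0.0.0.0/0" {
			continue // a specific CIDR is an explicitly named peer
		}
		if dir == "ingress" && r.IpProtocol == "tcp" && r.FromPort == 443 && r.ToPort == 443 {
			continue // the one flow a web-facing site must open to everyone
		}
		out = append(out, fmt.Sprintf("%s %s: open to the internet on %s %d-%d",
			groupID, dir, r.IpProtocol, r.FromPort, r.ToPort))
	}
	return out
}

// sampleJSON is constructed for this example and is not real Appian data:
// sg-web follows the policy; sg-app shows two common mistakes.
const sampleJSON = `[
 {"GroupId": "sg-web",
  "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
   {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.20.0.0/16"}]}],
  "IpPermissionsEgress": [
   {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "UserIdGroupPairs": [{"GroupId": "sg-app"}]}]},
 {"GroupId": "sg-app",
  "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "UserIdGroupPairs": [{"GroupId": "sg-web"}]},
   {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
  "IpPermissionsEgress": [
   {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
]`

// SampleGroups parses sampleJSON into the structures Audit consumes.
func SampleGroups() []SecurityGroup {
	var groups []SecurityGroup
	if err := json.Unmarshal([]byte(sampleJSON), &groups); err != nil {
		log.Fatal(err)
	}
	return groups
}

func main() {
	for _, f := range Audit(SampleGroups()) {
		fmt.Println(f)
	}
}
```

Run against real output, the same checks apply to `aws ec2 describe-security-groups --output json` after extracting the `SecurityGroups` array; the sg-app findings are exactly the two rules a default-deny policy forbids: a wide-open ingress range and the permissive egress rule AWS attaches to every new group.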
End-to-end encryption and advanced key management.
Appian Cloud uses strong encryption algorithms to secure data in transit and at rest. All connections to Appian Cloud are encrypted using TLS 1.2 or above; older protocol versions are refused. Customers may provide their own TLS certificates, including extended-validation certificates, restrict access to an allowlist of IP ranges, or set up inbound VPN tunnels so that only users connecting from trusted sites can reach their environment.
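An added example, not Appian's code: the Go program below configures a server that refuses anything older than TLS 1.2 and shows, over an in-memory connection, a current client negotiating successfully while a client capped at TLS 1.1 is turned away. The self-signed "localhost" certificate and the disabled session tickets are assumptions made so the example runs offline; a real deployment uses the customer-provided certificate and keeps tickets on.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert issues a throwaway ECDSA certificate for "localhost" so the
// handshake below needs neither network nor files. It stands in for the
// customer-provided certificate mentioned above (this example's assumption).
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// ServerConfig states the policy from the text: nothing below TLS 1.2 is
// accepted. An explicit MinVersion keeps that independent of toolchain defaults.
// Session tickets are off only because the unbuffered in-memory pipe below
// cannot carry post-Finished records; a real server leaves them enabled.
func ServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             tls.VersionTLS12,
		SessionTicketsDisabled: true,
	}
}

// Handshake runs one client/server handshake over an in-memory pipe and
// returns the negotiated version, or the error the client observed.
func Handshake(server, client *tls.Config) (uint16, error) {
	srvConn, cliConn := net.Pipe()
	defer srvConn.Close()
	defer cliConn.Close()
	srvErr := make(chan error, 1)
	go func() { srvErr <- tls.Server(srvConn, server).Handshake() }()
	c := tls.Client(cliConn, client)
	if err := c.Handshake(); err != nil {
		cliConn.Close() // unblocks the server side so its result can be collected
		<-srvErr
		return 0, err
	}
	if err := <-srvErr; err != nil {
		return 0, err
	}
	return c.ConnectionState().Version, nil
}

// Demo returns the version a current client negotiates, the error a client
// capped at TLS 1.1 receives (Go only offers 1.0/1.1 when asked), and any
// setup error.
func Demo() (uint16, error, error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return 0, nil, err
	}
	modern := &tls.Config{RootCAs: pool, ServerName: "localhost"}
	legacy := &tls.Config{RootCAs: pool, ServerName: "localhost",
		MinVersion: tls.VersionTLS10, MaxVersion: tls.VersionTLS11}
	ver, err := Handshake(ServerConfig(cert), modern)
	if err != nil {
		return 0, nil, err
	}
	_, legacyErr := Handshake(ServerConfig(cert), legacy)
	return ver, legacyErr, nil
}

func main() {
	fmt.Println(Demo()) // negotiated version, the TLS 1.1 client's error, setup error
}
```

The negotiated value is the TLS version number from the protocol (0x0303 for TLS 1.2, 0x0304 for TLS 1.3); the legacy client fails with a protocol-version alert before any certificate or key material is exchanged, which is the behaviour "TLS 1.2 or above" commits the server to.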
Data at rest, which includes all business, process, and log data as well as all documents and anything held in a virtual storage container, is protected at the virtual disk level with industry-standard algorithms such as AES, using key lengths considered strong (128-bit or 256-bit). Backups held in AWS services are encrypted with the same class of algorithms.
Each Appian Cloud site is protected by unique key encryption keys (KEKs) per customer and per customer environment (development, test, and production), so the keys protecting one customer's production data are distinct from those protecting another customer's data, and even from those protecting the same customer's development data.
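An added example, not Appian's implementation: the Go code below shows what per-customer, per-environment KEKs mean in practice, using envelope encryption with AES-256-GCM. Each object is sealed under its own data-encryption key, and that key is wrapped under the KEK of exactly one environment, so a blob relabelled as belonging to another environment cannot be opened. The environment ids ("acme/dev", "acme/prod") and the in-memory key store are this example's assumptions; a real deployment keeps KEKs in a KMS or HSM and, as the text says, applies encryption at the virtual disk level rather than per object.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is one stored object: the data sealed under its own data-encryption
// key (DEK), and that DEK sealed under the key-encryption key (KEK) of exactly
// one customer environment. Only the KEK's identifier is kept in the clear.
type Envelope struct {
	KEKID      string // environment whose KEK wrapped the DEK, e.g. "acme/prod"
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK), with KEKID as associated data
	Ciphertext []byte // nonce || AES-256-GCM(DEK, data)
}

// NewKey returns a fresh random AES-256 key.
func NewKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects nil or wrong-length keys
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts under a fresh random nonce and prepends that nonce to the output.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal reverses seal; a wrong key, nonce, ciphertext or aad fails authentication.
func unseal(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// KeyStore maps an environment id to its KEK. In production the KEKs live in a
// KMS or HSM and never leave it; this map is the example's offline stand-in.
type KeyStore map[string][]byte

// Encrypt seals data under a DEK generated for this object alone, then wraps
// the DEK under the named environment's KEK. Using KEKID as associated data
// stops a wrapped DEK from being relabelled as another environment's.
func (ks KeyStore) Encrypt(kekID string, data []byte) (*Envelope, error) {
	dek := NewKey()
	ct, err := seal(dek, data, nil)
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(ks[kekID], dek, []byte(kekID)) // unknown env: nil KEK, fails here
	if err != nil {
		return nil, fmt.Errorf("wrap DEK with KEK %q: %w", kekID, err)
	}
	return &Envelope{KEKID: kekID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the KEK the envelope names, then opens the data.
// Any other environment's KEK fails at the unwrap step: that is the isolation
// per-environment KEKs provide.
func (ks KeyStore) Decrypt(env *Envelope) ([]byte, error) {
	dek, err := unseal(ks[env.KEKID], env.WrappedDEK, []byte(env.KEKID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK with KEK %q: %w", env.KEKID, err)
	}
	return unseal(dek, env.Ciphertext, nil)
}

func main() {
	ks := KeyStore{"acme/dev": NewKey(), "acme/prod": NewKey()}
	env, err := ks.Encrypt("acme/prod", []byte("process data"))
	if err != nil {
		panic(err)
	}
	env.KEKID = "acme/dev" // relabel the blob as the dev environment's
	_, err = ks.Decrypt(env)
	fmt.Println("dev KEK opening a prod envelope:", err)
}
```

Separating DEKs from KEKs is also what makes key rotation practical: a KEK can be replaced by re-wrapping the small DEKs it protects, without re-encrypting the bulk data underneath.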
Appian trust: compliance and audit programs.
Appian Cloud's comprehensive security compliance program meets an array of industry standards and regulatory frameworks, including the following: Service Organization Control 2 (SOC 2), the PCI Data Security Standard (PCI DSS), International Standard on Assurance Engagements (ISAE) 3402, GxP, the Health Insurance Portability and Accountability Act (HIPAA), ISO 27001, and FedRAMP. Each framework sets rigorous requirements and demands evidence of conformance, including test results and on-site audits. To keep these certifications and attestations current, Appian hosts numerous third-party audits every year that validate that the controls are operating effectively.
A complete list and details may be viewed at trust.appian.com. A mapping of controls between the many different compliance frameworks can be found in the submission to the Cloud Security Alliance registry at cloudsecurityalliance.org/registry/appian/.
Summary
As large enterprises, regulated organizations, and public sector agencies move to cloud environments, they are rightfully concerned about commingling data, unencrypted data, insufficient access controls, and unmonitored cloud assets. Our extensive history has made Appian Cloud’s security architecture among the most mature in the market. Appian is committed to transparency around our security posture and to helping our customers understand the Appian Cloud security framework, including the multiple security certifications Appian maintains to validate a secure and reliable platform.
To learn more visit the Appian Trust Center.