Author: Eric Vasbinder
Viewpoint's ERP cloud, hosted in Microsoft Azure, provides technical and procedural security controls to protect our customers' data and reduce cybersecurity risk as far as practical. Multiple capabilities provide enhanced data confidentiality, integrity, and availability.
In addition to financial data, which is the keys to the kingdom for any organization, our processes and tools are designed to protect Personally Identifiable Information (PII), including Social Security numbers (SSNs), and other controlled information in our cloud.
Security controls in Viewpoint's Vista ERP cloud hosting include, but are not limited to:
Least Privilege: Viewpoint's cloud operations and support staff are granted only the minimum level of access required to perform their duties.
Network Segmentation: Using Microsoft Azure Network Security Groups (NSGs), each customer's environment is isolated at the network level from every other environment in our cloud, significantly limiting a threat actor's ability to move laterally within our environment.
Cloud Systems Isolated from IT Environment: Trimble Viewpoint's corporate IT systems and workstations are isolated from the network where customers' Viewpoint products operate, including operational VMs and data backups. Customer data backups, for example, are stored in Azure blob storage containers separate from those used for day-to-day operations, so a compromise of an operational system does not by itself expose the backups. This separation provides an additional layer of defense against determined threat actors.
Anti-Malware: We run multiple layers of anti-malware protection on every machine instance hosted in our cloud, combined with Azure deep packet inspection and other solutions, to significantly mitigate application-layer and content security risks.
Encryption at Rest: Every Vista cloud customer's virtual machines are encrypted at the disk level with AES-256, provided by Microsoft Azure, using either Azure Storage Service Encryption (SSE) or Azure Disk Encryption, depending on the customer. SSE encrypts data transparently at the storage platform layer with Microsoft-managed keys by default, while Azure Disk Encryption encrypts the OS and data disks inside the VM (BitLocker on Windows, dm-crypt on Linux) with keys held in Azure Key Vault. Note that both protect the disks, not the database contents as seen by an authenticated session: any login with read permission still sees data in clear text.
Encryption in Transit:
VRL-connected clients: All information sent to and from clients using Vista Remote Link (VRL) is encrypted with HTTPS (TLS 1.2) by default.
RDP connections: Sessions between our RDP terminal servers and the end user's workstation are encrypted with TLS 1.2 as the RDP security layer.
Authentication Security:
Internally, we use Microsoft Active Directory (AD) with Kerberos for credential authentication.
Multi-factor authentication for cloud users is supported through our SSO integration with Trimble ID directly, as well as with Okta and Microsoft Entra ID (formerly Azure AD).
Viewpoint One and our ERP clouds are subject to stringent, industry-leading compliance auditing, reporting, and review standards. The standards to which we adhere that are of greatest interest to our customers are:
Vista ERP Cloud: SOC 1, SOC 2 Type 2, NIST 800-171
Spectrum Cloud: SOC 1, SOC 2 Type 2, NIST 800-171
ProContractor Cloud: SOC 2 Type 2
ProjectSight: NIST 800-171
Our ERP and project management clouds are compliant with multiple industry-standard frameworks, and attestation reports (e.g., SOC 3) can be provided upon request. A full description of the additional compliance standards to which we adhere is available at: https://trust.trimble.com/
NOTE: Our UK / EU-based product offerings are also compliant with GDPR: https://www.viewpoint.com/legal/gdpr-faq
NOTE on SSAE16 and SAS70
SSAE 16 is the attestation standard under which auditing organizations validate that a service organization's controls are appropriately designed and operating; it was itself superseded by SSAE 18 for reports dated on or after May 1, 2017. The end result of such an engagement is a SOC 1 report (controls relevant to customers' financial reporting) or a SOC 2 report (security, availability, processing integrity, confidentiality, and privacy of the systems). SAS 70 is the older, deprecated standard for these audits; SSAE 16 replaced it for reporting periods ending on or after June 15, 2011.
The SOC reports themselves, rather than the name of the standard they were issued under, are what matter for determining the maturity of a service provider's systems and controls. A Type 2 report covers operating effectiveness over a period, whereas a Type 1 report covers design at a point in time.
REMINDER
You may request a copy of our available compliance reports at this URL: https://trust.trimble.com/
Trimble Viewpoint's ERP Cloud solutions have a leading business continuity framework, with multiple layers of backup protection and a 15-minute recovery point objective (RPO). Please see this cloud FAQ article for more details on our Business Continuity processes: Does Viewpoint's Vista Cloud Help Me with Disaster Recovery, Business Continuity, Availability Risk, etc?
Column-level encryption, also known as Always Encrypted, uses the Always Encrypted feature of Microsoft SQL Server. It encrypts PII at rest at the column (field) level, with access to the plaintext controlled by a column master key (a certificate) that is held by the client rather than by the database server. This is a layer beyond Transparent Data Encryption (TDE) or Azure disk-level encryption: with TDE and disk encryption, the engine decrypts transparently for every authenticated session, so a compromised database login or DBA account sees clear text, whereas with Always Encrypted the database engine itself only ever holds ciphertext.
Work on this capability is ongoing, and the necessary infrastructure support was released some time ago. However, it requires significant additional app server and client-side redesign, because certificate key management moves to the client and app server-based reporting must still be able to produce reports from encrypted columns. It would also require significant indemnification from the customer, because in this model the customer manages their own keys: for example, Viewpoint could not recover data if a customer lost their keys.
Though we are working on this capability, we cannot comment on any expected timeline for release.
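The following T-SQL is an added illustration of the difference described above; it is not Viewpoint's schema or provisioning code. The database name (Payroll), the table (dbo.Employee), the key names (CMK_Payroll, CEK_Payroll), the certificate thumbprint and the password are placeholders, and the wrapped key value is shown as a placeholder because the real value is produced on the client, never on the server.

```sql
-- Added illustration (not Viewpoint's code): TDE versus Always Encrypted for an SSN column.
-- Database, table, key names, thumbprint and password are placeholder assumptions.

--------------------------------------------------------------------------
-- 1. Transparent Data Encryption: protects database files on disk only.
--    Any login with SELECT permission still reads SSNs in clear text,
--    because the engine decrypts pages for every session.
--------------------------------------------------------------------------
USE master;
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong password>';   -- placeholder
CREATE CERTIFICATE TDECert WITH SUBJECT = 'TDE certificate';
USE Payroll;
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TDECert;
ALTER DATABASE Payroll SET ENCRYPTION ON;

--------------------------------------------------------------------------
-- 2. Always Encrypted: the column master key (CMK) is a certificate in the
--    client's certificate store (or Azure Key Vault). SQL Server stores only
--    its location, never the private key.
--------------------------------------------------------------------------
CREATE COLUMN MASTER KEY CMK_Payroll
WITH (
    KEY_STORE_PROVIDER_NAME = 'MSSQL_CERTIFICATE_STORE',
    KEY_PATH = 'CurrentUser/My/<certificate thumbprint>'           -- placeholder
);

-- The column encryption key (CEK) is generated and wrapped on the client
-- (SSMS wizard or the SqlServer PowerShell module). The server only ever
-- sees the RSA-OAEP-wrapped blob.
CREATE COLUMN ENCRYPTION KEY CEK_Payroll
WITH VALUES (
    COLUMN_MASTER_KEY = CMK_Payroll,
    ALGORITHM = 'RSA_OAEP',
    ENCRYPTED_VALUE = 0x00                                           -- placeholder for the client-generated wrapped CEK
);

CREATE TABLE dbo.Employee (
    EmployeeID int NOT NULL PRIMARY KEY,
    LastName   nvarchar(100) NOT NULL,
    -- DETERMINISTIC permits equality lookups (WHERE SSN = @ssn) but lets equal
    -- values be recognised as equal; RANDOMIZED is stronger but not searchable.
    -- Deterministic char/varchar columns must use a BIN2 collation.
    SSN char(11) COLLATE Latin1_General_BIN2
        ENCRYPTED WITH (
            COLUMN_ENCRYPTION_KEY = CEK_Payroll,
            ENCRYPTION_TYPE = DETERMINISTIC,
            ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256'
        ) NOT NULL
);

--------------------------------------------------------------------------
-- 3. Why server-side reporting needs redesign. A session without the CMK
--    (a DBA, or an app server whose connection string lacks
--    "Column Encryption Setting=Enabled") receives ciphertext:
--------------------------------------------------------------------------
SELECT EmployeeID, SSN FROM dbo.Employee;                -- SSN comes back as varbinary ciphertext

-- The engine cannot evaluate these on ciphertext, so both statements fail:
SELECT * FROM dbo.Employee WHERE SSN LIKE '555-%';       -- pattern matching is not supported on encrypted columns
SELECT * FROM dbo.Employee WHERE SSN = '555-12-3456';    -- a plaintext literal cannot be compared with an encrypted column

-- Only a client that holds the CMK can match: the driver encrypts the
-- parameter with CEK_Payroll before it leaves the client. In SSMS this needs
-- "Enable Parameterization for Always Encrypted" on a connection with
-- Column Encryption Setting=Enabled; application code passes a typed SqlParameter.
DECLARE @ssn char(11) = '555-12-3456';
SELECT EmployeeID, LastName FROM dbo.Employee WHERE SSN = @ssn;

-- Key-loss caveat: back up the CMK certificate together with its private key.
-- Nothing on the server (including full database backups) can recover the
-- SSN column if the CMK is lost.
```

The practical consequence for reporting is that any report that filters, joins or aggregates on an encrypted column must be produced by a process that holds the column master key, which is why the capability is tied to app server and client redesign rather than to a database setting.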
changelog
Wednesday, 29 January 2025 at 08:59AM:
Added note about Okta being supported for SSO as well.
Wednesday, 04 December 2024 at 08:17PM:
Added section on the Trimble Trust Portal where people can go to request a copy of our compliance reports.
Wednesday, 07 August 2024 at 11:08AM:
Added note about NIST 800-171
Tuesday, 16 January 2024 at 12:05PM:
Added clarification on the availability of Columnar Encryption
Tuesday, 16 January 2024 at 10:32AM:
Added reference to PII to allow for this article to be more findable.
Friday, 09 June 2023 at 03:42PM:
Added additional item talking to cloud system isolation from IT environments
Thursday, 09 March 2023 at 10:58AM:
Added Trimble ID as SSO MFA option
Wednesday, 09 March 2022 at 09:19AM:
Updated to include reference to anti-malware solutions.
Monday, 15 November 2021 at 07:53AM:
Included information on adherence to GDPR for customers in the EU/UK