The key components of the layers, going from hardware to software, are:
1. Infrastructure and operating system,
2. Core software components, and
3. MetricStream Web application
The security architecture follows a Shared Responsibility model. For items 1 and 2, MetricStream Cloud Security takes complete responsibility: a well-architected "security in layers" design, vendor/OEM updates, vulnerability assessment and penetration testing (VA/PT), and BitSight scans are used to maintain and enforce robust controls.
For item 3, because the application is configurable, extensible, and customizable, responsibility is shared between MetricStream and the customer. The core M7 platform and apps are designed using Secure SDLC principles and validated through application penetration testing of the latest release.
Because MetricStream Cloud customers run on a multi-instance model (not multi-tenant), each customer can plan software upgrades at its own pace. Given the design and practice described above, this leaves customers with two possible routes:
1. Upgrade to the latest version of the platform and applications as soon as it is released. For platform- and application-level penetration testing, these customers rely on the tests that MetricStream R&D performs on each release. That assurance covers the core platform and apps as shipped; the customer's own customizations and extensions are outside the scope of that testing and need to be assessed separately.
2. Upgrade at a different pace, or defer an upgrade, up to a maximum of one year after the release. Some of these customers invest in their own penetration testing, which MetricStream supports in line with the Support SLA. Even so, staying too far behind has other downsides: missing use cases and functionality, and de-support once a version is more than a year old.