How is the data secured in the cloud?

The Service-Flow solution consists of two main components: a broker and adapters. Adapters handle the communication between Service-Flow and specific ITSM systems, transforming messages from a system-specific format to a general Service-Flow format. The broker routes messages and maps data between source and destination systems. Most ITSM systems offer encrypted communications, so adapters communicate with them in a tool-specific secure and encrypted way (typically HTTPS).

Communication between adapters and the broker always uses an encrypted SSL connection. The message data is stored in the Service-Flow database in encrypted form and kept secure by restricting access to the database with access control mechanisms, so that only authorized personnel (i.e. the Service-Flow operations team) can access it.

Do you use separate databases per client or how do you manage to keep the data of different clients separated and secure?

Service-Flow has a multi-tenant database, which means that data from all clients is stored in the same database. The data is kept separated by access control mechanisms in the software.
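One way software-level separation in a shared database can be enforced, shown as an added example that is not Service-Flow's own code: a data-access wrapper that binds every query and write to the authenticated tenant. The class name, the `tenantId` field and the sample documents are assumptions made for illustration, and an in-memory array stands in for the shared collection.

```javascript
// Added illustration: tenant scoping enforced in a single data-access layer.
// The array stands in for one shared (multi-tenant) collection; every name
// and document below is constructed, not taken from Service-Flow.
const sharedMessages = [
  { _id: 1, tenantId: "acme", ticket: "INC-100", body: "printer down" },
  { _id: 2, tenantId: "globex", ticket: "INC-200", body: "vpn reset" },
  { _id: 3, tenantId: "acme", ticket: "INC-101", body: "disk full" },
];

class TenantScopedStore {
  // tenantId must come from the authenticated session, never from request data.
  constructor(collection, tenantId) {
    if (typeof tenantId !== "string" || tenantId.length === 0) {
      throw new Error("tenant id required");
    }
    this.collection = collection;
    this.tenantId = tenantId;
  }

  // Only flat equality filters on scalar values are accepted. Rejecting
  // operator keys ($or, $where, ...) and object values stops a caller from
  // widening the query past the tenant boundary.
  scopedFilter(filter = {}) {
    for (const [key, value] of Object.entries(filter)) {
      if (key.startsWith("$") || key === "tenantId") {
        throw new Error(`filter key not allowed: ${key}`);
      }
      if (value !== null && typeof value === "object") {
        throw new Error(`operator value not allowed for: ${key}`);
      }
    }
    return { ...filter, tenantId: this.tenantId };
  }

  find(filter) {
    const scoped = this.scopedFilter(filter);
    return this.collection.filter((doc) =>
      Object.entries(scoped).every(([k, v]) => doc[k] === v));
  }

  insert(doc) {
    // The session's tenant always wins over a tenantId supplied by the caller.
    const stored = { ...doc, tenantId: this.tenantId };
    this.collection.push(stored);
    return stored;
  }
}

const acmeStore = new TenantScopedStore(sharedMessages, "acme");
console.log(acmeStore.find({ ticket: "INC-200" })); // [] (INC-200 is another tenant's)
```

Keeping the scoping in one layer means application code never builds a raw query against the shared collection, which is where cross-tenant leaks usually start.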

What is the technology of the solution based on? I know you build the solution yourselves, but what kind of language did you use etc.?

Service-Flow is a collection of microservices that are currently built with the Java, Kotlin and JavaScript programming languages. The services run on top of a PaaS platform deployed to AWS EC2 virtual machines. Service-Flow runs the PaaS on top of Amazon Web Services (AWS) servers located in multiple datacenters in Ireland for high availability.

Service-Flow uses MongoDB as the main database technology. The database runs in a replicated, high-availability setup where nodes are located in different AWS datacenters in Ireland. Redis is used for user session persistence.

What about date formats, can Service-Flow convert between different formats?

The Service-Flow Adapters transform date fields from system-specific formats to a common format so that there is no need for you as a user to define conversions between date formats.

What is required from our tool to integrate with Service-Flow?

At Service-Flow we say "keep your tools". Our adapters are built to connect with your system as easily as possible using the native mechanism of the tool, for instance:

  • ServiceNow Business rules for outgoing and direct web services for incoming
  • Efecte Listeners and WebAPI
  • System-specific file formats like XML, CSV and fixed-length, over common transfers like FTP, SFTP and email

How is Service-Flow service security audited?


  • Evaluate the security of Service-Flow service and find the risks and vulnerabilities associated with the software.
  • Done manually at least yearly, automatically weekly
  • Done by external auditor

Scope and methodology

  • Evaluate the application level security from the outside of the system by utilizing the same interfaces as the users of the application
  • Performed using a gray-box method, where the full architecture and source of the system are not completely known.
  • The aim of the audit is to identify security problems related to the service, the most common of which are listed in the OWASP Top Ten.
  • The assessment includes manual work of an expert for detecting characteristic vulnerabilities and logical errors in the system, in addition to using automated tools.

What are the used security controls?

Service-Flow implements appropriate security controls for level 2 of the OWASP Application Security Verification Standard 3.0 (ASVS). An application achieves level 2 verification if it adequately defends against prevalent application security vulnerabilities whose existence poses moderate-to-serious risk. Level 2 is typically appropriate for applications that handle significant business-to-business transactions, including those that process healthcare information, implement business-critical or sensitive functions, or process other sensitive assets.

The security controls in use can be found in the ASVS document.

How is security taken into account when developing the Service-Flow service?

Service-Flow has integrated the OWASP Secure Coding Practices Quick Reference Guide as part of our development lifecycle. The focus in the guide is on secure coding requirements. Developers use the reference guide as a checklist when implementing new functionality.

How is Service-Flow service monitored?

Service-Flow service is monitored 24/7 by multiple automated monitoring systems:

  • Papertrail logging service alerts about errors in applications to PagerDuty, mail and devops chat channels
  • New Relic Application Performance Management alerts about applications and servers to mail, devops chat channels and through PagerDuty to devops team mobile phones (calls and SMS)
  • Automatic alerts from Compose about MongoDB performance and downtime events
  • Automatic alerts from AWS about the state of the AWS components (virtual machines etc)

What if a customer wants to stop using Service-Flow, do we get the configurations with us?

When a customer leaves, Service-Flow can provide them with the routing rule configurations so that they can recreate the integration with other tools. Because there are no relevant integration standards, the value of the rule configurations might be mostly descriptive in nature.

What type of data (e.g. tickets, CIs, contacts, etc.) gets exchanged to and from partners via Service-Flow?

There is no limitation of the entity types used. It can be defined case by case.

What features and functions does Service-Flow SaaS solution provide?

The Service-Flow solution provides all the tools needed to implement a robust integration between ITSM (or other) systems.

Does Service-Flow handle asynchronous or synchronous transactions?

Yes. Both.

Does Service-Flow support JSON REST, SOAP/WSDL, HTTPS/XML type of transactions?

Yes. All. 

Can attachments be exchanged on a ticket?


Are there any restrictions for the processing of attachments (such as size or file types)?

Size limits and file type limitations can be configured according to the needs of the customer tools. It is possible to filter out attachments if the receiving end supports only a certain number or size of attachments.

What security models (e.g. basic authentication, WS-Security) do you support?

Towards Service-Flow, we recommend using HTTP basic authentication. It is also possible to use WS-Security to sign the messages and require Service-Flow to accept only properly signed messages. Towards the customer, you are also able to use client certificates, form-based authentication, OAuth2 and WS-Security message signing. If there is a need to use some other method, we can evaluate it case by case.

Can Service-Flow SaaS solution be deployed as on-premise?

Service-Flow is a SaaS solution and is only available from the cloud. Service-Flow runs on Amazon infrastructure, so regional solutions can be available if there is a specific need. The service is currently located in the AWS EU cloud in Ireland.

Is there an admin tool to configure Service-Flow for new partner connections, mappings, transaction flows, etc.?

Yes. Customers have access to the Service-Flow UI, where all needed configurations are done.

What can be viewed via the tracking console, and will I and/or my client have access to it?

The Service-Flow User Interface (UI) has a view of all message transactions. It provides an easy-to-understand view of the relayed messages and of the ticket lifecycle (a.k.a. ticket conversation). As a customer, you will have access to the Service-Flow UI.

What type of transactions (e.g. batch, real-time) can Service-Flow support?

The typical and recommended setup is to use real-time transactions: either the integrated tool sends transactions to Service-Flow immediately or, as another option, a defined API is polled for changes. Batch updates are sometimes used in old CMDB-related integrations.

Do the vendor adapters still require the client ITSM system to have an adapter component or development on their side?

Typically, vendor adapters communicate with the vendor's integration infrastructure (ESB etc.). In that case, the vendor usually defines the actions and APIs needed to be able to send out transactions.

What is your operational model?

Integration-related configuration, such as rules and mappings, and related troubleshooting are done by our customers or partners. Service-Flow's Operations Team monitors the service 24/7/365. Service-Flow's Experience team provides support for customers and partners.

Will the system provide notifications (e.g. email, SMS) about broken connections, tickets getting stuck, etc.?

Yes. The majority of alerts can be configured to be relayed automatically to the customer's administrators via email. The rest will be sent to them by our Operations Team.

Do you have a capability to measure KPIs such as latency between components, end-to-end response time and volumes of the messages?

The Service-Flow solution provides reports of integration-related variables (the ones mentioned here). The solution is also able to react in real time to situations where, for example, an ACK message is not received within a certain time frame.

We want to emphasize that Service-Flow is not an ITSM tool. This means that all process-related reports (e.g. SLA) should be implemented in the tools that are integrated.

Do you support endpoint outage management in the event that end-point systems are temporarily unavailable?

In the case of an end-point outage, Service-Flow will queue the transactions and delay sending them until connectivity is restored. Service-Flow makes sure that the messages are sent in the order they were received.

What kind of field transformation capability do you provide?

The Service-Flow User Interface (UI) provides tools for even the most complex mappings, from one-to-one to many-to-many. You are also able to concatenate and apply formatters to the data that is received. Typical formatters include stripping HTML formatting, replacing certain characters or applying regular expressions to the data. Data can be translated according to a mapping table and even translated between languages, if needed.

How is version control of configurations managed in Service-Flow?

Service-Flow has built-in versioning of configurations. It is possible to make new configurations and separately activate any of those versions. Each version stores metadata: who made the change, when it was made and an additional comment.

Can a case / ticket exchange flow include the use of acknowledgement processing to link 2 tickets together in the end point ITSM workflow systems?


Do you provide a business rule engine capability for applying any business logic to the message content?


How long is the typical time to set up a ticket exchange using standard APIs out of the box between the two ITSM systems?

For example, the technical setup time for ServiceNow is from 30 minutes to an hour. That is naturally only the initial step. The most time-consuming parts are the process definitions and testing. Usually, if the integrating parties have a common understanding of what the integrations should do, the project can be run through in 2-4 weeks of calendar time.

What development tools are available if I want to build the Service-Flow connections to our endpoints?

The basic principle is that Service-Flow develops and maintains the technology that:

1) adapts to all tools (e.g. ITSM software) needed

2) provides tools to fulfill the rules and logic between the integrated parties.

This means that there is no cost for our customers for the technology development. All technology developed is available to our customers for the monthly subscription fee. The tools needed here are designed to be easy to use, so that there is no need for major training. Naturally, we provide materials for our customers, and training can also be arranged on demand.

Why should I pay the monthly subscription fee?

A traditional integration approach would require you to acquire infrastructure (servers) and integration applications, and to build (develop) the integrations. The important thing to understand is that you would need to pay for servers, software licenses and related maintenance and support services anyway, plus development and maintenance of the integrations. The question is how much a server and application environment with 99,9% end-to-end availability, 24/7 maintenance, monitoring and technical support services AND continuous development work would cost.

Service-Flow SaaS, by contrast, is all-inclusive: the Subscription includes everything that is needed to run reliable integrations. Please take a look at the attached service description for the details. In summary, the SaaS Subscription includes:

a) Highly available, scalable and secure Infrastructure ("Servers")

b) Enterprise grade highly scalable and secure integration applications ("Software")

c) Ready-to-use integrations e.g ITSM adapter and supplier connection ("connections + logic")

d) Continuous development of all components (Servers+Software+Integrations)

e) Operations (support & maintenance services for all components)

f) Enterprise level SLA: Continuous delivery, 99,9% availability, 24/7/365 (no maintenance breaks)

In short, all of this for only one monthly price = Subscription

See also:

End-to-end encryption

Securely connecting ITSM tool with ONEiO

Service-Flow - Technical Whitepaper