RightNow Technologies, profile picture
Uploaded byRightNow Technologies
659 views

Cloud-Based Customer Experience Management Solutions For Government Agencies

This document discusses the opportunities and challenges of certifying cloud-based customer experience management solutions for U.S. federal government agencies. RightNow Technologies worked with SecureForce to certify its cloud solution against the NIST SP 800-53 "moderate" security baseline. They faced challenges with controls not written for cloud/multi-tenant environments and identifying hybrid controls. Lessons included documenting the architecture, automating processes, and considering the "high water mark" for system impact when multiple agencies use the solution. The document provides suggestions for NIST and considerations for both vendors and government customers regarding cloud security.

Embed presentation

Downloaded 38 times
CLOUD-BASED CUSTOMER EXPERIENCE MANAGEMENT SOLUTIONS FOR GOVERNMENT AGENCIES Opportunities and Challenges of Certifying Cloud-Based Solutions for U.S. Federal Government Civilian Agencies ©2009 RightNow Technologies. All rights reserved. RightNow and RightNow logo are trademarks of www.rightnow.com RightNow Technologies Inc. All other trademarks are the property of their respective owners. 9007
CLOUD-BASED CUSTOMER EXPERIENCE MANAGEMENT SOLUTIONS FOR GOVERNMENT AGENCIES TABLE OF CONTENTS Introduction .......... 1 Cloud Computing Fundamentals .......... 3 How We Approached C&A .......... 3 Challenges We Faced in Working Through Our C&A .......... 4 Lessons Learned in Working Through The Challenges .......... 5 Conclusion .......... 7 Authors .......... 9 About SecureForce .......... 9 About RightNow Technologies .......... 9 www.rightnow.com
INTRODUCTION RightNow Technologies RightNow is a provider of cloud-based customer experience management solutions that help consumer-centric organizations deliver exceptional customer experiences across the web, social networks, and contact centers. Founded in 1997, RightNow is headquartered in Bozeman, Montana, employs more than 800 people, and with more than eight billion customer interactions delivered, RightNow is the customer experience fabric for nearly 2,000 organizations around the globe. RightNow is listed on the NASDAQ under the symbol RNOW. Over 170 public sector clients, including nearly every US cabinet level agency, Army, Marines, Air Force, members of the Intelligence Community and DoD, rely on RightNow CX to deliver real-time information, when and where it’s needed. RightNow CX, the Customer Experience Suite RightNow CX is a total customer experience solution for consumer-centric organizations serious about enabling superior interactions across web, social, and contact center touchpoints. RightNow’s customer experience solutions give agencies the ability to coordinate disparate resources, including people and technology, across the organization to develop, rapidly execute, and manage a comprehensive customer experience strategy. RightNow CX applications address the three experiences that matter most (see diagram below), ensuring a seamless multi-channel (web, voice, chat, etc.) experience, regardless of the number or type of customer interactions initiated. RightNow Government Cloud To serve its U.S. Federal Government customers, RightNow has built a dedicated private cloud infrastructure from the ground up to provide enhanced security and satisfy regulatory compliance requirements. Deployed in a Tier 4 datacenter, the RightNow Government 1 www.rightnow.com Share This
Cloud offers logical separation of tenants and other controls necessary to provide the security, high availability, and redundancy equivalent to our commercial offering. The Government Cloud has been designed to satisfy the control requirements for the National Institute of Standards and Technology (NIST) 800-53 “moderate” baseline. Control implementation and compliance status has been independently verified and documented by a third party. SECUREFORCE SecureForce, LLC (SecureForce) is a Washington, DC Metro area based cybersecurity firm that has extensive experience supporting the U.S. Government. SecureForce has provided security engineering, Certification and Accreditation (C&A), security assessment, and security operations support to a broad customer base, including Federal Civilian agencies, the Department of Defense, and the Intelligence Community. SecureForce has performed numerous C&As leveraging the processes outlined in NIST 800-37, NIACAP, DIACAP and DCID 6/3. RightNow and SecureForce have partnered to ensure government compliance requirements are integrated throughout the lifecycle of the RightNow Government Cloud offering and a comprehensive C&A package is developed for each product release. The Demand for Cloud Computing We have seen an increasing demand for cloud computing resources to be made available in all enterprises globally. Very recently, the demand and interest for cloud computing resources in the Federal Government has increased tremendously. Increasingly, there is a need to offer cloud-based services to the Federal Government that have historically only been available to the private sector. The Goal of this Document RightNow and SecureForce have spent the last year and a half working through the complexities of certifying a cloud computing infrastructure against the moderate baseline of the NIST 800-53 control framework. Throughout this process we have identified a number of security controls that were not written with a cloud computing environment in mind. In this document we provide some insight into the high-level challenges that we have faced throughout this process, along with some of our findings, to raise the visibility for other cloud computing vendors who may be thinking about providing services to the Federal Government. We’ve also positioned this document to provide cloud computing buyers lessons learned with the goal of increasing awareness of the obstacles associated with performing C&A in the cloud. .......... 2 www.rightnow.com Share This
CLOUD COMPUTING FUNDAMENTALS In accordance with the NIST Definition of cloud computing (http://csrc.nist.gov/groups/ SNS/cloud-computing/), cloud-based services can be offered via one of three service models. Infrastructure Cloud (IaaS) Infrastructure services in the cloud. This type of cloud vendor will typically provide the processing, storage, and network infrastructure. Examples of IaaS vendors are: · Amazon EC2 and S3 · OpsSource · Rackspace Platform Cloud (PaaS) Cloud providers in this category typically provide either an application development platform, or a raw operating environment from which to house your applications. Vendors in the platform cloud could, in theory, be utilizing IaaS from another vendor underneath the covers. Examples of PaaS vendors are: · Microsoft Azure · Boomi · Google App Engine Application Cloud (SaaS) SaaS vendors are providing an actual application to their customers, typically delivered via web technologies such as Web 2.0 or smart client technology. SaaS vendors could, in theory, be utilizing both a PaaS vendor for delivery of their service and an IaaS vendor for the underlying infrastructure. Examples of SaaS vendors are: · RightNow Technologies · Concur · MessageLabs HOW WE APPROACHED C&A RightNow recognizes that meeting Federal Information Security Management Act (FISMA) compliance is a cost of doing business with the Federal Government. Furthermore, RightNow acknowledges the expectation of the government that vendors should be responsible for demonstrating FISMA compliance within their product offerings in order to establish the chain of trust as part of the implementation of the NIST Risk Management Framework (RMF). Through the partnership with SecureForce, RightNow has taken the initiative to demonstrate the required trustworthiness and address FISMA compliance head-on. Given the RightNow Government Cloud is a multi-tenant environment, we anticipated that certification boundaries would become blurry and controls would become harder to satisfy. In order to address all aspects of the cloud offering, a flexible yet comprehensive approach to addressing C&A within the cloud was required. Based upon the most common customer use cases and data types, the Federal Information Processing Standard (FIPS) 199 system categorization for the Government Cloud was determined to be moderate. To ensure consistent documentation and assessment of controls across tenants, the certification 3 www.rightnow.com Share This
boundary was determined to include all infrastructure components as well as the baseline application. The Government Cloud C&A package is built upon the NIST RMF and includes the following artifacts: Artifact Notes System Security Plan (SSP) Consistent with NIST SP 800-18 Security Assessment Report Consistent with NIST SP 800-53A Risk Assessment Report Consistent with NIST SP 800-30 Plan of Actions and Milestones (POA&M) Maintained by RightNow For each subsequent product version the C&A package is updated and made available to new customers or to existing customers that are upgrading to that version. For those customers that have extensive customizations that extend product functionality, an addendum to the C&A package for their product version must be developed to capture any non-compliant controls and potential risks that may be introduced via the customizations. CHALLENGES WE FACED IN WORKING THROUGH OUR C&A C&A is a complex process made more difficult when applied to a multi-tenant, cloud- based offering. The three most pressing issues we faced during the C&A of the Government Cloud were: 1) Multi-tenancy: Some NIST SP 800-53 controls and NIST SP 800-53A control assessment objectives were not written to address multi-tenancy or data co-mingling. As a result, this created some difficulty when assessing common controls applicable to the entire environment. Ultimately, those controls were fully documented in the SSP then assessed against the “spirit of the law” (i.e. does the control satisfy the control assessment objective while maintaining adequate isolation between customer instances?). 2) Hybrid Control Identification and Ownership Determination: While the majority of applicable security controls are the responsibility of the outsourced provider, some controls also require decision or action by the government customer. These types of controls in which there is shared responsibility between the vendor and the government are known as known as hybrid controls. Examples of hybrid controls include incident response and contingency planning where both the government and the vendor would be required to have policies and procedures in place and the policies and procedures in use by the government may be common for all systems within their inventory. Hybrid controls and the customer-specific responsibilities for meeting control assessment objectives are identified in both the SSP and SAR. 3) Lack of System and Control Documentation: The security architecture and concept of operations of the Government Cloud was not sufficiently documented to provide the necessary context for non-RightNow personnel to fully understand the Government Cloud architecture and operations in order to determine control adequacy and robustness. Having a fully documented security architecture and concept of operations is essential to ensuring complete transparency and establishing the necessary chain of trust between the vendor and the government customer. As part of the C&A process, the security architecture and concept of operations were documented in the SSP. 4 www.rightnow.com Share This
LESSONS LEARNED IN WORKING THROUGH THE CHALLENGES Multi-Tenancy Most cloud computing vendors in the SaaS space, including RightNow, offer a solution that is multi-tenant. Multi-tenancy presents a number of challenges, outlined above, in an environment that is to be certified and accredited. Here is a summary of the key lessons that we learned during our C&A. No context of cloud computing While multi-tenant environments are not explicitly prohibited, many of the controls in the NIST SP 800-53 framework assume a single-tenant installation. Because agencies have become familiar with these controls, many of the Information Assurance (IA) professionals and Authorizing Officials that we’ve worked with were initially very reluctant to housing their data in a multi-tenant environment. RightNow and SecureForce have been able to overcome this reluctance and provide a high degree of assurance regarding the effectiveness of control implementation by clearly outlining the security engineering decisions that RightNow made early-on to logically separate clients from one another. Throughout the C&A process, careful attention was paid to clearly detailing the technical steps taken to logically separate customers from one another in such a way that the risk of co-mingling of data on the same physical infrastructure and the likelihood of cross-organizational operational impact are minimal. System categorization must be based upon high watermark It was also recognized early-on that in a multi-tenant environment, the system as a whole would need to be certified and accredited at a FIPS 199 impact categorization that was commensurate with the highest level that any single potential client could require. This is due to the fact that a large number of the controls that are documented and audited are common controls that involve all of the underlying infrastructure components that are shared in a multi-tenant environment. Consequently, any cloud computing vendor who intends to run a multi-tenant environment would need to certify at the “high water mark”, determined by the highest feasible impact categorization of any single tenant of the infrastructure. Of course, this means that tenants that do not have an explicit requirement for a higher level impact categorization get to take advantage of the increased operational and security controls that are in place. Not only does this provide them with an extra level of assurance in their cloud computing vendor, but it allows them the flexibility to grow into system requirements that are beyond the scope of their original deployment. Consistent and repeatable processes are required Consistent and repeatable processes should be part of any mature cloud computing vendor’s operational practices. The NIST 800-53 control framework requires policies and procedures be developed for all three classes of controls—technical, operational, and management. The application of consistent and repeatable processes can be difficult and is further complicated when being applied to a multi-tenant cloud computing environment. Automation is key to cloud computing Automated and repeatable processes must be tightly integrated throughout all components of the environment to maintain the integrity and security of the cloud computing platform 5 www.rightnow.com Share This
and to ensure quality provisioning of elastic, on demand, services. RightNow has developed a comprehensive management system which automates commonly performed tasks throughout the Government Cloud, including the infrastructure, platform, and application. RightNow achieves operational excellence, while maintaining a robust security posture, in a complex multi-tenant environment by directly controlling all aspects of the Government Cloud. Change management approval process is mandatory In any computing environment, there will inevitably be some processes which cannot be automated. Those processes which cannot be automated require thorough review and approvals to ensure that operational risk is reduced as much as possible, without losing the ability to be flexible. We have implemented a change management and tracking process that allows the operators of the environment to propose changes to the environment. These proposals are reviewed by appropriate engineering resources and approved by management multiple times per week. This level of frequency allows us to be responsive to customer demands in a constantly evolving environment. Version control is taken to a new level The ability to run multiple versions of the application (SaaS level) of the cloud computing environment is driven primarily by the mission criticality of the application use case. Having a system that allows the tenants a choice in version and upgrade schedule is one of the many unique value propositions that RightNow provides. Maintaining a large number of versions in a production environment requires robust logical separation of tenants from one another. Only through robust logical separation can the integrity of the environment be maintained despite the disparity in service functionality and patch levels between tenants. 6 www.rightnow.com Share This
CONCLUSION Suggestions To address common concerns related to cloud computing, guidance should be developed that addresses the application of the NIST 800-53 control framework to a cloud computing environment. Particular attention should be paid to explaining the risks associated with multi-tenancy and the types of controls and countermeasures that may be put in place to effectively enforce and monitor logical separation, and their ability to mitigate the associated risks. Additionally, the guidance should address those hybrid controls that may be common across the cloud computing environment (i.e. common for all tenants) as well as those controls where the responsibility for control implementation should be shared between the vendor and the government. We are aware that NIST is presently developing guidance on cloud computing and we look forward to reviewing and providing feedback on the initial public draft. Considerations Vendors should be aware that: · Government customers are required to conduct C&A of their systems prior to operation and are required to monitor the system on a continuous basis thereafter. · Government customers expect the vendors to support the C&A process; therefore, C&A is a mandatory requirement for doing business with the government. · Government customers expect complete transparency into cloud computing offerings in order to ensure all aspects of the offering (e.g. 3rd party vendors and services) meet the necessary control requirements and do not weaken the chain of trust. · Hybrid controls exist where there may be shared responsibility between the vendor and government. · Security engineering should be tightly integrated throughout the lifecycle of cloud computing offerings so that security requirements are fully understood and a risk management program is in place to balance security against operational and functional requirements. Government customers should be aware that: · Many vendors have never dealt with C&A and are not fully educated on the requirements for complying with FISMA. Contracts should clearly identify the applicable NIST 800-53 controls and enhancements and the vendor’s responsibility to ensure they are satisfied. · NIST guidelines do not fully address cloud computing. Applicable controls must be assessed within the given context of their environment. · Hybrid controls exist where there may be shared responsibility between the vendor and government. · Mature cloud computing vendors should be able to demonstrate that security engineering principles are tightly integrated throughout the lifecycle of their offerings, that security requirements are fully understood, and a risk management program is in place to balance security against operational and functional requirements. 7 www.rightnow.com Share This
Chain of Trust Transparency is a key factor in developing trust with cloud computing consumers. If the chain of trust has fewer links, the service will ultimately be easier to secure and control, thereby facilitating: · Auditing · Reporting · Accountability Cloud computing vendors who have direct control over all three cloud service models will have a distinct advantage for providing transparency as well as addressing the numerous controls and policies necessary to achieve compliance and accreditation. Very little finger pointing can take place in an environment where a single vendor is responsible from end to end. Summary In going through the FISMA certification and accreditation process, we found several things particularly challenging: · Multi-tenancy: clarity and guidance needs to be provided to help define and control multi-tenant environments · Hybrid controls: standards need to be updated to accommodate that some controls may be applicable across multiple layers of infrastructure, with different responsible parties at each layer · Lack of system and control documentation: this is an area that vendors just need to be prepared to address We suggest that the FISMA guidelines be updated to provide clarity in the first two issues noted above and would welcome the opportunity to provide direct feedback in these areas to those who are responsible for writing/amending the guidelines. There have been some changes made recently to NIST 800-37 (revision 1) that will make a unified standard and methodology easier to achieve over the long term. However, we feel that these changes do not yet directly address the areas that we’re suggesting above. 8 www.rightnow.com Share This
AUTHORS Ben Nelson CISO & Director, IT Services RightNow Technologies Stefen Smith, CISSP-ISSEP Chief Technology Officer SecureForce ABOUT SECUREFORCE SecureForce is passionate about cyber security. We are comprehensive in our approach to providing end-to-end security solutions using state-of-the-art technologies supplemented with constantly evolving knowledge and expertise. Our methods are singularly focused on removing the threat of cyber exploitation. Located in Washington, DC, SecureForce has the proven credentials to assess, architect, engineer, certify, accredit, and operate the security infrastructure of the largest government agencies and corporations located in the U.S. and abroad. ABOUT RIGHTNOW RightNow (NASDAQ: RNOW) delivers the high-impact technology solutions and services organizations need to cost-efficiently deliver a consistently superior customer experience across their frontline service touchpoints. Approximately 1,900 corporations, government agencies, and institutions worldwide depend on RightNow to achieve their strategic objectives and better meet the needs of those they serve. RightNow is headquartered in Bozeman, Montana. For more information, please visit www.rightnow.com. RightNow is a registered trademark of RightNow Technologies, Inc. NASDAQ is a registered trademark of the NASDAQ Stock Market. Contact us today to find out how we can help you create the best possible customer experience for your customers. Our solutions: RightNow CX RightNow Social Experience RightNow Engage The Customer Experience Suite RightNow Web Experience RightNow Contact Center Experience RightNow CX Cloud Platform Be social with us: RightNow.com Twitter Facebook YouTube LinkedIn RightNow Blog 9 www.rightnow.com Share This

More Related Content

PDF
Losing Control to the Cloud
byRochester Security Summit
 
PDF
Value Plus July Edition - 2015
byRedington Value Distribution
 
PDF
Ensuring PCI DSS Compliance in the Cloud
byCognizant
 
PDF
CA
bypatrikbzz
 
PDF
G10.2013 Application Delivery Controllers
bySatya Harish
 
PDF
Cloud computing understanding security risk and management
byShamsundar Machale (CISSP, CEH)
 
PDF
Scaling Mobile Network Security for LTE: A Multi-Layer Approach
byF5 Networks
 
PDF
IRJET- SAAS Attacks Defense Mechanisms and Digital Forensic
byIRJET Journal
 
Losing Control to the Cloud
byRochester Security Summit
 
Value Plus July Edition - 2015
byRedington Value Distribution
 
Ensuring PCI DSS Compliance in the Cloud
byCognizant
 
CA
bypatrikbzz
 
G10.2013 Application Delivery Controllers
bySatya Harish
 
Cloud computing understanding security risk and management
byShamsundar Machale (CISSP, CEH)
 
Scaling Mobile Network Security for LTE: A Multi-Layer Approach
byF5 Networks
 
IRJET- SAAS Attacks Defense Mechanisms and Digital Forensic
byIRJET Journal
 

What's hot

PDF
Rob kloots auditoutsourcedit
byRobert Kloots
 
PPTX
Cloud Security By Dr. Anton Ravindran
byGSTF
 
PPT
Hdcs Overview Final
byrjt01
 
PDF
Ijirsm ashok-kumar-h-problems-and-solutions-infrastructure-as-service-securit...
byIJIR JOURNALS IJIRUSA
 
PDF
A Review on Data Protection of Cloud Computing Security, Benefits, Risks and ...
byUnited International Journal for Research & Technology
 
PDF
Cloud Computing Risk Management (IIA Webinar)
byBrian K. Dickard
 
PDF
Cloud Computing: A study of cloud architecture and its patterns
byIJERA Editor
 
PDF
Are your insurance processes cloud compatible?
byCognizant
 
PDF
Clues for Solving Cloud-Based App Performance
byNETSCOUT
 
PDF
Service Compositions: Curse or Blessing for Security?
byAchim D. Brucker
 
PDF
Risk management for cloud computing hb final
byChristophe Monnier
 
PDF
Improve network safety through better visibility – Netmagic
byNetmagic Solutions Pvt. Ltd.
 
PDF
IntelAdapt
byMaggie Albrecht
 
PDF
SECURITY ISSUES IN CLOUD COMPUTING
byInternational Journal of Technical Research & Application
 
PDF
Accenture Computing In A Cloud
bychzesin
 
PDF
Virtualization And Cloud Impact Overview Auditor Spin Enterprise Gr Cv4
byEnterpriseGRC Solutions, Inc.
 
PDF
PRISMACLOUD Cloud Security and Privacy by Design
byPRISMACLOUD Project
 
PDF
Cloud Computing Risk Management (Multi Venue)
byBrian K. Dickard
 
PDF
Information Security Governance
byBooz Allen Hamilton
 
PDF
IRJET- Authentication and Access Control for Cloud Computing Comparing Proble...
byIRJET Journal
 
Rob kloots auditoutsourcedit
byRobert Kloots
 
Cloud Security By Dr. Anton Ravindran
byGSTF
 
Hdcs Overview Final
byrjt01
 
Ijirsm ashok-kumar-h-problems-and-solutions-infrastructure-as-service-securit...
byIJIR JOURNALS IJIRUSA
 
A Review on Data Protection of Cloud Computing Security, Benefits, Risks and ...
byUnited International Journal for Research & Technology
 
Cloud Computing Risk Management (IIA Webinar)
byBrian K. Dickard
 
Cloud Computing: A study of cloud architecture and its patterns
byIJERA Editor
 
Are your insurance processes cloud compatible?
byCognizant
 
Clues for Solving Cloud-Based App Performance
byNETSCOUT
 
Service Compositions: Curse or Blessing for Security?
byAchim D. Brucker
 
Risk management for cloud computing hb final
byChristophe Monnier
 
Improve network safety through better visibility – Netmagic
byNetmagic Solutions Pvt. Ltd.
 
IntelAdapt
byMaggie Albrecht
 
SECURITY ISSUES IN CLOUD COMPUTING
byInternational Journal of Technical Research & Application
 
Accenture Computing In A Cloud
bychzesin
 
Virtualization And Cloud Impact Overview Auditor Spin Enterprise Gr Cv4
byEnterpriseGRC Solutions, Inc.
 
PRISMACLOUD Cloud Security and Privacy by Design
byPRISMACLOUD Project
 
Cloud Computing Risk Management (Multi Venue)
byBrian K. Dickard
 
Information Security Governance
byBooz Allen Hamilton
 
IRJET- Authentication and Access Control for Cloud Computing Comparing Proble...
byIRJET Journal
 

Similar to Cloud-Based Customer Experience Management Solutions For Government Agencies

PPTX
Cloud is not an option, but is security?
byJody Keyser
 
PPT
Cloudcomputingoct2009 100301142544-phpapp02
byabhisheknayak29
 
PDF
Taiye Lambo - Auditing the cloud
bynooralmousa
 
PPTX
Data Tactics dhs introduction to cloud technologies wtc
byDataTactics
 
PDF
Dr. Michael Valivullah, NASS/USDA - Cloud Computing
byikanow
 
PDF
Peering Through the Cloud Forrester EMEA 2010
bygraywilliams
 
PDF
CCSK, cloud security framework, Indonesia
byWise Pacific Venture
 
PDF
Why the Cloud can be Compliant and Secure
byInnoTech
 
PPT
4831586.ppt
byahmad21315
 
PPTX
Piloting The Cloud: Acting on OMB's Mandate - RightNow Technologies
byNitin Badjatia
 
PDF
Cloud01: Best Practices for Virtual Cloud Security - H. Del Castillo, AIPMM
byHector Del Castillo, CPM, CPMM
 
PDF
Cloud Webinar Neiditz Weitz Mitchell Goodman
byjonneiditz
 
PPTX
Executive Briefing: Strategic Issues Surrounding Cloud Services
byWhitmeyerTuffin
 
PDF
Cloudsecurity
bydrewz lin
 
PDF
Cloud services and it security
byEast Midlands Cyber Security Forum
 
PDF
2011 IaaS standards report from Ad Hoc WG
byBob Marcus
 
PDF
Presd1 10
byNiels Groeneveld
 
PDF
Cloud provider transparency
byPrachyanun Nilsook
 
PDF
MISA Cloud workshop - Cloud 101
byMISA Ontario Cloud SIG
 
PPTX
NARA's FAQ and Bulletin on Cloud Computing
byArian Ravanbakhsh
 
Cloud is not an option, but is security?
byJody Keyser
 
Cloudcomputingoct2009 100301142544-phpapp02
byabhisheknayak29
 
Taiye Lambo - Auditing the cloud
bynooralmousa
 
Data Tactics dhs introduction to cloud technologies wtc
byDataTactics
 
Dr. Michael Valivullah, NASS/USDA - Cloud Computing
byikanow
 
Peering Through the Cloud Forrester EMEA 2010
bygraywilliams
 
CCSK, cloud security framework, Indonesia
byWise Pacific Venture
 
Why the Cloud can be Compliant and Secure
byInnoTech
 
4831586.ppt
byahmad21315
 
Piloting The Cloud: Acting on OMB's Mandate - RightNow Technologies
byNitin Badjatia
 
Cloud01: Best Practices for Virtual Cloud Security - H. Del Castillo, AIPMM
byHector Del Castillo, CPM, CPMM
 
Cloud Webinar Neiditz Weitz Mitchell Goodman
byjonneiditz
 
Executive Briefing: Strategic Issues Surrounding Cloud Services
byWhitmeyerTuffin
 
Cloudsecurity
bydrewz lin
 
Cloud services and it security
byEast Midlands Cyber Security Forum
 
2011 IaaS standards report from Ad Hoc WG
byBob Marcus
 
Presd1 10
byNiels Groeneveld
 
Cloud provider transparency
byPrachyanun Nilsook
 
MISA Cloud workshop - Cloud 101
byMISA Ontario Cloud SIG
 
NARA's FAQ and Bulletin on Cloud Computing
byArian Ravanbakhsh
 

More from RightNow Technologies

PPTX
2011 Customer Experience Impact Report
byRightNow Technologies
 
PPTX
2010 Customer Experience Impact Report
byRightNow Technologies
 
PPT
Drugstore.com Gartner Slides
byRightNow Technologies
 
PDF
RightNow Brings Social Into The Customer Experience
byRightNow Technologies
 
PDF
Consumer Electronics Gets CRM RightNow
byRightNow Technologies
 
PDF
RightNow's 4th Annual Customer Experience Impact Report
byRightNow Technologies
 
PDF
RightNow's 2nd Annual Customer Experience Impact Report
byRightNow Technologies
 
PDF
Nucleus Research ROI Case Study 2008
byRightNow Technologies
 
PDF
Nucleus Research: Evaluating The On-demand Contact Center
byRightNow Technologies
 
PDF
The Importance of Multi-Channel Contact and Social Media to the Customer Expe...
byRightNow Technologies
 
PDF
Decision Matrix: Selecting a CRM Vendor in Higher Education
byRightNow Technologies
 
PDF
Eight Steps to Great Customer Experiences for Government Agencies
byRightNow Technologies
 
PDF
Right now customer-feedback-survey-best-practices-brief
byRightNow Technologies
 
PDF
Empowered Interactions: Delivering a Differentiated Student Lifecycle Experience
byRightNow Technologies
 
PDF
Proactive Customer Service
byRightNow Technologies
 
PDF
Customer Experience Makeover: A Practical Approach to Differentiated Service
byRightNow Technologies
 
PDF
CRM and National Security: Five Essential Software Capabilities
byRightNow Technologies
 
PPTX
Webcast: Piloting the Cloud: Social Web and the Public Sector
byRightNow Technologies
 
PDF
Webcast: Piloting the Cloud: The Open Government Directive
byRightNow Technologies
 
PDF
Delivering Customer Service in the Cloud
byRightNow Technologies
 
2011 Customer Experience Impact Report
byRightNow Technologies
 
2010 Customer Experience Impact Report
byRightNow Technologies
 
Drugstore.com Gartner Slides
byRightNow Technologies
 
RightNow Brings Social Into The Customer Experience
byRightNow Technologies
 
Consumer Electronics Gets CRM RightNow
byRightNow Technologies
 
RightNow's 4th Annual Customer Experience Impact Report
byRightNow Technologies
 
RightNow's 2nd Annual Customer Experience Impact Report
byRightNow Technologies
 
Nucleus Research ROI Case Study 2008
byRightNow Technologies
 
Nucleus Research: Evaluating The On-demand Contact Center
byRightNow Technologies
 
The Importance of Multi-Channel Contact and Social Media to the Customer Expe...
byRightNow Technologies
 
Decision Matrix: Selecting a CRM Vendor in Higher Education
byRightNow Technologies
 
Eight Steps to Great Customer Experiences for Government Agencies
byRightNow Technologies
 
Right now customer-feedback-survey-best-practices-brief
byRightNow Technologies
 
Empowered Interactions: Delivering a Differentiated Student Lifecycle Experience
byRightNow Technologies
 
Proactive Customer Service
byRightNow Technologies
 
Customer Experience Makeover: A Practical Approach to Differentiated Service
byRightNow Technologies
 
CRM and National Security: Five Essential Software Capabilities
byRightNow Technologies
 
Webcast: Piloting the Cloud: Social Web and the Public Sector
byRightNow Technologies
 
Webcast: Piloting the Cloud: The Open Government Directive
byRightNow Technologies
 
Delivering Customer Service in the Cloud
byRightNow Technologies
 

Recently uploaded

DOCX
8 Best Places to Buy Facebook Accounts at Wholesale Prices.docx
byFacebook Accounts
 
PDF
Guide to Safely Buying Gmail Accounts for Safely-Aged.pdf
bysmartusapva.com
 
DOCX
Buy Verified Cash App Accounts In The Us
bysebastianparsonst8
 
PDF
Your presence tells your story in real time
byPatrice Bisiot
 
PDF
Stablecoins beyond narrow banking - Lombard Notes
byGiorgio Giuliani
 
PPTX
Legal Matters - Session 4 - Presentation
byshannonzipoy1
 
PDF
Top Platform to Buy Facebook Accounts in Bulk Safely.pdf
byBuy Facebook Accounts
 
DOCX
Buy Old Gmail Accounts in 2026_ Complete Buyer’s Guide
bypvasmmpath
 
PDF
KGA - Governing administration in a consolidated market
byHenry Tapper
 
DOCX
Best Place to Learn Old or Aged Verified Square Accounts in WWW.docx
byTopSelleriT
 
DOCX
Buy Old Gmail Accounts_ Top Benefits and Legal Considerations.docx
bypvasmmpath
 
PDF
AI,Analytics, Digital HR, Agentic AI.pdf
bypgp25chinica
 
PPTX
Levels of Management: Top, Middle and Lower Management Explained
bychrispshajugig
 
PDF
Intangible (Knowledge) Assets and Dynamic Capabilities: New Paradigms for Ana...
byDavid Teece
 
PDF
Safe Ways to Purchase Gmail Accounts (PVA & Aged) for Your Team.pdf
bypvaisback
 
PDF
ICv2 White Paper - Navigating the New World of Comics
byDennisViau
 
DOCX
What Are Telegram Accounts and Why Are They Important for Global Communicatio...
byx24gm4qs23vusc8s2b53
 
PDF
Ultra Map Section II Multifaceted Second Edition.pdf
byBrij Consulting, LLC
 
PDF
Sylvester Konadu Worcester MA - A Trusted Worcester Tech Professional
bySylvester Konadu Worcester
 
PDF
Prasenjit Bhaumik Plano - Proficient In JavaScript, Python, And Database Mana...
byPrasenjit Bhaumik Plano
 
8 Best Places to Buy Facebook Accounts at Wholesale Prices.docx
byFacebook Accounts
 
Guide to Safely Buying Gmail Accounts for Safely-Aged.pdf
bysmartusapva.com
 
Buy Verified Cash App Accounts In The Us
bysebastianparsonst8
 
Your presence tells your story in real time
byPatrice Bisiot
 
Stablecoins beyond narrow banking - Lombard Notes
byGiorgio Giuliani
 
Legal Matters - Session 4 - Presentation
byshannonzipoy1
 
Top Platform to Buy Facebook Accounts in Bulk Safely.pdf
byBuy Facebook Accounts
 
Buy Old Gmail Accounts in 2026_ Complete Buyer’s Guide
bypvasmmpath
 
KGA - Governing administration in a consolidated market
byHenry Tapper
 
Best Place to Learn Old or Aged Verified Square Accounts in WWW.docx
byTopSelleriT
 
Buy Old Gmail Accounts_ Top Benefits and Legal Considerations.docx
bypvasmmpath
 
AI,Analytics, Digital HR, Agentic AI.pdf
bypgp25chinica
 
Levels of Management: Top, Middle and Lower Management Explained
bychrispshajugig
 
Intangible (Knowledge) Assets and Dynamic Capabilities: New Paradigms for Ana...
byDavid Teece
 
Safe Ways to Purchase Gmail Accounts (PVA & Aged) for Your Team.pdf
bypvaisback
 
ICv2 White Paper - Navigating the New World of Comics
byDennisViau
 
What Are Telegram Accounts and Why Are They Important for Global Communicatio...
byx24gm4qs23vusc8s2b53
 
Ultra Map Section II Multifaceted Second Edition.pdf
byBrij Consulting, LLC
 
Sylvester Konadu Worcester MA - A Trusted Worcester Tech Professional
bySylvester Konadu Worcester
 
Prasenjit Bhaumik Plano - Proficient In JavaScript, Python, And Database Mana...
byPrasenjit Bhaumik Plano
 

Cloud-Based Customer Experience Management Solutions For Government Agencies

  • 1.
    CLOUD-BASED CUSTOMER EXPERIENCEMANAGEMENT SOLUTIONS FOR GOVERNMENT AGENCIES Opportunities and Challenges of Certifying Cloud-Based Solutions for U.S. Federal Government Civilian Agencies ©2009 RightNow Technologies. All rights reserved. RightNow and RightNow logo are trademarks of www.rightnow.com RightNow Technologies Inc. All other trademarks are the property of their respective owners. 9007
  • 2.
    CLOUD-BASED CUSTOMER EXPERIENCEMANAGEMENT SOLUTIONS FOR GOVERNMENT AGENCIES TABLE OF CONTENTS Introduction .......... 1 Cloud Computing Fundamentals .......... 3 How We Approached C&A .......... 3 Challenges We Faced in Working Through Our C&A .......... 4 Lessons Learned in Working Through The Challenges .......... 5 Conclusion .......... 7 Authors .......... 9 About SecureForce .......... 9 About RightNow Technologies .......... 9 www.rightnow.com
  • 3.
    INTRODUCTION RightNow Technologies RightNow is a provider of cloud-based customer experience management solutions that help consumer-centric organizations deliver exceptional customer experiences across the web, social networks, and contact centers. Founded in 1997, RightNow is headquartered in Bozeman, Montana, employs more than 800 people, and with more than eight billion customer interactions delivered, RightNow is the customer experience fabric for nearly 2,000 organizations around the globe. RightNow is listed on the NASDAQ under the symbol RNOW. Over 170 public sector clients, including nearly every US cabinet level agency, Army, Marines, Air Force, members of the Intelligence Community and DoD, rely on RightNow CX to deliver real-time information, when and where it’s needed. RightNow CX, the Customer Experience Suite RightNow CX is a total customer experience solution for consumer-centric organizations serious about enabling superior interactions across web, social, and contact center touchpoints. RightNow’s customer experience solutions give agencies the ability to coordinate disparate resources, including people and technology, across the organization to develop, rapidly execute, and manage a comprehensive customer experience strategy. RightNow CX applications address the three experiences that matter most (see diagram below), ensuring a seamless multi-channel (web, voice, chat, etc.) experience, regardless of the number or type of customer interactions initiated. RightNow Government Cloud To serve its U.S. Federal Government customers, RightNow has built a dedicated private cloud infrastructure from the ground up to provide enhanced security and satisfy regulatory compliance requirements. Deployed in a Tier 4 datacenter, the RightNow Government 1 www.rightnow.com Share This
  • 4.
    Cloud offers logicalseparation of tenants and other controls necessary to provide the security, high availability, and redundancy equivalent to our commercial offering. The Government Cloud has been designed to satisfy the control requirements for the National Institute of Standards and Technology (NIST) 800-53 “moderate” baseline. Control implementation and compliance status has been independently verified and documented by a third party. SECUREFORCE SecureForce, LLC (SecureForce) is a Washington, DC Metro area based cybersecurity firm that has extensive experience supporting the U.S. Government. SecureForce has provided security engineering, Certification and Accreditation (C&A), security assessment, and security operations support to a broad customer base, including Federal Civilian agencies, the Department of Defense, and the Intelligence Community. SecureForce has performed numerous C&As leveraging the processes outlined in NIST 800-37, NIACAP, DIACAP and DCID 6/3. RightNow and SecureForce have partnered to ensure government compliance requirements are integrated throughout the lifecycle of the RightNow Government Cloud offering and a comprehensive C&A package is developed for each product release. The Demand for Cloud Computing We have seen an increasing demand for cloud computing resources to be made available in all enterprises globally. Very recently, the demand and interest for cloud computing resources in the Federal Government has increased tremendously. Increasingly, there is a need to offer cloud-based services to the Federal Government that have historically only been available to the private sector. The Goal of this Document RightNow and SecureForce have spent the last year and a half working through the complexities of certifying a cloud computing infrastructure against the moderate baseline of the NIST 800-53 control framework. Throughout this process we have identified a number of security controls that were not written with a cloud computing environment in mind. In this document we provide some insight into the high-level challenges that we have faced throughout this process, along with some of our findings, to raise the visibility for other cloud computing vendors who may be thinking about providing services to the Federal Government. We’ve also positioned this document to provide cloud computing buyers lessons learned with the goal of increasing awareness of the obstacles associated with performing C&A in the cloud. .......... 2 www.rightnow.com Share This
  • 5.
    CLOUD COMPUTING FUNDAMENTALS In accordance with the NIST Definition of cloud computing (http://csrc.nist.gov/groups/ SNS/cloud-computing/), cloud-based services can be offered via one of three service models. Infrastructure Cloud (IaaS) Infrastructure services in the cloud. This type of cloud vendor will typically provide the processing, storage, and network infrastructure. Examples of IaaS vendors are: · Amazon EC2 and S3 · OpsSource · Rackspace Platform Cloud (PaaS) Cloud providers in this category typically provide either an application development platform, or a raw operating environment from which to house your applications. Vendors in the platform cloud could, in theory, be utilizing IaaS from another vendor underneath the covers. Examples of PaaS vendors are: · Microsoft Azure · Boomi · Google App Engine Application Cloud (SaaS) SaaS vendors are providing an actual application to their customers, typically delivered via web technologies such as Web 2.0 or smart client technology. SaaS vendors could, in theory, be utilizing both a PaaS vendor for delivery of their service and an IaaS vendor for the underlying infrastructure. Examples of SaaS vendors are: · RightNow Technologies · Concur · MessageLabs HOW WE APPROACHED C&A RightNow recognizes that meeting Federal Information Security Management Act (FISMA) compliance is a cost of doing business with the Federal Government. Furthermore, RightNow acknowledges the expectation of the government that vendors should be responsible for demonstrating FISMA compliance within their product offerings in order to establish the chain of trust as part of the implementation of the NIST Risk Management Framework (RMF). Through the partnership with SecureForce, RightNow has taken the initiative to demonstrate the required trustworthiness and address FISMA compliance head-on. Given the RightNow Government Cloud is a multi-tenant environment, we anticipated that certification boundaries would become blurry and controls would become harder to satisfy. In order to address all aspects of the cloud offering, a flexible yet comprehensive approach to addressing C&A within the cloud was required. Based upon the most common customer use cases and data types, the Federal Information Processing Standard (FIPS) 199 system categorization for the Government Cloud was determined to be moderate. To ensure consistent documentation and assessment of controls across tenants, the certification 3 www.rightnow.com Share This
  • 6.
    boundary was determinedto include all infrastructure components as well as the baseline application. The Government Cloud C&A package is built upon the NIST RMF and includes the following artifacts: Artifact Notes System Security Plan (SSP) Consistent with NIST SP 800-18 Security Assessment Report Consistent with NIST SP 800-53A Risk Assessment Report Consistent with NIST SP 800-30 Plan of Actions and Milestones (POA&M) Maintained by RightNow For each subsequent product version the C&A package is updated and made available to new customers or to existing customers that are upgrading to that version. For those customers that have extensive customizations that extend product functionality, an addendum to the C&A package for their product version must be developed to capture any non-compliant controls and potential risks that may be introduced via the customizations. CHALLENGES WE FACED IN WORKING THROUGH OUR C&A C&A is a complex process made more difficult when applied to a multi-tenant, cloud- based offering. The three most pressing issues we faced during the C&A of the Government Cloud were: 1) Multi-tenancy: Some NIST SP 800-53 controls and NIST SP 800-53A control assessment objectives were not written to address multi-tenancy or data co-mingling. As a result, this created some difficulty when assessing common controls applicable to the entire environment. Ultimately, those controls were fully documented in the SSP then assessed against the “spirit of the law” (i.e. does the control satisfy the control assessment objective while maintaining adequate isolation between customer instances?). 2) Hybrid Control Identification and Ownership Determination: While the majority of applicable security controls are the responsibility of the outsourced provider, some controls also require decision or action by the government customer. These types of controls in which there is shared responsibility between the vendor and the government are known as known as hybrid controls. Examples of hybrid controls include incident response and contingency planning where both the government and the vendor would be required to have policies and procedures in place and the policies and procedures in use by the government may be common for all systems within their inventory. Hybrid controls and the customer-specific responsibilities for meeting control assessment objectives are identified in both the SSP and SAR. 3) Lack of System and Control Documentation: The security architecture and concept of operations of the Government Cloud was not sufficiently documented to provide the necessary context for non-RightNow personnel to fully understand the Government Cloud architecture and operations in order to determine control adequacy and robustness. Having a fully documented security architecture and concept of operations is essential to ensuring complete transparency and establishing the necessary chain of trust between the vendor and the government customer. As part of the C&A process, the security architecture and concept of operations were documented in the SSP. 4 www.rightnow.com Share This
  • 7.
    LESSONS LEARNED INWORKING THROUGH THE CHALLENGES Multi-Tenancy Most cloud computing vendors in the SaaS space, including RightNow, offer a solution that is multi-tenant. Multi-tenancy presents a number of challenges, outlined above, in an environment that is to be certified and accredited. Here is a summary of the key lessons that we learned during our C&A. No context of cloud computing While multi-tenant environments are not explicitly prohibited, many of the controls in the NIST SP 800-53 framework assume a single-tenant installation. Because agencies have become familiar with these controls, many of the Information Assurance (IA) professionals and Authorizing Officials that we’ve worked with were initially very reluctant to housing their data in a multi-tenant environment. RightNow and SecureForce have been able to overcome this reluctance and provide a high degree of assurance regarding the effectiveness of control implementation by clearly outlining the security engineering decisions that RightNow made early-on to logically separate clients from one another. Throughout the C&A process, careful attention was paid to clearly detailing the technical steps taken to logically separate customers from one another in such a way that the risk of co-mingling of data on the same physical infrastructure and the likelihood of cross-organizational operational impact are minimal. System categorization must be based upon high watermark It was also recognized early-on that in a multi-tenant environment, the system as a whole would need to be certified and accredited at a FIPS 199 impact categorization that was commensurate with the highest level that any single potential client could require. This is due to the fact that a large number of the controls that are documented and audited are common controls that involve all of the underlying infrastructure components that are shared in a multi-tenant environment. Consequently, any cloud computing vendor who intends to run a multi-tenant environment would need to certify at the “high water mark”, determined by the highest feasible impact categorization of any single tenant of the infrastructure. Of course, this means that tenants that do not have an explicit requirement for a higher level impact categorization get to take advantage of the increased operational and security controls that are in place. Not only does this provide them with an extra level of assurance in their cloud computing vendor, but it allows them the flexibility to grow into system requirements that are beyond the scope of their original deployment. Consistent and repeatable processes are required Consistent and repeatable processes should be part of any mature cloud computing vendor’s operational practices. The NIST 800-53 control framework requires policies and procedures be developed for all three classes of controls—technical, operational, and management. The application of consistent and repeatable processes can be difficult and is further complicated when being applied to a multi-tenant cloud computing environment. Automation is key to cloud computing Automated and repeatable processes must be tightly integrated throughout all components of the environment to maintain the integrity and security of the cloud computing platform 5 www.rightnow.com Share This
  • 8.
    and to ensurequality provisioning of elastic, on demand, services. RightNow has developed a comprehensive management system which automates commonly performed tasks throughout the Government Cloud, including the infrastructure, platform, and application. RightNow achieves operational excellence, while maintaining a robust security posture, in a complex multi-tenant environment by directly controlling all aspects of the Government Cloud. Change management approval process is mandatory In any computing environment, there will inevitably be some processes which cannot be automated. Those processes which cannot be automated require thorough review and approvals to ensure that operational risk is reduced as much as possible, without losing the ability to be flexible. We have implemented a change management and tracking process that allows the operators of the environment to propose changes to the environment. These proposals are reviewed by appropriate engineering resources and approved by management multiple times per week. This level of frequency allows us to be responsive to customer demands in a constantly evolving environment. Version control is taken to a new level The ability to run multiple versions of the application (SaaS level) of the cloud computing environment is driven primarily by the mission criticality of the application use case. Having a system that allows the tenants a choice in version and upgrade schedule is one of the many unique value propositions that RightNow provides. Maintaining a large number of versions in a production environment requires robust logical separation of tenants from one another. Only through robust logical separation can the integrity of the environment be maintained despite the disparity in service functionality and patch levels between tenants. 6 www.rightnow.com Share This
  • 9.
    CONCLUSION Suggestions Toaddress common concerns related to cloud computing, guidance should be developed that addresses the application of the NIST 800-53 control framework to a cloud computing environment. Particular attention should be paid to explaining the risks associated with multi-tenancy and the types of controls and countermeasures that may be put in place to effectively enforce and monitor logical separation, and their ability to mitigate the associated risks. Additionally, the guidance should address those hybrid controls that may be common across the cloud computing environment (i.e. common for all tenants) as well as those controls where the responsibility for control implementation should be shared between the vendor and the government. We are aware that NIST is presently developing guidance on cloud computing and we look forward to reviewing and providing feedback on the initial public draft. Considerations Vendors should be aware that: · Government customers are required to conduct C&A of their systems prior to operation and are required to monitor the system on a continuous basis thereafter. · Government customers expect the vendors to support the C&A process; therefore, C&A is a mandatory requirement for doing business with the government. · Government customers expect complete transparency into cloud computing offerings in order to ensure all aspects of the offering (e.g. 3rd party vendors and services) meet the necessary control requirements and do not weaken the chain of trust. · Hybrid controls exist where there may be shared responsibility between the vendor and government. · Security engineering should be tightly integrated throughout the lifecycle of cloud computing offerings so that security requirements are fully understood and a risk management program is in place to balance security against operational and functional requirements. Government customers should be aware that: · Many vendors have never dealt with C&A and are not fully educated on the requirements for complying with FISMA. Contracts should clearly identify the applicable NIST 800-53 controls and enhancements and the vendor’s responsibility to ensure they are satisfied. · NIST guidelines do not fully address cloud computing. Applicable controls must be assessed within the given context of their environment. · Hybrid controls exist where there may be shared responsibility between the vendor and government. · Mature cloud computing vendors should be able to demonstrate that security engineering principles are tightly integrated throughout the lifecycle of their offerings, that security requirements are fully understood, and a risk management program is in place to balance security against operational and functional requirements. 7 www.rightnow.com Share This
  • 10.
    Chain of Trust Transparency is a key factor in developing trust with cloud computing consumers. If the chain of trust has fewer links, the service will ultimately be easier to secure and control, thereby facilitating: · Auditing · Reporting · Accountability Cloud computing vendors who have direct control over all three cloud service models will have a distinct advantage for providing transparency as well as addressing the numerous controls and policies necessary to achieve compliance and accreditation. Very little finger pointing can take place in an environment where a single vendor is responsible from end to end. Summary In going through the FISMA certification and accreditation process, we found several things particularly challenging: · Multi-tenancy: clarity and guidance needs to be provided to help define and control multi-tenant environments · Hybrid controls: standards need to be updated to accommodate that some controls may be applicable across multiple layers of infrastructure, with different responsible parties at each layer · Lack of system and control documentation: this is an area that vendors just need to be prepared to address We suggest that the FISMA guidelines be updated to provide clarity in the first two issues noted above and would welcome the opportunity to provide direct feedback in these areas to those who are responsible for writing/amending the guidelines. There have been some changes made recently to NIST 800-37 (revision 1) that will make a unified standard and methodology easier to achieve over the long term. However, we feel that these changes do not yet directly address the areas that we’re suggesting above. 8 www.rightnow.com Share This
  • 11.
    AUTHORS Ben Nelson CISO & Director, IT Services RightNow Technologies Stefen Smith, CISSP-ISSEP Chief Technology Officer SecureForce ABOUT SECUREFORCE SecureForce is passionate about cyber security. We are comprehensive in our approach to providing end-to-end security solutions using state-of-the-art technologies supplemented with constantly evolving knowledge and expertise. Our methods are singularly focused on removing the threat of cyber exploitation. Located in Washington, DC, SecureForce has the proven credentials to assess, architect, engineer, certify, accredit, and operate the security infrastructure of the largest government agencies and corporations located in the U.S. and abroad. ABOUT RIGHTNOW RightNow (NASDAQ: RNOW) delivers the high-impact technology solutions and services organizations need to cost-efficiently deliver a consistently superior customer experience across their frontline service touchpoints. Approximately 1,900 corporations, government agencies, and institutions worldwide depend on RightNow to achieve their strategic objectives and better meet the needs of those they serve. RightNow is headquartered in Bozeman, Montana. For more information, please visit www.rightnow.com. RightNow is a registered trademark of RightNow Technologies, Inc. NASDAQ is a registered trademark of the NASDAQ Stock Market. Contact us today to find out how we can help you create the best possible customer experience for your customers. Our solutions: RightNow CX RightNow Social Experience RightNow Engage The Customer Experience Suite RightNow Web Experience RightNow Contact Center Experience RightNow CX Cloud Platform Be social with us: RightNow.com Twitter Facebook YouTube LinkedIn RightNow Blog 9 www.rightnow.com Share This