Workfront Fusion enforces several best-practice security standards to ensure data is appropriately scoped to the most limited set of required uses, is maintained and transferred securely, and is safe from external threats. Security mechanisms include, but are not limited to:
Connector Authentication - Workfront Fusion includes a set of application connectors that enable administrators to connect to other applications without coding. Each connector is built to use the connecting vendor’s preferred authentication mechanism to securely authenticate to related APIs. Best-practice authentication mechanisms include the use of OAuth2, wherein usernames and passwords are never stored in Workfront Fusion. Connected applications that support OAuth2 can revoke Workfront Fusion’s access at any time without having access to Workfront Fusion. Workfront Fusion users can also revoke Workfront Fusion’s access to the connected solution at any time. Additionally, all information related to credentials (such as the target URL of other systems and usernames) is never retrievable by administrators using Workfront Fusion.
Connector Authorization - Workfront Fusion leverages the authorization mechanisms enabled by connected applications to ensure that users only have access to the information and actions for which they are authorized. If a user’s credentials do not enable them to access information in the connecting application, that information will not be accessible within Workfront Fusion.
Data Encryption - Workfront Fusion interacts with connectors through the highest level of security offered by the connected solution. At a minimum, data is encrypted in transit over a TLS connection.
Role-Based Access - Workfront Fusion has multiple roles and authorization controls that ensure that Workfront Fusion users only have access to their own flows and connections, and those flows and connections that have been explicitly shared with them.
Intrusion Prevention - Workfront Fusion, like Workfront, follows best practices in preventing unauthorized access to the platform. Such best practices include those outlined by the Open Web Application Security Project (OWASP) and other common intrusion prevention mechanisms. This includes regular security testing.
How is Fusion 2.0 different from a security perspective?
Our new Fusion experience, Fusion 2.0, is hosted and runs on the same infrastructure we have always used for Fusion. This means that the security controls that have been in place for Fusion in the past are still in place with Fusion 2.0. As with legacy Fusion, our new experience is regularly tested for security weaknesses so that we can keep customer data as secure as possible. There are no changes from a security perspective between legacy Fusion and Fusion 2.0.