Approach to the Infrastructure Layer
Cloudsnap runs its staging and production environments entirely on Amazon Web Services. Amazon Web Services is the largest infrastructure provider in the world, employs world-class security experts, and uses the most advanced security methods — both virtual and physical — to protect their infrastructure. You can read more about Amazon Web Services’ approach to security here: https://aws.amazon.com/security/.
Approach to the Application, Data and Network Layer
Cloudsnap uses a distributed and containerized architecture for its applications and each microservice has strict access policies. Cloudsnap utilizes availability zones to achieve fault tolerance and high availability.
Customer data is encrypted both in transit and at rest. Cloudsnap uses the industry standard AES-256 to encrypt customer data. Cloudsnap manages its keys using the Amazon Web Services Key Management Service, which uses hardware security modules that have been validated under FIPS 140-2, or are in the process of being validated, to generate and protect keys. Cloudsnap’s platform is only accessible over HTTPS and all traffic sent over HTTPS is encrypted.
Cloudsnap runs weekly vulnerability scans and utilizes intrusion detection systems to ensure application, data and network security. Cloudsnap utilizes services to protect against DDoS attacks. Cloudsnap uses web application firewalls to protect internal applications from the public internet. All traffic is analyzed against a set of custom rules to block common attack patterns, such as SQL injection or cross-site scripting. All internal applications run on private subnets and virtual private clouds. Internal applications cannot be accessed via the public internet and administrative access to Cloudsnap is performed via VPN or other secure protocols.
Cloudsnap’s staging and production systems are monitored on a 24×7 basis and third-party penetration testing is performed on an annual basis. All application, data and network actions are logged. The retention of customer data logs can be adjusted by the customer (or defaults to the retention period of the customer-selected plan) and sensitive customer data can be masked at a customer’s request. Cloudsnap performs nightly backups and has a robust Disaster Recovery and Business Continuity plan in place.
Authenticating with Third-Party Applications
To integrate applications and transfer data across applications, Cloudsnap requires customer or vendor-supplied credentials to third-party applications (e.g. Concur, Salesforce, SAP, etc.). When possible, Cloudsnap uses OAuth 2 to authenticate with third-party applications. When using OAuth 2, Cloudsnap does not store credentials in its systems, other than an access token used to maintain the connection. When OAuth cannot be used to authenticate, Cloudsnap stores encrypted credentials using an industry standard 256-bit key.
Connecting to Third-Party Applications
When Cloudsnap connects to third-party applications, Cloudsnap uses industry standard protocols. Cloudsnap typically uses HTTPS, but also uses FTPS, SFTP and other similar protocols to securely connect to third-party applications.
Connecting to On-Prem Environments
When Cloudsnap connects to an on-prem environment, Cloudsnap installs an agent behind the customer’s firewall. When the agent is installed, Cloudsnap generates a unique RSA 2048-bit public / private key pair. The public key is encrypted using Amazon Web Services’ Key Management Service, which uses hardware security modules that have been validated under FIPS 140-2, or are in the process of being validated, to generate and protect keys. The agent communicates with Cloudsnap over WebSocket with the ActionCable protocol, and the WebSocket connection is encrypted and protected by TLS.
Logging In as a Customer
Cloudsnap requires that its customers adhere to login best practices. Cloudsnap requires that customers maintain complex passwords and rotate passwords on a regular basis. Cloudsnap supports multi-factor authentication and supports single sign-on via LDAP / Active Directory or SAML. Cloudsnap stores customer passwords as secure hashes generated with Bcrypt, a best-in-class password hashing program. Additionally, Cloudsnap forces session logouts after a set period of time or a set period of inactivity.
Cloudsnap uses Stripe to process payments. Stripe has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1. This is the most stringent level of certification available in the payments industry. Cloudsnap does not process or store customer payment information. You can read more about Stripe’s approach to security here: https://stripe.com/docs/security.
Your Data Privacy
Our development teams and automation engineers receive regular training on secure coding practices. All employees are required to pass a background check that is administered via a third party. All employees are asked to sign a pledge regarding their roles and responsibilities as they relate to customer data and privacy. All employees are required to attend security awareness training annually.