As a result, we have put an enormous amount of time and energy into robust security practices. If elite paramilitary hackers broke into our data centers and took the physical servers, ran keyloggers on our machines, took snapshots of our DB, stole our laptops and ironkeys … they still wouldn’t have enough to compromise our users’ sensitive data.
Below are some highlights but if you’d like more detail, we’d be happy to arrange a call with someone on your team.
Cloudability SOC reports are independent third-party examination reports that demonstrate how Cloudability achieves key compliance controls and objectives. The purpose of these reports is to help you and your auditors understand the Cloudability controls established to support operations and compliance.
Your sensitive data is encrypted every step of the way; we never receive or transmit unencrypted account information. We first encrypt it in the browser, then re-encrypt it with an even more secure algorithm (RSA 2048 and SHA-256) once it reaches our servers. All web connections are sent via 256-bit SSL.
Cloudability uses roles for cross-account access, which is the current best practice for granting access to resources in one account (yours) to a trusted principal in a different account (Cloudability). Cloudability does not require an IAM User, nor does it require you to share Access Keys, which are outdated processes with potential security risks. Roles created to grant Cloudability access to your account follow a specific policy that can easily be revoked by you at any time. Cloudability always uses an external ID when assuming the cross-account role, according to AWS best practices to avoid the "confused deputy" problem.
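The external ID described above lives in the trust policy of the role you create in your own account. The following Python is an added example (not Cloudability's code or a policy they publish) that builds a trust policy with and without the `sts:ExternalId` condition, includes a defender-side check that flags any cross-account trust lacking that condition, and evaluates, in a simplified model of STS, why a caller that does not present the matching external ID is refused. The account ID and external ID are constructed placeholders.

```python
import json

# Constructed placeholder values; not real account IDs or external IDs.
TRUSTED_ACCOUNT_ID = "111122223333"   # the third party's AWS account
EXTERNAL_ID = "example-external-id"   # unique per customer, issued by the third party


def build_trust_policy(trusted_account_id, external_id=None):
    """Return an IAM role trust policy that lets the trusted account assume the role.

    When external_id is given, sts:AssumeRole is only allowed if the caller also
    presents a matching sts:ExternalId. That condition is the AWS-documented
    mitigation for the confused-deputy problem: a third party cannot be tricked
    into assuming your role on behalf of someone who does not know your ID.
    """
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id is not None:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def cross_account_trusts_without_external_id(policy):
    """Audit helper: list AWS principals allowed to assume the role without an
    sts:ExternalId condition. An empty list means every cross-account trust
    in this policy requires an external ID."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if "sts:AssumeRole" not in actions:
            continue
        principal = stmt.get("Principal", {})
        aws_principals = principal.get("AWS", []) if isinstance(principal, dict) else []
        if isinstance(aws_principals, str):
            aws_principals = [aws_principals]
        condition = stmt.get("Condition", {})
        has_external_id = any(
            "sts:ExternalId" in body
            for body in condition.values()
            if isinstance(body, dict)
        )
        if aws_principals and not has_external_id:
            findings.extend(aws_principals)
    return findings


def assume_role_permitted(policy, caller_account_id, presented_external_id=None):
    """Simplified model of the STS trust-policy check (not AWS's full evaluator):
    the call succeeds if some Allow statement names the caller's account and its
    sts:ExternalId condition, when present, matches what the caller presented."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRole":
            continue
        if stmt["Principal"]["AWS"] != f"arn:aws:iam::{caller_account_id}:root":
            continue
        required = (
            stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        )
        if required is None or required == presented_external_id:
            return True
    return False


if __name__ == "__main__":
    weak = build_trust_policy(TRUSTED_ACCOUNT_ID)
    strong = build_trust_policy(TRUSTED_ACCOUNT_ID, EXTERNAL_ID)
    print("Weak policy findings:", cross_account_trusts_without_external_id(weak))
    print("Strong policy findings:", cross_account_trusts_without_external_id(strong))
    print(json.dumps(strong, indent=2))
    # A caller that knows the trusted account but not the external ID is refused.
    print("Without external ID:", assume_role_permitted(strong, TRUSTED_ACCOUNT_ID))
    print("With external ID:", assume_role_permitted(strong, TRUSTED_ACCOUNT_ID, EXTERNAL_ID))
```

The audit helper is the part worth keeping: run it over the trust policies of every role you have granted to a vendor, and treat any principal it returns as a role that relies on the vendor never being confused about which customer it is acting for.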
Cloudability uses Enterprise Agreement (EA) API Access Keys to collect cost data from Microsoft Azure. This is Azure's best practice for obtaining cost data. API Keys are uploaded to Cloudability over an encrypted connection and can be revoked and regenerated by you at any time. The Azure Platform requires these API keys to be rotated every 6 months.
Cloudability uses Azure's Enterprise Applications with federated role-based access to collect infrastructure utilization metrics from your Azure environment. You trust Cloudability's enterprise application and provide it read-only access to this metric data. Additionally, for certain utilization metrics, you generate time-based Shared Access Signature (SAS) tokens that you provide to Cloudability in order to access them from your Azure Storage. These tokens expire every 90 days and must be regenerated and uploaded to Cloudability.
Cloudability uses roles for cross-project access. This is the current best practice for granting access to resources in one project (yours) to a trusted member in a different account (Cloudability). Cloudability does not require a Service Account in your projects, and does not require a Service Account key. Roles created to grant Cloudability access to your account follow the principle of least privilege. Permissions can be revoked by you at any time.
Cloudability is an official solution provider for Amazon Web Services. See our official AWS page
Cloudability’s data is stored on AWS data centers that have achieved ISO 27001 certification, PCI DSS Level 1 compliance, and SAS70 Type II. Learn more about AWS security
Staff members do not have the ability to decrypt encrypted account data, and we use extensive best practices to keep your sensitive information secure.
If you’d like more detail about our approach to security, we’d be happy to arrange a call with a member of your team. Email support at cloudability.