Cloud Services Security and Privacy Guide
Date Last Revised: September 2021
This guide is an overview of the people, processes, and technology that Blueshift Inc. and its subsidiaries (“Blueshift” or “us”, “our”) uses to develop, test, and deploy our cloud products.
When evaluating the security of a cloud solution, it is important to distinguish between:
- “security of the cloud”—security measures that the cloud service provider implements and operates.
- “security in the cloud”—security measures that the cloud user implements and operates, covering the security of the applications that use AWS services.
Blueshift uses Amazon Web Services™ (AWS) as our cloud hosting provider. AWS shares responsibility with Blueshift for the security of cloud operations. AWS provides “security of the cloud” while Blueshift provides “security in the cloud.” AWS publishes substantial documentation on their security best practices.
This guide describes Blueshift’s security procedures in five areas:
- How we protect your data
- Our operational security procedures
- Our secure development practices
- Our organizational security program and policies
- Privacy and compliance considerations
Security does not end with Blueshift. Your team also shares responsibility for security. AWS is responsible for the security of its infrastructure, Blueshift is responsible for the security of the Blueshift application(s), and you are responsible for the security of your accounts. Your team should choose strong passwords, enable two-factor authentication for all users, and carefully protect the email accounts used to reset forgotten passwords. You should also review your internal data classifications and have a good understanding of what types of (regulated) data might be within your environment and processed by Blueshift.
As of the publication of this document in March 2020, Blueshift has initiated, but not yet achieved, the steps necessary to have its Cloud Services covered by an SSAE-16 SOC 2 Type 1 report (“SOC 2”). SOC 2 reports are developed and governed by the American Institute of Certified Public Accountants. Such reports are similar in structure to financial audit reports, except that they focus on technical controls instead of financial controls. SOC 2 is an industry standard used to validate the security controls that manage the confidentiality, integrity, and availability of cloud infrastructure and customer data. If you have questions that are not covered in this guide, contact your Blueshift representative or email us at firstname.lastname@example.org. Due to the evolving nature of threats and business needs, Blueshift reserves the right to modify our practices.
The security controls, processes, and procedures in this guide apply to all Blueshift products and services that are delivered via the cloud (referred to as “Cloud Services”).
In the world of the cloud, “data security” has different definitions for different people. This section covers data security from the following four perspectives:
- Physical—where your data is physically located.
- Political—the political environment where your data and data-controlling entities reside.
- Legal—the legal entities that control or process your data.
- Logical—which people and networks have access to your data.
AWS Cloud Hosting
AWS datacenters are staffed 24×7 by trained security guards. Datacenter access is authorized strictly on a least-privilege basis. AWS customers are not granted physical access to any AWS datacenter. Physical controls in AWS datacenters are validated by auditors as part of AWS’s SSAE-16 SOC 2 Type II report. Independent reviews of these physical controls are included in the AWS ISO 27001 audit, the PCI assessment, the ITAR audit, and FedRAMP testing programs. See the AWS Risk and Compliance Whitepaper for information about AWS physical security.
Private Datacenter in Fort Myers, FL
Resources in Blueshift’s private datacenter in Fort Myers, FL, are physically isolated in a dedicated area and restricted to authorized personnel. Physical controls include strict visitor access management procedures.
Political and Legal
Neither AWS nor Blueshift will disclose your data unless required by law, regardless of the source or type of political pressure applied. It is the policy of both AWS and Blueshift to notify customers before disclosing their data, unless we are legally prevented from doing so.
See Amazon Web Services Data Privacy FAQ for more information on AWS data privacy policies.
In providing Cloud Services, Blueshift may engage third-party service providers. Before engaging such providers, Blueshift conducts a review of the service provider’s security, privacy, and confidentiality practices, and contractually imposes Blueshift’s standard security and privacy requirements as required by applicable laws.
Each Cloud Service is an independent security and administrative domain. Administrator access to one Cloud Service does not mean access to another. Similarly, if one Cloud Service is compromised, it does not enable lateral movement into another Cloud Service. Each Cloud Service is further segmented, based on the service requirements and the principle of least privilege.
Access to data requires access to the systems on which it is processed, either through the operating system of the machine that processes the data or through the Blueshift application.
Only authorized Blueshift personnel have access to production systems where customer data is stored. All access is supplied via remote desktop or secure shell, authenticated per user, and requires a username, password, SSH public/private key pair, and a two-factor authentication token. Role-based access controls, audit logging, and the policy of least privilege are used to provide logical segmentation and tracking of user behavior on the assets each user is permitted to access. Network access to systems is restricted via comprehensive network controls.
The data from your endpoint(s) to the cloud instance is encrypted in transit by using Transport Layer Security (TLS). Blueshift closely monitors industry best practices for TLS configurations and makes sure that our products enforce appropriate protocols and ciphers. Any data transmission via unsecured transports is not supported and is strictly prohibited.
Reference individual product “Data Collection Guide” documents for specifics.
Data Segmentation and Destruction
Your data is segmented from the data of other Blueshift clients. When your license ends, your logins are disabled and Endpoint data stored in your console is purged within 90 days after termination of the business relationship. The destruction delay is a safeguard against miscommunication and coordination errors.
Audit Logging and Retention
Role-based access controls, audit logging, and the policy of least privilege are used to provide logical segmentation and tracking of authorized user behavior on assets. These logs are retained for 12 months.
Blueshift staffs a Cloud Network Operations Center with analysts to investigate any unusual activity. These analysts receive security alerts and respond as needed. Any abnormal activity is escalated for deeper investigation and response.
Activity from all of Blueshift’s Cloud Services is centrally logged. Scripts, pattern analysis, and threat intelligence sources are applied to the data to highlight suspicious activity. A team of security analysts actively reviews activity across all environments for signs of compromise.
Third-Party Penetration Tests
All of Blueshift’s Cloud Services undergo regular network penetration tests and intrusion exercises. The network penetration tests validate our configuration management procedures, and the intrusion exercises validate our detection and response procedures. To maintain the security and stability of our service, we do not allow clients to perform their own penetration tests against any Blueshift Cloud Service.
Secure Network, Operating System Configurations and Patch Management
Because each Cloud Service is an independent security and administrative domain, network configurations are tightly segmented. Public services are limited to TCP/80 and TCP/443 (HTTP and HTTPS), UDP/53 (VPN), and TCP/22 (SSH). HTTP simply redirects to HTTPS. Management access for administration is limited to the small number of cloud operations staff who are directly responsible for managing the service’s infrastructure.
Operating system configurations are tightly controlled and hardened. Beyond the security risk they pose, unnecessary services consume resources and present a stability risk to the availability and performance of the systems running on them. We carefully limit operating system services to those that are critical to the function of the operating system and our application.
Our Cloud Service team follows patch management procedures to make sure that software packages are at current patch levels, and all required security patches are applied. Patches are applied regularly as part of the routine operations and updates to the systems; exception procedures are in place for critical patches that require immediate application to maintain optimal security.
All of Blueshift’s Cloud Services use a variety of vulnerability scanning/management platforms to monitor systems for unexpected configuration changes and vulnerable software packages. These platforms run at least monthly. Many are in constant use and proactively deliver alerts to the Cloud Network Operations Center in near real time. As with penetration tests, we do not allow clients to perform their own vulnerability scans against any Blueshift Cloud Service.
Backups and Availability
Data backups and disaster recovery preparations adhere to each service’s defined recovery point objective (RPO) and recovery time objective (RTO). Each Cloud Service maintains procedures that are required for the specific technology that is used.
Blueshift Cloud Services are hosted on virtual machines, with data stored on a network SAN in an AWS datacenter in your selected region. AWS datacenters are highly available in their design: network, power, and other critical resources are redundant to mitigate the risk of wide datacenter outages.
Local and off-site backups are encrypted at rest using AES-256. Encryption keys are unique for each customer.
Blueshift’s product operations teams follow “Infrastructure as Code” development principles.
When infrastructure is code, it is checked into a source code repository. Proposed changes are tracked on a per-commit basis, and each commit includes a brief message with context, including a link to a ticket. Each change goes through a code review process in which automated testing and other checks must pass as a condition of acceptance before manual review by other members of the team.
These procedures mirror those of traditional software development processes, allowing consistent procedures and practices between application development and infrastructure management within the team. These practices are a core tenet of “DevOps.”
- Each proposed change undergoes automated acceptance testing, including QA tests and security-specific tests, static and dynamic code analysis.
- All proposed changes that pass acceptance testing must pass code review by at least one additional engineer who has sufficient knowledge of the system.
- Any security-sensitive changes must pass code review by the team’s designated security engineer.
- Both regular and security engineers have escalation procedures to senior members of the architecture and security teams to escalate change reviews as needed.
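As an added illustration of the “security-specific tests” in the acceptance step above (this is example code, not Blueshift’s own tooling), the following Python check audits a proposed security-group change against the public port allow-list stated in the network configuration section (TCP/80, TCP/443, UDP/53, TCP/22). The rule schema, the sample rules, and the operator address range are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Public services the guide permits to be reachable from any source address.
PUBLIC_ALLOWLIST = {("tcp", 80), ("tcp", 443), ("udp", 53), ("tcp", 22)}
ANYWHERE = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class IngressRule:
    """Minimal ingress rule modelled loosely on an AWS security-group entry (assumed schema)."""
    protocol: str   # "tcp", "udp", or "-1" (AWS shorthand for all protocols)
    from_port: int
    to_port: int
    cidr: str       # source address range


def audit_ingress(rules, operator_cidrs):
    """Return (severity, message) findings; an empty list means the change passes."""
    operators = [ip_network(c) for c in operator_cidrs]
    findings = []
    for r in rules:
        src = ip_network(r.cidr)
        if any(src.subnet_of(op) for op in operators):
            continue  # management traffic from operator ranges is out of scope for this check
        proto = r.protocol.lower()
        if proto == "-1":
            findings.append(("fail", f"{r.cidr}: all protocols and ports exposed"))
            continue
        ports = range(r.from_port, r.to_port + 1)
        bad = [p for p in ports if (proto, p) not in PUBLIC_ALLOWLIST]
        if bad:
            shown = ", ".join(f"{proto}/{p}" for p in bad[:3])
            more = f" (+{len(bad) - 3} more)" if len(bad) > 3 else ""
            findings.append(("fail", f"{r.cidr}: {shown}{more} not approved for public exposure"))
        if proto == "tcp" and r.from_port <= 22 <= r.to_port and src == ANYWHERE:
            # Hypothetical refinement: SSH open to the whole Internet is only a warning,
            # since the guide lists TCP/22 as public but limits management access to staff.
            findings.append(("warn", f"{r.cidr}: SSH exposed to the whole Internet"))
    return findings


def change_is_acceptable(rules, operator_cidrs):
    """Pipeline gate: any 'fail' finding blocks the merge; warnings go to the reviewer."""
    return not any(sev == "fail" for sev, _ in audit_ingress(rules, operator_cidrs))


# Constructed sample: a proposed security group for a web-facing Cloud Service.
OPERATOR_CIDRS = ["203.0.113.0/24"]  # placeholder for the operations team's address range
PROPOSED_RULES = [
    IngressRule("tcp", 80, 80, "0.0.0.0/0"),
    IngressRule("tcp", 443, 443, "0.0.0.0/0"),
    IngressRule("udp", 53, 53, "0.0.0.0/0"),
    IngressRule("tcp", 22, 22, "0.0.0.0/0"),          # SSH from anywhere: warning
    IngressRule("tcp", 5432, 5432, "0.0.0.0/0"),      # database port left open: failure
    IngressRule("tcp", 3389, 3389, "203.0.113.0/24"),  # RDP from operator range: accepted
]

if __name__ == "__main__":
    for sev, msg in audit_ingress(PROPOSED_RULES, OPERATOR_CIDRS):
        print(f"[{sev.upper()}] {msg}")
    print("acceptable" if change_is_acceptable(PROPOSED_RULES, OPERATOR_CIDRS) else "blocked")
```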
Denial of Service
Every Denial of Service (DoS) attack is unique, and the mitigation is tailored to the attack.
AWS uses proprietary techniques to mitigate the risk and reduce the impact of many off-the-shelf Distributed Denial of Service (DDoS) attacks. In the event of an attack, Blueshift personnel will actively work with AWS staff to develop countermeasures specific to the attack profile. This can be simple IP filtering, specialized proxy servers in front of the server, deep packet inspection, or any combination of these measures.
A secure product starts with secure development. The security of our products is critical for our customers and we are committed to doing our part to secure our products.
Security procedures in our product development teams are governed by the Blueshift Product Security Program. It includes three primary components:
- Product Risk Management Plan: A bottom-up evaluation of the risks to product security, the mitigations in place to reduce risks, and the areas in which we are investing to further reduce risks.
- Secure Development Lifecycle: Activities during software development that are required to make sure that security is deliberately considered during planning, development, and release testing.
- Security Response Center: Monitoring for and responding to vulnerabilities in our products post-release.
Secure Organization Policies and Procedures
Blueshift maintains a large library of policies and procedures related to information security and privacy. These policies are reviewed and refreshed at least annually, or as required. They are provided to employees during the hiring process as part of initial training and are always available to employees via a web portal. Blueshift does not distribute these policies externally. As part of our ongoing SSAE-16 SOC 2 assessment process, our auditors will review these policies to ensure their suitability. Summaries of the SOC 2 reports will be made available upon request once they exist.
Blueshift takes a blended approach to information security policies and procedures. The executive staff administers the program and sets the policies and frameworks for the company and our personnel. The Engineering Product Security Team manages the day-to-day execution of the cloud-specific security operations policies and procedures. Governance of this security program currently includes oversight by the Chief Executive Officer, Chief Financial Officer, Chief Technology Officer, and VP of Engineering.
Every Blueshift employee undergoes a background screening during the hiring process. Background checks for US personnel include:
- 7-year criminal history search at federal, state, and county levels (county availability is state-dependent)
- Social security trace
- Widescreen Plus National Criminal Search
- Social security validation
The background screening must be completed with no material findings before an employee’s start date or contract start.
Every Blueshift employee’s employment agreement includes confidentiality clauses that explicitly describe and legally protect customer/confidential data. Any raw or attributable data from our customers is considered Customer Data and is subject to the usage described in the applicable license agreement. Agreements with third-party service providers also include confidentiality clauses.
Acceptable Use and Code of Conduct
All Blueshift employees are bound by Blueshift’s code of business conduct, which outlines the behaviors that our culture demands and describes appropriate use of our information and information systems.
In addition to the Acceptable Use policy, Blueshift maintains detailed security policies that describe appropriate use of our information systems, specific to security concerns. Employees are required to review and acknowledge the security policies annually.
Every Blueshift employee undergoes regular security training. Training content is regularly refreshed to reflect current threats and trends in the security industry. Employees are required to acknowledge that they understand their responsibilities in the security of our systems.
Data Classification, Data Handling and Data Retention Policies
In addition to the Personnel Security policies that provide guidelines to our employees, Blueshift maintains separate policies specific to classification, handling, and data retention. These policies provide guidelines to ensure consistency across the entire company in the classification, handling, and retention of all data, including customer data.
Incident Response Plans and Exercises
Blueshift maintains a detailed incident response plan to prepare for the technical and administrative aspects of handling a potential breach. Like other policies, the incident response plan is reviewed and updated regularly to make sure that it remains consistent and complete. Blueshift staffs a team of responders that monitor our Cloud Services for suspicious activity, using a variety of data sources and methods. In the event of an actual breach, we commit to notifying any customer whose data has been compromised as soon as possible.
Business Continuity Management
Blueshift’s Cloud Services are architected to be highly available and minimize or eliminate single points of failure. Service architecture follows modern cloud application practices to make sure that the service remains available.
Additionally, each Cloud Service is an independent administrative domain that is logically isolated from every other Cloud Service as well as from Blueshift’s internal office automation and IT systems. For example, failure of Blueshift’s email server or a domain controller does not impact your service, and each service is architected to further isolate failure domains and limit the impact of failure as much as is practical.
Blueshift’s Corporate IT services for critical business processes are similarly architected to eliminate or reduce single points of failure in technical systems and personnel. Even in the event of a catastrophic outage that affects Blueshift’s Fort Myers headquarters, critical support operations could be rapidly transferred to personnel in other regions until service is restored.
All of Blueshift’s Cloud Services undergo ongoing risk assessment to minimize risk to the security and availability of Blueshift’s Cloud Services. Any high-risk item is considered for additional investment to reduce the risk.
Privacy and Compliance
Blueshift’s Cloud Services collect data in two classes:
- Device attributes: At initial registration and at each check-in, attributes such as computer name and operating system are collected and stored for computer management, context, and event correlation.
- Packet metadata: All ingress and egress network traffic is collected, decoded (not decrypted), and used for analysis, event and incident detection, and threat hunting.
The data can include user or device IDs, IP addresses, executable files, file paths, file names, email addresses, binary data, and other attributes. Some of these attributes can constitute ‘personal data’ under applicable privacy laws such as the General Data Protection Regulation (“GDPR”). Blueshift has conducted an extensive review of all data elements that each Cloud Service collects and processes. A more detailed breakdown of the data elements collected is available upon request after an NDA has been executed.
Blueshift Privacy Program
Blueshift respects and is committed to protecting personal data. Our data protection and privacy program reflects current global principles, legal frameworks and standards on processing personal data.
To read Blueshift’s full privacy statement, see our Policies page.
General Data Protection Regulation (GDPR)
Processing personal data to ensure network security is broadly recognized as a “legitimate interest” under the GDPR. Recital 49 of the GDPR says that every data controller has a legitimate interest in
“the processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams, computer security incident response teams, by providers of electronic communications networks and services and by providers of security technologies and services.”
Blueshift’s Cloud Services are aimed at preventing unauthorized malware, malicious code or other attack distribution and damage to computer systems. Please consult your privacy advisor for proper classification of the legal basis under the GDPR before deploying Blueshift’s Cloud Services.
Although Blueshift’s Cloud Services are not a compliance tool, certain cloud services are often used by our customers to detect, contain and respond to a data breach. For example, Blueshift for Networks empowers security operations teams and/or incident response teams to proactively hunt for threats, uncover suspicious behavior, disrupt active attacks, and address gaps in defenses.
Other Compliance Requirements and Blueshift
Blueshift’s Cloud Services may or may not help you meet your compliance requirements.