Security is Our Top Priority
At CloudPassage, the security, integrity, and availability of our customers’ applications and data are a top priority. We have implemented a multi-layered security approach that protects systems, services and data against unauthorized use, disclosure, modification, damage and loss.
Data Center Security
CloudPassage®, a Fidelis Cybersecurity® company, operates its Fidelis CloudPassage Halo® (“Fidelis Halo”) processing grids through Amazon Web Services (AWS), which ensures data center security, per their shared responsibility model. These security controls are described in the AWS documentation at https://aws.amazon.com/compliance/data-center/controls/.
Systems & Application Security
SYSTEM SECURITY
- New systems are provisioned with a hardened operating system (only necessary programs and services)
- Security patches are applied on a regular basis
- Provisioning follows documented policies and procedures
- All systems are firewall protected
- Fidelis Halo constantly monitors the internal network, provides daily status emails, and provides weekly vulnerability scans of all internal machines
- Virus scanning and detection are on all machines
APPLICATION SECURITY
- CloudPassage tests all code for security vulnerabilities before release and regularly scans networks and systems for vulnerabilities.
- Fidelis Halo services are based on proven and secure open-source solutions and custom applications.
- Applications and servers are regularly patched to provide ongoing protection from exploits
SECURITY MONITORING
- The Information Security team monitors internal and external security events and implements corrective actions
- Systems access is logged and tracked for auditing purposes
- Application access logs are collected and analyzed according to internal security procedures
INTERNAL AND THIRD-PARTY TESTING AND ASSESSMENTS
- All code is tested for security vulnerabilities prior to release
- Third-party assessments are conducted regularly:
  - Application vulnerability threat assessments
  - Network vulnerability threat assessments
  - Selected penetration testing and code review
  - Security control framework review and testing
Security Certification
SSAE-16 SOC 2
CloudPassage has been audited against the Service Organization Control (SOC) reporting framework for SOC 2, Type 2. The SOC 2 report is available to customers to meet a wide range of US and international auditing requirements.
The SOC 2 is an evaluation of the design and operating effectiveness of controls that meet the criteria for the security principle set forth in the AICPA’s Trust Services Principles criteria. This report provides additional transparency into Fidelis Halo security and availability based on a defined industry standard and further demonstrates CloudPassage’s commitment to protecting customer data.
PCI DSS 3.2 LEVEL 1
Our PCI DSS 3.2 compliance certifies safe and secure handling of credit card holder information. As overseen by the Payment Card Industry Security Standards Council (PCI SSC), CloudPassage places stringent controls around cardholder data as both a service provider and merchant.
The Fidelis Halo service does not store, process, or transmit any cardholder data. Under the PCI Data Security Standards, our services fall into the category of impacting the security of cardholder data and as such, we acknowledge our responsibility to comply with applicable requirements for PCI for our environment. As CloudPassage does not perform hosting services, customers are fully responsible for meeting all PCI DSS requirements within their own environments.
CSA STAR LEVEL 1
The CSA Security, Trust & Assurance Registry (STAR) is a free, publicly accessible registry that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering contracting with. CloudPassage is a CSA STAR registrant and has completed the Cloud Security Alliance (CSA) Consensus Assessments Initiative Questionnaire (CAIQ). The latest version of the CAIQ, aligned to CSA’s Cloud Controls Matrix (CCM) v.3.0.1, provides answers to almost 300 questions a cloud customer or a cloud security auditor may wish to ask of a cloud provider.
A CSA STAR Level 1 Questionnaire for CloudPassage is available for download on the Cloud Security Alliance’s website.
Supported Regions
All Fidelis CloudPassage Halo services officially support customers in their data centers and all globally connected regions for AWS, Azure, and GCP.
AMAZON WEB SERVICES
US East (N. Virginia, Ohio), US West (Oregon, N. California), GovCloud (US-West, US-East), Canada (Central), South America (São Paulo), Europe (Frankfurt, Ireland, London, Milan, Paris, Stockholm), Middle East (Bahrain), Africa (Cape Town), Mainland China (Beijing and Ningxia), Asia Pacific (Singapore, Sydney, Tokyo, Seoul, Osaka, Mumbai, Hong Kong)
MICROSOFT AZURE
US (Central, East, East 2, East 3, North Central, South Central, West Central, West, West 2, West 3), US DoD (Central, East), US Gov (Arizona, Texas, Virginia), US Sec (East, West, West Central), Brazil South, Canada (Central, East), Mexico Central, S. Africa Central, Asia (East, Southeast), Australia (Central, East, Southeast), China (East, East 2, North, North 2, North 3), India (Central, South, West), Japan (East, West), Korea (Central, South), Europe (North, West), France Central, Germany West Central, Norway East, Switzerland North, UK (South, West), UAE North
GOOGLE CLOUD PLATFORM
Oregon, Los Angeles, Salt Lake City, Las Vegas, Iowa, S. Carolina, N. Virginia, Montreal, Toronto, São Paulo, London, Belgium, Netherlands, Zurich, Frankfurt, Finland, Warsaw, Mumbai, Delhi, Singapore, Jakarta, Hong Kong, Taiwan, Tokyo, Osaka, Sydney, Melbourne, Seoul