Resources
Cyber Security
When it comes to using software as a service, security and privacy controls are always a top priority. At Carbyne we are committed to the protection of confidentiality, integrity, availability and privacy of our customer’s data and to their service continuity. We are committed to providing our customers with a highly secure and reliable environment for its cloud-based application. Carbyne’s cloud service is secure, reliable and trusted. The service offers a platform through which businesses can safely store and process personal and internal data.
Security and compliance are top priorities for Carbyne because they are fundamental to your experience with the product. Carbyne is committed to securing your application’s data, eliminating systems vulnerability, and ensuring continuity of access.
Compliance Programs
The Carbyne cloud service is based on Amazon Web Services (AWS) as an Infrastructure as a Service (IaaS) provider. AWS provides top industry security measures and is also compliant with the following certifications, assurance programs and third-party verifications:
ISO 27001
Information Security Management System (ISMS) covering infrastructure, datacenters, and services. Carbyne cloud service has been ISO 27001:2013. This security standard outlines the requirements for information security management systems and is the highest level of global information security standard available today. This certification provides our customers the assurance that Carbyne cloud service meets stringent international standards on security.
SOC 2 Type II Audit Report
Internal controls report capturing how a company safeguards customer data and how well those controls are operating. Carbyne cloud service is audited annually against the Service Organization Control (SOC) 2 Type II reporting framework by qualified independent auditors. The scope of audit for Carbyne cloud service covers key compliance controls and objectives applicable to in scope trust principles. A copy of Carbyne cloud service SOC 2 Report can be requested via Carbyne Sales Account Team point of contact.
HIPAA and HITECH
Health Insurance Portability and Accountability Act. Carbyne has implemented safeguards to adequately protect Protected Health Information (PHI) that may be captured by Carbyne products and stored in Carbyne Evidence. Carbyne can enter into Business Associate Agreements with customers who are covered entities or business associates under HIPAA and expect PHI to be processed or stored within Carbyne Evidence. Contact your Carbyne Sales Representative for more information.
CSA STAR (CAIQ) Level 1
Cloud Security Alliance (CSA) Consensus Assessments Initiative Questionnaire (CAIQ). Additionally, Carbyne has achieved Cloud Security Alliance (CSA) STAR Level 1 which addresses fundamental security principles across 16 domains to help cloud customers assess the overall security risk of a cloud service. STAR encompasses the key principles of transparency, rigorous auditing, cloud security and privacy best practices, and harmonisation of standards outlined in the Cloud Controls Matrix (CCM).
Physical Security
Carbyne has deployed physical security controls including access badges, video surveillance, fire detection equipment and other means and relies on Amazon Web Services to provide physical security for its data centers. These AWS data centers are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.
Network Security
Once physical security is addressed, it is critical to ensure a robust network security posture. To this end, Carbyne has instituted the following measures:
Host Intrusion Detection System
Carbyne leverages OSSEC as Host based Intrusion Detection System that performs log analysis, integrity checking, registry monitoring, rootkit detection, real time alerting and active response. OSSEC has a central manager for monitoring and receiving information from agents, syslog, databases, and from agentless devices.
Firewalls
Carbyne leverages the firewall solution provided by the cloud service provider. By default, the cloud instances are configured in a default deny all mode and Carbyne opens the ports needed to allow inbound traffic depending on the customer requirement.
Cloud Networking (VPC and
Virtual Network)
For single tenant based deployment, Carbyne employs Cloud Networking approach in order to launch isolated network specific for a customer. Within each Cloud Network, Carbyne defines multiple subnets to further group similar kinds of instances based on IP address range, and then set up routing and security to control the flow of traffic in and out of the instances. Refer to Carbyne Deployment Architecture overview document for supported deployment models.
Network Security
AWS utilizes a wide variety of automated monitoring systems to provide a high level of service performance and availability. AWS monitoring tools are designed to detect unusual or unauthorized activities and conditions at ingress and egress communication points. These tools monitor server and network usage, port scanning activities, application usage, and unauthorized intrusion attempts. The tools have the ability to set custom performance metrics thresholds for unusual activity.
Networking Access Control
Cloud instances hosting Carbyne solutions are located inside a private subnet and it will not be able to connect to them remotely from the internet. Connecting to these servers are made possible using bastion servers in the public subnet to act as proxies.
Authentication/Universal Login
Multi-Factor Authentication: Enhances security by allowing only authorized individuals access to Carbyne’s products and associated documents, adding an extra layer of protection.
Role-Based Authorization: Allows you to assign access to specific individuals for all types of business transactions, ensuring only authorized actions are performed.
Flexible Authentication Methods: Carbyne provides a variety of authentication methods, including SAML, OAuth, Password-based, and Single Sign-On (SSO). These methods can be individually enabled or disabled for an account. For users who authenticate with a username and password, there is an option to enable two-factor authentication (2FA) for an added layer of security during sign-in.
Single Sign-On (SSO): Allows users access to multiple applications with one set of login credentials (e.g., name and password). The service authenticates the end user for all the applications they have been given rights to and eliminates further prompts when the user switches applications during the same session. This simplifies the user experience and increases security.
Data Security
Now that Physical and Network Security are assured, the next level involves Data Security. Carbyne ensures the security and privacy of user information by encrypting data on all servers at rest and in transit. Our systems are designed to ensure data is protected at all times. Specifically, we’re using TLS v1.2 with strong ciphers to protect data in transit, and AES-256 to encrypt data at rest. User passwords are hashed and salted with a modern hash function. Carbyne’s cloud-based solution is deployed using Amazon Web Services (AWS), enabling us to guarantee high security through utilizing a series of high tech, best in the industry solutions that work to ensure the safety of all user data on the cloud network.
Vulnerability Management
With Physical, Network, and Data Security assured, Carbyne also addresses Vulnerability Management:
Availability, Monitoring, and Capacity Planning
Beyond Physical / Network / Data Security and Vulnerability Management, Carbyne also engages in comprehensive Availability, Monitoring, and Capacity Planning, including:
Load Balancing
Carbyne uses Cloud Load Balancing to manage and distribute traffic to different instances across all availability zones within a region, where the Carbyne solution has been deployed. Cloud Load Balancing has all the advantages of an on-premises load balancer, plus several security benefits.
Failover & Disaster Recovery
Carbyne has been architected to take advantage of multiple regions and availability zones of the cloud provider. Distributing applications across multiple availability zones and regions provides the ability to remain resilient in the face of most failure modes, including natural disasters or system failures.
Monitoring and Alerting
Carbyne utilizes several controls that are capable of warning of potential threats or misuse of the system. Each service in the Carbyne environment is monitored for operational effectiveness and to track availability. These metrics include but are not limited to network connectivity, CPU utilization, memory utilization, storage utilization, service status etc. Any failure will generate alerts that are pushed to the operations team through email and SMS.
Capacity Planning
Carbyne is built to support changes in the growth with auto-scaling and dynamically allocated resources, which means that customers can utilize beyond their allocated resources as demand increases.
Corporate Security
Carbyne’s approach to Corporate Security encompasses a number of areas:
Malware Protection
All company-provided workstations are enrolled in Mobile Device Management (MDM) and Endpoint Detection and Response (EDR) solutions to enforce security settings including full-disk encryption, screen lock, and OS updates.
Risk Management
All Carbyne product changes must go through code review, CI, and build pipeline to reach production servers. Only designated employees on Carbyne’s operations team have secure shell (SSH) access to production servers. We perform testing and risk management on all systems and applications on a regular and ongoing basis. New methods are developed, reviewed, and deployed to production via pull request and internal review. New risk management practices are documented and shared via staff presentations on lessons learned and best practices.
Security Policies
Carbyne maintains an internal wiki of security policies, which is updated on an ongoing basis and reviewed annually for gaps. An overview of specific security policies is available to Carbyne enterprise customers upon request:
Background Checks
Carbyne conducts background checks for all new hires, including verification on the following:
Security Training
All new employees receive onboarding and systems training, including environment and permissions setup, formal software development training (if pertinent), security policies review, company policies review, and corporate values and ethics training. All employees additionally complete security training at least once a year. Policies presented to employees as part of the onboarding process are reviewed once a year to ensure we are keeping up with best practices.
References
Carbyne uses best practices provided by AWS to ensure highest security and has referred to the following documentation while developing the security architecture.
Carbyne has also undergone a thorough well-architecture review process from AWS which is based on the four pillars—security, reliability, performance efficiency, and cost optimization.