Security & Trust
When it comes to using software as a service, security and privacy controls are always a top priority. At Carbyne we are committed to the protection of confidentiality, integrity, availability and privacy of our customer’s data and to their service continuity. We are committed to providing our customers with a highly secure and reliable environment for its cloud-based application. Carbyne’s cloud service is secure, reliable and trusted. The service offers a platform through which businesses can safely store and process personal and internal data.
Security and compliance are top priorities for Carbyne because they are fundamental to your experience with the product. Carbyne is committed to securing your application’s data, eliminating systems vulnerability, and ensuring continuity of access.
The Carbyne cloud service is based on Amazon Web Services (AWS) as an Infrastructure as a Service (IaaS) provider. AWS provides top industry security measures and is also compliant with the following certifications, assurance programs and third-party verifications:
SOC2+ – Internal controls report capturing how a company safeguards customer data and how well those controls are operating
ISO 27001 – Information Security Management System (ISMS) covering infrastructure, datacentres, and services
HIPAA – Health Insurance Portability and Accountability Act
CSA STAR Level 1 – Cloud Security Alliance (CSA) Consensus Assessments Initiative Questionnaire (CAIQ)
The following compliance programs are applicable to Carbyne cloud services, address all aspects of security and data privacy and maintain the confidence of our customers in the status of information security that we provide.
Carbyne cloud service has been ISO 27001:2013. This security standard outlines the requirements for information security management systems and is the highest level of global information security standard available today. This certification provides our customers the assurance that Carbyne cloud service meets stringent international standards on security.
SOC 2 Type II Audit Report
Carbyne cloud service is audited annually against the Service Organization Control (SOC) 2 Type II reporting framework by qualified independent auditors. The scope of audit for Carbyne cloud service covers key compliance controls and objectives applicable to in-scope trust principles. A copy of Carbyne cloud service SOC 2 Report can be requested via Carbyne Sales Account Team point of contact.
HIPAA and HITECH
Carbyne has implemented safeguards to adequately protect Protected Health Information (PHI) that may be captured by Carbyne products and stored in Carbyne Evidence. Carbyne can enter into Business Associate Agreements with customers who are covered entities or business associates under HIPAA and expect PHI to be processed or stored within Carbyne Evidence. Contact your Carbyne Sales Representative for more information.
CSA STAR (CAIQ) Level 1
Additionally, Carbyne has achieved Cloud Security Alliance (CSA) STAR Level 1 which addresses fundamental security principles across 16 domains to help cloud customers assess the overall security risk of a cloud service. STAR encompasses the key principles of transparency, rigorous auditing, cloud security and privacy best practices, and harmonisation of standards outlined in the Cloud Controls Matrix (CCM).
Carbyne has deployed physical security controls including access badges, video surveillance, fire detection equipment and other means and relies on Amazon Web Services to provide physical security for its data centers. These AWS data centers are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.
Once physical security is addressed, it is critical to ensure a robust network security posture. To this end, Carbyne has instituted the following measures:
Host Intrusion Detection System
Carbyne leverages OSSEC as Host-based Intrusion Detection System that performs log analysis, integrity checking, registry monitoring, rootkit detection, real-time alerting and active response. OSSEC has a central manager for monitoring and receiving information from agents, syslog, databases, and from agentless devices.
Carbyne leverages the firewall solution provided by the cloud service provider. By default, the cloud instances are configured in a default deny-all mode and Carbyne opens the ports needed to allow inbound traffic depending on the customer requirement.
Cloud Networking (VPC and Virtual Network)
For single-tenant based deployment, Carbyne employs Cloud Networking approach in order to launch isolated network specific for a customer. Within each Cloud Network, Carbyne defines multiple subnets to further group similar kinds of instances based on IP address range, and then set up routing and security to control the flow of traffic in and out of the instances. Refer to Carbyne Deployment Architecture overview document for supported deployment models.
AWS utilizes a wide variety of automated monitoring systems to provide a high level of service performance and availability. AWS monitoring tools are designed to detect unusual or unauthorized activities and conditions at ingress and egress communication points. These tools monitor server and network usage, port scanning activities, application usage, and unauthorized intrusion attempts. The tools have the ability to set custom performance metrics thresholds for unusual activity.
Network Access Control
Cloud instances hosting Carbyne solutions are located inside a private subnet and it will not be able to connect to them remotely from the internet. Connecting to these servers are made possible using bastion servers in the public subnet to act as proxies.
Now that Physical and Network Security are assured, the next level involves Data Security. Carbyne ensures the security and privacy of user information by encrypting data on all servers at rest and in transit. Our systems are designed to ensure data is protected at all times. Specifically, we’re using TLS v1.2 with strong ciphers to protect data in transit, and AES-256 to encrypt data at rest. User passwords are hashed and salted with a modern hash function. Carbyne’s cloud-based solution is deployed using Amazon Web Services (AWS), enabling us to guarantee high security through utilizing a series of high tech, best in the industry solutions that work to ensure the safety of all user data on the cloud network.
With Physical, Network, and Data Security assured, Carbyne also addresses Vulnerability Management:
– Application Security Testing: All code is tested for application security flaws such as those described by OWASP (Open Worldwide Application Security Project) Top 10. Carbyne uses application security testing tools and works with third party security experts to review our design, code and implementation.
– Penetration Testing: On a periodic basis, Carbyne conducts third-party penetration tests in different sandbox and production environments. These assessments are organized with consultation from customers so that the testing team has complete access to uncover any vulnerabilities.
Availability, Monitoring, and Capacity Planning
Beyond Physical / Network / Data Security and Vulnerability Management, Carbyne also engages in comprehensive Availability, Monitoring, and Capacity Planning, including:
Carbyne uses Cloud Load Balancing to manage and distribute traffic to different instances across all availability zones within a region, where the Carbyne solution has been deployed. Cloud Load Balancing has all the advantages of an on-premises load balancer, plus several security benefits.
Failover & Disaster Recovery
Carbyne has been architected to take advantage of multiple regions and availability zones of the cloud provider. Distributing applications across multiple availability zones and regions provides the ability to remain resilient in the face of most failure modes, including natural disasters or system failures.
Monitoring and Alerting
Carbyne utilizes several controls that are capable of warning of potential threats or misuse of the system. Each service in the Carbyne environment is monitored for operational effectiveness and to track availability. These metrics include but are not limited to network connectivity, CPU utilization, memory utilization, storage utilization, service status etc. Any failure will generate alerts that are pushed to the operations team through email and SMS.
Carbyne is built to support changes in the growth with auto-scaling and dynamically allocated resources, which means that customers can utilize beyond their allocated resources as demand increases.
Carbyne’s approach to Corporate Security encompasses a number of areas:
All company-provided workstations are enrolled in Mobile Device Management (MDM) and Endpoint Detection and Response (EDR) solutions to enforce security settings including full-disk encryption, screen lock, and OS updates.
All Carbyne product changes must go through code review, CI, and build pipeline to reach production servers. Only designated employees on Carbyne’s operations team have secure shell (SSH) access to production servers. We perform testing and risk management on all systems and applications on a regular and ongoing basis. New methods are developed, reviewed, and deployed to production via pull request and internal review. New risk management practices are documented and shared via staff presentations on lessons learned and best practices.
Carbyne maintains an internal wiki of security policies, which is updated on an ongoing basis and reviewed annually for gaps. An overview of specific security policies is available to Carbyne enterprise customers upon request:
- Access Management
- Change Management
- Data Request
- Data Management
- Information Security
- Incident Response
- Policy Management and Maintenance
- Risk Management
- Vendor Management
- Vulnerability Management
Carbyne conducts background checks for all new hires, including verification on the following:
- Identity verification
- Global watchlist check
- National criminal records check
- County criminal records check
- (U.S. only) Sex offender registry check
All new employees receive onboarding and systems training, including environment and permissions setup, formal software development training (if pertinent), security policies review, company policies review, and corporate values and ethics training. All employees additionally complete security training at least once a year. Policies presented to employees as part of the onboarding process are reviewed once a year to ensure we are keeping up with best practices.
Carbyne uses best practices provided by AWS to ensure highest security and has referred to the following documentation while developing the security architecture.
Carbyne has also undergone a thorough well-architecture review process from AWS which is based on the four pillars—security, reliability, performance efficiency, and cost optimization.