This is a customer-facing page describing the security controls in place for ZenGRC Storage. For AWS' own documentation of the underlying service, see the S3 link below. As always, if you have additional questions, feel free to reach out to support@zengrc.com.

Questions

Where does my data go?

ZenGRC uses Amazon S3 for storage. As such, we inherit many of the security and availability controls put in place by AWS. Details of AWS' data durability controls for S3 can be found here: http://docs.aws.amazon.com/AmazonS3/latest/dev/DataDurability.html

How much does it cost?

There is no additional cost to use ZenGRC Storage. It's included in your subscription price.

Can I browse the repository?

Not directly. The data you store in ZenGRC Storage is visible only in ZenGRC - to retrieve a document, navigate to the object where it's attached.

How does access control work?

Access to ZenGRC Storage is controlled entirely by the ZenGRC application. If a user has access to an object in ZenGRC (such as an evidence Request), they have access to every file attached to that object.

Restrictions


Logging & Monitoring

How is my data protected in ZenGRC Storage?

Segregation

Each customer gets their own S3 bucket, logically segregated from other customers' buckets. Access to ZenGRC Storage requires access to an instance of the ZenGRC application: if users outside your organization don't have access to your ZenGRC app, they can't access data in your ZenGRC Storage. This relies on authenticated requests to S3; each customer's ZenGRC application has its own IAM key, used to access that customer's bucket.

Encryption at Rest

Currently, data is not encrypted at rest in ZenGRC Storage.

Encryption in Transit

Data is encrypted using TLS when in transit between the ZenGRC application and ZenGRC Storage (AWS S3).
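The two controls above, a per-customer bucket reached through a per-instance IAM key (Segregation) and TLS-only transport (Encryption in Transit), as an added example that is not ZenGRC's own configuration: it generates the IAM policy an instance's key would carry and the bucket policy that refuses plaintext requests, then checks sample requests against them with a small local evaluator. Bucket names, statement IDs, object keys and the evaluator are hypothetical and constructed for this demonstration; the S3 action names and the aws:SecureTransport condition key are real IAM identifiers.

```python
"""Added example (not ZenGRC's configuration): per-instance S3 segregation
and TLS-only access expressed as IAM/bucket policies, plus a minimal local
evaluator. Bucket names, Sids and requests are constructed for the demo."""
import json
from fnmatch import fnmatchcase


def instance_policy(bucket):
    """IAM policy for the access key of ONE application instance.

    Object read/write/delete is allowed only under its own bucket, and
    listing only of that bucket. Everything else falls through to IAM's
    implicit deny, so a key for customer A cannot even list customer B's
    bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ObjectsInOwnBucketOnly",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": f"arn:aws:s3:::{bucket}/*",
            },
            {
                "Sid": "ListOwnBucketOnly",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
            },
        ],
    }


def tls_only_bucket_policy(bucket):
    """Bucket policy enforcing encryption in transit: any request arriving
    without TLS (aws:SecureTransport == false) is refused regardless of the
    caller's IAM permissions, because an explicit Deny always wins."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            }
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(stmt, action, resource, secure_transport):
    """Does this statement apply to the request? Wildcards use '*'/'?'
    matching, close enough to IAM for the demo. Principal is ignored (the
    request is assumed to come from an in-account key) and the only
    condition key understood is aws:SecureTransport."""
    if not any(fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(resource, pat) for pat in _as_list(stmt["Resource"])):
        return False
    want = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
    if want is not None and str(secure_transport).lower() != want:
        return False
    return True


def is_allowed(policies, action, resource, secure_transport=True):
    """Simplified IAM evaluation: an applicable explicit Deny wins, otherwise
    any applicable Allow grants access, otherwise the implicit deny applies."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if _matches(stmt, action, resource, secure_transport):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


# Constructed scenario: two customer instances, one bucket each (hypothetical names).
BUCKET_A = "zengrc-customer-a"
BUCKET_B = "zengrc-customer-b"


def key_a_policies():
    """Everything in force for customer A's key: its own IAM policy plus the
    bucket policies of any bucket a request might target."""
    return [instance_policy(BUCKET_A),
            tls_only_bucket_policy(BUCKET_A),
            tls_only_bucket_policy(BUCKET_B)]


if __name__ == "__main__":
    print(json.dumps(instance_policy(BUCKET_A), indent=2))
    p = key_a_policies()
    own = f"arn:aws:s3:::{BUCKET_A}/evidence/request-42/report.pdf"
    other = f"arn:aws:s3:::{BUCKET_B}/evidence/request-7/report.pdf"
    print("A reads own evidence over TLS:   ", is_allowed(p, "s3:GetObject", own))
    print("A reads B's evidence:            ", is_allowed(p, "s3:GetObject", other))
    print("A reads own evidence, plaintext: ", is_allowed(p, "s3:GetObject", own, secure_transport=False))
    print("A lists all buckets:             ", is_allowed(p, "s3:ListAllMyBuckets", "*"))
```

Running it prints customer A's policy and the outcome of four requests: only the TLS read of A's own object succeeds. The evaluator covers just the slice of IAM logic needed here (explicit deny, then allow, then implicit deny; no Principal, NotAction or other condition keys), so use it to reason about the policies, not as a replacement for the IAM policy simulator.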


How do I share stored data with users outside of Zen?



Answers from Slobodan appear in purple

Data protection

  • How is data being protected?
    • Data is protected by Amazon's logging system. We're not protecting data, we're just using S3, which has its own security system. The users log into this system with their own credentials. Only we (as Reciprocity (devops)) have access to this, besides our customers.
  • How is data segregated - do we have one S3 bucket per instance, or one bucket that all customers use?
    • We have one S3 bucket per instance (we're not mixing data from different customers)

  • Are we encrypting information stored in S3? If so, who can decrypt it?
    • We're not encrypting this information. I don't know if this is even possible to do automatically, but it sounds like a lot of effort for not so much gain
  • Are keys shared between customers, or does each ZenGRC instance get its own encryption key?
    • Each instance has its own keys, which are from that customer only, and only our devops have access to them.

Backup schedules

  • How do we back up/replicate data in S3?
  • What is the frequency of backups?

Rok is probably more qualified than me to answer the questions about the backup. But the following is certainly true: we do regular DB backups to S3 (those are the same buckets that we use for evidence collection). These backups are only done for ZenGRC DB data. Now, the evidence data that's being stored on S3 is not being backed up; this is kinda pointless. AWS should take care of this automagically.

Access logs & restrictions

  • Who can access files/information in S3 (other than the customer)?
    • Only the customers can access their evidence data. Nobody outside of ZenGRC has access to this. Of course, this doesn't apply to our devops.
  • How is this access monitored/logged?
    • This access is not monitored or logged in ZenGRC. I don't know if S3 has automatic logging; it's possible that it does, but I'd have to double-check.
  • Do we have any security monitoring in place (e.g., if Rok downloads all the customer files stored in S3, would anybody get an alert?)
    • Again, our devops are an exception to the access restriction (because they have the keys). If they download or even delete the data, no one would get notified. But I don't see a problem in this fact, since the same thing would apply to the entire ZenGRC DB and the customer instance.

Other considerations

  • Versioning (S3 supports it, are we using it/exposing it to customers)?
  • Other types of access (API) - are there use cases for supporting this?
  • Compliance/Regulatory
    • Do we offer different configurations of S3 for different applications (e.g. geo-bounded storage for certain compliance requirements, or a higher level of encryption, etc.)?
  • BYO Options (relevant to compliance/regulatory)
  • Pricing (link to website?)
  • How do I share stored data with users outside of Zen?
  • Can I browse the repository?
  • How does access control work?