This is a customer-focused details page describing the security in place for ZenGRC storage. As always, if you have additional questions feel free to reach out to to support@zengrc.com
Questions
Where does my data go?
ZenGRC uses Amazon S3 for storage. As such, we inherent many of the security and availability controls put in place by AWS. Details of AWS' security controls can be found here: http://docs.aws.amazon.com/AmazonS3/latest/dev/DataDurability.html
S3 is a globally distributed platform, and as such data stored in it may leave particular geographic regions.
What if this configuration doesn't meet my security needs (e.g. I'm a HIPAA covered entity, or need EU-based storage for GDPR compliance)?
Reciprocity is working to deliver a Bring Your Own S3 option, with a projected delivery date in 4Q17. This will allow you to configure at-rest encryption, data monitoring, georestrictions, etc. to meet your unique needs. ZenGRC Storage relies on S3's REST API, so this will be as simple as providing ZenGRC with the URL and security keys to your own S3 bucket.
How much does it cost?
There is no additional cost to use ZenGRC Storage. It's included in your subscription price.
...
How does access control work?
Restrictions
Access to ZenGRC Storage is controlled by the ZenGRC application. If a user has access to an object in ZenGRC (such as an evidence Request), they have access to any files attached to that object.
...
Logging & Monitoring
Changes to ZenGRC objects are logged in the ZenGRC Events log. This includes updates such as metadata changes, as well as attaching evidence (files). Individual object history is visible to anyone with at least Reader permissions to that object, while Administrators have access to the system-wide event log.
Does anybody at Reciprocity have access to my ZenGRC Storage?
Yes. Your Customer Success Manager and GRC Expert may have access, since they are often granted access to your ZenGRC application. You can remove this access if you wish, by updating their permissions.
Reciprocity DevOps also has access to files in your ZenGRC storage, as they administer the AWS and S3 platforms. You can not remove this access if you use cloud-hosted ZenGRC. These DevOps users are trained on proper access procedures and policies, which include only accessing customer data in the course of troubleshooting or required maintenance duties.
Access Control Diagram
How is my data protected in ZenGRC Storage?
...
Data is encrypted using TLS when in transit between the ZenGRC application and ZenGRC Storage (AWS S3).
...
Answers from Slobodan appear in purple
Data protection
- How is data being protected?
Data is protected by Amazon logging system. We're not protecting data, we're just using S3, which has it's own security system. The users log into this system with their own credentials. Only we (as Reciprocity (devops)) have access to this, besides our customers
- Are we encrypting information stored in S3? If so, who can decrypt it?
- We're not encrypting this information. I don't know if this is even possible to do automatically, but it sounds like a lot of effort for not so much gain
- Are keys shared between customers, or does each ZenGRC instance get its own encryption key?
- Each instance has its own keys, which are from that customer only, and only our devops have access to them.
Backup schedules
- How do we back up/replicate data in S3?
- What is the frequency of backups?
Rok is probably more qualified than me to answer the questions about the backup. But the following is certainly true: we do a regular DB backups to S3 (those are the same buckets that we use for evidence collection). These backups are only done for zengrc db data. Now, the evidence data that's being stored on S3, it's not being backed up, this is kinda pointless. AWS sould take care of this automagically
Access logs & restrictions
- Who can access files/information in S3 (other than the customer)?
- Only the customers can access their evidence data. Nobody outside of the zengrc has access to this. Of course, this doesn't apply to our devops
- How is this access monitored/logged?
- This access is not monitored or logged in zengrc. I don't know if S3 has automatic logging, it's possible that it does, but I'd have to double-check
- Do we have any security monitoring in place (e.g., if Rok downloads all the customer files stored in S3, would anybody get an alert?)
- Again, our devops are exception to the access restriction (because they have the keys). If they download or even delete the data, no one would get notified. But I don't see a problem in this fact, since the same thing would apply to the entire zengrc DB, and the customer instance.
Other considerations
...
- Do we offer different configurations of S3 for different applications (e.g. geo-bounded storage for certain compliance requirements, or higher level of encryption, etc.)?
...
...
...
Availability and Backup
Data availability, durability, and recovery is provided by the underlying S3 storage system, which performs checks for data durability. Data durability is a feature of AWS designed to obviate the need for manual backups, providing durability and availability above 99%. Details of these can be found in AWS documentation.
How do I share stored data with users outside of Zen?
There are two approaches to this. First, you may grant external users access to your ZenGRC application (following your relevant access control procedures). Second, the Audit Dashboard provides a convenient way to download a zip file of evidence, which can then be provided to your external auditors.