Overview
...
This is a customer-focused details page describing the security in place for ZenGRC Storage. As always, if you have additional questions, feel free to reach out to support@reciprocitylabs.com.
Questions
...
Where does my data go?
ZenGRC uses Amazon S3 for storage when ZenGRC storage is selected. As such, we inherit many of the security and availability controls put in place by AWS. Details of AWS' security controls can be found here: http://docs.aws.amazon.com/AmazonS3/latest/dev/DataDurability.html
Amazon S3 is a globally available service, and in the default ZenGRC Storage configuration your data is not guaranteed to reside in any particular geographic region. If you require data residency in a specific region, see the next question.
What if this configuration doesn't meet my security needs (e.g. I'm a HIPAA covered entity, or need EU-based storage for GDPR compliance)?
It is possible to configure ZenGRC with other storage options.
You may, for example, use your own S3 bucket, Box, or Google Drive as the backing store for your data. For more information on setting up an S3 bucket for ZenGRC Storage, see Setting Up AWS Custom Storage. Using your own bucket lets you configure at-rest encryption (including customer-managed KMS keys), access logging and monitoring, geographic restrictions, and so on, to meet your specific needs. ZenGRC Storage relies on S3's REST API, so configuration is as simple as providing ZenGRC with the URL of your bucket and an IAM access key pair for it. Scope that key pair to the one bucket, since whoever holds it has the same access to the bucket as ZenGRC does.
...
There are two approaches to this. First, you may grant external users access to your ZenGRC application (following your relevant access control procedures). Second, the Audit Dashboard provides a convenient way to download a zip file of evidence, which can then be provided to your external auditors (this feature is scheduled for delivery in v2.14).
How is my data protected in ZenGRC Storage?
Segregation
Each customer gets their own S3 bucket, whose data is logically segregated from other customers' buckets. Access to ZenGRC Storage requires access to an instance of the ZenGRC application; if users outside your organization don't have access to your ZenGRC app, they can't access data in your ZenGRC Storage. This relies on authenticated requests to S3: each customer's ZenGRC application holds a unique IAM access key, and the IAM policy attached to that key grants access only to that customer's bucket.
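As an added example, not ZenGRC's or Reciprocity's own configuration, the Python block below writes out the two policies that implement what the Segregation paragraph above and the Bring Your Own S3 answer earlier describe: a per-customer IAM identity policy that names exactly one bucket, and a bucket policy that a BYO-bucket owner can attach to refuse requests not sent over TLS and uploads that do not request server-side encryption. It then runs a deliberately simplified model of IAM's evaluation logic to show that one customer's key cannot read another customer's bucket and that the Deny statements override the Allow. The bucket names zengrc-acme and zengrc-globex and the request contexts are constructed for the example; the evaluator ignores Principal, NotAction and every condition operator except Bool and Null, so use it to understand the policies, not as a substitute for the IAM policy simulator.

```python
import fnmatch
import json

# Hypothetical bucket names for this example (not real ZenGRC buckets).
ACME_BUCKET = "zengrc-acme"
GLOBEX_BUCKET = "zengrc-globex"


def customer_policy(bucket: str) -> dict:
    """Identity policy for the one IAM user whose access key a customer's
    ZenGRC application holds: it names exactly one bucket and nothing else."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ListOwnBucket", "Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": f"arn:aws:s3:::{bucket}"},
        {"Sid": "ObjectAccessOwnBucket", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": f"arn:aws:s3:::{bucket}/*"},
    ]}


def bucket_policy(bucket: str) -> dict:
    """Resource policy a Bring-Your-Own-bucket owner attaches: refuse any
    request not sent over TLS and any upload that does not request SSE."""
    arns = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": arns,
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "DenyUnencryptedObjectUploads", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{bucket}/*",
         "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    ]}


def _matches(patterns, value: str, fold_case: bool) -> bool:
    """Wildcard match; IAM action names are case-insensitive, ARNs are not."""
    patterns = patterns if isinstance(patterns, list) else [patterns]
    if fold_case:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition: dict, ctx: dict) -> bool:
    """Only the two operators used above are modelled (Bool and Null).
    A missing context key fails Bool and satisfies Null: "true"."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "Bool":
                if actual is None or str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "Null":
                if (actual is None) != (str(expected).lower() == "true"):
                    return False
            else:
                raise NotImplementedError(f"condition operator {operator!r}")
    return True


def evaluate(action: str, resource: str, ctx: dict, *policies: dict) -> str:
    """Simplified IAM decision (Principal and NotAction are not modelled):
    an applicable explicit Deny wins; otherwise an applicable Allow is
    required; otherwise the implicit result is Deny."""
    decision = "Deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if (_matches(stmt["Action"], action, True)
                    and _matches(stmt["Resource"], resource, False)
                    and _condition_holds(stmt.get("Condition", {}), ctx)):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                decision = "Allow"
    return decision


# Request contexts as S3 would see them (constructed for the example).
TLS_SSE = {"aws:SecureTransport": "true", "s3:x-amz-server-side-encryption": "AES256"}
TLS_NO_SSE = {"aws:SecureTransport": "true"}
PLAINTEXT = {"aws:SecureTransport": "false", "s3:x-amz-server-side-encryption": "AES256"}


def acme_decisions() -> dict:
    """Exercise the ACME customer's key against its own and another bucket."""
    policies = (customer_policy(ACME_BUCKET), bucket_policy(ACME_BUCKET))
    own_obj = f"arn:aws:s3:::{ACME_BUCKET}/evidence/soc2.pdf"
    other_obj = f"arn:aws:s3:::{GLOBEX_BUCKET}/evidence/soc2.pdf"
    return {
        "read_own": evaluate("s3:GetObject", own_obj, TLS_SSE, *policies),
        "list_own": evaluate("s3:ListBucket", f"arn:aws:s3:::{ACME_BUCKET}", TLS_SSE, *policies),
        "read_other_customer": evaluate("s3:GetObject", other_obj, TLS_SSE, *policies),
        "put_over_plain_http": evaluate("s3:PutObject", own_obj, PLAINTEXT, *policies),
        "put_without_sse": evaluate("s3:PutObject", own_obj, TLS_NO_SSE, *policies),
    }


if __name__ == "__main__":
    print(json.dumps(bucket_policy(ACME_BUCKET), indent=2))
    for name, decision in acme_decisions().items():
        print(f"{name:22s} {decision}")
```

In a real account the identity policy is attached with `aws iam put-user-policy` to the user whose key you hand to ZenGRC, and the bucket policy with `aws s3api put-bucket-policy`; the Deny statements then apply to every principal, including the bucket owner, so test them against your own tooling before relying on them.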
Encryption at Rest
Data is encrypted at rest in ZenGRC Storage using Amazon S3 server-side encryption with Amazon-managed keys (SSE-S3). From the AWS documentation:
"Each object is encrypted with a unique key employing strong multi-factor encryption. As an additional safeguard, it encrypts the key itself with a master key that it regularly rotates. Amazon S3 server-side encryption uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt your data."
https://docs.aws.amazon.com/AmazonS3/latest/dev/serv-side-encryption.html
Note that SSE-S3 is transparent to any principal with read access to the bucket: it protects against loss or theft of the underlying storage media, not against misuse of a valid access key. If you need keys you control, or an audit trail of key usage, use the Bring Your Own S3 option described above with SSE-KMS and a customer-managed key.
Encryption in Transit
Data is encrypted using TLS 1.2 when in transit between the ZenGRC application and ZenGRC Storage (AWS S3). Between the ZenGRC application and the user's browser, the connection is negotiated to the highest TLS version that both the browser and ZenGRC support. The minimum version of TLS accepted by ZenGRC is v1.1. Note that TLS 1.0 and 1.1 have since been deprecated (RFC 8996); current browsers negotiate TLS 1.2 or 1.3, so the minimum only matters for legacy clients.
Availability and Backup
Data availability, durability, and recovery are provided by the underlying S3 storage system, which performs continuous checks for data integrity. S3 Standard is designed for 99.999999999% (eleven nines) durability of objects and 99.99% availability over a given year, which is intended to remove the need for manual backups against media failure. Durability does not protect against accidental or malicious deletion or overwriting of objects; that is addressed by the backup and recovery policy below. Details of the AWS figures can be found in AWS documentation.
...
Data in ZenGRC Storage is stored in Amazon AWS data centers, and relies on the physical and environmental controls put in place by AWS. Reciprocity reviews the AWS SOC 2, Type II report annually to identify any deficiencies, and tracks any identified deficiencies through to closure.
What is your backup and recovery policy?
Please review our plan at ZenGRC Backup and Recovery Policy 10-31-2019.
How does access control work?
...