Encryption- All data is encrypted in transit and at rest. Data at rest – Database instances, are encrypted using the industry standard AES-256 encryption algorithm. Encryption for data in transit is forced via HTTPS with TLS 1.2.

Access Controls – Role-based access control using different scopes e.g. user and organization are defined and enforced for each API. Every API request is first validated for scope to determine user permissions to invoke the API. The principle of least privilege is enforced on all the scopes.

Authentication: CloudNuro authenticates all users with a unique ID and password. Access to CloudNuro restricted API resources are always authenticated.

CloudNuro also supports industry standard authentication protocols like SAML 2.0, OpenID, allowing customers to implement Single Sign-On (SSO), including whitelisting and multi-factor authentication (MFA).

Authorization– Access control rules are defined to ensure proper authorization for data APIs. Every API request is first validated to determine user permissions to invoke the API. The principle of least privilege is enforced on all the APIs.   

Accountability– All audit trail is maintained which includes date, time, and user information associated with any resource accessed or transaction performed.

Cloud Computing Services: CloudNuro leverages Google Cloud Platform for hosting and compute power. GCP maintains and demonstrates SSAE-16 SOC 1, 2 and 3, ISO 27001 and FedRAMP/FISMA reports and certifications. Web servers and databases run on servers in secure data centers

Backups– To maintain a robust disaster recovery strategy, CloudNuro leverages GCP enabled automated backups which allows us to take secure backups as well as quick recovery. We test our backup recovery regularly.

Incident & Breach Management– Procedures are established for reporting incidents, and tracking it for timely communication, investigation and resolution.

Security by Design: Product road-map is defined and reviewed for each release and periodically by the Product Owner. Security is incorporated right from design and security fixes are prioritized. They are integrated in the earliest possible sprint.

Code Review– CloudNuro follows established process for performing unit test, code coverage, code reviews, web vulnerability assessment, and advanced security tests.

Quality Assurance– All builds are put through a strict regression test, functionality tests, performance tests and UX tests before the build is certified as “Stage Gate Passed”. Test Readiness Review and Production Readiness Review are conducted before code is promoted to higher environments.

DevOps CI/CD- Source Code is managed centrally with version controls and access restricted based on various teams that are assigned to specific sprints. A well-defined CI/CD process with proper stage gates including security code scanning,  unit test coverage, approval process is defined for code promotion.

Principle of Least Privilege- At CloudNuro, the principle of least privilege is followed diligently. For example, Access to the production environment is restricted to very limited set of users based on the job roles. Production environment access for CloudNuro support teams  are also restricted based on their job responsibilities.