How Skyflow Keeps
Your Data Safe

We go above and beyond industry security requirements to ensure that your data is secure.

Security Controls

Skyflow's team, processes and technologies use a three-pronged approach to protect customer data:

1. Application-Level Security Control

Security Development Lifecycle

We follow established security patterns for hardening, encryption, authentication and authorization. Our security team performs regular risk-based threat analysis during development cycles to continually re-evaluate and refine our security posture. To ensure additional security of our platform, we regularly conduct the following security checks:

  • Peer design and code review
  • Internal vulnerability scans as well as contracts with Approved Scanner Vendors (ASV) to scan for vulnerabilities
  • Contracts with top penetration testers to perform offensive and defensive analysis of our application and infrastructure
  • Leverage talents and skills of global security researchers by running paid Bug Bounty programs to look for vulnerabilities

Access Control of Customer Data

As it relates to policy, we employ the principle of least privilege — engineers are only granted the authorization required to perform their job functions. The following details the type of access we have internally to customer’s data:

Type of Access
Infrastructure
Application
Production Systems
Direct access to production systems is disallowed unless user has documented approval. Special provisioning of a fully audited and fine grained access controlled virtual bastion host is required to access production environments.
Skyflow employees do not have permissions to access customer vault data unless explicitly authorized by customer’s vault administrators.
Tools & Systems
Access to tools and systems that interact with the production system is managed through respectively built in access control and is limited to trained operation engineers.
Access to Skyflow vaults is controlled by a built-in policy-based access control system; only authorized tools can gain access to their respective vault data.

2. Infrastructure-Level Security Control

Audits and Accountability

Skyflow’s platform has detailed audit logging to track all security-sensitive events on a centralized log server for analysis and alerts. To maintain constant operational security of the platform, we conduct the following maintenance:

  • All changes to production systems require documented approvals
  • All changes to the Skyflow platform software application require documented peer engineering review and approvals

Architecture

The Skyflow platform architecture sets up an independent network security zone at the Workspace and Vault level to protect data from each customer so access rules are fully customizable and hardened to each environment. Additionally, the network and data segmentation also limits the potential impact from any individual system failures.

Media Protection

All storage media used in production are enabled with encryption. Further, the Skyflow application, per configuration, performs application encryption to protection-marked data sets using encryption keys managed by the Skyflow systems.

System and Communication Protection

All inter-system communications within Skyflow are encrypted and routed through private channels only and do not enter the public internet. All ingress and egress communications are controlled by network security and are periodically reviewed and approved by the security team.

Recovery

Skyflow infrastructure employs multiple levels of system recovery and data recovery scheme, including as the following:

  • Production system data is continuously backed up to ensure low Recovery Point Objective ( RPO ) to minimize data loss during DR
  • Production infrastructure operations are streamlined and automated to ensure low Recovery Time Objective ( RTO ) to minimize operation disruption during DR
  • All services are deployed on AWS Multi Availability-Zone ( multi-AZ ) setup, clustered and continuously monitored to ensure high availability
  • Data backup is AWS cross region to ensure cross region data recovery
  • Data is regularly backed up and tested

Identification and Authentication

We have implemented Multi-Factor Authentication-based Single Sign-On for infrastructure system access. System management tools have built-in support for Skyflow’s SSO system. Exceptions require the implementation of strong passwords to minimize the risk of credential theft or brute force attacks.

3. Operation-Level Security Control

For security operations, Skyflow covers a number of areas detailed below:

Domain
System Controls
Vulnerability Management
  • Deploys numerous vulnerability and security scanners to ensure all systems are up to date with supported versions and patches
Configuration Management
  • Establish and maintain baseline configuration for all systems
  • All changes to production systems require documented approvals
  • All changes to the Skyflow vault application require documented engineering review and approvals
System and Information Integrity
  • Continuous monitoring of production systems and alerts are set up to ensure systems are performing as designed and comply with service level agreements
Threat Detection
  • Skyflow subscribes to threat detection services to monitor health and state of the production system
  • Skyflow customizes rule-based alerts to look for potential threats
Incident Response
  • 24x7 staff availability
  • Established runbook
  • Breach notification procedure following compliance and best practices guidelines

Staffing and Continued Education

We maintain a high level of organizational and employee compliance and security standards with role-based mandatory training. They ensure that we stay up to date with responsibilities and guidelines for handling security, system and any data. These efforts include:

  • Mandatory training during new hire onboarding
  • Skyflow works with a training firm to develop new content for ongoing security training
  • CISSP and CISA on staff to help provide the expertise in security and compliance

Report a Vulnerability

If you believe you have found a security issue on Skyflow Data Privacy Vault, please submit a report to our security team via email security@skyflow.com.

Bug Bounty Program

We have a private bug bounty program to cover security research on Skyflow Data Privacy Vault. You could join our bug bounty program by inquiring at bugbounty@skyflow.com. The bug bounty registration will have the scope and program details.

Certifications and Compliance

Our platform environment and team adhere to the following standards:

The team at Skyflow is dedicated to ensuring that your sensitive data is stored and utilized securely.

Contact us to schedule a demo, or check out our docs to learn more.