As a security and compliance solution provider, Dome9 takes the security of its own platform and organization seriously. The Dome9 Arc SaaS platform meets rigorous security, privacy, and compliance standards, including ISO 27001, SOC 2 Type II, and PCI DSS attestation.
Dome9 has established an organization-wide information security policy designed to protect customer privacy and information at a level commensurate with its value. The policy dictates security controls for media where information is stored, the systems that process it, as well as infrastructure components that facilitate its transmission.
SOC 2 is an auditing standard that focuses on organizational controls in five areas: security, availability, processing integrity, confidentiality and privacy. The principles are defined by the American Institute of Certified Public Accountants (AICPA). EY (formerly Ernst & Young), a global leader in assurance, tax, transactions and advisory services, performed a rigorous audit of Dome9’s security controls and processes for its products and services. To download a copy of the Dome9 SOC 2 Type II Attestation Report, please contact us.
ISO 27001, formally referred to as ISO/IEC 27001, is a specification that mandates requirements for information security management in an organization. ISO 27001 is the de facto industry standard for information security management, and certification ensures that an organization is managing information security proactively and cost-effectively. With ISO 27001 certification, Dome9 continues to play a critical role in enabling security professionals and engineers to place great confidence and trust in cloud solutions such as AWS.
The Payment Card Industry Data Security Standard (PCI DSS) is a regulatory requirement for merchants and service providers that store, process or transmit customer payment card data. PCI DSS is the most rigorous, industry-recognized payment-card security standard available globally. According to version 3.0 of PCI DSS, which went into effect in 2015, PCI compliance is a requirement not only for organizations that handle customer payment card data, but also for vendors of these companies that handle payment card information or impact security. Solution providers that help companies achieve PCI DSS compliance must demonstrate their compliance with these stringent security requirements as well. To download a copy of Dome9's Attestation of Compliance (AOC), please contact us.
Shared Responsibility with AWS: The Dome9 SaaS application runs on Amazon Web Services (AWS). Security of the Dome9 application is built on the shared responsibility model, where AWS manages security of the cloud and Dome9 actively manages the security in its cloud environment. Physical security of the environment, for example, is managed by AWS. In fact, Dome9 employees do not have access to AWS data centers. AWS is responsible for implementing an appropriate set of controls in order to address physical security issues. AWS meets extensive and stringent security, privacy and compliance standards.
Access to all code and data is strictly controlled and managed on the principle of least privilege. Only authorized personnel who need access to resources are given required access. Dome9 has implemented a recertification process to help ensure that only authorized personnel have access to the production interface, servers, environments and databases. Employees whose job functions have changed and therefore no longer require access to a group of user permissions will have their access disabled or modified as needed.
Dome9 makes no compromises when it comes to customer confidentiality. We have implemented security measures to ensure the confidentiality of our customers' sensitive personal information. The security measures aim to prevent unauthorized access, disclosure, alteration or destruction of sensitive personal information. Customer data has a single classification and access is restricted to authorized personnel. Connections to the Dome9 network and databases are obtained through a dynamic access lease. Clients' sessions and interactions are encrypted using 128-bit SSL V3/TLS HTTPS. Internet traffic is encrypted using high-grade certificates issued under a PKI.
The Dome9 security team works with trusted third-party vendors to perform regular penetration testing and security scanning. High-severity issues are investigated and remediated as part of the SDLC process or by any other necessary means. The penetration tests include, among others, procedures to verify that customers, groups of individuals, or other entities cannot access confidential information other than their own. Additionally, Dome9 uses active defense measures such as a real-time anti-virus solution to protect its servers against viruses, worms and other forms of malicious code that may cause damage.
All changes to the production environment in response to evolving customer and market needs are reviewed internally through a rigorous approval process and managed using well-defined processes. These include adding, removing or changing the configuration policies of existing servers, performing routine maintenance activities, software updates, and other infrastructure-related changes. All changes are recorded, reported on and audited for complete transparency. On a regular basis, a risk assessment meeting is held in order to, among other things, re-assess risks, review operational aspects of the control environment and monitor the control environment.
The system is monitored for any security, confidentiality and availability non-compliance issues. These issues are documented as part of an RCA (Root Cause Analysis) report and escalated as needed for handling. In addition, environmental, regulatory and technological changes are monitored. Their effects are assessed and the relevant policies are updated accordingly. A summarized protocol is made available to relevant managers and team members.
Data in the Dome9 platform is backed up several times a day. Access to the backup and offline storage, which is located within the production environment, is restricted to authorized individuals. Dome9 uses a dedicated database for data analysis. Access to the database is restricted to authorized personnel. Dome9 has developed a Disaster Recovery Plan to enable the company to continue to provide critical services in case of a disaster. Dome9 maintains a backup server infrastructure at a separate location within the AWS environments. The backup server infrastructure has been designed to provide clients with business-critical services until the disaster has been resolved and the primary system is fully restored. The alternative processing environment is wholly managed by appropriate Dome9 personnel, as is the case with the primary production environment. To read a copy of the Dome9 SOC 2 Type II Attestation Report, contact us.