As a security and compliance solution provider, Dome9 takes the security of its own platform and organization seriously. The Dome9 Arc SaaS platform meets rigorous security, privacy, and compliance standards, including ISO 27001, SOC 2 Type II, and PCI DSS attestation.
Dome9 has established an organization-wide information security policy designed to protect customer privacy and information at a level commensurate with its value. The policy dictates security controls for media where information is stored, the systems that process it, as well as infrastructure components that facilitate its transmission.
SOC 2 Type II
The Payment Card Industry Data Security Standard (PCI DSS) is a regulatory requirement for merchants and service providers that store, process or transmit customer payment card data.
The Dome9 Security Model
Shared Responsibility with AWS: The Dome9 SaaS application runs on Amazon Web Services (AWS). Security of the Dome9 application is built on the shared responsibility model, where AWS manages security of the cloud and Dome9 actively manages the security in its cloud environment. Physical security of the environment, for example, is managed by AWS. In fact, Dome9 employees do not have access to AWS data centers. AWS is responsible for implementing an appropriate set of controls in order to address physical security issues. AWS meets extensive and stringent security, privacy and compliance standards.
Access to all code and data is strictly controlled and managed on the principle of least privilege. Only authorized personnel who need access to resources are given required access. Dome9 has implemented a recertification process to help ensure that only authorized personnel have access to the production interface, servers, environments and databases. Employees whose job functions have changed and therefore no longer require access to a group of user permissions will have their access disabled or modified as needed.
Dome9 makes no compromises when it comes to customer confidentiality. We have implemented security measures to ensure the confidentiality of our customer’s sensitive personal information. The security measures aim to prevent unauthorized access, disclosure, alteration or destruction of sensitive personal information. Customer data has a single classification and access is restricted to authorized personnel. Connections to the Dome9 network and databases are obtained through dynamic access lease. Clients’ sessions and interactions are encrypted using 128-bit SSL V3/TLS HTTPS. Internet traffic is encrypted using high class level certificates based on the PKI infrastructure.
Penetration Testing and Active Protection
The Dome9 security team works with trusted third party vendors to perform regular penetration testing and security scanning. High issues are investigated and taken care of as part of the SDLC process or by any necessary means The penetration tests include, among others, procedures to prevent customers, groups of individuals, or other entities from accessing confidential information other than their own. Additionally, Dome9 uses active defense measures such as a real-time anti-virus solution to protect its servers against viruses, worms, NNN and other forms of malicious code that may cause damage.
All changes to the production environment in response to evolving customer and market needs are reviewed internally through a rigorous approval process and managed using well-defined processes. These include adding/removing/changing the configuration policies of the existing servers or performing routine maintenance activities, software updates, and other infrastructure-related changes. All changes are recorded, reported on and audited for complete transparency. On a regular basis, a risk assessment meeting is performed in order to, among others, re-assess risks, review operational aspects of the control environment and monitor the control environment.
The system is monitored for any security, confidentiality and availability non-compliance issues. These issues are documented as part of a RCA (Root Cause Analysis) report and escalated as needed to be handled. In addition, environmental, regulatory and technological changes are monitored. Their effects are assessed and their policies are updated accordingly. A summarized protocol is made available to relevant managers and team members.
Backup and Disaster Recovery
Data in the Dome9 platform is backed up several times a day. Access to the backup and offline storage, which is located within the production environment, is restricted to authorized individuals. Dome9 uses a dedicated database for data analysis. Access to the database is restricted to authorized personnel.
Dome9 has developed a Disaster Recovery Plan to enable the company to continue to provide critical services in case of a disaster. Dome9 maintains a backup server's infrastructure at a separated location within the AWS environments. The backup server's infrastructure has been designed to provide clients with business-critical services until the disaster has been resolved and the primary system is fully restored. The alternative processing environment is wholly managed by appropriate Dome9 personnel, as is the case with the primary production environment. To read a copy of the Dome9 SOC 2 Type II Attestation Report, contact us.