Joyent has built a hardened and secure cloud infrastructure for deployment of a wide range of production applications and trusted data. In addition to maintaining key industry certifications, reports, and attestations, we provide unique service features that enable customers to mitigate the risks of multi-tenant cloud infrastructure today. Working with these features, customers can build and maintain all levels of required security in the Joyent Cloud.
This page includes the following sections: an overview of Joyent’s security strategy, information on the certifications and independent assessments in our possession, and a FAQ on PCI DSS compliance.
There are several key elements in our strategy to ensure the security of the Joyent infrastructure:
Joyent holds the following:
Joyent infrastructure is housed within carrier-grade Tier 4 data centers. These data centers are secured with a variety of physical controls to prevent unauthorized access.
Each of the services within the Joyent cloud is architected to be secure and to restrict unauthorized access or usage.
Joyent strongly recommends that users encrypt their personal or business data within the Joyent cloud, both in production and in backup / storage environments. While data encryption is NOT a default offering in the Joyent Cloud, the Joyent team can recommend a variety of appropriate encryption options that users can implement within their own Joyent Cloud environment.
In accordance with the Statement on Standards for Attestation Engagements No. 16 (SSAE 16), Joyent has completed a SOC 1 Type 1 report. This audit attests that Joyent’s control objectives are effectively designed and that the individual controls defined to safeguard customer data are operating effectively. Our commitment to the SOC 1 report is ongoing and we plan to continue our process of periodic audits.
An independent Qualified Security Assessor (QSA) under the Payment Card Industry (PCI) Data Security Standard (DSS) has successfully validated Joyent as a Level 1 service provider. PCI validated services include the Joyent Cloud virtual infrastructure, the Joyent Cloud management environment, and the underlying physical infrastructure.
Joyent does not provide credit card services to its customers. All additional required PCI DSS controls for a customer environment implemented within the Joyent Cloud remain the responsibility of Joyent’s customers. Those controls must be assessed and validated on an individual merchant or service provider basis, as part of the customer’s validation of PCI DSS compliance for the customer’s own report on compliance (ROC).
Safe Harbor certifies that Joyent provides "adequate" privacy protection by the standard of the European Commission's Directive on Data Protection. This means that data can flow unhindered in and out of European Union (EU) countries, saving time and money by removing the obstacles encountered by non-Safe Harbor Certified providers.
The European Commission's Directive on Data Protection prohibits the transfer of personal data to non-European Union nations that do not meet the European "adequacy" standard for privacy protection. While the United States and the European Union (EU) both share the goal of enhancing privacy protection for their citizens, the United States and the European Union take differing approaches.
In order to bridge these different privacy approaches and provide a streamlined means for US organizations to comply with the Directive, the US Department of Commerce, in consultation with the European Commission, developed a "Safe Harbor" framework. The Safe Harbor, approved by the EU in July of 2000, is an important way for US companies to avoid experiencing interruptions in their business dealings with the EU or facing prosecution by European authorities under European privacy laws. Certifying to the Safe Harbor will assure that EU organizations know that your company provides "adequate" privacy protection, as defined by the Directive.
The Safe Harbor provides a number of important benefits to US and EU firms. Benefits for US organizations participating in the Safe Harbor will include:
Joyent two-factor authentication is an opt-in feature for Joyent Cloud users. Two-factor authentication relies on two inputs to provide a greater level of security: one input set that a customer already has (an SSL certificate and a password) and a second input factor that they must receive (a single-use alphanumeric code). When using Joyent two-factor authentication, Joyent Cloud users will need to provide a six-digit single-use code in addition to standard user name and password credentials in order to access their designated virtual environments. This single-use code may be transmitted to a single-purpose authentication device or a special application on a mobile phone.
The Joyent Cloud API uses a signature mechanism derived from SSH keys. Because customers use their SSH keys to sign requests, and SSH supports protecting keys with a passphrase, Cloud API is protected for customers using the API as long as the customer SSH keys are protected with a passphrase. The SSH key is something they have (one factor), and the passphrase is something they know (the second factor).
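The following Python example is added here and is not Joyent's code. It inspects the header of a private key file and reports whether the key is passphrase-protected, the condition the paragraph above depends on; the function names and the sample keys are constructed for illustration.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"

def is_passphrase_protected(key_text):
    """True if the private key text is encrypted, False if stored in the clear."""
    lines = [ln.strip() for ln in key_text.strip().splitlines()]
    first = lines[0] if lines else ""
    if not (first.startswith("-----BEGIN ") and first.endswith("PRIVATE KEY-----")):
        raise ValueError("not a PEM-armored private key")
    label = first[len("-----BEGIN "):-len("-----")]
    if label == "ENCRYPTED PRIVATE KEY":      # PKCS#8, encrypted by definition
        return True
    if label == "PRIVATE KEY":                # PKCS#8, unencrypted
        return False
    if label == "OPENSSH PRIVATE KEY":        # ssh-keygen's current default format
        blob = base64.b64decode("".join(lines[1:-1]))
        off = len(OPENSSH_MAGIC)
        if not blob.startswith(OPENSSH_MAGIC) or len(blob) < off + 4:
            raise ValueError("malformed OpenSSH private key")
        (n,) = struct.unpack(">I", blob[off:off + 4])
        cipher = blob[off + 4:off + 4 + n]
        return cipher != b"none"              # cipher name "none" means no passphrase
    # Legacy RSA/DSA/EC PEM: encryption is flagged in an RFC 1421 header line.
    return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines[1:3])

def unprotected_keys(keys):
    """Given {name: key_text}, return the sorted names of keys lacking a passphrase."""
    return sorted(name for name, text in keys.items() if not is_passphrase_protected(text))

def _openssh_sample(cipher):
    # Constructed header only (magic + cipher name); not a usable key.
    body = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(body).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

# Constructed sample inputs: headers are realistic, key material is placeholder.
SAMPLES = {
    "id_ed25519": _openssh_sample(b"aes256-ctr"),
    "id_deploy": _openssh_sample(b"none"),
    "id_rsa_old": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                  "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\nAAAA\n"
                  "-----END RSA PRIVATE KEY-----\n",
    "id_rsa_ci": "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    print("keys without a passphrase:", unprotected_keys(SAMPLES))
```

Keys reported here provide only the "something they have" factor, so they are the first candidates for re-encryption or rotation.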
Joyent recommends that users rotate or change access keys and certificates on a regular basis to prevent unauthorized access and provide additional security.
Delivering a secure cloud computing platform involves implementing numerous best practices for on-premise infrastructure as well as a host of additional considerations unique to a hosted infrastructure environment.
The Joyent Wiki also provides a wide variety of information and recommendations on security best practices, in particular relating to firewalls, isolating networks with VLANs, backup and data encryption. Here are a few key differences for Joyent Cloud with regard to security practices.