Joyent Security and Compliance
Joyent has built a hardened and secure cloud infrastructure for deployment of a wide range of production applications and trusted data. In addition to maintaining key industry certifications, reports, and attestations, we provide unique service features which enable customers to mitigate the risks of multi-tenant cloud infrastructure today. Working with these features customers can build and maintain all levels of required security in the Joyent Cloud.
This page includes the following sections: overview of Joyent’s security strategy, information on the certifications and independent assessments in our possession, and a FAQ on PCI DSS compliance.
Overview
There are several key elements in our strategy to ensure the security of the Joyent infrastructure:
Certifications and Attestations of Compliance
Joyent holds the following:
- SOC 1/SSAE 16 report
- PCI DSS Level 1 compliance
- Safe Harbor certification
Physical Security
Joyent infrastructure is housed within carrier-grade Tier 4 data centers. These data centers are secured with a variety of physical controls to prevent unauthorized access.
Secure Services
Each of the services within the Joyent cloud is architected to be secure and to restrict unauthorized access or usage.
Data Privacy
Joyent strongly recommends that users encrypt their personal or business data within the Joyent cloud, both in production and in backup / storage environments. While data encryption is NOT a default offering in the Joyent Cloud, the Joyent team can recommend a variety of appropriate encryption options that users can implement within their own Joyent Cloud environment.
Certifications and Attestations of Compliance
SSAE 16/SOC 1
In accordance with the Statement on Standards for Attestation Engagements No. 16 (SSAE 16), Joyent has completed a SOC 1 Type 1 report. This audit attests that Joyent’s control objectives are effectively designed and that the individual controls defined to safeguard customer data are operating effectively. Our commitment to the SOC 1 report is ongoing and we plan to continue our process of periodic audits.
PCI DSS Level 1
An Independent Qualified Security Assessor (QSA) under the Payment Card Industry (PCI) Data Security Standard (DSS) has successfully validated Joyent as a Level 1 service provider. PCI validated services include the Joyent Cloud virtual infrastructure, the Joyent Cloud management environment, and the underlying physical infrastructure.
Joyent does not provide credit card services to its customers. All additional required PCI DSS controls for a customer environment implemented within the Joyent Cloud remain the responsibility of Joyent’s customers. Those controls must be assessed and validated on an individual merchant or service provider basis, as part of the customer’s validation of PCI DSS compliance for the customer’s own report on compliance (ROC).
Safe Harbor Certification
Safe Harbor certifies that Joyent provides "adequate" privacy protection by the standard of the European Commission's Directive on Data Protection. This means that data can flow unhindered in and out of European Union (EU) countries, saving time and money by removing the obstacles encountered by non-Safe Harbor Certified providers.
The European Commission's Directive on Data Protection prohibits the transfer of personal data to non-European Union nations that do not meet the European "adequacy" standard for privacy protection. While the United States and the European Union (EU) both share the goal of enhancing privacy protection for their citizens, the United States and the European Union take differing approaches.
In order to bridge these different privacy approaches and provide a streamlined means for US organizations to comply with the Directive, the US Department of Commerce in consultation with the European Commission developed a "Safe Harbor" framework. The Safe Harbor - approved by the EU in July of 2000 — is an important way for US companies to avoid experiencing interruptions in their business dealings with the EU or facing prosecution by European authorities under European privacy laws. Certifying to the Safe Harbor will assure that EU organizations know that your company provides "adequate" privacy protection, as defined by the Directive.
The Safe Harbor provides a number of important benefits to US and EU firms. Benefits for US organizations participating in the safe harbor will include:
- All 25 Member States of the European Union will be bound by the European Commission's finding of adequacy
- Companies participating in the safe harbor will be deemed adequate and data flows to those companies will continue
- Member State requirements for prior approval of data transfers either will be waived or approval will be automatically granted
- Claims brought by European citizens against US companies will be heard in the US subject to limited exceptions.
Security Features
Joyent Two-Factor Authentication
Joyent two-factor authentication is an opt-in feature for Joyent Cloud users. Two-factor authentication relies on two inputs to provide a greater level of security – one input set that a customer already has (an SSL certificate and a password) and a second input factor that they must receive (a single-use alphanumeric code). When using Joyent two-factor authentication, Joyent Cloud users will need to provide a six-digit single-use code in addition to a standard user name and password credentials in order to access their designated virtual environments. This single use code may be transmitted to a single-purpose authentication device or a special application on a mobile phone.
The Joyent Cloud API uses a signature mechanism derived from SSH keys. Because customers use their SSH keys to sign requests, and SSH supports protecting keys with a passphrase, Cloud API is protected for customers using the API as long as the customer SSH keys are protected with a passphrase. The SSH key is something they have, one factor, and the passphrase is something they know, second factor.
Key Rotation and Changes
Joyent recommends that users rotate or change access keys and certificates on a regular basis to prevent unauthorized access and provide additional security.
Additional Information
Delivering a secure cloud computing platform involves implementing numerous best practices for on-premise infrastructure as well as a host of additional considerations unique to a hosted infrastructure environment.
The Joyent Wiki also provides a wide variety of information and recommendations on best security practices in particular relating to firewalls, isolating networks with VLANs, backup and data encryption. Here are a few key differences for Joyent Cloud with regard to security practices.
- L2 Isolations – Joyent Cloud users may access physically separated VLANs that are pulled in the switch and provide true Layer 2 Separation.
- Firewalls – Joyent Cloud users may deploy a wide variety of commercial grade proprietary and open source firewalls including Riverbed Stingray (Layer 7 application firewall), IPFilter, SmoothWall (Linux-based firewall), IPTables, and others.
- Data Encryption – Joyent Cloud deploys local storage for high speed and high reliability. There are no limitations on a customer’s ability to encrypt data.
- VPNs – Customers wishing to securely access layers of their application tiers not accessible to the public via encrypted means may deploy either SSL or IPSec VPNs. These VPNs can also be used to construct DMZs as needed.
- DDOS – Joyent Cloud customers enjoy DDOS protection by default.
- Zones: Joyent Cloud uses Zones to contain SmartMachines (SmartOS) and virtual machines (Linux / Windows).
- Only the zone can see its own network traffic
- Disk storage is accessed via the ZFS file system and never via raw devices.
- Each Zone enjoys its own file system and cannot see other file systems in the virtual multi-tenant environment. Upon deletion of a Zone, the file system is deleted and there is no device path to retrace the contents of that Zone.
- Users have no access to raw memory devices and cannot scan system memory. As such, there is no code path to “break out” of a hypervisor and impact other users.
