As with all cloud-based services, security can be a concern. That's especially true for services that address compliance issues and access vulnerabilities. Cloud Compliance employs the Amazon EC2 (Elastic Compute Cloud) service, which has extensive and comprehensive physical and logical controls, including:
- State-of-the-art intrusion detection systems
- Authorized staff must pass two-factor authentication at least twice
- Immediate deprovisioning of admin access when an administrator no longer has a business need
- Extensive background checks of staff with potential access to customer data
- All admin access logged and audited
- Network security: protection against DDoS and MITM attacks, firewall, etc.
- Firewall requires customer's X.509 certificate and key to authorize changes
- API calls to launch and terminate instances and perform other functions require an X.509 certificate
- S3 (storage) read permissions controlled by ACL
- S3 authentication using HMAC-SHA1 signatures
- Storage device decommissioning based on NIST 800-88 (media sanitization)
- AWS recurring SAS-70 Type II certification

Cloud Compliance encrypts data in transit as well as data at rest. The Cloud Compliance solution also does not require access to personally identifiable information (PII); only log records (with internal user names) are required.