Security Practices


Updated date: Jan 04, 2022
Network Security

 

Fluency/LavaDB controls access using a VPC architecture. The shared infrastructure consists of three master nodes distributed in three availability zones, one SSH bastion node, and a LoadBalancer in two subnets. 

 

Each customer account has three subnets and its own S3 buckets. In addition to this, it also has one Fluency server node and at least one LavaDB worker node.

Systems and Services

There are two providers used by Fluency Cloud: Amazon Web Service (AWS) and VirusTotal. VirusTotal is not considered a critical service as its loss does not impact data collection and retention. It does, however, weaken the ability to validate events. 

 

AWS services issues are accessible directly through Amazon and through its partner Pinnacle Technologies. 

 

AWS S3 is designed for durability of 99.999999999% of objects across multiple Availability Zones. Data is stored across multiple data centers in a region.  All “live” data on EBS volume is saved on S3 via ZFS snapshot.  Extra durability could be achieved by running a backup site on a different AWS region. 

Physical Security

Secure areas shall be protected by appropriate entry controls to ensure that only authorized personnel are allowed access. Fluency has a single open floor design at its main office. Access is by lock and key. Cameras and intrusion detection systems is installed to monitor operations continuously. 

 

Visitors, delivery personnel, outside support technicians, and other external agents shall not be permitted access to secure areas without escort and/or appropriate oversight. Third-parties in secure areas shall sign in and out on a visitor log and shall be escorted or monitored by Fluency personnel. 

Infrastructure

Changes to systems within the development lifecycle shall be controlled by the use of formal change control procedures. Development related activity to changes are tracked in Redmine (backend) and Pivot Tracker (frontend). Significant code changes must be reviewed and approved by product lead before being merged into any production branch in accordance with the Software Release Process. 

 

The software release process is part of the overall development cycle.  Fluency uses an agile development process, which allows critical features to be developed, tested, and released based on workload. 

 

Development and staging environments shall be strictly segregated from production SaaS environments to reduce the risks of unauthorized access or changes to the operational environment. Confidential production customer data must not be used in development or test environments without the express approval of the lead developer. 

 

In order to protect the company’s infrastructure against the introduction of malicious software, detection, prevention, and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness. 

 

Anti-malware protections, SentinelOne, shall be utilized on all employee issued laptops except for those running operating systems not normally prone to malicious software. Additionally, threat detection and response software shall be utilized for company email. The anti-malware protections utilized shall be capable of detecting all common forms of malicious threats. All data from SentinelOne agents is managed through the operational Fluency portal and to the development portal. 

 

Using SentinelOne, Fluency shall scan all files upon their introduction to systems, and continually scan files upon access, modification, or download. Anti-malware definition updates should be configured to be downloaded and installed automatically whenever new updates are available.  Known or suspected malware incidents must be reported as a security incident. 

 

Changes to the organization, business processes, information processing facilities, and systems that affect information security in the production environment and financial systems shall be controlled. All significant changes to in-scope systems must be documented. 

Incident Response

Fluency maintains an incident response plan for situations in which a threat to the secure system is presented. For critical issues, the response team will follow an iterative response process designed to investigate, contain exploitation, eradicate the threat, recover system and services, remediate vulnerabilities, and document a post-mortem with the lessons of an incident. 

 

At the initial issue of an incident, a ticket is to be started in the Incident forum, or in the proper forum related to the issue. In general, a ticket will be created on Pivotal Tracker and a message will be sent on Slack to the appropriate parties. At this point, the issue needs to be verified and scoped. 

 

Once the issue has been closed, the Incident Review Team is responsible for reviewing the incident and the actions taken to determine if there is improvement in the processes, architecture or policies of Fluency. If warranted, an after-action report is written to address corrections to help mitigate future occurrences. 

 

This Incident Response Plan shall be reviewed and tested at least annually. 

Personnel

Prior to hire, applicants are required to sign a background check consent form. Applicants will not be hired until the results of the background check and returned and evaluated. 

 

During onboarding, new hires must agree to all the security policies associated with Fluency. In addition, new hires are required to undergo security awareness training during the onboarding process. Employees are required to review this training annually. 

Access Control

Only authorized administrators shall be permitted to create new user IDs, and may only do so upon receipt of a documented request from authorized parties. User provisioning requests must include approval from data owners or Fluency management authorized to grant system access. 

 

In general, only when a service does not provide two-factor authentication are passwords used. Two-factor authentication is required for all users when available. 

 

As notes in the roles tables, access to privileges are limited to need. Fluency Corp personnel are the only individuals with AWS and System administration. Access to data via Fluency Cloud interface requires a separate Fluency Cloud account, to which all such users and actions are visible to the Fluency Cloud Administrator, who is a client of the service.

Security Monitoring

Fluency makes use of the Fluency software to aggregate and monitor logs from various sources. Using these logs, Fluency is able to create behavioral models to monitor its data. These models can detect suspicious activities, sending alerts to analysts through email or a ticketing system for further analysis.