Be assured of security, scalability, uptime and performance
Cirrus has teamed up with Microsoft to use the world-class security, scalability, uptime and performance of the Microsoft Azure cloud platform. With regular contact and support from Microsoft, we are able to use their expertise and experience in providing the best architecture and product possible. Do not just take our word for it: take a look at the vast amount of information within the Microsoft Trust Centre as to why they can be trusted as a cloud provider.
We are transparent with our security program so you can feel informed and safe using our product.
We do not look at security as a destination to reach — it is an ongoing journey. We continually strive to improve our software development and internal operational processes with the aim of increasing the security of our software. The secure way should be the easy way, and that is why security is built into the fabric of our product and infrastructure. Here are a few ways we build security in as part of the way we work, day-to-day.
Threat modelling is used to ensure we are designing in the right controls for the threats we face. During the planning and design phase, we use threat modelling to understand the specific security risks associated with each feature. Generally speaking, threat modelling is a brainstorming session between the engineers, security engineers, architects, and product managers of an application or service. Threats are identified and prioritized, and that information feeds controls into the design process and supports targeted review and testing in later phases of development. We use the Microsoft Threat Modelling Tool and the STRIDE Threat Model framework. STRIDE is an acronym for a common set of security concerns: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. We utilize threat modelling early and often so that relevant security configuration and controls are designed to mitigate threats specific to every feature we develop.
The criticality of Cirrus will vary from customer to customer. From talking to our customers, we know that products like Cirrus can often end up being part of key business processes. To that end, we understand the importance of reliability and recoverability.
The Microsoft Azure platform was chosen because its data centers have been designed and optimized to host applications, have multiple levels of redundancy built in, and run on separate front-end hardware nodes from those on which application data is stored. We care about high availability of your data and services. We focus on product resiliency through standards and practices that allow us to minimize downtime.
Because Cirrus is implemented with industry-leading services such as Azure, it delivers optimal performance with redundancy and failover options globally. While we currently only maintain one region for the main server, we do have geo-redundant storage. Over time we will bring availability zones across the regions where we get the most usage. This will be available by default for premium customers.
We have an extensive daily and weekly backup regime.
In addition to platform-wide resiliency, we also have a comprehensive backup program for Cirrus. However, restore and recovery of these backups will only be provided on our own platform. Application data is stored on a RAID 10 (mirrored and striped) storage node that is replicated to a secondary storage node every hour. If the primary storage nodes have a problem or become unavailable, the applications can be switched over to the secondary storage nodes. Application database backups occur on the following frequencies: daily automated backups are performed and retained for 30 days; daily manual snapshots of the standby instances are sent to the secondary region and are retained for 30 days; snapshots of cross-region replicas will provide the ability to restore data in case of Azure region loss and cross-region replica loss. All snapshot and backup data is fully encrypted.
We have comprehensive, tested business continuity and disaster recovery plans.
We are determined to not mess with our customers, and strive to maintain strong Business Continuity (BC) and Disaster Recovery (DR) capabilities to ensure that the effect on our customers is minimized in the event of any disruptions to our operations.
It is an industry challenge to ship secure products while maintaining a healthy speed to market. Our goal is to achieve the right balance between speed and security — after all, we run almost everything on our own software at Cirrus. There is a range of security controls we implement to keep our product and your data safe.
All data sent between our customers and our product is encrypted in transit (e.g. HTTPS only).
All content stored within Cirrus is encrypted at rest (storage level).
We take innovative approaches to building quality software.
We step outside the traditional realm of Quality Assurance (QA) to ensure new features are introduced quickly and safely by adopting the notion of Quality Assistance. We focus on inculcating a "whole team" mentality to quality by changing the role of QA to a facilitator rather than the person who does the actual QA work. We are also actively working to empower and educate developers to test their own features to our quality standards. While we consistently strive to reduce the number of vulnerabilities in our product, we recognize that they are, to an extent, an inevitable part of the development process.
This approach spans the planning, development and testing phases, each test building on previous work and progressively getting tougher. We have an established approach to static and dynamic code analysis at both the development and testing phases. In the development phase, we focus on embedding code scanning to remove any functional and readily identifiable, non-functional security issues. In the testing phase, both our development and security engineering teams switch to an adversarial approach to attempt to break features using automated and manual testing techniques. Our security engineering team has developed a wide range of security testing tools to automate common tasks and make specialized testing tools available to our product teams. These tools are beneficial for the security team and they empower developers to "self-serve" security scans and take ownership of the output. Our security engineering team are subject matter experts, but it is ultimately every developer in our company who is responsible for their own code.
As much as securing our product is a priority, we also understand the importance of being conscious of the way we conduct our internal day-to-day operations. The concept of “building security in” is the same philosophy we use with our internal processes and influences how our business is conducted.
Access to customer data stored within applications is restricted on a 'need to access' basis.
Within our platform, we treat all customer data as equally sensitive and have implemented stringent controls governing this data. Awareness training is provided to our internal employees and contractors during the on-boarding / induction process which covers the importance of and best practices for handling customer data. Only authorized employees have access to customer data stored within our applications. Authentication is done via individual passphrase-protected public keys, and the servers only accept incoming SSH connections from Cirrus and internal data center locations. Unauthorized or inappropriate access to customer data is treated as a security incident and managed through our incident management process. This process includes instructions to notify affected customers if a breach of policy is observed.
Microsoft Azure is available on premises for those concerned about their data security.
The freemium and basic tiers of subscription use shared servers and have restricted access to features. Performance may be impacted during busy times. We have monitoring tools in place to ensure that the level of service is sufficient for a free service and will scale out to use more servers at busy times.