Security By Design: How Dome9 Goes Above and Beyond to Keep Your Cloud Safe

At Dome9, we live by a simple motto: security-first. At every opportunity, we push past the expected minimums to provide unexpected satisfaction and confidence to our customers. As a security firm, we are held to a high standard when it comes to securing our platform. We want to be prepared at all times to provide our clients not only with fantastic results, but also with verifiable proof that our security posture is strong.

In our pursuit of demonstrable security, we have pushed ourselves to earn the industry’s most recognized  accreditations – Dome9 is a SOC 2 Type 2 and ISO 27001 certified organization. These titles were achieved after exhaustive audits of Dome9’s security processes and technologies conducted by highly recognized third party organizations. You can find out more about the substance and processes of these awards below.

SOC 2 Type 2 –

What is it?

SOC 2 compliance is part of the AICPA Service Organization Control (SOC) reporting platform. The American Institute of Certified Public Accountants launched these SOC reporting platforms in order to keep service agencies more accountable. It replaced the previous industry-standard SAS 70 report in 2011.

There are three (3) reporting options: SOC 1, SOC 2, and SOC 3. SOC 2 is the accreditation specifically dealing with an organization’s readiness to provide services safely in the public cloud. This is the certification that Dome 9 has achieved.

The main purpose of earning this accreditation is to demonstrate to customers that a respected third party has examined your services and found that they meet a set of high security standards. These standards are known as “Trust Principles” and are as follows:

Security: The system is protected both logically and physically from unauthorized access.

Availability: The system is available for use as committed and agreed to.

Processing Integrity: System processing is complete, timely, accurate and organized.

Confidentiality: Information that is designated “confidential” is protected as protected and agreed to.

Privacy: Personal information is protected used retained and disclosed in conformity with the commitment’s in the entity’s privacy notice and with the privacy principles put forth by the American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants.

How did we get it?

Achieving SOC 2 Compliance requires an exhaustive audit of a service provider’s products and methodologies. In our case, the audit was performed by  EY (formerly Ernst & Young) — a global leader in assurance, tax, transactions and advisory services.

EY’s examination included independent testing of controls related to the Dome9 Arc SaaS platform. The SOC 2 Type 2 report indicates that controls were suitably designed and operating effectively over a period of time.

These controls meet the criteria for security, availability, processing integrity, confidentiality and privacy defined in Section 100 of Trust Services Principles and Criteria established by the American Institute of CPAs (AICPA), Assurance Services Executive Committee (ASEC).

In short: we passed with flying colors! According to a venerable third party, Dome9 is a service you can trust. If you would like to read the SOC 2 attestation report, please contact us.

ISO 27001 Certification

What is it?

The ISO/IEC 27001 is the world’s leading and best-known standard in providing requirements for an information security management system (ISMS). It is essentially a gold star from one of the world’s premiere regulating agencies and a beacon to the world that your system is considered safe to the highest possible standards.

How did we get it?

In order to be certified in ISO 27001, your entire organization needs to be prepared to push themselves towards perfection.

To begin with, ISO certification is not mandatory. Therefore going for it means that your organization’s leadership needs to see the value in being able to express to customers a ratified proof of excellence.

Once the senior team has okayed the time and money spend the process will require, the real work begins.

ISO certification audits are provided by a variety of third party groups. However, before even reaching out to them a thorough internal review is required. A full look at the reviews and checks necessary for ISO certification to be obtained can be found here. But, in general, the audit that is conducted by the third party certifier will include the following three stages:  

• Stage 1—Informal review of the system that includes checking the existence and completeness of key documents such as the:

 – Organization’s security policy

 – Risk treatment plan (RTP)

 – Statement of applicability (SOA)

• Stage 2—Independent tests of the system against the requirements specified in ISO/IEC 27001. Certification audits are usually conducted by ISO/IEC 27001 lead auditors.
• Stage 3—Follow-up reviews or periodic audits to confirm that the organization remains in compliance with the standard. Certification maintenance requires periodic reassessment audits to confirm that the system continues to operate as specified and intended.

Passing these rigorous tests requires some serious economic and personnel buy-in. But, at Dome9, our customers day in and day out security is our number one priority. With that in mind we were completely willing to take on this challenge.

In Conclusion: We’ve got your back!

Dome9 will always go above and beyond to ensure that you can sleep well at night — even if it means losing sleep ourselves.

Whether you’re an existing customer, or considering a change, with Dome9 you can rest assured that your public cloud environments are under a very well certified lock and key. You can learn more about the security of the Dome9 platform by visiting the Security By Design page.