August 15, 2019
Gremlin's Commitment to Security
Gremlin is committed to providing a secure environment for our users to embrace the practice of Chaos Engineering (check out our security page). It is, after all, one of our core principles: Simple, Safe, Secure. In practice, security is a continual journey of improvement and we wanted to share a few milestones.
SOC 2 Type II
We’ve recently completed auditing for the Service Organization Control (SOC) 2 Type II report. Compiled by Peterson & Sullivan, the report documents how Gremlin’s information security practices, policies, and procedures are suitable to meet the SOC 2 trust principles criteria for security and confidentiality.
The goal of the report is to verify the existence of internal controls designed and implemented to meet the requirements for the security principles set forth in the Trust Services Principles and Criteria for Security. It provides a thorough review of how Gremlin’s internal controls affect the security, availability, processing integrity, and confidentiality of the systems it uses to process users’ data, and the confidentiality and privacy of the information processed by these systems. This independent validation of security controls is crucial for customers in highly regulated industries.
GDPR
On May 25th the new EU GDPR regulations went into effect. GDPR provides enhanced privacy rights and protections to EU (EEA) citizens, and strict penalties for violators. We supported this move to strengthen privacy protections, ensuring we were in compliance from day one, and we've also gone a step further by providing those same rights and protections to all our customers, regardless of nationality or location. We've summed up how we collect data and what we do with it in our privacy policy found at gremlin.com/privacy -- if you have any questions or concerns feel free to contact us at privacy@gremlin.com!
Signature-Based Authentication
On the product side, we've recently added support for signature-based authentication, using certificates for the Gremlin client. This provides greater flexibility for deploying Gremlin into ephemeral environments such as AWS Lambda, allows for simple integrations with enterprise certificate and key management systems, and also makes it easier to distribute new credentials. The traditional way of authenticating a Gremlin client (using a shared secret entered via the command line or stored in the environment) will continue to be available -- this change simply adds another way to authenticate.
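To make the difference between the two authentication paths concrete, here is an added illustration in Go. It is not Gremlin's client or API code, and the challenge format, the client identifiers and the use of Ed25519 keys are assumptions made for the example: the server issues a random, time-stamped challenge, the client signs it with a private key that never leaves the client, and the server verifies the signature against the public key it trusts for that client (in practice taken from the client's certificate). The shared-secret path is kept alongside it for contrast.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"time"
)

// Challenge is the server-issued value the client must sign. Its shape is an
// assumption for this illustration, not Gremlin's wire format.
type Challenge struct {
	Nonce    []byte
	IssuedAt time.Time
}

// signedPayload binds timestamp and nonce into the signed bytes, so neither
// can be altered without invalidating the signature.
func signedPayload(c Challenge) []byte {
	buf := make([]byte, 8, 8+len(c.Nonce))
	binary.BigEndian.PutUint64(buf, uint64(c.IssuedAt.Unix()))
	return append(buf, c.Nonce...)
}

// AuthServer holds what the service needs for both paths: a trusted public
// key per client (as extracted from its certificate) and, for the traditional
// path, a per-client shared secret.
type AuthServer struct {
	TrustedKeys   map[string]ed25519.PublicKey
	SharedSecrets map[string][]byte
	MaxAge        time.Duration
	used          map[string]bool // nonces already redeemed, to stop replay
}

func NewAuthServer(maxAge time.Duration) *AuthServer {
	return &AuthServer{
		TrustedKeys:   map[string]ed25519.PublicKey{},
		SharedSecrets: map[string][]byte{},
		MaxAge:        maxAge,
		used:          map[string]bool{},
	}
}

// NewChallenge issues a fresh random nonce stamped with the given time.
func (s *AuthServer) NewChallenge(now time.Time) (Challenge, error) {
	nonce := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Challenge{}, err
	}
	return Challenge{Nonce: nonce, IssuedAt: now}, nil
}

// VerifySignature is the certificate/key path: check freshness, reject
// replayed nonces, then verify the signature with the client's trusted key.
func (s *AuthServer) VerifySignature(clientID string, c Challenge, sig []byte, now time.Time) error {
	pub, ok := s.TrustedKeys[clientID]
	if !ok {
		return errors.New("unknown client")
	}
	if age := now.Sub(c.IssuedAt); age < 0 || age > s.MaxAge {
		return errors.New("challenge expired or from the future")
	}
	key := hex.EncodeToString(c.Nonce)
	if s.used[key] {
		return errors.New("challenge already redeemed")
	}
	if !ed25519.Verify(pub, signedPayload(c), sig) {
		return errors.New("invalid signature")
	}
	s.used[key] = true
	return nil
}

// VerifySharedSecret is the traditional path; the comparison is constant-time
// so a wrong secret cannot be distinguished by timing.
func (s *AuthServer) VerifySharedSecret(clientID string, presented []byte) error {
	expected, ok := s.SharedSecrets[clientID]
	if !ok || subtle.ConstantTimeCompare(expected, presented) != 1 {
		return errors.New("shared-secret authentication failed")
	}
	return nil
}

// SignChallenge is the client side. Only the private key signs and it is never
// sent anywhere, which is why rotating credentials becomes a matter of
// distributing a new certificate rather than a new secret.
func SignChallenge(priv ed25519.PrivateKey, c Challenge) []byte {
	return ed25519.Sign(priv, signedPayload(c))
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	srv := NewAuthServer(2 * time.Minute)
	srv.TrustedKeys["lambda-worker-1"] = pub // constructed client id
	now := time.Now()
	ch, _ := srv.NewChallenge(now)
	sig := SignChallenge(priv, ch)
	fmt.Println("first use:", srv.VerifySignature("lambda-worker-1", ch, sig, now))
	fmt.Println("replay:", srv.VerifySignature("lambda-worker-1", ch, sig, now))
}
```

The freshness window and the redeemed-nonce set are what keep a captured signed challenge from being reused; in a real deployment the redeemed set would be bounded by the same window rather than grow without limit.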
Encryption
On the subject of data protection, we've always encrypted all communications with our service using TLS, and we've always encrypted the sensitive data we store using AES-256 (and, in the case of passwords, a randomly salted SHA-2 hash). Recently, however, we’ve updated our internal systems to encrypt all data that our service stores, regardless of its sensitivity level. We want to assure our customers that Gremlin gives their data the same level of protection as, or better than, they would give it themselves. You can rest easy knowing that we are treating even the most mundane details as if they were your most privileged information!
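As an added example (not Gremlin's storage code; the record layout, field names and key handling are assumptions), the following Go shows the two at-rest protections the paragraph names: AES-256-GCM for stored fields, with the record's identity bound in as associated data so a ciphertext cannot be quietly moved to another record, and a randomly salted SHA-256 digest for passwords, compared in constant time. The sample plaintext is deliberately a mundane field, matching the point that everything gets encrypted regardless of sensitivity.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"io"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecord encrypts one stored field with AES-256-GCM. recordID (for example
// a row id) is authenticated as associated data. Output is nonce || ciphertext.
func SealRecord(key, plaintext, recordID []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, recordID), nil
}

// OpenRecord reverses SealRecord and fails on any tampering, truncation, or a
// recordID that does not match the one the field was sealed under.
func OpenRecord(key, sealed, recordID []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns+gcm.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], recordID)
}

// PasswordRecord is the stored form: a per-user random salt plus the SHA-256
// digest of salt || password, i.e. the "randomly salted SHA-2 hash" the post
// describes. A deliberately slow KDF (PBKDF2, bcrypt, scrypt, Argon2) is the
// stronger choice for new designs; the digest step is isolated so it can be
// swapped without changing storage or verification.
type PasswordRecord struct {
	Salt   []byte
	Digest []byte
}

func passwordDigest(salt []byte, password string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

// HashPassword draws a fresh 16-byte salt, so equal passwords never share a digest.
func HashPassword(password string) (PasswordRecord, error) {
	salt := make([]byte, 16)
	if _, err := io.ReadFull(rand.Reader, salt); err != nil {
		return PasswordRecord{}, err
	}
	return PasswordRecord{Salt: salt, Digest: passwordDigest(salt, password)}, nil
}

// VerifyPassword recomputes the digest and compares in constant time.
func VerifyPassword(rec PasswordRecord, password string) bool {
	return subtle.ConstantTimeCompare(rec.Digest, passwordDigest(rec.Salt, password)) == 1
}

func main() {
	key := make([]byte, 32)
	io.ReadFull(rand.Reader, key) // constructed key; real keys come from a KMS
	sealed, _ := SealRecord(key, []byte("last_login_ip=10.0.0.5"), []byte("user:42"))
	_, err := OpenRecord(key, sealed, []byte("user:43"))
	fmt.Println("ciphertext moved to another record:", err)
}
```

The key in a real system would be fetched from a key management service rather than generated in place, and the per-record nonce is what makes reusing one key across many records safe.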
Role-Based Access Control
With RBAC you can ensure that every Gremlin user at your company has the correct level of permissions for running attacks, managing users and teams, and configuring account settings. Permissions are assigned to roles, and roles are assigned to users, so you can establish a precise separation of duties. Besides enforcing that separation among users, RBAC also improves visibility into which privileges each user holds. For more information, read the RBAC blog post.