Yugabyte Security and Trust Center
Yugabyte’s End-to-End Approach to Security
YugabyteDB is built for sensitive, mission-critical transactional data. As a result, each and every one of our customers deserves best-in-class security from their data layer. Yugabyte is committed to delivering world-class security capabilities.
Aligned to our security mission and objectives, Yugabyte has established a security program based on the ISO 27001 security framework and audited by an independent accounting firm using the SSAE18 SOC 2 standards, which includes testing against the trust principles of security, availability, and confidentiality.
Our security protocols fall into 3 separate areas:
- Product Security: security features of our products, including how we help customers meet security and privacy compliance requirements
- Product Development Security: how we build our product securely
- Corporate Security: how we secure our company and comply with privacy obligations
Yugabyte leverages a holistic approach to securing our products and systems. Our product design approach is consistent with the SD3+C development methodology and spans each of our offerings: YugabyteDB, YugabyteDB Anywhere and YugabyteDB Managed.
The following security activities apply across all of our products:
- Vulnerability Disclosure Policy: Vulnerability reporting is essential to building a secure platform. We take vulnerabilities very seriously, and strongly encourage anyone to report security vulnerabilities privately to our security team so we can investigate and strive to resolve before they can be exploited.
- Security Advisory Council: We collaborate with industry experts on best practices around enterprise-wide information security programs designed to ensure the confidentiality, integrity, safety, and availability of products and services from unauthorized access, loss alteration, and damages.
Critical Enterprise-Grade Security Features
- YugabyteDB Anywhere
- YugabyteDB Managed
- Customer-Managed Infrastructure security features
- YugabyteDB Managed Security Architecture
- Shared Responsibility Model
- YugabyteDB Managed Administrative and Technical Safeguards based on ISO 27001-based and SOC 2-based security programs)
- Networks: Yugabyte maintains a Network Security Policy and divides the network into two logical environments: non-production and production.
- Data Retention & Destruction: Customer data is fully managed over the lifecycle of use, from submission to destruction
- Yugabyte Personnel: Personnel complete annual training and must undergo a complete screening process.
- Access Control: Yugabyte’s Information Security policy governs access to environments, customer data, managed service and more.
- Privileged Access: Admin access limited and reviewed bi-annually and includes an additional layer of authentication
- Environmental Safety: Utilize the data center environmental security safeguards maintained by cloud hosting providers
- System Monitoring: In addition to daily oversight, vulnerability assessments, security incident management, and security awareness training, Yugabyte uses automated monitoring to YugabyteDB Managed.
- Incident Response: Yugabyte maintains an Incident Response Policy which includes an Incident Response Plan
- Data Backup & Recovery: A default backup schedule allows for data recovery in the event of an incident with user-configurable frequency.
- System Account Management: In-scope system components require unique usernames and passwords for authentication.
- Risk Management: Yugabyte assesses risks posed by changes in the operating environment and addresses the implications for the internal control system.
- Vulnerability Management and Penetration Testing: Internal vulnerability management program includes OSS vulnerability software scanning, information systems vulnerability scanning, and general application vulnerability scanning.
- Vendor Risk Management: Yugabyte does due diligence on all vendors to address potential risks to the security, availability and confidentiality of customer information.
- Internal & External Audit Program: An internal audit program ensures any deviations from our standards, processes, and procedures are remediated in a timely fashion.
In accordance with the SD3+C approach to product development, Yugabyte’s Secure Software Development Lifecycle (SSDLC) includes security and privacy considerations throughout our product and service development process, enabling our engineers to build highly secure software, while addressing the modern privacy and security compliance requirements of our customers. We use best practices, tools and processes that include the following:
- Established security best practices including OWASP Secure Coding Practices
- Defined security and privacy requirements that reflect changes in the regulatory and threat landscape
- Vulnerability management program leveraging the Common Vulnerability Scoring System (CVSS) for classifying the severity of vulnerabilities
- Defined response metrics with set thresholds for responding to vulnerability reports
- Threat modeling incorporated in the product design phase of our SSDLC
- Established design requirements that prioritize new and requested security features
- Define and use cryptography standards with an established Cryptographic Security Policy
- Manage security risk of using open source components which benefits from having many eyes on the same code looking for vulnerabilities. But use of open source also comes with security risks that should be managed. We use a four stage process to manage any open source security risk: Track open source usage, perform vulnerability checks, complete regular patching and use approved tools.
- Third-party penetration testing that completes three types of penetration tests of our software: Application Penetration Testing, Binary and Runtime Analysis Testing, and Network Perimeter and System Penetration Testing.
- Third-party application security testing evaluates our products from both a design and vulnerability perspective.
- Third-page network protocol analysis using various packet flow analysis and packet capture tools to observe in-scope network traffic with the objective of identifying scenarios where the integrity of trusted communications can be diminished or reduced.
- Change control and release management controlled by established Yugabyte Change Management Policy
In accordance with our ISO 27001-based security program, Yugabyte has established the following corporate security policies, procedures, processes, and standards:
- Physical & Environmental Security
- Risk Management Program
- Network Security
- Asset Management
- Third-Party Vendor Risk Management
- Device Security
- Human Resources Security
- Incident Response and Breach Notifications
- Information & Engineering Systems