To ensure the optimal performance and security of CloudSoda’s products, it is critical that customers and CloudSoda clearly understand and fulfill their respective obligations. CloudSoda offers two deployment models for its solution: on-premises, where the customer assumes responsibility for maintaining a CloudSoda-compatible environment or Software-as-a-Service (SaaS), where the customer's responsibility to manage their operating system, backups, and network access for CloudSoda software are significantly reduced. This document outlines the key responsibilities of CloudSoda and its customers in both scenarios.
On-Premises Installation
This section outlines joint responsibilities between CloudSoda and the customer when CloudSoda products are installed in the customer’s data center, including security, maintenance, and compliance obligations.
Customer Responsibilities
1. Operating System Management
- Supported Linux Distribution: The customer is responsible to run a supported Linux distribution. It is critical that the customer maintain their operating system consistent with the OS vendor’s requirements and best practices.
- Patching and Updates: The customer must regularly apply security patches and updates to the operating system. Active patching and OS updates ensure that their network environment remains secure and compatible with CloudSoda’s software.
- Monitoring: Client-hosted environments must be monitored by the client's own methods. Currently, clients are permitted to use industry-trusted monitoring platforms as long as they do not negatively impact the operation and/or performance of the CloudSoda platform.
2. Backup Management
- Folder Backup /soda: The customer is responsible to regularly back up the `/soda` folder. Maintaining regular backup ensures that, in the event of a system failure or data corruption event, critical data and configurations can be recovered and restored.
3. Network Access and Configuration
- Controller Internet Access:
- Updates: The customer's server must be able to retrieve required updates from the internet. The customer is responsible to ensure that the server has sufficient internet access to download and apply these updates.
- Functionality: To guarantee full functionality of the CloudSoda product, we highly recommend that the customer configure their controller for unrestricted internet access. Limiting the controller's access could result in degraded CloudSoda performance or limited functionality of the CloudSoda platform. The controller does not need to be accessible from the internet, but it must be accessible from anywhere that a CloudSoda Agent will be deployed.
- Firewall Management: If the customer opts to limit internet access by applying firewall rules, then the customer is fully responsible to maintain these rules and provide CloudSoda with consistent network access. Specifically, firewall rules must meet these requirements:
- URL-Based Rules: The firewall must use URL-based rules that enable URL handling rather than static IP addresses, as required resources may periodically change IP addresses.
- Consistency: The firewall rules must be consistently monitored and updated to ensure they do not block connections used by CloudSoda to apply product updates and/or functional upgrades. CloudSoda may add public services relied on by the controller and the customer must be willing to open their URLs to allow the controller to access these services.
4. Server IP Address Management
- Static IP Requirement: The server must retain a consistent IP address to function correctly with CloudSoda’s services. If the server's IP address needs to be changed, then the customer must contact CloudSoda prior to making this update.
- Planning IP Changes: The customer should work with CloudSoda to plan any IP changes to their network environment. This collaboration is intended to minimize disruption to the delivery of CloudSoda's services and enables the customer and CloudSoda to determine the proper reconfiguration of required settings. CloudSoda will not be responsible for service interruptions relating to unplanned IP changes. We can assist the customer to bring the CloudSoda platform back online after a service interruption.
5. DNS, SSL Certificates for non-CloudSoda Domains
For deployments that do not use CloudSoda's domains (such as cloudsoda.io), the customer must create and manage DNS records related to application services. These records do not need to be published publicly, however they must be resolvable anywhere that an Agent will be placed.
CloudSoda's application stack requires valid SSL certificates. Customers must provide sufficient facilities to request and furnish valid SSL certificates to coordinate with their DNS entries. Self-signed certificates are not acceptable for this solution. Private Certificate Authorities may be functional, but they must meet several requirements - be valid wherever users will access the UI and work on any browsers that may be used. CloudSoda can provide recommendations regarding DNS and SSL certificates, and suggest practices for using them, but we do not assume responsibility for the certificates or their creation.
CloudSoda Responsibilities
1. Software Maintenance and Support
- Regular Software Updates: CloudSoda is responsible to maintain and support our software by releasing regular product updates. It is critical that the customer timely apply these updates to ensure the security, stability, and performance of the CloudSoda product.
- Technical Support Resources: CloudSoda provides both a documentation portal and technical support resources to assist customers with any issues or problems related to our product. This support is available to help customers with CloudSoda troubleshooting, applying updates, and other technical needs.
2. Update Notifications and Communication
- Update Notifications: Due to the critical nature of some updates, CloudSoda may or may not notify the customer before an update is released to their environment. This approach ensures that urgent updates can be applied without delay to protect the customer's system.
- Post-Update Communication: CloudSoda is responsible to communicate with the customer after an update has been applied. This notification will include a description of the changes made and any relevant details that the customer needs to know regarding the update.
3. DNS, SSL Certificates for CloudSoda Domains
CloudSoda will manage DNS and SSL certificates for deployments using CloudSoda domains (cloudsoda.io). This management responsibility includes, but is not limited to generation, maintenance, and decommissioning of both the DNS records and the platform's requisite SSL certificates. CloudSoda will create the DNS records in a publicly-resolved zone. SSL certificates will use well-known Certificate Authorities (CAs).
SaaS Installation
This section outlines the shared responsibilities between CloudSoda and the customer when CloudSoda is deployed as a SaaS solution, including security, maintenance, and compliance obligations.
Customer Responsibilities
1. Account Management
- Ensure proper account management, including the creation of strong passwords.
- Regularly review and update user access control settings.
2. Application Usage
- Ensure that the SaaS product is used in compliance with applicable laws and regulations, including data protection laws (GDPR, CCPA, etc.).
3. Incident Reporting
- Immediately report any suspected security incidents or breaches related to the Customer's account or data usage to CloudSoda Support.
4. Integration & API Management
- Manage all external integrations with CloudSoda and ensure that third-party applications follow security best practices.
- Secure API keys and credentials to avoid unauthorized access.
5. Agent Connectivity
- Ensure that CloudSoda Agents are allowed to connect to the Controller in the customer's environment, as outlined in our security white papers:
CloudSoda Responsibilities
1. Data Security & Encryption
- Encrypt customer data in transit (using TLS/SSL) and sensitive data at rest to ensure its confidentiality and integrity.
2. Software Updates & Patching
- Regularly update and patch the SaaS product to ensure it remains secure and free from vulnerabilities.
- Notify customers of significant updates or changes to the SaaS product that may impact their usage.
3. Service Availability & Uptime
- Ensure high availability of the service, with a target uptime of 99.9%, supported by monitoring systems.
4. Data Backup
- Perform regular backups of customer data to prevent data loss.
- Ensure data recovery mechanisms are in place in the event a system failure or outage occurs.
5. Data Deletion & Retention
- Permanently delete customer data within 24 hours after account deletion or contract termination.
- Ensure compliance with legal and regulatory requirements regarding data retention and deletion.
6. Monitoring & Incident Response
- Continuously monitor for security incidents or threats to the platform.
- Provide timely notifications to the customer in the event of a data breach or incident impacting their data.
7. Access Control
- Enforce role-based access controls and multi-factor authentication (MFA) for service administrators.
- Restrict access to customer data to authorized personnel, as per industry best practices.
Conclusion
By accepting these shared responsibilities, the customer and CloudSoda can ensure the reliable operation of CloudSoda services in a secure environment. CloudSoda remains committed to providing the necessary support and guidance to assist customers in fulfilling their responsibilities.
If you have questions or need additional guidance, please contact CloudSoda Support.
Comments
0 comments
Article is closed for comments.