Commitment to Cloud Security
Engine Yard is committed to maintaining a safe and secure platform for our customers, business partners, and the broader community. Engine Yard has an in-house information security and compliance function that complements the controls that our IaaS provider, Amazon Web Services, provides. Its charter also includes protecting the confidentiality, integrity, and availability of Engine Yard’s data and computing assets. This includes data that may be housed internally, as well as information that may be shared with external parties. For details, download our security whitepaper.
Engine Yard has also allocated engineering staff to develop, test, and deploy security projects for the Company. Additionally, a number of Engine Yard’s support engineers are formally security-trained, possessing the CISSP certification, the industry’s de facto security credential.
The following information is based on an internal assessment of Engine Yard Cloud against the ISO 27002:2005 Standard control objectives.
An Engine Yard Cloud customer cluster is isolated from other customer clusters, and is a self-contained environment that includes compute, storage, and database services. Unlike some other cloud providers, no functionality is shared between virtualized instances. In our single tenancy model, customers own and operate their own instances, including full administrative access - much like a server that is racked in a data center. Due to this, Engine Yard, our IaaS providers, and our customers jointly share security responsibilities across different domains. For details, download our security whitepaper.
Customers can enhance their security and/or meet more stringent compliance requirements by working with Engine Yard to leverage technologies such as host-based firewalls, host-based intrusion detection/prevention systems, 2-factor authentication, encryption, and key management. The nature of this shared responsibility can provide customers flexibility in meeting industry-specific certification requirements.
Engine Yard performs regular risk assessments. The scope of these assessments varies and, depending on the need, they are performed either in-house or by a third party. Engine Yard has recently conducted a penetration test against the product dashboard and our platform services APIs, as well as a general IT business/security processes review.
Keeping up to date on the latest trends is important to Engine Yard, and we are involved with a number of cloud security organizations. Additionally, Engine Yard maintains relationships with a number of other companies’ security organizations, which often gives us advance notice of security issues.
Security Policy Management
Policies are important for setting the tone and direction of the organization, establishing clear responsibilities, and demonstrating accountability to our stakeholders. Engine Yard takes information security seriously and has established Information Security policies that include requirements on:
- Information security objective and scope
- Internet usage
- Information security roles and responsibilities
- Information classification
- Policy development, maintenance, and distribution
- Access management
- Customer data protection and risk management
Information security policies are reviewed annually, and updated as necessary to address new threats or findings from our risk assessment process.