Security whitepaper: Snow Atlas

2021-07-01

Introduction

Snow Atlas is an integrated, cloud-native technology intelligence platform that delivers Snow technology and solutions as SaaS. Snow Atlas is deployed in the Microsoft Azure cloud, and Snow experts manage the infrastructure and application operations, so Snow customers can consume Snow products directly from the cloud. Snow Atlas is now available worldwide in Early Access, with general availability planned for late 2021 or early 2022.

This whitepaper provides an overview of the security practices that are being built into Snow Atlas.

Managed cloud instance for your business

All applications in the Snow Atlas platform are deployed to a world-leading cloud provider, Microsoft Azure. The Azure cloud meets a range of security standards, including ISO 27001, HIPAA, FedRAMP, SOC 1, and SOC 2. Azure also publishes a full list of its compliance offerings.

The core of the Atlas infrastructure is built with cloud-native technology and is operated by Azure Kubernetes Service (AKS), a secure and modern deployment of the Kubernetes container orchestration platform.

Snow Atlas introduces a completely new data processing model with a dedicated API gateway that filters traffic and securely directs it to the correct tenant based on a set of secure attributes provided by the Snow Identity Provider service (IDP). This gives enhanced data separation, full control and visibility over data flows, and a single point at which potentially malicious requests are stopped before they enter the system. High-severity and high-priority incidents are alerted to on-call engineers via PagerDuty.

Isolation by design

All customers on the Atlas platform are sole tenants of their product bundle deployment: all the data in the application belongs to the tenant.

All tenant data resides in a designated data region, so that sensitive data does not leave that region and local data-protection and encryption standards are complied with.

Data encryption

All data in transit is encrypted using TLS with a compliant, secure cipher suite that prohibits the use of weak or insecure algorithms.
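To make "prohibits weak or insecure algorithms" concrete, the following added example (not code from the whitepaper or from Snow) shows a server-side TLS context that refuses TLS 1.0/1.1 and non-AEAD suites, next to a small audit that flags legacy ciphers. The cipher string, the list of weak-algorithm markers and the constructed legacy cipher list are assumptions made for the example.

```python
import ssl

# Substrings that mark weak or insecure algorithms in OpenSSL cipher names.
# This list is an assumption for the example, not Snow's published policy.
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "ADH", "AECDH")

# OpenSSL cipher string limiting TLS 1.2 to forward-secret AEAD suites.
# TLS 1.3 suites are AEAD-only and are selected separately by OpenSSL.
STRONG_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES"


def audit_cipher_names(names):
    """Return the cipher names that contain a weak-algorithm marker."""
    return [n for n in names if any(m in n.upper() for m in WEAK_MARKERS)]


def audit_context(ctx):
    """List policy violations for a live SSLContext; an empty list is compliant."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol version below TLS 1.2")
    enabled = [c["name"] for c in ctx.get_ciphers()]
    findings.extend(f"weak cipher enabled: {n}" for n in audit_cipher_names(enabled))
    return findings


def hardened_server_context():
    """Server-side context that refuses legacy protocol versions and weak suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.0 and 1.1 are refused
    ctx.set_ciphers(STRONG_CIPHERS)               # no RC4, 3DES, MD5 or anonymous DH
    return ctx


if __name__ == "__main__":
    # Constructed cipher list, as a legacy server might advertise it.
    legacy = ["ECDHE-RSA-AES128-GCM-SHA256", "DES-CBC3-SHA", "RC4-SHA", "NULL-MD5"]
    print("weak entries in legacy list:", audit_cipher_names(legacy))
    print("findings for hardened context:", audit_context(hardened_server_context()))
```

The audit reads the context's effective cipher list back from OpenSSL rather than trusting the configured string, which is the check worth running against any listener: what the library actually negotiates is what matters.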

Data at rest is securely stored in Microsoft Azure data centers and is encrypted using Microsoft Disk Encryption technology.

Identity protection

Identity and Access Management (IAM) is provided by the Snow Identity Provider (IDP). Snow IDP implements modern, secure frameworks and protocols such as OAuth 2.0 and OpenID Connect (OIDC). Multiple flows are supported depending on the client implementation and its capabilities, including but not limited to the authorization code flow, Proof Key for Code Exchange (PKCE), and the hybrid, implicit and client credentials grants.
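Of the flows listed, PKCE is the one most worth seeing end to end, because it is what lets a public client (a browser app or a CLI without a client secret) use the authorization code flow safely. The added example below is not the Snow IDP's code; it implements the S256 method from RFC 7636 with the standard library and a hypothetical in-memory authorization server to show where the challenge is stored and later checked. The client id and the token format are placeholders.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(raw):
    """Base64url without padding, as RFC 7636 requires for both values."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_verifier(nbytes=32):
    """Client side: a fresh high-entropy code_verifier (32 bytes -> 43 chars)."""
    return b64url(secrets.token_bytes(nbytes))


def make_challenge(verifier):
    """Client side: S256 code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(stored_challenge, presented_verifier, method="S256"):
    """Server side: recompute the challenge at the token endpoint and compare.
    Only S256 is accepted; 'plain' gives no protection if the code leaks."""
    if method != "S256" or not 43 <= len(presented_verifier) <= 128:
        return False
    return hmac.compare_digest(make_challenge(presented_verifier), stored_challenge)


class AuthorizationServer:
    """Hypothetical stand-in for an identity provider's authorization and token
    endpoints; it only shows where the challenge is stored and later checked."""

    def __init__(self):
        self._codes = {}  # authorization code -> (challenge, method, client_id)

    def authorize(self, client_id, code_challenge, method="S256"):
        """Authorization endpoint: bind the challenge to a one-time code."""
        code = secrets.token_urlsafe(24)
        self._codes[code] = (code_challenge, method, client_id)
        return code

    def token(self, client_id, code, code_verifier):
        """Token endpoint: the code is consumed whether or not the check passes."""
        entry = self._codes.pop(code, None)
        if entry is None:
            return None  # unknown or already-used code
        challenge, method, owner = entry
        if owner != client_id or not verify_pkce(challenge, code_verifier, method):
            return None
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def run_flow(client_id="atlas-portal"):
    """One complete exchange plus two failure cases; returns the outcomes."""
    idp = AuthorizationServer()
    verifier = make_verifier()
    code = idp.authorize(client_id, make_challenge(verifier))
    # A code presented without the matching verifier yields no token.
    without_verifier = idp.token(client_id, code, make_verifier())
    # The code is single-use, so the legitimate client cannot reuse it either.
    reused = idp.token(client_id, code, verifier)
    code2 = idp.authorize(client_id, make_challenge(verifier))
    legit = idp.token(client_id, code2, verifier)
    return {"code_without_verifier": without_verifier, "reused_code": reused,
            "legitimate": legit is not None and legit["token_type"] == "Bearer"}


if __name__ == "__main__":
    print(run_flow())
```

Two details carry the security value: the verifier never leaves the client until the token request, and the server consumes the code on first use so a failed exchange cannot be retried.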

SSO integration is currently supported through Azure Active Directory.

The Snow IDP is protected by policy-based, rate-limiting and metrics-based threat analysis, provides audit-logging capabilities including end-user-facing account logs, and uses modern encryption and hashing standards. The Snow IDP is at the core of tenant security management and is designed as a modern, cloud-native identity and authorization broker.

Identity management and Snow Atlas tenant operations are performed via a new component named Snow Portal. It is natively integrated with the Snow Identity Provider and allows granular control over user rights and permissions by setting scopes for access to the various areas of the Snow Atlas platform, products and services.

Multi region

Azure provides data centers in a variety of locations across the globe. Snow Atlas uses a mix of global and regional Azure services. Each tenant is pinned to a specific region, chosen according to customer preference, and its data is kept locally in that region. Some data is kept in global storage for global routing purposes.

Snow supports deployment to the following Azure regions: EMEA | Amsterdam, APAC | Victoria, and Americas | Virginia.

Protecting and handling confidential information

Snow treats all customer data with the utmost confidentiality, regardless of classification. This policy restricts access to confidential information to those employees who are required to access it as part of their job, and then only in circumstances where such access is required to provide a specific service to the customer. In such circumstances, the employee is provided a least-privilege account with only the access needed to perform the task at hand.

User access reviews and policy

On a quarterly basis, Snow management reviews Snow employees’ user access to in-scope systems for continued appropriateness and removes any access that is no longer required. Upon termination of employment, all account access and rights are revoked.

Secure data transit design

Snow has built a secure workflow to ensure that collected information cannot be spoofed by malicious actors. Snow Extender is introduced as part of this workflow to act as a gateway for securely transferring inventory data from customer environments to Snow Atlas. Users can configure, create, and securely download Snow Extender from Snow Atlas.

Snow Extender validates with Snow Atlas at every sign-in to ensure both that data is allowed to be transferred and that it is transferred to the correct customer tenant. Snow IDP authenticates the connection from Snow Extender to ensure a secure flow of data. All data is encrypted both in transit and at rest to ensure data integrity and confidentiality.
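The two controls described on this page that rest on IDP-issued attributes, the API gateway that directs traffic to the right tenant and the per-sign-in check that Extender data lands in the correct customer tenant, reduce to the same mechanism: verify the token, then trust only the tenant attribute inside it. The added example below is not Snow's gateway or IDP code. It mints and verifies a minimal JWT with an HMAC key so that it runs with the standard library alone (assumption: a real gateway would verify the IDP's asymmetric signature against the IDP's published keys), and the issuer, audience, claim names, path layout and backend naming are all placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Shared HMAC key standing in for the IDP's signing key (assumption: a real
# gateway verifies the IDP's asymmetric signature against its published keys;
# HS256 is used here only to keep the example dependency-free).
IDP_SIGNING_KEY = b"example-only-not-a-real-key"
ISSUER = "https://idp.example"  # placeholder issuer value
AUDIENCE = "atlas-gateway"      # placeholder audience value


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims, key=IDP_SIGNING_KEY):
    """IDP side: mint an HS256 JWT whose claims carry the tenant attribute."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify_token(token, key=IDP_SIGNING_KEY, now=None):
    """Gateway side: check structure, pinned algorithm, signature, issuer,
    audience and expiry. Returns the claims, or None on any failure."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(body_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64, bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":  # the gateway pins the algorithm
        return None
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None
    return claims


def route_request(token, path, now=None):
    """Pick the tenant backend a request may reach, or None to drop it.
    The tenant is taken only from the verified token, never from the URL or
    a client-supplied header; '/t/<tenant>/...' is a constructed path layout."""
    claims = verify_token(token, now=now)
    if claims is None or not isinstance(claims.get("tenant_id"), str):
        return None
    tenant = claims["tenant_id"]
    parts = path.split("/")
    if len(parts) >= 3 and parts[1] == "t" and parts[2] != tenant:
        return None  # token tenant and requested tenant disagree
    return f"tenant-{tenant}.internal"  # constructed backend naming


def demo(now=1_700_000_000):
    """Run the gateway over constructed tokens; returns the outcome per case."""
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": "extender-01",
              "tenant_id": "acme", "exp": now + 600}
    token = issue_token(claims)
    header, _, sig = token.split(".")
    # Same header and signature, but the tenant claim edited after signing.
    edited_body = b64url_encode(json.dumps(dict(claims, tenant_id="globex")).encode())
    return {
        "own_tenant": route_request(token, "/t/acme/inventory", now=now),
        "cross_tenant": route_request(token, "/t/globex/inventory", now=now),
        "expired": route_request(token, "/t/acme/inventory", now=now + 601),
        "edited_claim": route_request(f"{header}.{edited_body}.{sig}", "/t/globex/inventory", now=now),
        "wrong_key": route_request(issue_token(claims, key=b"not-the-idp-key"), "/t/acme/inventory", now=now),
    }


if __name__ == "__main__":
    for case, backend in demo().items():
        print(f"{case:13s} -> {backend or 'rejected'}")
```

The point the whitepaper makes about "full control and visibility into data flows" follows from this shape: every request crosses one function that either names a tenant backend or returns None, so the drop decisions in `route_request` are the natural place to emit the events an on-call engineer would be paged on.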

Change management

Snow follows GitOps practices, which entail strict change control processes and give a transparent, clear view of production releases and all production changes.

SDLC

The development of Snow products is managed by a secure development life cycle (SDLC) that injects security practices and controls into every stage of the development cycle, from design to release to operations of the system. These activities include, but are not limited to, security code review, threat modeling, automated scanning, workshops, and education sessions for engineers.

Leading automated tools for verifying the security of the products are used as part of Atlas software development and the Snow Continuous Integration pipeline. Snow uses static application security analysis, dynamic application security analysis, and software composition analysis, with integrated alerting for newly discovered vulnerabilities.

Penetration tests

The Atlas platform infrastructure, Snow License Manager, Snow Inventory Agents, and the other Snow products that comprise the customer platform are regularly tested by internal and external security researchers.

External security assessments and penetration tests are conducted by an independent CREST-approved supplier. The security researchers who participate in an assessment are selected based on their skills, experience, and fit with the specifics of the domain.

Bug bounty program

Snow has implemented a managed bug bounty program for the critical components of products deployed to millions of devices. The bug bounty program is managed by an independent provider and has the world’s most skilled security researchers working continuously to find vulnerabilities in Snow products. This approach complements regular penetration testing and ensures we deliver secure products across new versions and releases.

Regulatory compliance and certifications

Snow complies with the GDPR and adheres to its rules and procedures. Snow has implemented controls to ensure GDPR compliance, and our internal incident-reporting policy is aligned with GDPR requirements.

Snow uses the ISO 27001 standard for information security management and has implemented an ISO-aligned Information Security Management System (ISMS), which defines information security activities across the organization and is authorized by the Snow executive leadership team.

Responsible disclosure

Snow follows the principles of responsible disclosure. The responsible disclosure policy is publicly accessible on the Snow Software website.