Ensuring the Security and Compliance of your Cloud Native Data Protection Service
As a developer of copy data management and data protection products for 20+ years, Catalogic Software has considerable experience in securing and protecting our customers’ data. For our new CloudCasa backup service for Kubernetes and cloud native databases, security is built into every step of the service using a modern DevSecOps approach. In addition, we are adding new capabilities to meet specific enterprise security, data custodian, and governance requirements.
Let’s go through some highlights of how we secure our CloudCasa service, to help ensure your cloud native application data is secure and available.
CloudCasa Service Security
CloudCasa is hosted on Amazon Web Services (AWS) where we leverage the native security mechanisms provided by AWS. We also benefit from the AWS Partner Network (APN) technical review process that assesses an APN Partner's solution against a specific set of AWS best practices around security, performance, and operational processes that are most critical for customer success.
According to Gartner, nearly all successful attacks on cloud services are the result of customer misconfiguration, mismanagement, and mistakes. With that in mind, we regularly perform security and compliance checks to help ensure the cloud security posture of CloudCasa.
Further, communication with our home.cloudcasa.io web portal is always encrypted via TLS 1.2 or 1.3. We recommend that you make sure support for TLS 1.3 is enabled in your browser.
CloudCasa Agent Security
The CloudCasa agent runs only on your clusters, and it requires the ClusterAdmin role to access the resources and data to protect. All communications between your clusters and CloudCasa are initiated by your local CloudCasa agent as outbound TCP connections to the CloudCasa service (agent.cloudcasa.io) on port 443. These connections are also encrypted with TLS.
Backup Data Encryption
Backup data is sent directly to secure object storage from the agent. This is currently in AWS S3, with an Azure storage option coming soon. Data is encrypted both in transit using TLS and at rest using AES-256. Stored data objects are also isolated so that data belonging to one user can never be seen or accessed by another user.
We are working on an option to allow our users to “bring your own keys.” Expect to hear more about this in the next quarter.
With ransomware and malware attacks at all-time highs, it is vitally important to protect your organization by having secure and disconnected (often called air gapped, although this is usually a misnomer) copies of your data to recover from. By using CloudCasa, you will have secure and isolated copies of your Kubernetes resource data and application data that are not directly accessible via your network or cloud service. In Q1, Catalogic is adding to CloudCasa the capability to do block-level backups of your Kubernetes persistent volumes, in addition to the resource data you can back up now. This will give users the ability to keep copies of both resource and PV data in a location where they are safe from malware. With CloudCasa, you can recover your entire Kubernetes configuration and data to a point in time before the infection happened.
Your Secure Casa in the Cloud
The CloudCasa service and agent are continuously tested by us and our users. The service is also going through various levels of review and testing by our partners, including certification of the CloudCasa agent for catalogs and marketplaces such as AWS Partner Network, Red Hat OpenShift and SUSE Rancher.
Try CloudCasa now, knowing that your data is always encrypted and that CloudCasa will remain free forever at the level of service provided today. The free service level includes unlimited worker nodes and clusters, and unlimited CSI snapshots, with 30 days of retention.