Security

Cloud infrastructure and data have multi-level protection in compliance with security standards and laws

Key features

Flexible setup of access privileges

Leverage IAM to flexibly manage projects, users and their privileges, as well as access to cloud resources and services.
Activity log

CloudTrail helps you track user actions (e.g. resource changes) by logging API calls, including internal ones made via the web interface.
SSH key access

This method is more secure than password use when accessing instances.
Two-factor authentication

To make your account even more secure, enable mandatory two-factor user authentication, for example with Google Authenticator as the second factor.

Compliance

Personal data protection

CROC Cloud has been certified to comply with Federal Law 152-FZ for processing any personal data up to and including protection level 1.

PCI DSS certification

Cloud infrastructure components comply with PCI DSS.

Information security management system

The cloud management system complies with the Russian GOST R 27001-2006 standard and the international ISO/IEC 27001:2013 and ISO/IEC 27017:2015 standards in terms of cybersecurity.

Tier III data center

Cloud resources can be deployed in any of the three availability zones of your choice. The ru-msk-comp1p zone is based on CROC’s Kompressor Data Center, which has been awarded the Uptime Institute Tier III Gold Certification of Operational Sustainability.
FAQ
How often and in what manner do you audit information security?
Our cybersecurity systems and related management processes regularly undergo independent audits to confirm that they operate properly. The following bodies conduct audits on a regular basis:

Check criterion | Auditing authority | Frequency
ISO/IEC 27001:2013 | BSI | Annually
ISO/IEC 27017:2015 | BSI | Annually
GOST R 27001-2006 | Test-St.-Petersburg LLC | Annually
PCI DSS v. 3.2.1 | Compliance Control | Annually
Uptime Institute's Tier Certification of Operational Sustainability | Uptime Institute | At least every 3 years
Personal data legislation | FSTEC-licensed companies | Every 3 years

In addition, independent companies regularly perform penetration tests (at least once a year and after critical changes) and scan CROC Cloud infrastructure components for vulnerabilities (at least every quarter and after critical changes).
How are VMs secured?
Virtual machine security is ensured on several layers:

  • Operating system configuration management. Changing a configuration in CROC Cloud is a regulated process that includes mandatory validation of the change in a test environment before the OS is moved to production. OS configurations are defined as code and stored in a repository.
  • Infrastructure layer protection. Edge (bastion) hosts enforce network segmentation when cloud infrastructure is accessed. On each host, the actions of CROC Cloud administrators are logged and regularly analyzed by CROC Cloud security specialists.
  • SSH key authentication by default. This authentication method reduces the risk that the credentials of employees with access to the production environment are stolen. CROC Cloud stores the public key, while the user keeps the private key on their local computer.
  • Vulnerability management. All packages installed in the production environment are regularly checked for vulnerabilities and upgraded to the latest version. The inner and outer perimeters are regularly penetration-tested and scanned for vulnerabilities.
What measures do you take to eliminate and prevent vulnerabilities?
CROC Cloud features a regulated vulnerability management process, including:

  • regular infrastructure scanning inside and outside the perimeter;
  • regular monitoring of the resources that publish information about the latest vulnerabilities;
  • applying a configuration standard to devices before they are introduced into the production environment.

If a vulnerability is found, we analyze it, agree on remediation deadlines, and track the remediation process.

In addition, security specialists constantly monitor the resources that publish newly detected vulnerabilities and, if a vulnerability relates to the CROC Cloud infrastructure, we do our best to address it with security updates or compensating measures as soon as possible.
How do you respond to security incidents?
Security events, incidents, and vulnerabilities are managed in compliance with special procedures developed by our team and monitored by dedicated CROC Cloud specialists. These procedures are designed to:

  • collect information security events from monitoring tools, user reports and other sources;
  • detect information security incidents using automated tools as well as the skills and expertise of CROC Cloud specialists;
  • respond to information security incidents according to the response plans, or by engaging specialists to resolve non-typical problems;
  • analyze information security incidents as soon as they are resolved;
  • take the necessary remedial actions and make improvements following the incident analysis.

If an information security incident can affect customer resources, a CROC Cloud security specialist will inform the customer about the event and/or incident and explain how to track its resolution status. The cases in which the customer is to be informed about incidents are specified in the agreement between the parties.

If the customer is to be informed about the information security incident/event, a notification is sent via email within 24 hours. The email may contain the description of recommended measures that a customer can take in order to prevent the incident or mitigate its effects.

In addition, we provide our customers with the required digital evidence or other information from the cloud environment upon a reasoned request.
What happens to data upon agreement expiry or termination?
The archiving mode is triggered when the agreement expires or is terminated early. Once triggered, the archiving mode first enables the blocking mode, which remains active for 72 hours and imposes certain restrictions on customer operations in the cloud (as per the agreement between the parties).

After that, the company’s account and all resources are permanently deleted. We always notify our customers via email that their resources have been switched to the archiving mode and are to be deleted.

Records of API requests to user resources are retained for one year to support security incident analysis and fraud prevention, after which the information is permanently deleted.
Is it possible that a third party will gain access to my data?
We do not disclose customers’ information to third parties unless required by the effective legislation of the Russian Federation or provisions of the agreement concluded with the user. In all cases, we do our best to forward all third parties’ requests to the customer.