Security

Stream2Vault (S2V) prioritizes security through a multi-layered approach. The S2V client, installed on user workstations, communicates with the cloud-based S2V service (hosted in GCP Europe West1 Region) via APIs. It's designed with a strong emphasis on security, leveraging robust authentication mechanisms, ensuring data privacy by not storing client or business data, and employing secure cloud hosting practices with comprehensive logging and access controls.

Authentication and Authorization:

  • S2V employs an OAuth 2.0 mechanism, integrating with the client organization's Identity Provider (IdP), such as Microsoft Entra.
  • Users authenticate via their organization's IdP, supporting existing policies like Multi-Factor Authentication (MFA). Basic authentication is not supported.
  • The S2V service validates tokens issued by the IdP, ensuring only authorized users from the organization's domain can access the platform.
  • The S2V service itself must be authorized by the client's system administrator to validate these tokens.

Data Handling and Privacy:

  • No PII or Business Data Stored: Stream2Vault does not collect or store any Personally Identifiable Information (PII) or business data.
  • In-Memory Processing: Configuration files sent to the service for validation are processed entirely in-memory and are not retained by the service.
  • No Database Credential Exposure: Database credentials are not exposed to the S2V service.
  • No Access to Client Infrastructure: The S2V service has no direct access to any client infrastructure.

Hosting and Infrastructure Security:

  • GCP Cloud Run: The S2V service is hosted on Google Cloud Run, a fully managed serverless platform.
  • Managed by reeeliance IM GmbH: The GCP tenant hosting S2V is owned and managed by reeeliance IM GmbH. The S2V Product Team within reeeliance is responsible for its management, including provisioning, monitoring, and securing resources, following the principle of least privilege.
  • Containerization: The application runs as a containerized service, with images stored in Google Artifact Registry.
  • IAM and Service Accounts: Access is controlled via Google IAM, and service accounts are used for secure execution.
  • CI/CD Pipelines: All deployments follow CI/CD pipelines for security and consistency.
  • HTTPS Communication: All communication between the client and the S2V service is secured using HTTPS.

Logging and Monitoring:

  • Service-Level Logging: API requests to the S2V service are logged.
  • Google Cloud Logging: Application logs (API requests, processing events), security logs (authentication, access control), and audit logs (infrastructure changes) are collected via Google Cloud Logging.
  • Client-Side Authentication Logs: Authentication attempts are also recorded in the client's Azure AD Sign-in and Audit Logs.
  • Restricted Log Access: Access to logs is restricted to authorized administrators and security teams via Google IAM and the client's Azure AD policies. S2V service logs are retained indefinitely.

Regulatory Alignment:

  • S2V aligns with best practices for SOC 2, ISO 27001, and GDPR by enforcing federated authentication, restricting API access with OAuth 2.0, logging access attempts, and using IAM for role-based access control.