Security and Compliance is a shared responsibility between Contour and the customer. This shared model can help relieve customer’s operational burden as Contour Cloud operates, manages and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates. The customer assumes responsibility and management of the guest operating system (including updates and security patches unless leveraging Contour Managed Services), other associated application software as well as the configuration of the Contour Cloud provided security group firewall. Customers should carefully consider the services they choose as their responsibilities vary depending on the services used, the integration of those services into their IT environment, and applicable regulations. The nature of this shared responsibility also provides the flexibility and customer control that permits the deployment. As shown below, this differentiation of responsibility is commonly referred to as Security “of” the Cloud versus Security “in” the Cloud.
Contour’s Cloud responsibility “Security of the Cloud” – Contour Cloud is responsible for protecting the infrastructure that runs all of the services offered in the Contour Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run Contour Cloud services.
Customer responsibility “Security in the Cloud” – Customer responsibility will be determined by the Contour Cloud services that a customer selects. This determines the amount of configuration work the customer must perform as part of their security responsibilities. For example, services such as Virtual Private Cloud (Contour VPC) is categorized as Infrastructure as a Service (IaaS) and, as such, require the customer to perform all of the necessary security configuration and management tasks. If a customer deploys an VM instance, they are responsible for management of the guest operating system (unless leveraging Contour managed Services (including updates and security patches)), any application software or utilities installed by the customer on the instances, and the configuration of the Contour Cloud-provided firewall (called a security group) on each instance.
This customer/Contour Cloud shared responsibility model also extends to IT controls. Just as the responsibility to operate the IT environment is shared between Contour Cloud and its customers, so is the management, operation and verification of IT controls shared. Contour Cloud can help relieve customer burden of operating controls by managing those controls associated with the physical infrastructure deployed in the Contour Cloud environment that may previously have been managed by the customer. As every customer is deployed differently in the Contour Cloud, customers can take advantage of shifting management of certain IT controls to Contour Cloud which results in a (new) distributed control environment. Customers can then use the Contour Cloud control and compliance documentation available to them to perform their control evaluation and verification procedures as required. Below are examples of controls that are managed by Contour Cloud, Contour Cloud Customers and/or both.
- Inherited Controls – Controls which a customer fully inherits from Contour Cloud.
- Physical and Environmental controls
- Shared Controls – Controls which apply to both the infrastructure layer and customer layers, but
in completely separate contexts or perspectives. In a shared control, Contour Cloud provides the
requirements for the infrastructure and the customer must provide their own control
implementation within their use of Contour Cloud services. Examples include:
- Patch Management – Contour Cloud is responsible for patching and fixing Contour Cloud within the infrastructure, but customers are responsible for patching their guest OS and applications.
- Configuration Management – Contour Cloud maintains the configuration of its infrastructure devices, but a customer is responsible for configuring their own guest operating systems, databases, and applications.
- Awareness & Training – Contour Data Solutions trains Contour Cloud employees, but a customer must train their own employees.
- Customer Specific – Controls which are solely the responsibility of the customer based on the
application they are deploying within Contour Cloud services. Examples include:
- Service and Communications Protection or Zone Security which may require a customer to route or zone data within specific security environments.
The goal of the Contour Cloud General Data Protection Regulation (GDPR) program is to ensure that customers (Controller entities) have assurances of regulatory oversight as well as the ability to perform direct audits of Contour Cloud as defined under Article 28 of the GDPR regulation.
It is important to understand that GDPR is not just an IT function but a high-level organizational activity that encompasses the entirety of an organization, from IT through Marketing to Development and Quality Assurance through the very end user, the Data Subject.
Contour Cloud’s approach to EU General Data Protection Regulation (GDPR) is based on the following frameworks, certifications and attestations along with legal and governance oversight:
Risk, Privacy and Security
At the foundational level Contour Cloud operates in accordance with international standards around privacy and security. These foundational pieces include:
ISO 27001:2013
A systematic approach to managing sensitive information so that it remains secure. It includes people, processes and IT systems by applying a risk management processes and third-party oversight.
Program elements include the following areas: information security policies, organization of information security, human resource security, asset management, access control, cryptography, physical and environmental security, operations security, communications security system acquisition, development and maintenance, supplier relationships, information security incident management, information security aspects of business continuity management and Compliance; with internal and external requirement such as policies, Contour Cloud and regulations.
CSA STAR Certification
The CSA STAR Certification is a rigorous third-party independent assessment of the security of a cloud service provider. The technology-neutral certification leverages the requirements of the ISO/IEC 27001 management system standard together with the CSA Cloud Controls Matrix, a specified set of criteria that measures the capability levels of the cloud service.
CSA STAR conforms with ISO 17021:2011 Conformity Assessment, ISO 27006:2011 Information technology – Security techniques and ISO 19011 Guidelines for auditing management systems
SSAE 16/18 SOC2
The SSAE 16/18 SOC2 mirrors the ISAE 3402 auditor process and is used to ensure that organizations are performing in accordance with what is referred to as Trust Principles. Trust Principle under SOC2 related to Risk, Security and Privacy are Security, Confidentiality and Privacy.
The Contour Cloud Approach
Contour Cloud has taken an aggressive risk-based approach high level standards to ensure proper governance and management of risk and security for all data collection and processing.
Service Management
With the rigor of Risk, Privacy and Security it is easy to lose sight of the goal of delivering services. Contour Cloud has identified the need to ensure that the structure of the GDPR program does not adversely affect the service offerings by ensuring that one of the pillars of the GDPR program is Service Management.
ISO 20000:2011
ISO 20000 is a global standard that describes the requirements for an information technology service management (ITSM) system. The standard was developed to mirror the best practices described within the IT Infrastructure Library (ITIL) framework.
SSAE 16/18 SOC2
As noted previously, SSAE 16/18 SOC2 mirrors the ISAE 3402 auditor process and is used to ensure that organizations are performing in accordance with Trust Principles. For Service Delivery, Availability and Processing Integrity are reviewed.
Using the ISO 20000 and SSAE 16/18 SOC2 standards Contour Cloud maintains visibility into its ability to deliver services in accordance with contractual requirements and once again validates this through external third-party audits.
IT Framework
The Contour Cloud GDPR program is the usage of standardized frameworks. This allows for the repeatable and documented output from the elements that compose services offered by Contour Cloud.
ITIL v2011
The ITIL (Information Technology Infrastructure Library) framework is designed to standardize the selection, planning, delivery and support of IT services to a business. The goal is to improve efficiency and achieve predictable service levels.
Agile Software Development
Agile software development describes a set of values and principles for software development under which requirements and solutions evolve through the collaborative effort of self-organizing cross-functional teams. It advocates adaptive planning, evolutionary development, early delivery, and continuous improvement, and it encourages rapid and flexible response to change.
Within the usage of these frameworks Risk, Privacy and Security are incorporated, as an example, privacy by design has been incorporated into the Agile framework at all levels and is actively overseen by the Contour Cloud GDPR program office. The same efforts occur around ITIL activities to ensure that process and policies conform to the requirements of GDPR.
Legal/Governance
Finally, to validate and oversee GDPR program activities, Legal and Governance which covers contractual formulation of Controller/Processor agreements, the use of Model Contract Clauses, (where applicable), EU/US Privacy shield and Binding Corporate Rules (BCR) for internal Contour Cloud data are managed.
This pillar of the GDPR program also ensures that Controller oversight, through the use of logging, audit artifact generation and customer performed audits is managed, giving customers a dedicated resource to interface with. This segment of the program also employees the Data Protection Officer (DPO) to provide linkage between the customer’s DPO and the Contour Cloud DPO to manage Data Subject Requests as well as breach processes and notifications.
