Kyvos Cloud Access Control
Applies to: Kyvos Enterprise, Kyvos Cloud (SaaS on AWS), Kyvos AWS Marketplace, Kyvos Azure Marketplace, Kyvos GCP Marketplace, Kyvos Single Node Installation (Kyvos SNI)
The Kyvos team is responsible for operating, managing, deploying, and implementing Kyvos Cloud on AWS with features such as availability, scalability, fault tolerance, and security controls.
Kyvos Cloud infrastructure access is managed through IAM (Identity & Access Management) identities (users, groups of users, or roles). An IAM policy is an object in AWS that, when associated with an identity or resource, defines the permissions of that identity or resource. AWS evaluates these policies when an IAM principal (user or role) makes an AWS resource access request. AWS supports six types of policies: identity-based policies, resource-based policies, permissions boundaries, Organizations SCPs, ACLs, and session policies.
End users access the Kyvos Web portal over the web using Kyvos native application credentials, and the portal can be integrated with external Active Directory services.
Kyvos controls access to information based on business and security requirements. The access rights to AWS resources are provided on the basis of:
Create individual IAM users
Use groups to assign permissions to IAM users
Grant least privilege
Use access levels to review IAM permissions
Configure a strong password policy for IAM users
Enable MFA in AWS account
Use roles to delegate permissions
Do not share access keys
Rotate credentials regularly
Remove unnecessary credentials
Use policy conditions for extra security
Monitor activity of our AWS account
IAM - User Management and Authentication
AWS Identity and Access Management (IAM) enables the user to manage access to AWS services and resources securely. Using IAM, the Kyvos team creates and manages Kyvos users and groups, and uses permissions to allow and deny their access to AWS resources.
Information Security
Kyvos is committed to preserving the confidentiality, integrity, and availability of Kyvos services and customer data.
Information and information security requirements will continue to be aligned with SOC2 compliance goals. The Information Security Management System is intended to enable information sharing and electronic operations, and to reduce information-related risks to acceptable levels.
Each customer has an isolated Virtual Private Cloud in AWS, and none of the resources are shared across customers. The Kyvos team creates a unique IAM ARN (Identity and Access Management Amazon Resource Name) for each customer. The customer enables the IAM ARN at their end to give read access to the customer's S3 (Simple Storage Service) bucket or AWS Glue.
Customer raw data is hosted in an S3 (Simple Storage Service) bucket or AWS Glue, and it is accessed by the Kyvos IAM ARN role. No Kyvos components can write to the customer's raw data. The customer's raw data is only accessed by semantic models from the Kyvos Web portal.
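Before enabling the Kyvos IAM ARN, a customer can check that the policy it will receive grants only read access to S3 and AWS Glue. The following Python is an added example, not Kyvos or AWS code; the read-only allow-list, both policy documents, and the bucket name example-raw-data are constructed assumptions.

```python
import fnmatch

# Allow-list of read-only action patterns (an assumption of this example, not a Kyvos list).
READ_ONLY = ("s3:get*", "s3:list*", "glue:get*", "glue:batchget*", "glue:list*", "glue:search*")

def _as_list(value):
    """IAM accepts a single string/object wherever a list is also valid."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]

def non_read_grants(policy):
    """Return (sid, action) pairs from Allow statements that are not provably read-only."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot grant write access
        sid = stmt.get("Sid", f"statement[{index}]")
        if "NotAction" in stmt:
            # Allow + NotAction grants everything except the listed actions.
            findings.append((sid, "NotAction"))
            continue
        for action in _as_list(stmt.get("Action")):
            # IAM action names are case-insensitive. The granted pattern is compared
            # as a literal string: if it matches "<prefix>*", every action it can
            # expand to starts with that read-only prefix.
            name = action.lower()
            if not any(fnmatch.fnmatchcase(name, ok) for ok in READ_ONLY):
                findings.append((sid, action))
    return findings

# Constructed sample policies.
READ_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadRawData", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-raw-data", "arn:aws:s3:::example-raw-data/*"]},
    {"Sid": "ReadCatalog", "Effect": "Allow", "Action": "glue:Get*", "Resource": "*"},
]}
TOO_BROAD_POLICY = {"Version": "2012-10-17", "Statement": {
    "Sid": "Everything", "Effect": "Allow",
    "Action": ["s3:*", "S3:getobject", "s3:PutObject"], "Resource": "*"}}

if __name__ == "__main__":
    for label, doc in (("read-only", READ_ONLY_POLICY), ("too broad", TOO_BROAD_POLICY)):
        print(label, non_read_grants(doc))
```

The check is deliberately conservative: a wildcard such as s3:* is reported even though it also covers read actions, because it cannot be shown to exclude writes.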
Load Balancer and Firewall
AWS ALB (Application Load Balancer) is used to access the Kyvos Web portal. AWS ALB only listens on the SSL layer, and a valid SSL certificate is used.
AWS ALB forwards all incoming requests to AWS WAF (Web Application Firewall). AWS WAF has a built-in capacity for monitoring incoming requests. AWS WAF also provides protection against web attacks using specified rules. AWS WAF comes with the following features to enhance security:
Rules that can allow, block, or count web requests that meet the specified conditions. Alternatively, rules can block or count web requests that not only meet the specified conditions, but also exceed a specified number of requests in any 5-minute period.
Managed rule groups from AWS and AWS Marketplace sellers
Real-time metrics and sampled web requests
Automated administration using the AWS WAF API
VPC
Kyvos uses Amazon Virtual Private Cloud. AWS VPC is a cloud computing service that provides users a virtual private cloud by provisioning a logically isolated section of the Amazon Web Services Cloud. It enables you to launch Amazon Web Services (AWS) resources into a virtual network you have defined. The Kyvos team creates a dedicated VPC for each customer.
Security Groups
A security group acts as a virtual firewall for Elastic Compute Cloud (EC2) instances, Relational Database Service (RDS), and Elastic MapReduce (EMR) services to control incoming and outgoing traffic. Inbound rules control the incoming traffic to AWS instances/services, and outbound rules control the outgoing traffic from AWS instances/services.
Malware and Antivirus
All the Kyvos components are in the private subnet and do not have internet access. All web components are behind the Application Load Balancer.
Amazon GuardDuty is enabled for threat detection, which helps to accurately and continuously monitor and protect AWS accounts, workloads, and data stored in Amazon S3. GuardDuty analyzes billions of events across AWS accounts from AWS CloudTrail Management Events (AWS user and API activity in accounts), AWS CloudTrail S3 Data Events (Amazon S3 activity), Amazon VPC Flow Logs (network traffic data), and DNS Logs (name query patterns).
Copyright Kyvos, Inc. All rights reserved.