Data Security Policy
Last updated August 16th, 2021
CUSTOMER SECURITY FEATURES
- Account Structure
- Single Sign On (SSO)
- Multi Factor Authentication (MFA)
- Password Complexity
- Company Audit Log
- IP Restrictions
- Data Sharing
- Job, Team, and Budget Restrictions
CORPORATE, PHYSICAL AND PERSONAL SECURITY
- Security Training
- Background Checks
- Employee Workstation Security
- Physical Security – Data Centers
- Physical Security – Headquarters
- Employee Account Access Control
INFRASTRUCTURE AND NETWORK SECURITY
- Input Sanitization
- Password Handling
- Cross-Site Request Forgery (CSRF)
- User Account Logins
- Logging, Monitoring and Alerting
SECURE SOFTWARE DEVELOPMENT LIFECYCLE (SDLC)
- Product Lifecycle
- Source Code Development
- Configuration Management
- Vulnerability Scanning and Penetration Testing
INCIDENT RESPONSE & DISASTER RECOVERY
Rescale is the global leader for high performance computing simulations and deep learning in thecloud. Rescale’s ScaleX platform transforms traditional fixed IT resources into flexible, hybrid,private, and public cloud resources – built on the largest and most powerful high performance computing network globally. Rescale offers user access and administrative controls to a managed secured multi-cloud environment, comprised of cloud service providers, supercomputing centers, and on premises systems.
As cloud service offerings continue to grow, Rescale aims to ensure a secure cloud solution for customers. Rescale is committed to protecting customer data, ensuring the platform meets regulations and mitigating any potential risk. Rescale implements a defense-in-depth security strategy which provides a multi-layered framework to position, drive, and deliver security.
Security Program at Rescale
Rescale follows National Institute of Standards and Technology (NIST) Cybersecurity Framework 1.1 and Risk Management Framework (RMF) as guidance for formulating and managing the Rescale Security Program. These two frameworks provide the high level structure of Rescale’s security posture and cover the whole lifecycle of security and risk management. The resulting specific security measures and controls are mainly selected from NIST 800-53r4, with customizations and additions to reflect the unique high performance, multi-cloud, and dynamic resource consumption nature of the Rescale platform and environment.
Cross-functional Security Teams
Rescale has two teams that work together to achieve, maintain, and improve various aspects of security within the company. The Security Committee is the cross-function, executive-level team that sets the broader security vision, reviews and assesses the latest risks, and aligns the overall security posture with company goals. The technical security team lives along with the development and engineering teams, and is responsible for the assessment, planning, implementation, testing, deployment, monitoring, and reporting of security operations. Security teams fall under the leadership of the CTO.
CUSTOMER SECURITY FEATURES
Rescale is a cloud simulation platform with access to 700+ software applications to run jobs via on-demand cluster. Rescale users are able submit simulation jobs via a simple GUI or powerful CLI/API. Jobs are run on ultra high-performance servers on the cloud, and jobs run on compute power. Rescale offers user access and admin controls to a managed secured multi-cloud environment.
ScaleX Enterprise customers of Rescale are grouped into Company accounts. User accounts in a company have two types of account roles: regular user and company administrator. Company Administrators have higher privileges than regular users and are designated during onboarding. Customer administrative controls are available to tailor access and security to the platform.
Single Sign On (SSO)
Rescale supports Single Sign On (SSO) through SAML 2.0 as an option for customers so users can use their company’s existing identity Provider. Authentication through Active Directory is supported when configured to use SAML 2.0. Additional information on SSO implementation can be found here: https://rescale.com/articles/sso/
Multi Factor Authentication (MFA)
Rescale supports Time-based OTP (TOTP) as a mechanism for Multi Factor Authentication (MFA) for customers. Additional information on MFA configuration can be found here: https://rescale.com/articles/multi-factor-authentication/
Rescale offers custom definition of requirements for customers, including requirements on minimum length, upper/lower case, numbers, special characters, and expiration.
Company Audit Log
All platform events are logged and are available for the company administrators to review and audit.
Company administrators can configure per-company IP CIDR restrictions to access the web platform.
User jobs and files are accessible by that user only unless explicitly shared to another member of the same company or to Support. Support is provided by Rescale (Rescale Support) and depending on the account and software used, by ISV or partner.
Job, Team, and Budget Restrictions
Company administrators can set up subdivisions within a company account with Groups and Projects. Available list of hardware core types, software applications, and budgets can be set for each subdivision. Jobs can be required to be attached to Projects.
CORPORATE, PHYSICAL AND PERSONNEL SECURITY
Rescale employees receive mandatory security training and role-based training upon hire and annually afterwards. Upon hire, employees sign a company confidentiality agreement which obligates their commitment to securing customer data.
Contractors receive the same security trainings as employees.
Background checks are performed on all employees prior to joining Rescale, unless prohibited by law. The background check may include but is not limited to education verification, previous employment verification, and criminal checks.
Employee Workstation Security
Anti-virus software is installed on all employee workstations (desktops and laptops) with automatic daily updates for malware protection. All employee workstations are encrypted and centrally managed. Portable media devices are not permitted for conducting Rescale business. Confidential data and customer data is not allowed to be accessed from mobile devices.
Appropriate endpoint security solutions are deployed on workstations. Employees do not have administrative privileges (root accounts) on their computers.
Rescale follows a clean desk policy indicating that information on desks and workstations have appropriate protections depending on data classification. Unattended confidential data is not permitted to be left out in plain sight.
Physical Security – Data Centers
Rescale does not operate a physical data center footprint and relies on cloud service providers to provide physical security to their respective data centers. These data centers are provided with 24/7 armed security, biometric access, backup systems and protections against environmental threats (e.g. fire, flood). Please see below:
- Amazon Web Services (AWS): https://aws.amazon.com/compliance/data-center/controls/
- Microsoft Azure: https://www.microsoft.com/en-us/trustcenter/security/azure-security
- IBM Cloud: https://www.ibm.com/cloud/garage/architectures/securityArchitecture/physical-asset-security/
- Google Cloud Platform: https://cloud.google.com/security/infrastructure/design/#security_of_physical_premises
Physical Security – Headquarters
Rescale’s physical San Francisco office is protected by security guards during business hours, multiple layers of keycard with access control, and security cameras. Rescale’s office doors always remain closed and locked at all times.
All visitors to Rescale are escorted by staff and checked into the office.
Employee Account Access Control
Internally, employee access control is managed by the principle of least privilege. Access control to various parts of the production environment needs to be approved and is periodically reviewed to ensure accuracy. Rescale uses SSO for internal and external systems wherever possible. Upon employee termination, access to systems is removed immediately.
Rescale does not maintain an intranet and does not assume trusted networks.
Data is always encrypted in transit and at rest. When stored, data is encrypted using AES-256 and data in transit is always transferred with TLS 1.2. Where available and depending on the method of file transfer, files are encrypted and decrypted on the end-user machine.
Data Access Control
Rescale staff’s handling of customer data is only to the extent that jobs are shared with Rescale Support. Rescale Support is a function within Rescale and is not an implied privilege by being a Rescale employee or a member of the technical teams.
Customer and platform metadata workflow can be discussed with signed NDA.
Data stored in one geographical region will use redundancy features provided by cloud service providers where available. This is an automatic redundant replication across multiple data centers offered by, for example, many object storage services.
Rescale performs daily database backups and fulfills relevant SLA and disaster recovery Recovery Point Objective (RPO) and Recovery Time Objective (RTO). Customer data is backed up for as long as contract is in place.
INFRASTRUCTURE AND NETWORK SECURITY
Network Access Control and Firewalls
Rescale divides its internal networks into logical subnets for security and availability. Networks are configured automatically and do not involve humans in the network. Direct access to the production network infrastructure by Rescale staff follows the principle of least privilege. Network access control and firewall configurations are tracked and periodically reviewed. Privileged and unprivileged network penetration testing is also regularly performed.
Server and OS Security
Servers are subject to centralized monitoring and configuration change control, vulnerability scans and penetration testing. Rescale performs system hardening and subscribes to security bulletins. Additional Server and OS security details can be provided with signed NDA.
Rescale is designed with availability as a fundamental consideration. Every layer of the infrastructure is set up with high availability or failover mechanisms.
Monitoring and Alerting
Rescale has implemented monitoring and alerting at application, OS, and network layers. Email and other alerts are sent to administrators as events are detected. Hardware-level monitoring and maintenance is provided by relevant cloud service providers.
Rescale has reviewed OWASP Top 10 application security risks and has implemented explicit measures for each applicable risk. Web frameworks and other mature components are used in the application to leverage well-reviewed code and quick security responses.
Rescale validates and properly handles all input data via input sanitization as a security measure against a variety of attack families including data injection, Cross-Site Scripting (XSS), SQL injection attacks, and deserialization attacks. Rescale code does not construct SQL queries directly.
If password-based authentication method is configured, all passwords are hashed using PBKDF2 with an appropriate work factor.
Cross-Site Request Forgery (CSRF)
Rescale uses CSRF tokens to prevent Cross-Site Request Forgery attacks.
User Account Logins
Rescale monitors for abnormal login attempts including brute force, and blocks as appropriate based on attempt characteristics.
Logging, Monitoring and Alerting
Rescale logs events at the platform level and monitors for notable events and operations performed. Any anomalies are reported through a centralized alerting system.
SECURE SOFTWARE DEVELOPMENT LIFECYCLE (SDLC)
Rescale’s products and features follow standard lifecycle stages comprising of requirements gathering, design, implementation, testing, deployment, and maintenance. In each of the stages, the relevant teams consider changes for security impact and involve the security team for any necessary assessments. Teams that are part of the product lifecycle are trained to recognize and raise potential security concerns.
Source Code Development
Rescale follows Secure Software Development Lifecycle policy and requires all code to be peer reviewed and tested prior to production deployment. Automated testing is performed in the form of unit tests and integration tests, and have to pass before being deployed to production environments. All software development is conducted in-house.
All infrastructure and environment definitions, such as network configuration, are set in reusable configuration files or scripts. They are subject to the same review process as platform code. Tests are performed in staging environments built as replicas to the production environments. Deployments occur without human participation based on the definition files.
Vulnerability Scanning and Penetration Testing
Rescale performs internal and third-party vulnerability scanning and penetration testing at least annually, covering in scope the web platform, API, server operating system, external network, and internal network. Any findings are triaged, tracked in an internal task management tool, and addressed immediately.
INCIDENT RESPONSE & DISASTER RECOVERY
Rescale has an Incident Response and Disaster Recovery plan that outlines and specifies the different stages of an incident including identification, containment, investigation, remediation, and reporting. If an attack is suspected to be occurring or has occurred, Rescale staff follows the relevant sections of the plan to perform necessary actions.
The plan is developed to incorporate company team structures and resources. It is periodically reviewed and updated if needed.
Rescale performs annual incident response exercises and disaster recovery exercises. Any gaps or findings are documented and addressed immediately. Incident response procedures are also part of security training if an employee’s role is relevant.
To comply with legal, regulatory, privacy, and export control compliance requirements, data is resident in the same region as its platform — the United States, Europe, Japan, or South Korea, unless explicitly requested otherwise.
Rescale is SOC 2 attested and completes an annual SOC 2 Type 2 audit. The SOC 2 report provides a detailed account on Rescale’s security measures in place, and can be requested under NDA.
Rescale has registered and maintains active registrations under ITAR with Directorate of Defense Trade Controls (DDTC) of United States Department of State for Rescale’s ITAR platform. Rescale independently ensures that only U.S. Persons can access or manage their respective systems.
Rescale has security measures in place to satisfy HIPAA compliance. Please contact your Account Manager for more information.
Rescale data center partners are further certified or supports the following standards: PCI DSS Level 1, SOC 1/ ISAE 3402, SOC 2, SOC 3, ISO 9001, FIPS 140, CSA, FERPA, HIPAA/HITECH, HITRUST, FedRAMP (SM), DoD Impact Levels 2, 4-6, DIACAP and FISMA, ISO 27001, ITAR, EU Privacy Shield, GDPR, Cyber Essentials Plus (UK) and/or more depending on specific data centers.
Rescale is compliant with the European Union (EU) General Data Protection Regulation (GDPR). Rescale’s technical and organizational measures ensure the protection of personal data of EU subjects in compliance with GDPR.
Rescale signs data processing agreements (DPAs) with Controllers to legitimize data transfer while protecting personal data. DPAs should contain EU standard contractual clauses (EU Model Clauses) to legitimize data transfers to outside the EU or EEA where applicable.
Where Rescale is a Processor under GDPR, Rescale uses third-party Subprocessors to deliver its products and services. Rescale conducts due diligence and risk assessment to ensure these Subprocessors meet or exceed technical and organizational measures that protect personal data.
The Rescale ScaleX Platform provides a holistic security approach exceeding modern enterprise requirements. As a platform, Rescale enables customers to flexibly configure their own security environment. Internally, Rescale has a mature security program and operates with security as its top priority.
Rescale is committed to ensuring trust with their customers and is available to discuss any additional security questions at email@example.com.