Fundamentals

Internal access

When assessing any third-party system, it’s critical to determine what level of access the vendor might have to data within the system. This document outlines the controls in place to ensure the internal security of data in Skyflow. We group these controls into two categories: Protect and Detect.

Protect

Protect controls prevent access.

  • All customer data is encrypted using AES-256.
  • Access to encryption keys is restricted to automated systems only. No human has access to encryption keys.
  • A “Separation of Duty” governance model ensures that only the Vault Owner can delegate access to vault data, even to Skyflow personnel.
  • Skyflow standard operating procedure (SoP) precludes Skyflow personnel from accessing or transferring any customer data from a customer environment.

Detect

Detect controls ensure that access has not happened.

  • Cloud observability tooling is configured to detect any and all changes to access policies.
  • Anomaly detection is configured to alert Skyflow about any anomalous access patterns.
  • Periodic log reviews are performed to audit the alerting system.

More security options

The controls listed here apply to all Skyflow customers regardless of deployment and make sure that no personnel can gain access to customer data. In addition to these standard controls, Skyflow customers can also provide an externally-generated encryption key either directly (BYOK) or by integrating with an external key management system (BYOKMS). For more details, see Key Management.