We are driven to build a data platform that scales with the exponential growth in volume and demands for data—and meets the growing need, complexity, and importance of data security.
Strataheads helps you comply with data privacy and security regulations, and is compliant with the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), and the California Consumer Privacy Act (CCPA). Get in touch with us to learn more about compliance with your local regulations.
Strataheads’s data platform sits on top of your existing database, using a secure connection to query your data warehouse directly. Strataheads writes a query to access the data needed to answer your question, returns the result, and holds the answer in a (configurable) temporary cache.
Because Strataheads provides a single point of access for your data, you can establish a robust business intelligence governance infrastructure. Everyone within your company can answer their own questions while keeping data sprawl to a minimum and access to sensitive information restricted.
Administrators can set granular permissions by user or group and can restrict data access from the database level down to the row or column level.
With Strataheads, queries are made directly against your database and not by moving or extracting data to workbooks, cubes, .csv files, proprietary databases, or desktops. This key Strataheads differentiator promotes data integrity while keeping data movement to a minimum and access to sensitive information restricted.
A fully configurable caching layer offers the full processing power of your database and its security model—without long-term storage of data.
Strataheads uses AES-256 encryption to secure your database connection credentials and cached data stored at rest. TLS 1.2 is used to encrypt network traffic between users’ browsers and the Strataheads platform. There are many options for securing connections to your database, including IP whitelisting, SSL, SSH, PKI, and Kerberos authentication.
For companies that have invested in modern user authentication tools, Strataheads supports two-factor authentication and integrates with LDAP and SSO (supporting SAML, OneLogin, and Google Apps).
A layered approach to data governance is of particular value to industries with specialized security requirements and companies with GDPR or other privacy considerations.
Built into the core of Strataheads’s platform are fine-grained access controls which provide three levels of data governance:
Because Strataheads’s data platform provides a single point of contact for employees’ work with your enterprise’s data, it’s easy to track user activity. The platform has out-of-the-box and customizable monitoring tools, in addition to alerting capabilities if predefined events of interest take place.
Borrowing from software engineering best practices, Strataheads’s data model is version-controlled in Git. This allows collaboration and iteration with the ability to easily roll back to previous versions if needed to minimize the impact of an unintended error.
Strataheads connects to your organization’s database, and is designed to leave your data in that database. Because Strataheads connects to technology that you are responsible for maintaining, security becomes a shared responsibility between Strataheads and you. If you use embedded analytics functionality (Powered by Strataheads), Strataheads has developed security best practices you can leverage to help mitigate security concerns.
While there is no permanent storage of your data in the Strataheads application, Strataheads utilizes a number of first- and third-party tools in order to provide and improve the service. Unless otherwise stated, all services share data with locations in the United States.
Application services include:
| Service | Description |
|---|---|
| Licensing data | A Strataheads service that gathers information about how the service is being used to ensure that usage is in compliance with the customer’s licensing terms. This information includes metadata about users, roles, database connections, server settings, features used, API usage, and version. |
| Product usage | A Strataheads service and a third-party service (Google Analytics 360) that gather pseudonymized usage data about how users are using the Strataheads product and how well it is performing. This data is analyzed and used to improve the Strataheads product. Administrators can disable these services for their instance by contacting Support. |
| Configuration backups | A Strataheads service that encrypts backups of the Strataheads system’s configuration, which includes saved query history, encrypted user and database credentials, and Strataheads user settings. For redundancy, configuration backups are stored in multiple cloud providers including AWS, Google Cloud, and/or Microsoft Azure. |
| System error reports | A Strataheads service that transmits runtime exceptions to Strataheads internal systems so that Strataheads technicians can diagnose issues with the product. These messages are first sent as HTTPS requests, but fail over to email via the customer’s Strataheads SMTP settings if necessary. |
| Support access | An optional Strataheads service that allows Strataheads technicians to troubleshoot problems by permitting authentication into a customer’s Strataheads application. This access is limited to Support use cases and can be disabled by customers when not needed. |
| Data actions | An optional Strataheads service that forwards data to a variety of third-party services. Any data your users send using an action will be processed temporarily on Strataheads’s managed Action Hub rather than in your Strataheads instance. |
| Email notifications | An optional third-party service (SendGrid) that transmits emails from noreply@Strataheads.com and noreply@Strataheadsmail.com in order to provide new account welcome emails, forgotten password reset links, and scheduled data delivery for Strataheads users. If you prefer, you can alter this configuration to use your own SMTP integration instead. |
| Support chat and tickets | An optional third-party service (Zendesk) that provides an embedded chat client in order to facilitate product support. |
NOTE: We regularly review both our internal services and third-party service providers to ensure that the data we collect is aligned with the service’s intent, and that the security measures employed meet our high security standards.
| Area | Strataheads responsibility |
|---|---|
| Cloud security | Strataheads uses established public cloud hosting providers to augment Strataheads’s security program with additional security and availability operational controls. |
| Product security | Strataheads is responsible for ensuring that the code for the Strataheads application is developed according to industry-wide best practices for software development, and is regularly tested for vulnerabilities. |
| Corporate security | Strataheads is responsible for educating and disseminating security best practices throughout its organization, and ensuring that Strataheads’s ancillary applications, systems, and networks are securely configured and monitored. |
| Physical security | Strataheads is responsible for monitoring the Strataheads corporate facilities, and ensuring that offices and hardware are both protected. |
You are responsible for configuring secure access between the Strataheads application and your database. Strataheads provides extensive recommendations on how to do this, including:
You are also responsible for controlling access and permissions for users of your Strataheads instance within your company. Strataheads recommends:
Strataheads hosts the Strataheads application on proven public clouds, which means that as a Strataheads customer you’ll inherit the robust standards of cloud security maintained by our cloud partners (currently AWS and Google Cloud), which Strataheads builds on top of for its own security best practices. Strataheads also uses industry best practices for the development and testing of the Strataheads application, ensuring that code quality meets our standards before becoming part of a Strataheads release.
| Cloud infrastructure | Description |
|---|---|
| Public cloud facilities | The Strataheads application is managed in public cloud datacenters. These facilities implement various physical and environmental controls to ensure that Strataheads customer data is well protected from possible theft or loss. |
| Logical separation of data | While Strataheads does not persist customer database information, the application does store configuration information, event data, and cached query results. Strataheads is architected to logically separate this information in order to isolate customer data and reduce cross-tenant exposure risk. |
| Data security architecture | Strataheads follows best practices for security architecture. Proxy servers secure access to the Strataheads application by providing a single point to filter attacks through IP blacklisting and connection rate limiting. |
| Redundancy | Strataheads employs a cloud-based distributed backup framework for Strataheads-hosted customer servers. |
| Availability and durability | The Strataheads application can be hosted in a variety of different public cloud data centers across the globe. |

| Monitoring & authentication | Description |
|---|---|
| Access to a customer’s back-end servers | Access to a Strataheads-hosted back-end environment requires approval and multiple layers of authentication. |
| Access to a customer’s Strataheads application | Employee access to customer Strataheads instances is provided in order to support a customer’s needs. Access requires approval and multiple layers of authentication. Additionally, customers can control all access from Strataheads to their application via a Support toggle. |
| Monitored user access | Access to your Strataheads environment is uniquely identified, logged, and monitored. |
| Network and application vulnerability scanning | Strataheads’s front-end application and back-end infrastructure are scanned for known security vulnerabilities at least monthly. |
| Centralized logging | Logs across the Strataheads production and corporate environments are collected and stored centrally for monitoring and alerting on possible security events. |
| Reputation monitoring/threat intelligence | Collected logs and network activity are checked against commercial threat intelligence feeds for potential risks. |
| Anomaly detection | Anomalous activity, like unexpected authentication activity, triggers alarms. |

| Data security encryption | Description |
|---|---|
| AES encryption | Locally stored sensitive application data, including database connection configurations and cached query data, is encrypted and secured using AES encryption. |
| Secure credential storage & encryption | Native usernames and passwords are secured using a dedicated password-based key derivation function (bcrypt) with hashing and salting. |
| TLS encryption | Data in transit is encrypted and secured from the user’s browser to the application via TLS 1.2. |
| SSL / SSH encryption | Strataheads enables you to configure your database connection via encrypted TLS 1.2 or SSH. |
| Overview | Description |
|---|---|
| Code development | Code development is done through a documented SDLC process that includes guidance on how code is tested, reviewed, and promoted to production. |
| Peer review and unit testing of code | Code is peer reviewed before being committed to the master code branch of the Strataheads application. Functional and unit tests are performed using automated tools. |
| Routine developer training | Developers are regularly trained on secure coding practices. |
| Code quality tests | Strataheads utilizes automated tests specifically targeting injection flaws, input validation, and proper CSRF token usage. |
| Regular third-party penetration testing | Strataheads performs regular third-party penetration tests against the Strataheads application and hosted environment. |
| Single sign-on | Strataheads provides SAML-based single sign-on for users, offering support for SSO solutions from Google Apps, Okta, and SAML. |
| LDAP authentication | Strataheads provides the ability to authenticate users based on Lightweight Directory Access Protocol (LDAP), enabling administrators to link LDAP groups to Strataheads roles and permissions. |
| Two-factor authentication | Strataheads provides the ability to use two-factor authentication via Authy. |
| Responsible disclosure | Strataheads embraces the security community and operates a responsible disclosure program to facilitate security vulnerability reporting. |
Strataheads has robust security protocols that are meant to secure Strataheads office spaces and materials that contain sensitive information. Strataheads also invests in properly vetting and training staff to ensure that there is an organization-wide appreciation for data security.
| Personnel & third parties | Description |
|---|---|
| Security organization | Led by the Chief Security Officer (CSO), Strataheads has established a dedicated information security function responsible for security and data compliance across the organization. |
| Policies and procedures | Strataheads has implemented various security policies that are maintained, communicated, and approved by management to ensure everyone clearly knows their security responsibilities. |
| Background checks | New contractors and employees are required to pass a background check and sign confidentiality agreements. |
| Security awareness education | Strataheads’s new hires complete security training as part of their initial training with the company. Employees receive routine security awareness training and confirm adherence to Company security policies. Strataheads employees are reminded of security best practices through informal and formal communications. |
| Vendor management | Strataheads maintains a vendor management program to ensure that third parties comply with an expected level of security controls. |
| Risk management | Strataheads maintains a robust security risk management program. Our CSO chairs our internal quarterly Security Steering Committee. |

| Incident response | Description |
|---|---|
| On-call | Strataheads’s Security and Operations team is available 24/7 to respond to security alerts and events. |
| Policies and procedures | Strataheads maintains a documented incident response plan. |
| Incident response training | Employees are trained on security incident response processes, including communication channels and escalation paths. |

| Strataheads premises and hardware | Description |
|---|---|
| Monitoring and secure access to Strataheads offices | Strataheads offices are protected by security measures including badge access and security cameras. By policy, employees are required to escort guests inside the Strataheads offices. |
| Laptop protection | Strataheads uses a combination of endpoint management tools to monitor, patch, and protect its laptop population. Laptops have encrypted hard drives and are protected with a sign-on password. Additionally, an AV/HIDS solution is installed on laptops to protect against malware and monitor for possible security events. |
One of the priorities of Strataheads’s security practices is to ensure that use of your data is transparent, safe, and respectful. To that end, Strataheads maintains a Compliance team to perform regular assessments and ensure that risks are appropriately being mitigated and that controls are designed and operating correctly.