From 9ca2a71ebf130b93a4996f3a7b3b72fd45dffb7e Mon Sep 17 00:00:00 2001 From: melindafekete Date: Wed, 4 Dec 2024 16:16:38 +0100 Subject: [PATCH] Add SOC2 docs --- .../compliance/compliance-overview.mdx | 7 +++- .../docs/using-unleash/compliance/fedramp.mdx | 12 +++---- .../docs/using-unleash/compliance/soc2.mdx | 32 +++++++++++++++++++ website/sidebars.ts | 5 +++ 4 files changed, 49 insertions(+), 7 deletions(-) create mode 100644 website/docs/using-unleash/compliance/soc2.mdx diff --git a/website/docs/using-unleash/compliance/compliance-overview.mdx b/website/docs/using-unleash/compliance/compliance-overview.mdx index 9e4f665812cc..3308938598df 100644 --- a/website/docs/using-unleash/compliance/compliance-overview.mdx +++ b/website/docs/using-unleash/compliance/compliance-overview.mdx @@ -9,4 +9,9 @@ description: 'Secure and compliant feature flags at scale with Unleash.' Unleash is designed to help organizations meet strict compliance requirements, supporting frameworks like [FedRAMP](https://www.fedramp.gov/program-basics/), [SOC 2](https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc-2), [ISO 27001](https://en.wikipedia.org/wiki/ISO/IEC_27001), and more. Features such as [audit logs](/reference/events#event-log), [role-based access control](/reference/rbac) (RBAC), and [change request](/reference/change-requests) workflows enable secure feature management at scale. -For a detailed overview of how Unleash can help you with FedRAMP requirements, refer to our [FedRAMP compliance documentation](/using-unleash/compliance/fedramp). For information regarding any other frameworks, [reach out to us](mailto:sales@getunleash.io). +For a detailed overview of how Unleash can help you with your compliance requirements, refer to our guides: +- [FedRAMP](/using-unleash/compliance/fedramp). +- [SOC 2](/using-unleash/compliance/soc2). + + +For information regarding any other frameworks, [reach out to us](mailto:sales@getunleash.io). diff --git a/website/docs/using-unleash/compliance/fedramp.mdx b/website/docs/using-unleash/compliance/fedramp.mdx index d0c0417ba173..9f986aaf218b 100644 --- a/website/docs/using-unleash/compliance/fedramp.mdx +++ b/website/docs/using-unleash/compliance/fedramp.mdx @@ -13,7 +13,7 @@ This guide provides an overview of how Unleash features align with FedRAMP contr ## Access Control -| **FedRAMP Control** | **Unleash Features** | +| **FedRAMP Control** | **Unleash Feature** | |-------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | [AC-02 Account Management](https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AC-2) | Unleash uses [role-based access control](/reference/rbac) (RBAC) with configurable permissions. In addition, you can integrate Unleash roles with other identity systems using [SCIM](/reference/scim). You can control authorization at different levels with [single sign-on](/reference/sso) (SSO) and [personal access tokens](/reference/api-tokens-and-client-keys#personal-access-tokens). | | [AC-04 Information Flow Enforcement](https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AC-4) | Unleash supports information flow control with architectural system components like [Unleash Proxy](/reference/unleash-proxy) or [Unleash Edge](/reference/unleash-edge), and configuration-level options like IP allow-lists. | @@ -21,27 +21,27 @@ This guide provides an overview of how Unleash features align with FedRAMP contr ## Audit and Accountability -| **FedRAMP Control** | **Unleash Features** | +| **FedRAMP Control** | **Unleash Feature** | |----------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | [AU-02 Event Logging](https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AU-2) | Unleash provides detailed [audit logs and event tracking](/reference/events), accessible through the Admin UI or exportable for integration with other systems. | | [AU-12 Audit Record Generation](https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=AU-12) | Unleash provides detailed [audit logs and event tracking](/reference/events), accessible through the Admin UI or exportable for integration with other systems. | ## Security Assessment and Authorization -| **FedRAMP Control** | **Unleash Features** | +| **FedRAMP Control** | **Unleash Feature** | |-------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | [CA-8 Penetration Testing](https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=CA-8) | Unleash conducts annual penetration testing by external auditors; results are available upon [request](https://www.getunleash.io/plans/enterprise). | ## Configuration Management -| **FedRAMP Control** | **Unleash Features** | +| **FedRAMP Control** | **Unleash Feature** | |--------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------| | [CM-02 Baseline Configuration](https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=CM-2) | Unleash provides [Export](/how-to/how-to-environment-import-export) functionality that facilitates keeping a configuration snapshot of feature flags and related entities in the audit records. Instance-wide configurations, such as projects, users, and roles, can be managed and restored using the [Unleash Terraform provider](/reference/terraform). | | [CM-05 Access Restrictions for Change](https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=CM-5) | Unleash provides advanced [role-based access control](/reference/rbac) (RBAC) controls to implement logical access restrictions. [Change Requests](/reference/change-requests) help you define and track approval flows. | ## Identification and Authentication -| **FedRAMP Control** | **Unleash Features** | +| **FedRAMP Control** | **Unleash Feature** | |-----------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------| | [IA-02 Identification and Authentication](https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=IA-2) (Organizational Users) | Unleash provides single sign-on (SSO) to enable customers to enforce multi-factor authentication (MFA) for all Unleash users. | | [IA-02 (01) Identification and Authentication](https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=IA-2) (Organizational Users); Multi-factor Authentication to Privileged Accounts | Unleash provides SSO to enable customers to enforce multi-factor authentication (MFA) for all Unleash users. | @@ -50,7 +50,7 @@ This guide provides an overview of how Unleash features align with FedRAMP contr ## System and Communications Protection -| **FedRAMP Control** | **Unleash Features** | +| **FedRAMP Control** | **Unleash Feature** | |-------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------| | [SC-08 (01) Transmission Confidentiality and Integrity](https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-8) (Cryptographic Protection) | Unleash implements cryptographic protection for data in transit, as detailed in our SOC2 report (available upon [request](https://www.getunleash.io/plans/enterprise). | | [SC-17 Public Key Infrastructure Certificates](https://csrc.nist.gov/projects/cprt/catalog#/cprt/framework/version/SP_800_53_5_1_0/home?element=SC-17) | Unleash uses PKI certificates issued by AWS and Google. | \ No newline at end of file diff --git a/website/docs/using-unleash/compliance/soc2.mdx b/website/docs/using-unleash/compliance/soc2.mdx new file mode 100644 index 000000000000..6c8ee2197609 --- /dev/null +++ b/website/docs/using-unleash/compliance/soc2.mdx @@ -0,0 +1,32 @@ +--- +title: SOC2 compliance for feature flags +description: 'SOC2-compliant feature flags at scale with Unleash.' +--- + +# SOC2 compliance + +## Overview + +To get SOC2 certified and maintain your compliance, you must ensure that any systems you integrate with, including feature flagging solutions, are also SOC2 certified. Using a homegrown or third-party feature flagging system without SOC2 compliance can compromise your certification and introduce unnecessary risks. + +This guide provides an overview of how Unleash features align with SOC2 controls, helping your organization meet its compliance requirements. + + +## How Unleash features map to SOC2 controls + +| SOC2 Control | SOC2 Control Description | Unleash Feature | +|---------------------------------------------|---------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------| +| CC 2.1, CC 7.2 Log management utilized | The company utilizes a log management tool to identify events that may have a potential impact on the company's ability to achieve its security objectives. | Unleash provides a log of all [events](/reference/events), such as configuration changes and access. | +| CC 2.2, CC 5.3 Roles and responsibilities specified | Roles and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of information security controls are formally assigned in job descriptions and/or the Roles and Responsibilities policy. | Unleash provides [role-based access control](/reference/rbac). | +| CC 2.2 System changes communicated | The company communicates system changes to authorized internal users. | Admins in Unleash can configure [banners](/reference/banners) that can display message for all users in the Unleash Admin UI. | +| CC 3.2, CC 7.5, CC 9.1 Continuity and disaster recovery plans tested | The company has a documented business continuity/disaster recovery (BC/DR) plan and tests it at least annually. | Unleash provides a business continuity disaster recovery (BCDR) policy available to customers in the Trust Center, and annual test results upon request. | +| CC 3.4, CC 7.1 Configuration management system established | The company has a configuration management procedure in place to ensure that system configurations are deployed consistently throughout the environment. | Unleash provides Release Plan Templates to implement consistent release sequences aligned with the customer policy. Additionally, the [Change Request](/reference/change-requests) supports 4-eyes approval workflows for changes. | +| CC 3.4, CC 4.1, CC 7.2, CC 8.1 Penetration testing performed | The company's penetration testing is performed at least annually. A remediation plan is developed and changes are implemented to remediate vulnerabilities in accordance with SLAs. | Unleash provides annual penetration test results to customers in the Trust Center, performed by an external auditor. | +| CC 5.3, CC 7.1, CC 8.1 Change management procedures enforced | Change management procedures are enforced. | Unleash supports defining custom roles with configurable permissions in each environment. [Change Requests](/reference/change-requests) supports a 4-eyes approval workflow for changes. | +| CC 6.1, CC 8.1 Production deployment and application access restricted | The company restricts access to migrate changes to production to authorized personnel. | Unleash supports defining custom roles with configurable permissions in each environment. [Change Requests](/reference/change-requests) supports a 4-eyes approval workflow for changes. | +| CC 6.1 Unique account authentication enforced | The company requires authentication to systems and applications to use unique username and password or authorized Secure Socket Shell (SSH) keys. | Unleash supports both username/password authentication, as well as [single sign-on](/reference/sso). In addition, the [SCIM integration](/reference/scim) facilitates user account provisioning. | +| CC 6.1 Password policy enforced | The company requires passwords for in-scope system components to be configured according to the company's policy. | Unleash has [password strength requirements](/using-unleash/deploy/securing-unleash#password-requirements) for all users using username/password authentication. | +| CC 6.1, CC 6.6 Remote access MFA enforced | The company's production systems can only be remotely accessed by authorized employees possessing a valid multi-factor authentication (MFA) method. | You can enable MFA through your identity provider, such as Okta or Microsoft Entra ID, after implementing [single sign-on](/reference/sso). | +| CC 6.1, CC 6.6 Remote access encrypted and enforced | The company's production systems can only be remotely accessed by authorized employees via an approved encrypted connection. | Unleash is secured by enforcing TLS 1.2. | +| CC 6.7 Data transmission encrypted | The company uses secure data transmission protocols to encrypt confidential and sensitive data when transmitted over public networks. | Unleash is secured by enforcing TLS 1.2. | +| SD SOC 2 System Description | The company has completed a description of its systems for Section III of the audit report. | This documentation is available in the SOC 2 report in the Trust Center. The report is performed by an external auditor and renewed annually. | \ No newline at end of file diff --git a/website/sidebars.ts b/website/sidebars.ts index 2174cecd02c9..e374822ef088 100644 --- a/website/sidebars.ts +++ b/website/sidebars.ts @@ -555,6 +555,11 @@ const sidebars: SidebarsConfig = { label: 'FedRAMP', id: 'using-unleash/compliance/fedramp', }, + { + type: 'doc', + label: 'SOC 2 Type II', + id: 'using-unleash/compliance/soc2', + }, ], }, {