Beam: Product Security

This document outlines our multi-layered security approach to protecting customers' data and applications, along with the details of the specific permissions Beam requires.


DATA SECURITY

All sensitive information in Beam is encrypted with a unique key and hash for each customer. We don’t log or transmit any sensitive information that you share with us. We also ensure important customer data is isolated at various levels in our systems.

Customer data access policy on Beam Platform

The production environment's infrastructure is completely independent of the staging and development environments. Developers have no access to the production environment. A limited number of admins have access to the infrastructure. The internal team requests access to limited customer data from the admin team only when needed to support customer requests.

There are only two ways customer data can be accessed:

1. Beam Platform - a username and password are required to log in. Passwords are encrypted with a customer-specific salt.

2. AWS APIs - the cross-account IAM role ARN shared with Beam can only be used from Beam's AWS production account, and access to that account is itself limited. The ARNs are also encrypted at rest.

Data purge policy after subscription is terminated

After a subscription is terminated, all user accounts are disabled. Data is kept for 60 days in case the customer decides to renew the subscription. After 60 days, all customer data is purged permanently.

Customer data isolation on a multi-tenant platform

Data isolation is ensured not only at the application layer but also at the data storage layer.


ACCESS CONTROL and MFA

We use Identity and Access Management (IAM) roles to connect to your cloud account. Only our application can access your cloud APIs, and it uses temporary access keys for each session. All of our communication with your cloud account is secured. Beam provides access controls for authentication and authorization to manage your account.

Beam provides Multi-Factor Authentication (MFA) to improve access security by requiring users to enter a unique authentication code from their authentication device in addition to their username and password.


BEAM AUDIT TRAIL

We have an activity history log in place that tracks important changes related to your users and cloud accounts within your Beam account.

INFRASTRUCTURE and NETWORK SECURITY

Our servers are hosted in a Virtual Private Cloud (VPC) with strong access controls for network- and application-level security. We protect our application using state-of-the-art web application firewall services. Backend services such as databases and logs are isolated in separate private networks for added protection.

All data sent to or from our system is transmitted securely using SSL/TLS (HTTPS), and we do not allow unencrypted communication. You do not need to open any custom ports to use Beam from your network or cloud. Our agent is secured with authentication, authorization and tamper protection.


Beam: IAM Policy Documents to Access Customer AWS Account

We use a cross-account IAM role, the safest method, to access your AWS account. We request only the minimum required permissions. We do not need the access key and secret key of your AWS account.

Beam requires you to generate a role ARN for third-party access to your account for its three products – Cost & Governance and Security & Compliance. The three products are independent of each other and can be accessed independently by granting the corresponding permission.
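The customer side of that cross-account role is a trust policy on the role itself: it names the single account allowed to call sts:AssumeRole and, as a guard against the confused-deputy problem, requires an agreed external ID. The following Python is an added example and not Beam's own code or configuration; the account ID, the external ID and the role form are placeholders, and the reviewer checks are what a customer's security team would run over any third-party role before sharing its ARN.

```python
import json
import re

# Constructed placeholders (not Beam's real account ID, and not a real external ID).
BEAM_ACCOUNT_ID = "111111111111"
EXTERNAL_ID = "replace-with-the-id-agreed-with-the-vendor"

# Matches the principal forms a cross-account trust policy should use.
ACCOUNT_RE = re.compile(r"^arn:aws:iam::(\d{12}):(root|role/.+|user/.+)$")


def build_trust_policy(trusted_account_id: str, external_id: str) -> dict:
    """Trust policy for a role that only the named account may assume, and only
    when the caller presents the agreed sts:ExternalId (confused-deputy guard).
    The permissions policy (what the role may do) is attached separately."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def check_trust_policy(doc: dict, expected_account: str) -> list:
    """Review a trust policy and return human-readable findings (empty = as expected)."""
    findings = []
    for i, stmt in enumerate(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        # 1. The only thing the trusted party should be allowed to do is assume the role.
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        extra = [a for a in actions if a.lower() not in ("sts:assumerole", "sts:tagsession")]
        if extra:
            findings.append(f"stmt {i}: unexpected actions {extra}")
        # 2. The principal must name one specific account, never "*".
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        for p in ([aws] if isinstance(aws, str) else (aws or [])):
            if p == "*":
                findings.append(f"stmt {i}: principal is '*' (any AWS account could assume the role)")
                continue
            m = ACCOUNT_RE.match(p)
            if not m:
                findings.append(f"stmt {i}: unrecognised principal {p!r}")
            elif m.group(1) != expected_account:
                findings.append(f"stmt {i}: principal account {m.group(1)} is not {expected_account}")
        # 3. Without an external ID, a vendor tricked into assuming the wrong customer's
        #    role could not tell the two apart (the confused-deputy problem).
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if not cond.get("sts:ExternalId"):
            findings.append(f"stmt {i}: no sts:ExternalId condition")
    return findings


if __name__ == "__main__":
    good = build_trust_policy(BEAM_ACCOUNT_ID, EXTERNAL_ID)
    print(json.dumps(good, indent=2))
    print("findings:", check_trust_policy(good, BEAM_ACCOUNT_ID))
    # A trust policy that anyone could assume, with no external ID.
    weak = {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"}]}
    print("findings:", check_trust_policy(weak, BEAM_ACCOUNT_ID))
```

The trust policy decides who may assume the role; the permissions policies later in this document decide what the role may then do, and both need to be reviewed.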

FREQUENCY OF ACCESS

Beam accesses your AWS account programmatically. The frequency of the access is as follows:

  1. Cost and Security Audits – Beam scans your infrastructure automatically once a day; you can also run an on-demand audit whenever you want. All other access is user-initiated: for example, when you perform a Click To Fix action, the AWS resource API related to that action is called.
  2. Cost & Governance – Beam checks for cost-related data every 4 hours and fetches it only if there is new data. For this, Beam checks a pre-defined S3 bucket.
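Because the access cadence above is documented, it doubles as a detection baseline: every time the vendor's account assumes the customer-side role, STS writes an AssumeRole record to CloudTrail, so a customer can verify that only the expected account is using the role and that the daily session count stays near the documented frequency. The following Python is an added example, not Beam's code: the CloudTrail records are constructed samples in the shape STS writes, and the account ID, role ARN and per-day threshold are placeholders.

```python
from collections import defaultdict
from datetime import datetime

# Constructed placeholders: the vendor's account and the customer-side role it assumes.
BEAM_ACCOUNT_ID = "111111111111"
ROLE_ARN = "arn:aws:iam::999999999999:role/BeamReadOnly"


def _ev(time, account, role_arn=ROLE_ARN, name="AssumeRole"):
    """Build a minimal CloudTrail record in the shape STS writes for AssumeRole."""
    return {
        "eventSource": "sts.amazonaws.com",
        "eventName": name,
        "eventTime": time,
        "userIdentity": {"type": "AWSAccount", "accountId": account},
        "requestParameters": {"roleArn": role_arn, "roleSessionName": "beam-scan"},
    }


# Constructed sample trail (not real logs): a normal day, a stray caller, and a burst.
SAMPLE_EVENTS = (
    [
        _ev("2024-03-01T02:00:00Z", BEAM_ACCOUNT_ID),
        _ev("2024-03-01T06:00:00Z", BEAM_ACCOUNT_ID),
        _ev("2024-03-01T10:00:00Z", BEAM_ACCOUNT_ID),
        # Same caller, a different role: not this role's business, ignored.
        _ev("2024-03-01T10:05:00Z", BEAM_ACCOUNT_ID, role_arn="arn:aws:iam::999999999999:role/Other"),
        # An account that was never granted the role somehow assumed it.
        _ev("2024-03-02T10:15:00Z", "222222222222"),
        # Not an AssumeRole call at all.
        _ev("2024-03-02T11:00:00Z", BEAM_ACCOUNT_ID, name="GetCallerIdentity"),
    ]
    + [_ev(f"2024-03-03T{h:02d}:00:00Z", BEAM_ACCOUNT_ID) for h in range(12)]
)


def audit_assume_role(events, role_arn, allowed_accounts, max_per_day):
    """Summarise who assumed `role_arn` and how often.

    Returns per-day counts, callers outside `allowed_accounts`, and days whose
    count exceeds `max_per_day` (the documented cadence is the baseline)."""
    per_day = defaultdict(int)
    unexpected = []
    for ev in events:
        if ev.get("eventName") != "AssumeRole":
            continue
        if ev.get("requestParameters", {}).get("roleArn") != role_arn:
            continue
        caller = ev.get("userIdentity", {}).get("accountId")
        when = ev["eventTime"]
        day = datetime.strptime(when, "%Y-%m-%dT%H:%M:%SZ").date().isoformat()
        per_day[day] += 1
        if caller not in allowed_accounts:
            unexpected.append((when, caller))
    busy = {d: n for d, n in per_day.items() if n > max_per_day}
    return {"per_day": dict(per_day), "unexpected_callers": unexpected, "busy_days": busy}


if __name__ == "__main__":
    # A daily scan plus a 4-hourly cost check is roughly 7 sessions a day; the
    # threshold of 10 is an assumed allowance for on-demand audits and Click To Fix.
    report = audit_assume_role(SAMPLE_EVENTS, ROLE_ARN, {BEAM_ACCOUNT_ID}, max_per_day=10)
    for key, value in report.items():
        print(f"{key}: {value}")
```

A caller outside the allow list is worth an immediate look at the role's trust policy; a sustained count well above the documented cadence is the signal to ask the vendor what changed.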

PERMISSION FOR COST & GOVERNANCE (READ ONLY)

For Cost & Governance you provide Beam with read-only permissions for Optimize plus read access to your S3 billing bucket.

Read Access ARN Policy Document

Policy Document required for generation of Read Access ARN from AWS account (Cost & Governance)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "autoscaling:Describe*",
        "cloudfront:Get*",
        "cloudfront:List*",
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetTrailStatus",
        "cloudwatch:Describe*",
        "cloudwatch:Get*",
        "cloudwatch:List*",
        "dynamodb:DescribeTable",
        "dynamodb:ListTables",
        "ec2:Describe*",
        "elasticache:Describe*",
        "elasticbeanstalk:Check*",
        "elasticbeanstalk:Describe*",
        "elasticbeanstalk:List*",
        "elasticbeanstalk:RequestEnvironmentInfo",
        "elasticbeanstalk:RetrieveEnvironmentInfo",
        "elasticloadbalancing:Describe*",
        "elasticmapreduce:Describe*",
        "elasticmapreduce:List*",
        "redshift:Describe*",
        "iam:List*",
        "iam:Get*",
        "opsworks:Describe*",
        "opsworks:Get*",
        "route53:Get*",
        "route53:List*",
        "rds:Describe*",
        "rds:ListTagsForResource",
        "s3:List*",
        "sqs:GetQueueAttributes",
        "sqs:ListQueues"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*"
      ],
      "Resource": [
        "arn:aws:s3:::bills/*"
      ]
    }
  ]
}

PERMISSION FOR COST & GOVERNANCE (WRITE ACCESS)

For Cost & Governance you provide Beam with write access to perform Click To Fix and to enable Smart RI for auto-remediation of unused RIs.

For this policy you can choose to remove certain permissions if you wish, but that may result in incomplete feature access.

Write Access ARN Policy Document

Policy Document required for generation of Write Access ARN from AWS account (Cost & Governance)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1415015011805",
      "Action": [
        "ec2:Describe*",
        "ec2:CreateSnapshot",
        "ec2:DeleteSnapshot",
        "ec2:DeleteVolume",
        "ec2:CreateTags",
        "ec2:ReleaseAddress",
        "ec2:RegisterImage",
        "ec2:CreateImage",
        "ec2:DeregisterImage",
        "ec2:DisassociateAddress",
        "ec2:TerminateInstances",
        "ec2:ModifySnapshotAttribute",
        "ec2:ModifyInstanceAttribute"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": [
        "arn:aws:s3:::bills/*"
      ]
    },
    {
      "Sid": "Stmt1415015042420",
      "Action": [
        "elasticloadbalancing:DeleteLoadBalancer",
        "elasticloadbalancing:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "Stmt1415015086161",
      "Action": [
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetTrailStatus"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "Stmt1415015300839",
      "Action": [
        "rds:Describe*",
        "rds:List*",
        "rds:CreateDBSnapshot",
        "rds:DeleteDBSnapshot",
        "rds:DeleteDBInstance"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "Stmt1415015300851",
      "Action": [
        "iam:List*",
        "iam:Get*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "Stmt1415015300878",
      "Action": [
        "autoscaling:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "Stmt1445611947000",
      "Effect": "Allow",
      "Action": [
        "redshift:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Stmt1445611948000",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricStatistics",
        "dynamodb:DeleteTable"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Stmt1445611948010",
      "Effect": "Allow",
      "Action": [
        "opsworks:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Stmt1445611948020",
      "Effect": "Allow",
      "Action": [
        "route53:Get*",
        "route53:List*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Stmt1445611948021",
      "Effect": "Allow",
      "Action": [
        "elasticache:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Stmt1445611948022",
      "Effect": "Allow",
      "Action": [
        "elasticmapreduce:Describe*",
        "elasticmapreduce:List*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Stmt1445611948023",
      "Effect": "Allow",
      "Action": [
        "dynamodb:Describe*",
        "dynamodb:List*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Stmt1445611948024",
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:Check*",
        "elasticbeanstalk:Describe*",
        "elasticbeanstalk:List*",
        "elasticbeanstalk:RequestEnvironmentInfo",
        "elasticbeanstalk:RetrieveEnvironmentInfo"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Stmt1445611948028",
      "Effect": "Allow",
      "Action": [
        "cloudfront:Get*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Stmt1445611948030",
      "Effect": "Allow",
      "Action": [
        "config:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Stmt1445611948035",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:Describe*",
        "cloudwatch:Get*",
        "cloudwatch:List*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Stmt1445611948036",
      "Effect": "Allow",
      "Action": [
        "cloudfront:List*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Stmt1445611948076",
      "Effect": "Allow",
      "Action": [
        "kinesis:ListStreams"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Stmt1445611948086",
      "Effect": "Allow",
      "Action": [
        "glacier:ListVaults"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Stmt1445611948089",
      "Effect": "Allow",
      "Action": [
        "sqs:ListQueues"
      ],
      "Resource": "*"
    }
  ]
}
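Before attaching either of the two Cost & Governance policies above, it is worth running them through a small linter: the read-only document should contain no state-changing action, and for the write document the point is to see exactly which mutating actions are granted, and on what resource scope, so that the "remove certain permissions" decision is made per action rather than by guesswork. The following Python is an added example and not Beam's code. The two embedded policies are constructed subsets of the documents above (they include the malformed "Sqs: List Queues"-style entries and the duplicated actions so the checks have something to find), and the read-only prefix list is an assumption: the authoritative classification is the access level AWS publishes for each action in the Service Authorization Reference.

```python
import json
import re

# Shape of a valid IAM action: lowercase service prefix, colon, operation (wildcards allowed).
ACTION_RE = re.compile(r"^[a-z0-9-]+:[A-Za-z0-9*]+$")
# Assumption: operations with these prefixes are treated as read-only. This is a heuristic;
# the authoritative source is the access level in the AWS Service Authorization Reference.
READ_PREFIXES = ("Describe", "Get", "List", "Check", "Retrieve", "Request")


def is_read_only(op: str) -> bool:
    return op != "*" and op.startswith(READ_PREFIXES)


def lint_policy(doc: dict) -> dict:
    """Report malformed action strings, duplicated actions, and actions that can
    change state, together with the resource scope each write is granted on."""
    seen = {}
    malformed, writes = [], set()
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        scope = "*" if "*" in resources else ",".join(resources)
        for raw in actions:
            # IAM compares Action values case-insensitively, but embedded whitespace is
            # never valid: "Sqs: List Queues" would be rejected at save time, not matched.
            cleaned = re.sub(r"\s+", "", raw)
            service, sep, op = cleaned.partition(":")
            normalized = f"{service.lower()}:{op}"
            if cleaned != raw.strip() or not sep or not ACTION_RE.match(normalized):
                malformed.append((raw, normalized if sep else None))
            seen[normalized] = seen.get(normalized, 0) + 1
            if not is_read_only(op):
                writes.add((sid, normalized, scope))
    duplicates = sorted(a for a, n in seen.items() if n > 1)
    return {"malformed": malformed, "duplicates": duplicates, "write_actions": sorted(writes)}


# Constructed subset of the Cost & Governance read-only policy (not the full document).
READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:Describe*", "elasticache:Describe*", "iam:List*", "iam:Get*",
                    "elasticache:Describe*", "s3:List*",
                    "Sqs: GetQueueAttributes", "Sqs: List Queues"]},
        {"Effect": "Allow", "Action": ["s3:Get*"], "Resource": ["arn:aws:s3:::bills/*"]},
    ],
}

# Constructed subset of the Cost & Governance write policy (not the full document).
WRITE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Stmt1415015011805", "Effect": "Allow", "Resource": "*",
         "Action": ["ec2:Describe*", "ec2:DeleteVolume", "ec2:TerminateInstances",
                    "ec2:CreateImage", "ec2:CreateImage"]},
        {"Sid": "Stmt1415015300839", "Effect": "Allow", "Resource": "*",
         "Action": ["rds:Describe*", "rds:DeleteDBInstance"]},
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": ["arn:aws:s3:::bills/*"]},
    ],
}


if __name__ == "__main__":
    for name, doc in (("read-only", READ_POLICY), ("write", WRITE_POLICY)):
        print(name, json.dumps(lint_policy(doc), indent=2))
```

The same function applies unchanged to the Security & Compliance policies later in this document; a write entry reported with scope "*" is one where the action is permitted on every resource in the account, which is the first place to consider narrowing.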

PERMISSION FOR SECURITY & COMPLIANCE (READ ACCESS)

With Security & Compliance read access, Beam only performs daily and on-demand scans of your environment to determine the status of your security posture.

Read Access ARN Policy Document

Policy Document required for generation of Read Access ARN from AWS account (Security & Compliance)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "autoscaling:Describe*",
        "cloudfront:List*",
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetTrailStatus",
        "cloudwatch:Describe*",
        "cloudwatch:Get*",
        "cloudwatch:List*",
        "config:Describe*",
        "cloudfront:Get*",
        "dynamodb:DescribeTable",
        "dynamodb:ListTables",
        "ec2:Describe*",
        "elasticache:Describe*",
        "elasticbeanstalk:Check*",
        "elasticbeanstalk:Describe*",
        "elasticbeanstalk:List*",
        "elasticbeanstalk:RequestEnvironmentInfo",
        "elasticbeanstalk:RetrieveEnvironmentInfo",
        "elasticloadbalancing:Describe*",
        "elasticmapreduce:Describe*",
        "elasticmapreduce:List*",
        "redshift:Describe*",
        "iam:List*",
        "iam:Get*",
        "opsworks:Describe*",
        "route53:Get*",
        "route53:List*",
        "rds:Describe*",
        "rds:ListTagsForResource",
        "s3:List*",
        "s3:Get*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

PERMISSION FOR SECURITY & COMPLIANCE (WRITE ACCESS)

For Security & Compliance write access, you provide Beam with the write access needed to perform Click To Fix.

For this policy you can choose to remove certain permissions if you wish, but that may result in incomplete feature access.

Write Access ARN Policy Document

Policy Document required for generation of Write Access ARN from AWS account (Security & Compliance)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1415015011805",
      "Action": [
        "ec2:Describe*",
        "ec2:CreateSnapshot",
        "ec2:CreateTags",
        "ec2:DeleteKeyPair",
        "ec2:ModifyInstanceAttribute",
        "ec2:DeleteSecurityGroup"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "Stmt1415015042420",
      "Action": [
        "elasticloadbalancing:Describe*",
        "elasticloadbalancing:ModifyLoadBalancerAttributes"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "Stmt1415015058175",
      "Action": [
        "s3:List*",
        "s3:Get*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "Stmt1415015300839",
      "Action": [
        "rds:Describe*",
        "rds:List*",
        "rds:ModifyDBInstance"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "Stmt1415015300851",
      "Action": [
        "iam:List*",
        "iam:Get*",
        "iam:DeleteAccessKey",
        "iam:UpdateAccountPasswordPolicy"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "Stmt1415015300878",
      "Action": [
        "autoscaling:Describe*",
        "autoscaling:UpdateAutoScalingGroup"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "Stmt1415015086161",
      "Action": [
        "cloudtrail:CreateTrail",
        "cloudtrail:StartLogging",
        "cloudtrail:UpdateTrail",
        "cloudtrail:DescribeTrails",
        "cloudtrail:GetTrailStatus"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "Stmt1445611947000",
      "Effect": "Allow",
      "Action": [
        "redshift:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Stmt1445611948000",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricStatistics"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Stmt1445611948010",
      "Effect": "Allow",
      "Action": [
        "opsworks:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Stmt1445611948020",
      "Effect": "Allow",
      "Action": [
        "route53:Get*",
        "route53:List*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Stmt1445611948021",
      "Effect": "Allow",
      "Action": [
        "elasticache:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Stmt1445611948022",
      "Effect": "Allow",
      "Action": [
        "elasticmapreduce:Describe*",
        "elasticmapreduce:List*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Stmt1445611948023",
      "Effect": "Allow",
      "Action": [
        "dynamodb:DescribeTable",
        "dynamodb:ListTables"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Stmt1445611948024",
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:Check*",
        "elasticbeanstalk:Describe*",
        "elasticbeanstalk:List*",
        "elasticbeanstalk:RequestEnvironmentInfo",
        "elasticbeanstalk:RetrieveEnvironmentInfo"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Stmt1445611948028",
      "Effect": "Allow",
      "Action": [
        "cloudfront:Get*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Stmt1445611948030",
      "Effect": "Allow",
      "Action": [
        "config:Describe*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Stmt1445611948035",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:Describe*",
        "cloudwatch:Get*",
        "cloudwatch:List*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Stmt1445611948036",
      "Effect": "Allow",
      "Action": [
        "cloudfront:List*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Stmt1445611948076",
      "Effect": "Allow",
      "Action": [
        "kinesis:ListStreams"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Stmt1445611948086",
      "Effect": "Allow",
      "Action": [
        "glacier:ListVaults",
        "glacier:ListTagsForVault"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Stmt1445611948089",
      "Effect": "Allow",
      "Action": [
        "sqs:ListQueues"
      ],
      "Resource": "*"
    }
  ]
}

Beam Azure access capabilities

Beam's support for Azure Cost Governance & Security Compliance uses the Azure Reader (read-only) role only; there are currently no write-access components in Beam's Azure support. We are in the process of developing custom roles that will provide write-access capabilities for Azure in Beam.

We understand that security is paramount to any application and its end users. You are welcome to report any issues, share suggestions or raise specific concerns with our team at beam-support@nutanix.com
