Gremlin's Commitment to Security
Gremlin is committed to providing a secure environment for our users to embrace the practice of Chaos Engineering (check out our security page). It is, after all, one of our core principles: Simple, Safe, Secure. In practice, security is a continual journey of improvement and we wanted to share a few milestones.
SOC 2 Type II
We recently completed our Service Organization Control (SOC) 2 Type II audit. The report, compiled by Peterson & Sullivan, documents that Gremlin's information security practices, policies, and procedures meet the SOC 2 Trust Services Criteria for security and confidentiality.
Unlike a Type I report, which only attests that controls are suitably designed at a point in time, a Type II report tests that those controls actually operated effectively over a review period. It covers how Gremlin's internal controls affect the security, availability, processing integrity, and confidentiality of the systems used to process customer data, and the confidentiality and privacy of the information those systems handle. This independent validation of security controls is crucial for customers in highly regulated industries.
Signature-Based Authentication
On the product side, we recently added support for signature-based authentication of the Gremlin agent using certificates. Rather than presenting a shared secret, the agent proves possession of a private key whose certificate the service trusts, so the secret material never has to be copied to Gremlin. This provides greater flexibility for deploying Gremlin into ephemeral environments such as AWS Lambda, allows straightforward integration with enterprise certificate and key management systems, and makes it easier to roll out new credentials. The traditional way of authenticating an agent (a shared secret passed on the command line or stored in the environment) remains available; this change simply adds another way to authenticate.
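The post does not describe the wire format Gremlin uses, so the following Go program is an added illustration of the general pattern, not Gremlin's code: the service stores only an agent's public key (in practice taken from its certificate; raw Ed25519 keys stand in for X.509 here), issues a short-lived single-use nonce, and verifies the agent's signature over it. The `Service`, `Agent` and `SharedSecretTag` names and the agent ID `lambda-worker-1` are hypothetical. `SharedSecretTag` is included only to contrast the shared-secret approach, where the verifier must hold the same secret the agent uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Service is the hypothetical control-plane side. It holds only public keys
// (extracted from each agent's certificate in a real deployment) plus the
// challenges it has issued; it never sees an agent's private key.
type Service struct {
	trusted map[string]ed25519.PublicKey
	pending map[string]time.Time // hex(nonce) -> expiry; removed once used
	now     func() time.Time     // injectable clock so expiry can be tested
}

// Challenge is sent by the service to an agent that wants to authenticate.
type Challenge struct {
	Nonce   []byte
	Expires time.Time
}

// Response is the agent's answer: claimed identity, the nonce it was given,
// and a signature over both made with its private key.
type Response struct {
	AgentID string
	Nonce   []byte
	Sig     []byte
}

// Agent keeps its private key locally; only the public half is enrolled.
type Agent struct {
	ID   string
	priv ed25519.PrivateKey
}

func NewService(now func() time.Time) *Service {
	return &Service{trusted: map[string]ed25519.PublicKey{}, pending: map[string]time.Time{}, now: now}
}

// Enroll registers the agent's public key (the certificate's key in practice).
func (s *Service) Enroll(id string, pub ed25519.PublicKey) { s.trusted[id] = pub }

// Issue creates a fresh random nonce with a short lifetime.
func (s *Service) Issue(ttl time.Duration) (Challenge, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return Challenge{}, err
	}
	c := Challenge{Nonce: nonce, Expires: s.now().Add(ttl)}
	s.pending[hex.EncodeToString(nonce)] = c.Expires
	return c, nil
}

// signingInput length-prefixes the agent ID and appends the nonce, so a
// signature cannot be reused for another identity or another challenge.
func signingInput(agentID string, nonce []byte) []byte {
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(agentID)))
	msg := append(n[:], agentID...)
	return append(msg, nonce...)
}

// Respond signs the challenge; the private key never leaves the agent.
func (a *Agent) Respond(c Challenge) Response {
	return Response{AgentID: a.ID, Nonce: c.Nonce, Sig: ed25519.Sign(a.priv, signingInput(a.ID, c.Nonce))}
}

// Verify checks identity, nonce freshness (issued, unused, not expired) and
// the signature, then consumes the nonce so the response cannot be replayed.
func (s *Service) Verify(r Response) error {
	pub, ok := s.trusted[r.AgentID]
	if !ok {
		return errors.New("unknown agent")
	}
	key := hex.EncodeToString(r.Nonce)
	exp, ok := s.pending[key]
	if !ok {
		return errors.New("unknown or already-used nonce")
	}
	if s.now().After(exp) {
		delete(s.pending, key)
		return errors.New("challenge expired")
	}
	if !ed25519.Verify(pub, signingInput(r.AgentID, r.Nonce), r.Sig) {
		return errors.New("bad signature")
	}
	delete(s.pending, key) // single use
	return nil
}

// SharedSecretTag is the shared-secret alternative: an HMAC over the same
// input. The service must store the very secret the agent holds, so a leak
// on the service side lets anyone impersonate that agent.
func SharedSecretTag(secret []byte, agentID string, nonce []byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(signingInput(agentID, nonce))
	return m.Sum(nil)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	agent := &Agent{ID: "lambda-worker-1", priv: priv} // hypothetical agent ID
	svc := NewService(time.Now)
	svc.Enroll(agent.ID, pub)

	ch, _ := svc.Issue(30 * time.Second)
	resp := agent.Respond(ch)
	fmt.Println("first response:", svc.Verify(resp)) // <nil>
	fmt.Println("replayed:", svc.Verify(resp))       // error: nonce already used
}
```

The order of checks in `Verify` matters: the nonce is consumed only after a valid signature, so a forged attempt cannot burn a legitimate agent's outstanding challenge, while an expired nonce is dropped regardless. Rotating credentials becomes a matter of enrolling a new public key rather than redistributing a secret to both sides.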
On the subject of data protection, we have always encrypted all communications with our service using TLS, and we have always encrypted the sensitive data we store using AES-256 (passwords are stored as salted SHA-2 hashes rather than encrypted). Recently we updated our internal systems to encrypt all data that our service stores, regardless of its sensitivity level. We want to assure our customers that Gremlin protects their data at least as well as they would protect it themselves: even the most mundane details are treated as if they were your most privileged information.
Role-Based Access Control
With RBAC you can ensure that every Gremlin user at your company has the correct level of permissions for running attacks, managing users and teams, and configuring account settings. Permissions are grouped into roles, and roles are assigned to users, which lets you establish a precise separation of duties. Besides enforcing that separation, RBAC also improves visibility into which privileges each user holds. For more information, read the RBAC blog post.