October 15, 2024
October 20, 2024

Building Customer Trust: A CISO's Perspective on Security and Privacy at Firebolt


Security as a Core Value

At Firebolt, security isn't just a feature of our service. From our co-founders' initial vision to our cutting-edge technology, through tuning business processes to fortifying our cyber defense, every aspect of Firebolt is designed with security in mind, influencing every decision and innovation we make. Firebolt’s holistic approach to security ensures that every aspect of our operations is geared towards maintaining the highest standards of protection for our users and their data while underscoring the critical importance of our security practices and the continuous enhancement of our security posture.

With that, our commitment to robust security measures from day one ensures that every customer's data is protected against evolving threats, allowing customers to trust Firebolt as a secure platform for their most sensitive data. We are proud to have achieved key industry certifications, including ISO 27001, ISO 27018, and SOC 2 + HIPAA, which validate our adherence to stringent security and privacy standards.

Integrating Security Throughout the SDLC

As a provider of Cloud Data Warehouse as a Service, Firebolt faces unique challenges in securing vast amounts of data. At the heart of our Security DevOps approach is the seamless integration of security throughout the software development lifecycle. From the outset, secure coding practices are employed, and as development progresses, each phase undergoes security testing. This proactive scrutiny helps identify and mitigate vulnerabilities early on, ensuring robust defenses from the ground up. We also actively engage in essential practices like penetration testing and fuzzing, allowing us to uncover potential weaknesses and fortify our systems against emerging threats.

Data Protection and Network Security

Data protection is paramount, and we employ stringent policies coupled with end-to-end encryption to safeguard data at rest and in transit, maintaining confidentiality. 

  • Data at Rest
    • We leverage AWS’s built-in features, like KMS, to handle storage encryption at rest for customer data stored within our systems. Our systems are securely integrated with AWS KMS to ensure seamless key management for data encryption through AWS’s infrastructure.
    • We securely generate, store, rotate, and retire the encryption keys that we manage, particularly those used for encrypting sensitive internal data.
    • We enforce strict access controls and separation of duties for individuals authorized to manage the encryption keys under our control.
    • We safeguard the storage of encryption keys to prevent unauthorized access.  
    • We enforce robust authentication mechanisms for users and applications accessing the data. This means that every client, whether it's a UI, SDK, JDBC, or another interface, must be associated with a unique login and user. This approach ensures that each client is individually authenticated and authorized to access the data.
      • Initial authentication is handled by our Identity Provider, which validates the user's or application's identity.
      • Once authenticated, our fine-grained RBAC mechanism further controls access to specific data.
    • We’ve implemented auditing and monitoring mechanisms to track and log access to encrypted data and encryption key management activities.
    • We regularly review and analyze the audit logs for any suspicious or unauthorized activities.
    • We ensure the secure transmission of encryption keys from the key management system to the encryption/decryption components to prevent interception or tampering.
    • We’ve implemented secure data deletion practices to ensure that data is adequately wiped or destroyed when no longer needed.
    • We’ve implemented data integrity checks to detect unauthorized modifications or tampering with encrypted data.

  • Data in Motion
    • We’ve implemented TLS to ensure secure communication across all client-server interactions. This applies to external clients, such as a UI accessing a gateway, and internal communications between components within our infrastructure, providing an extra layer of security against man-in-the-middle attacks.
    • Our policy exclusively includes strong cipher suites that offer robust encryption and resist known cryptographic attacks. These suites utilize AES (Advanced Encryption Standard) with 128-bit or 256-bit keys and Galois/Counter Mode (GCM) for authenticated encryption, ensuring data confidentiality and integrity. Additionally, the selected cipher suites support Perfect Forward Secrecy (PFS), meaning that even if a server's private key is compromised, past communications remain secure, as session keys are not derived from the server's private key. We intentionally exclude weaker ciphers and deprecated features like RC4, MD5, and SHA-1, which are vulnerable to cryptographic attacks. By default, we negotiate TLS 1.3, with the ability to fall back to TLS 1.2 if necessary.
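An added example, not Firebolt's code or configuration: a Python `ssl` client context built to the policy described in the last bullet, with an audit that lists any enabled suite falling outside it. The cipher string and the strict AES-GCM-only reading of the policy are assumptions.

```python
import ssl

# Assumed OpenSSL cipher string for the TLS 1.2 fallback: AES-GCM suites with
# ephemeral (EC)DHE key exchange only. Not Firebolt's actual configuration.
TLS12_CIPHERS = "ECDHE+AESGCM:DHE+AESGCM"


def build_client_context():
    """Client context: certificate checks on, TLS 1.2 floor, TLS 1.3 preferred."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(TLS12_CIPHERS)  # only affects suites for TLS 1.2 and below
    return ctx


def classify(name):
    """Return None if an OpenSSL suite name fits the policy, else the reason."""
    if "AES" not in name or "GCM" not in name:
        return "not AES-GCM"
    if name.startswith("TLS_"):
        return None  # TLS 1.3 certificate handshakes always use ephemeral (EC)DHE
    if not name.startswith(("ECDHE-", "DHE-")):
        return "no forward secrecy"
    return None


def audit_context(ctx):
    """List (suite, reason) for every enabled setting that breaks the policy."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(("<protocol floor>", "allows TLS below 1.2"))
    for cipher in ctx.get_ciphers():
        reason = classify(cipher["name"])
        if reason:
            findings.append((cipher["name"], reason))
    return findings


if __name__ == "__main__":
    for suite, reason in audit_context(build_client_context()):
        # set_ciphers() cannot remove TLS 1.3 suites, so a ChaCha20 suite may
        # still be listed here depending on the local OpenSSL build.
        print(f"{suite}: {reason}")
```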

Our network architecture is carefully designed, with segmentation for production, development, and testing environments. Each segment is fortified with tailored security controls and subjected to regular security audits. In addition, we implement a comprehensive multi-layered security strategy that includes Web Application Firewalls (WAF), Denial of Service (DoS) protection, and bot mitigation.

Privacy by Design

Privacy is another core principle in our system design and is embedded to minimize data exposure and proactively mitigate risks with the addition of comprehensive access controls and robust governance frameworks. We protect user and organizational data. Each tenant's data is securely isolated, preventing unauthorized access or data leakage. Our approach ensures that sensitive information is protected through encryption, access controls, and privacy-enhancing technologies.

  1. We follow a data minimization strategy, collecting only the essential information for service functionality. Where possible, we apply anonymization and pseudonymization techniques to reduce the exposure of sensitive data during the processing, analytics, and testing phases.
  2. We leverage AWS's encryption services, such as AWS Key Management Service (KMS), Secrets Manager, and Vaults, to securely handle encryption keys and sensitive information. Data is encrypted at rest and in transit using industry-standard algorithms like AES-256. Additionally, secrets such as API keys and credentials are securely stored and rotated.
  3. Tenant data isolation is enforced using Kubernetes namespaces within our Amazon EKS environment. Each tenant’s resources are segregated into dedicated namespaces, ensuring strict boundaries and preventing cross-tenant access. These namespaces are further secured with role-based access controls and network policies to maintain isolation. 
  4. We implement holistic runtime security using a defense-in-depth approach. All of our binaries are built as Position Independent Executables (PIE) to randomize the address space for code execution, with stack protection, and with Control Flow Integrity (CFI) to prevent attacks that target forward-edge as well as backward-edge control flow, such as overwriting return addresses on the stack. Next, these hardened binaries are run inside non-root containers with strict namespace isolation and limited capabilities, thus adhering to the Principle of Least Privilege (PoLP). This guarantees that even in the improbable event of an exploit that defeats binary hardening, an attacker still cannot break out of the container and escalate to root. Furthermore, we deploy an advanced runtime protection tool that observes every process for suspicious activity and malware, and that alerts on and blocks anomalous events. Together, these measures keep our systems resilient against threats while safeguarding sensitive data.
  5. Access to sensitive data is governed by fine-grained RBAC policies, enforcing the principle of least privilege. These controls extend across all system components, ensuring only authorized users and services, including internal employees, can access specific datasets.
  6. Logs are explicitly configured for internal use, forensic needs, and compliance, excluding personal identifiers, authentication tokens, and other sensitive attributes. Where logging is essential, sensitive information is hashed, tokenized, or fully redacted. Additionally, we enforce strict retention policies and secure storage for logs containing minimal necessary data.
  7. Our platform is designed to support data subject rights, such as data access, rectification, and deletion requests.  
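An added example for the logging item in the list above, not Firebolt's code: a Python `logging` filter that redacts credentials and replaces email addresses with a keyed pseudonym before a record is written. The patterns, the HMAC-based pseudonym (standing in for "hashed") and the demo key are assumptions.

```python
import hashlib
import hmac
import io
import logging
import re

# Constructed demo key; a real one would be loaded from a secrets store.
PSEUDONYM_KEY = b"constructed-demo-key"

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
BEARER_RE = re.compile(r"(?i)\b(bearer)\s+[A-Za-z0-9._~+/-]+=*")
SECRET_KV_RE = re.compile(r"(?i)\b(password|token|api_key|secret)=\S+")


def pseudonymize(value):
    """Keyed hash: stable per identity for correlation, not guessable without the key."""
    digest = hmac.new(PSEUDONYM_KEY, value.lower().encode(), hashlib.sha256)
    return "pseud:" + digest.hexdigest()[:16]


def scrub(text):
    """Redact credentials outright, then pseudonymize email addresses."""
    text = BEARER_RE.sub(r"\1 [REDACTED]", text)
    text = SECRET_KV_RE.sub(r"\1=[REDACTED]", text)
    return EMAIL_RE.sub(lambda m: pseudonymize(m.group(0)), text)


class ScrubFilter(logging.Filter):
    """Scrub the fully formatted message so %-style args are covered too."""

    def filter(self, record):
        record.msg = scrub(record.getMessage())
        record.args = None
        return True


def demo():
    """Log one constructed line through the filter and return what was written."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.addFilter(ScrubFilter())
    log = logging.getLogger("scrub-demo")
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    log.propagate = False
    log.info("login ok for %s auth=Bearer %s", "Alice@example.com", "abc.def.ghi")
    return buf.getvalue()
```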

Change Management and Governance

Our change management process is designed to ensure the secure delivery of services. Before deployment, changes undergo thorough risk assessment and testing, minimizing disruption and potential security risks. Governance is central to our security strategy, with policies and procedures in place to ensure compliance with industry standards and regulations. Regular audits and assessments verify adherence to these standards, providing transparency and accountability to our customers.

Securing Customers' Trust

We believe in a collaborative approach to security and privacy. By aligning our best practices with customer-managed controls like Single Sign-On (SSO), Multi-Factor Authentication (MFA), Network Policies, and Role-Based Access Control (RBAC), we create a synergistic approach to security. This collaborative effort ensures a layered defense that enhances overall robustness and resilience against evolving threats, demonstrating our commitment to our customers' trust and peace of mind. More information is on our security documentation page.
