Elastic Cloud is our growing family of Elasticsearch-based SaaS offerings. For each Elastic Cloud service, we strive to provide security and privacy for your data. Here's why thousands of customers trust us with their search requirements and their data.
Elastic maintains a comprehensive information security program that includes appropriate technical and organizational measures designed to protect our customers' cluster data against unauthorized access, modification or deletion.
Learn more... (See 1 below)
In early 2018, we appointed a data protection officer (DPO) and hired a Chief Information Security Officer (CISO) to help guide and manage our security and privacy programs. In addition, we have dedicated teams focusing on information security (InfoSec), regulatory compliance, software vulnerabilities, and Elastic Cloud security operations to keep your data private and secure. Our legal team includes attorneys who are certified information privacy professionals (CIPP) in the USA and Europe.
Elastic respects the privacy rights of individuals. Recently, we've updated our privacy statement to make it very clear when we collect personal data and how we use it. We've written our privacy statement in plain language to be transparent to our users and customers.
Elastic maintains an internal Supplier Assessment Standard, which mandates that Elastic's InfoSec team regularly performs security reviews for all third-party suppliers with whom there is potential to share confidential or restricted Elastic information (e.g., Personal Data).
Elastic Cloud SaaS offerings are implemented on a modern, flexible, scalable, service-oriented architecture created by Elastic. Elastic manages these offerings using its Elastic Cloud Enterprise architecture at the core.
Learn more… (See 2 below)
Elastic Cloud SaaS offerings are hosted on certified cloud platforms managed by industry-leading infrastructure-as-a-service providers, including Amazon Web Services (AWS) and Google Cloud Platform (GCP). Elastic reviews the security certifications and practices of its subprocessors to ensure that there are appropriate physical security measures in effect at all premises at which Elastic Cloud data will be processed and stored.
Learn more… (See 3 below)
We've taken significant measures to ensure that Elastic Cloud customer data cannot be read, copied, modified, or deleted during electronic transmission, transport, or storage through unauthorized means. To reduce the likelihood of vulnerability-related incidents, the Elastic Cloud team deploys Elasticsearch instances based on the latest operating system kernels, and patches the computing "fleet" whenever a critical CVE (i.e., "Common Vulnerability and Exposure," in security-speak) is discovered in any component software. Similarly, Elastic software, including Elastic Stack components and Elastic Cloud Enterprise, used in the provisioning of Elastic Cloud SaaS offerings, is updated as soon as it is released to ensure that latest versions are deployed.
To protect customer data, Elastic Cloud clusters are protected with Elastic security features with randomly assigned individual passwords. Clusters are deployed behind redundant proxies and are not visible to internet scanning.Transport Layer Security (TLS) encrypted communication from the Internet is provided in the default configuration. Elasticsearch nodes run in isolated containers, configured according to the principle of least privilege, and with restrictions on system calls and allowed root operations. Elasticsearch nodes communicate using TLS (requires customer to select 6.0 or later versions of the Elastic Stack). Cluster data is encrypted at rest. API access is limited to Elasticsearch APIs, and no remote access to the instance or container at the Linux level is allowed. Containers have no means of setting up communication with containers from another cluster.
We do not perform Internet-based penetration testing against production Elastic Cloud SaaS offerings, however, we do use third parties to perform application security assessments against the Elastic software components used to deliver these services.
Access controls are established to authenticate the identity of individuals accessing systems that process our customer's cluster data. These controls are designed to ensure that unauthorized persons do not gain access to such systems, and that authorized individuals gain access only to what is appropriate for their role. Such controls include multi-factor authentication, password strength standards, and Virtual Private Networks (VPN) for administrative access. In addition, we've implemented centralized logging, including proxy logs, access logs, Elasticsearch logs, and Auditbeat logs, to record access to customer cluster data and the systems on which it resides.
We've engineered a cloud-based platform that provides for high levels of availability for your data. We use technical and organizational measures, including backup of data, multiple availability zones, and disaster recovery planning, to ensure that customer cluster data is protected against accidental destruction or physical or logical loss.
Learn more… (See 4 below)
Elastic recognizes that software development inherently includes the possibility of introducing vulnerabilities. We accept and disclose vulnerabilities discovered in our software in a transparent manner. In addition, Elastic is a CVE Numbering Authority (CNA).
Learn more… (See 5 below)
Elastic has prepared for GDPR by carefully reviewing and documenting how it handles personal data, implementing technical and organizational measures to protect the personal data it does handle, and defining and implementing processes to respect the rights of data subjects, across all its products and services. Today, Elastic is operating in compliance with the principles of GDPR. Elastic Cloud customers can request a Data Processing Addendum (DPA) by creating a support case or simply emailing email@example.com.
Elastic recognizes the importance of adhering to a common set of compliance and certifications from industry auditors. As part of this story, the following Elastic Cloud services — Elasticsearch Service, Elastic Site Search Service, as well as Elastic Support Subscriptions — have SOC 2 Type 1 certification. Elastic also intends to complete a SOC 2 Type II for the Elasticsearch Service, Elastic Site Search Service, Elastic App Search Service, and Elastic Support Subscriptions. A summary of our SOC 2 Type 1 report can be found at the following link. Current customers can issue a "Request for SOC2 report" through the support portal or by contacting their sales representative.
At Elastic we believe that security is everyone's responsibility, and we bake security into the development of our products and into the foundation of Elastic Cloud. However, the security and privacy of your Elastic Cloud SaaS data also relies on you keeping your Elasticsearch cluster configured securely and maintaining the confidentiality of your Elastic Cloud login credentials.
Here's a quick checklist:
If you need to make changes that are not offered in the Elastic Cloud console, please create an Elastic Support case. If you believe an account has been compromised, please email firstname.lastname@example.org. If you need to make an erasure request, please email email@example.com.