Elastic Cloud Security

Elastic Cloud is our growing family of Elasticsearch-based SaaS offerings. For each Elastic Cloud service, we strive to provide security and privacy for your data. Here's why thousands of customers trust us with their search requirements and their data.

We Believe in Information Security and Privacy

Elastic maintains a comprehensive information security program that includes appropriate technical and organizational measures designed to protect our customers' cluster data against unauthorized access, modification or deletion.
Learn more... (See 1 below)

We Hire Dedicated Information Security and Privacy Teams

In early 2018, we appointed a data protection officer (DPO) and hired a Chief Information Security Officer (CISO) to help guide and manage our security and privacy programs. In addition, we have dedicated teams focusing on information security (InfoSec), regulatory compliance, software vulnerabilities, and Elastic Cloud security operations to keep your data private and secure. Our legal team includes attorneys who are certified information privacy professionals (CIPP) in the USA and Europe.

Our Privacy Statement is Transparent and Clear

Elastic respects the privacy rights of individuals. Recently, we've updated our privacy statement to make it very clear when we collect personal data and how we use it. We've written our privacy statement in plain language to be transparent to our users and customers.

We Carefully Review Third-Party Suppliers

Elastic maintains an internal Supplier Assessment Standard, which mandates that Elastic's InfoSec team regularly performs security reviews for all third-party suppliers with whom there is potential to share confidential or restricted Elastic information (e.g., Personal Data).

We Build a Leading-Edge Cloud SaaS Platform

Elastic Cloud SaaS offerings are implemented on a modern, flexible, scalable, service-oriented architecture created by Elastic. Elastic manages these offerings using its Elastic Cloud Enterprise architecture at the core.
Learn more… (See 2 below)

We Ensure Strong Physical Security Controls

Elastic Cloud SaaS offerings are hosted on certified cloud platforms managed by industry-leading infrastructure-as-a-service providers, including Amazon Web Services (AWS) and Google Cloud Platform (GCP). Elastic reviews the security certifications and practices of its subprocessors to ensure that there are appropriate physical security measures in effect at all premises at which Elastic Cloud data will be processed and stored.
Learn more… (See 3 below)

We've Built In Logical Security Controls

We've taken significant measures to ensure that Elastic Cloud customer data cannot be read, copied, modified, or deleted during electronic transmission, transport, or storage through unauthorized means. To reduce the likelihood of vulnerability-related incidents, the Elastic Cloud team deploys Elasticsearch instances based on the latest operating system kernels, and patches the computing "fleet" whenever a critical CVE (i.e., "Common Vulnerability and Exposure," in security-speak) is discovered in any component software. Similarly, Elastic software, including Elastic Stack components and Elastic Cloud Enterprise, used in the provisioning of Elastic Cloud SaaS offerings, is updated as soon as it is released to ensure that the latest versions are deployed.

To protect customer data, Elastic Cloud clusters are protected with Elastic security features with randomly assigned individual passwords. Clusters are deployed behind redundant proxies and are not visible to internet scanning. Transport Layer Security (TLS) encrypted communication from the Internet is provided in the default configuration. Elasticsearch nodes run in isolated containers, configured according to the principle of least privilege, and with restrictions on system calls and allowed root operations. Elasticsearch nodes communicate using TLS (requires customer to select 6.0 or later versions of the Elastic Stack). Cluster data is encrypted at rest. API access is limited to Elasticsearch APIs, and no remote access to the instance or container at the Linux level is allowed. Containers have no means of setting up communication with containers from another cluster.

We do not perform Internet-based penetration testing against production Elastic Cloud SaaS offerings; however, we do use third parties to perform application security assessments against the Elastic software components used to deliver these services.

We've Implemented Access Controls and Logging

Access controls are established to authenticate the identity of individuals accessing systems that process our customers' cluster data. These controls are designed to ensure that unauthorized persons do not gain access to such systems, and that authorized individuals gain access only to what is appropriate for their role. Such controls include multi-factor authentication, password strength standards, and Virtual Private Networks (VPN) for administrative access. In addition, we've implemented centralized logging, including proxy logs, access logs, Elasticsearch logs, and Auditbeat logs, to record access to customer cluster data and the systems on which it resides.

We Deliver on Data Availability

We've engineered a cloud-based platform that provides for high levels of availability for your data. We use technical and organizational measures, including backup of data, multiple availability zones, and disaster recovery planning, to ensure that customer cluster data is protected against accidental destruction or physical or logical loss.
Learn more… (See 4 below)

We Practice Responsible Vulnerability Management

Elastic recognizes that software development inherently includes the possibility of introducing vulnerabilities. We accept and disclose vulnerabilities discovered in our software in a transparent manner. In addition, Elastic is a CVE Numbering Authority (CNA).
Learn more… (See 5 below)

We Operate in Compliance with the Principles of GDPR

Elastic has prepared for GDPR by carefully reviewing and documenting how it handles personal data, implementing technical and organizational measures to protect the personal data it does handle, and defining and implementing processes to respect the rights of data subjects, across all its products and services. Today, Elastic is operating in compliance with the principles of GDPR. Elastic Cloud customers can request a Data Processing Addendum (DPA) by creating a support case or simply emailing sales@elastic.co.

We Operate in Compliance with SOC 2

Elastic recognizes the importance of adhering to a common set of compliance and certifications from industry auditors. As part of this story, the following Elastic Cloud services — Elasticsearch Service, Elastic Site Search Service, as well as Elastic Support Subscriptions — have SOC 2 Type 1 certification. Elastic also intends to complete a SOC 2 Type II for the Elasticsearch Service, Elastic Site Search Service, Elastic App Search Service, and Elastic Support Subscriptions. A summary of our SOC 2 Type 1 report can be found at the following link. Current customers can issue a "Request for SOC2 report" through the support portal or by contacting their sales representative.

Protecting Your Account

At Elastic we believe that security is everyone's responsibility, and we bake security into the development of our products and into the foundation of Elastic Cloud. However, the security and privacy of your Elastic Cloud SaaS data also relies on you keeping your Elasticsearch cluster configured securely and maintaining the confidentiality of your Elastic Cloud login credentials.

Here's a quick checklist:

  • Don't share your credentials with others.
  • Update your account profile to make sure information is correct and current.
  • Add operational contacts as appropriate.
  • Ensure that you've set secure passwords.
  • Use caution when enabling custom plugins on your Elastic Cloud deployments.
  • Consider setting the option to require index names when initiating destructive actions.

If you need to make changes that are not offered in the Elastic Cloud console, please create an Elastic Support case. If you believe an account has been compromised, please email security@elastic.co. If you need to make an erasure request, please email privacy@elastic.co.

Learn more details

  1. Elastic has formally adopted an Information Security Program, which is generally aligned with ISO 27001. An Elastic Information Security Governance Policy serves as the backbone for all information security policies, standards, and guidelines.
  2. https://www.elastic.co/guide/en/cloud-enterprise/current/ece-architecture.html
  3. Elastic Cloud is hosted on third-party platforms that have the following certifications:
    SOC 1, SOC 2, ISO 27001, ISO 27017, ISO 27018. Please see:
    https://aws.amazon.com/compliance/pci-data-privacy-protection-hipaa-soc-fedramp-faqs and https://cloud.google.com/security/compliance
  4. Elastic Cloud provides the following:
    a. Platform infrastructure redundancy across multiple availability zones
    b. Capability for customers to replicate cluster data across availability zones
    c. Availability monitoring
    d. Backups for critical platform data
    e. 24/7 operations
    f. Status page - https://cloud-status.elastic.co/
  5. Elastic maintains a documented public process for submitting vulnerabilities and security-related issues at https://www.elastic.co/community/security. The company follows a documented (internal) process on responding to vulnerability and other security-related reports. The company has created a team of the most security-knowledgeable people on each product collaborating to evaluate and respond to reports in a private mailing list. The company also publishes vulnerabilities via CVE, and public announcements at https://discuss.elastic.co/c/security-announcements.