Elastic maintains a comprehensive information security program that includes appropriate technical and organizational measures designed to protect our customers' cluster data against unauthorized access, modification or deletion.
Learn more... (See 1 below)
Elastic's security and privacy programs are led by a Chief Information Security Officer (CISO) and a data protection officer (DPO). In addition, we have dedicated teams focusing on information security (InfoSec), regulatory compliance, software vulnerabilities, and Elastic Cloud security operations to keep your data private and secure. Our legal team includes attorneys who are certified information privacy professionals (CIPP) in the USA and Europe.
Elastic respects the privacy rights of individuals. We recently updated our privacy statement to make it very clear when we collect personal data and how we use it. We've written our privacy statement in plain language to be transparent to our users and customers.
Elastic maintains an internal Supplier Assessment Standard, which mandates that Elastic's InfoSec team regularly performs security reviews for all third-party suppliers with whom there is potential to share confidential or restricted Elastic information (e.g., personal data).
Elastic Cloud SaaS offerings are implemented on a modern, flexible, scalable, service-oriented architecture created by Elastic. Elastic manages these offerings using its Elastic Cloud Enterprise architecture at the core.
Learn more… (See 2 below)
Elastic Cloud SaaS offerings are hosted on certified cloud platforms managed by industry-leading infrastructure-as-a-service providers, including Amazon Web Services (AWS), Google Cloud, and Microsoft Azure. Elastic reviews the security certifications and practices of its subprocessors to ensure that there are appropriate physical security measures in force at all premises at which Elastic Cloud data will be processed and stored.
Learn more… (See 3 below)
We've taken significant measures to ensure that Elastic Cloud customer data cannot be read, copied, modified, or deleted during electronic transmission, transport, or storage through unauthorized means. To reduce the likelihood of vulnerability-related incidents, the Elastic Cloud team deploys Elasticsearch instances based on the latest operating system kernels, and patches the computing “fleet” whenever a critical CVE (i.e., "Common Vulnerability and Exposure," in security-speak) is discovered in any component software. Similarly, Elastic software, including Elastic Stack components and Elastic Cloud Enterprise, used in the provisioning of Elastic Cloud SaaS offerings, is updated as soon as it is released to ensure the latest versions are deployed.
To protect customer data, Elastic Cloud clusters are equipped with Elastic security features that randomly assign individual passwords. Clusters are deployed behind redundant proxies and are not visible to internet scanning. Transport Layer Security (TLS) encrypted communication from the Internet is provided in the default configuration. Elasticsearch nodes run in isolated containers, configured according to the principle of least privilege, and with restrictions on system calls and allowed root operations. Elasticsearch nodes communicate using TLS (requires customer to select 6.0 or later versions of the Elastic Stack). Cluster data is encrypted at rest. We support IP address-based access controls so users may restrict access to their hosted deployments by filtering specific IP ranges. Additional network layer security is available on Amazon with AWS PrivateLink integration. Our support for AWS PrivateLink helps eliminate the exposure of your data to the public internet. This is accomplished by securing the network connection between your Amazon VPCs, applications, and your Elastic Cloud deployments on AWS. API access is limited to Elasticsearch APIs, and no remote access to the instance or container at the Linux level is allowed. Containers have no means of setting up communication with containers from another cluster.
We do not perform Internet-based penetration testing against production Elastic Cloud SaaS offerings, however, we do use third parties to perform application security assessments against the Elastic software components used to deliver these services.
Access controls are established to authenticate the identity of individuals accessing systems that process our customer's cluster data. These controls are designed to ensure that unauthorized persons do not gain access to such systems, and that authorized individuals gain access only to what is appropriate for their role. Such controls include multi-factor authentication, password strength standards, and Virtual Private Networks (VPN) for administrative access. In addition, we've implemented centralized logging, including proxy logs, access logs, Elasticsearch logs, and Auditbeat logs, to record access to customer cluster data and the systems on which it resides.
We've engineered a cloud-based platform that provides high levels of availability for your data. We use technical and organizational measures, including backup of data, multiple availability zones, and disaster recovery planning, to ensure that customer cluster data is protected against accidental destruction or physical or logical loss.
Learn more… (See 4 below)
Elastic recognizes that software development inherently includes the possibility of introducing vulnerabilities. We accept and disclose vulnerabilities discovered in our software in a transparent manner. In addition, Elastic is a CVE Numbering Authority (CNA).
Learn more… (See 6 below)
Elastic has prepared for GDPR by carefully reviewing and documenting how it handles personal data, implementing technical and organizational measures to protect the personal data it does handle, and defining and implementing processes to respect the rights of data subjects, across all its products and services. Today, Elastic is operating in compliance with the principles of GDPR. Elastic Cloud customers can request a Data Processing Addendum (DPA) by creating a support case or simply emailing firstname.lastname@example.org.
Elastic recognizes the importance of adhering to a common set of compliance and certifications and earning validation from neutral industry auditors. The following Elastic Cloud services — Elasticsearch Service, Elastic Site Search Service, as well as Elastic Support Subscriptions — have been audited by Coalfire and granted SOC 2 Type 2 certification. Customers can issue a "request for SOC 2 report" through the support portal or by contacting their sales representative.
HIPAA (or the Health Insurance Portability and Accountability Act of 1996) is United States legislation that provides data privacy and security provisions for safeguarding medical information. The HIPAA rules apply to “covered entities” that handle data that is protected health information (PHI), such as insurance companies or doctor’s offices, and extend to business associates like Elastic who process PHI on behalf of such covered entities. All Elastic Cloud subscription tiers on Microsoft Azure, Google Cloud, and Amazon Web Services allow for HIPAA business associate agreements (BAAs).
At Elastic, we know that security is everyone's responsibility. That's why we bake security into the development of our products and into the foundation of Elastic Cloud. The security and privacy of your Elastic Cloud SaaS data also relies on you keeping your Elasticsearch cluster configured securely and maintaining the confidentiality of your Elastic Cloud login credentials.
Here's a quick checklist:
- Don't share your credentials with others.
- Update your account profile to make sure information is correct and current.
- Add operational contacts as appropriate.
- Ensure that you've set secure passwords.
- Use caution when enabling custom plugins on your Elastic Cloud deployments.
- Consider setting the option to require index names when initiating destructive actions.
If you need to make changes that are not offered in the Elastic Cloud console, please create an Elastic Support case. If you believe an account has been compromised, please email email@example.com. If you need to make an erasure request, please email firstname.lastname@example.org.
- More information about our security and privacy programs, including our support for security standards and regulations, can be found on our security page.
- Elastic has formally adopted an Information Security Program, which is certified on ISO 27001, including ISO 27017 and ISO 27018. An Elastic Information Security Governance Policy serves as the backbone for all information security policies, standards, and guidelines.
- Elastic Cloud is hosted on third-party platforms that have the following certifications:
SOC 1, SOC 2, ISO 27001, ISO 27017, ISO 27018. Please see:
https://aws.amazon.com/compliance/pci-data-privacy-protection-hipaa-soc-fedramp-faqs and https://cloud.google.com/security/compliance
- Elastic Cloud provides the following:
- Platform infrastructure redundancy across multiple availability zones
- Capability for customers to replicate cluster data across availability zones
- Availability monitoring
- Backups for critical platform data
- 24/7 operations
- Status page - https://cloud-status.elastic.co/
- Elastic maintains a documented public process for submitting vulnerabilities and security-related issues at https://www.elastic.co/community/security. The company follows a documented (internal) process on responding to vulnerability and other security-related reports. The company has created a team of the most security-knowledgeable people on each product collaborating to evaluate and respond to reports in a private mailing list. The company also publishes vulnerabilities via CVE, and public announcements at https://discuss.elastic.co/c/security-announcements.
- Visit the FedRAMP Marketplace to view the Cloud Service Offering (CSO) entry for Elastic Cloud. You will find more information about signing up on our website.