Frequently Asked Questions
Data protection and data separation
Q: How do you separate “my data” from other customers' data?
A: Tenant Administrators have access only to the data that belongs to their account. Tenant-specific details and/or metadata are protected at rest using volume encryption.
Q: Does Thales, my Service Provider, or anyone else have access to my encryption keys stored in a Luna Cloud HSM Service?
A: When the Luna Cloud HSM Service instance is initialized, the service owner creates passwords or phrases for both the Security Officer and Crypto Officer roles. Those secrets are used in a derivation scheme and are required to allow the HSM to unseal the cryptographic material. Only the Security Officer/Crypto Officer are in possession of those secrets. It is left to the discretion of those officers to share the credentials as needed.
Q: How strong is your encryption and data integrity?
A: Data encryption and integrity mechanisms used within the platform meet or exceed industry best practices using FIPS-approved mechanisms. Additionally, our general policy is that any keys used to protect other keys must be at the same security strength or higher. Cryptographic controls are applied to data at rest, in transit, and in use where possible, but they are only one facet of our defense-in-depth strategy. Network-level controls such as intelligent routing, traffic segregation, port- and application-level firewalls, and VPN tunnels are also employed to ensure that confidentiality, integrity, and availability concerns are all met.
Vulnerability management
Q: Can you show evidence of your vulnerability management program?
A: Thales services undergo regular application and network penetration testing by third parties. The assessment methodology includes review processes based on recognized “best-in-class” practices as defined by such methodologies as ISECOM's Open Source Security Testing Methodology Manual (OSSTMM), the Open Web Application Security Project (OWASP), the Web Application Security Consortium (WASC), and the ISO 27001:2022 Information Security Standard.
Q: What is your vulnerability remediation process?
A: When a potential security incident is detected, a defined incident management process is initiated by authorized personnel. Corrective actions are implemented in accordance with defined policies and procedures. Prior to the actual service update, the following tasks are performed:
- Provisioning Testing: The Thales Service Operations team tests the updated service in a controlled environment. With the conclusion of these tests, the code has successfully passed 3 rounds of testing, each done by a different group: Unit Testing by the developer, Sprint Code Testing by the QA group, and Service Update Provisioning Testing by Service Operations.
- A Planned Release Notification (PRN) is sent to all existing customers, notifying them of the scope of the update and the planned date of the actual service update.
- Penetration testing: Penetration testing is done on a dedicated non-production system, but runs in the same environment as the operational service.
- At the last stage, all data is backed up from the operational service, which allows Thales to roll back immediately in case of any unexpected challenges.
Q: How often do you scan for vulnerabilities on your network and applications?
A: We conduct monthly reviews of all patches for servers and network equipment.
Data center failover
Q: How does high-availability between the HSMs in the data center work? Do all requests go to a single HSM, or are requests sent to multiple cards?
A: Requests are sent to a single HSM. In the event the HSM fails, requests are routed to a different HSM.
Q: How are keys replicated between data centers?
A: HSM services are protected by multiple layers of encryption. Data centers are kept consistent through a consensus protocol. When key material is changed in the local data store, it is also replicated externally. The HSM service can only be instantiated in a specified disaster recovery pool.
Q: When does key replication between data centers occur?
A: Key replication occurs when key material is created or modified. Key material is not returned to the client until local quorum is established.
Q: When an HSM service is created, are the primary and backup HSMs provisioned at the same time, or is the second HSM provisioned after the service is initialized?
A: When the HSM service is created, an empty logical HSM is created and stored in the database. The service contains no secrets at this time and is not loaded into a physical HSM. When the customer connects the service, the empty HSM service is loaded on a physical device. When the service is initialized, the HSM service creates any required key material and encrypts it with a key that is partially derived from the customer-supplied password. The HSM service can be loaded on any number of physical HSMs to satisfy service requirements.
Physical and personnel security
Q: Is there restricted and monitored access to critical assets 24x7?
A: Yes. Only Thales employees and contractors whose job responsibilities require logical access to the environment are provided access. For the production environment, this is limited to the following personnel:
- Personnel with administrative responsibilities for the Thales DPoD service.
- Personnel with responsibilities to maintain the network and systems.
- Personnel with responsibilities to deploy code.
Requests for access are submitted as a ticket in the Thales ticketing system. Requests are reviewed by the Thales DPoD Infrastructure Manager and approved by the Sr. Director of Infrastructure and Operations before access is granted. Once a request is approved, access is provisioned by a member of the Technical Support team. Note that this process strictly governs internal access to the system for administrative or operational reasons. It is not intended to cover external users.
Logical access to the Thales DPoD Infrastructure is monitored as follows:
- LogRhythm is used to monitor use of Local Admin accounts and privileged accounts, as well as access to the Thales DPoD Databases. These logs are reviewed on a weekly basis by the Sr. Director of Infrastructure, who does not hold the previously mentioned levels of access being reviewed.
- Access to and actions taken through the operator console are monitored via the monthly operator console report.
Application security
Q: Do you follow OWASP guidelines for application development?
A: Yes, we follow OWASP guidelines.
Q: Do you have a rigorous testing and acceptance procedure for outsourced and packaged application code?
A: Thales maintains a formally documented development life-cycle policy and process. Thales DPoD is developed using the agile development methodology, which ensures a quick yet reliable turnaround between requirements gathering and service delivery. All changes are developed and tested by the appropriate engineering teams in development sprints. All changes are tested and signed off by the QA team leader and the Thales DPoD product manager. Evidence of testing and the requisite approvals are documented in the engineering project tracking system.
Q: What application security measures do you use in your production environment (Example: application-level firewall, database auditing)?
A: Thales utilizes antivirus software within the Thales DPoD cloud environment and on workstations. Virus definitions are updated in real time as they are released, and monitoring is performed in real time. A third-party Service Provider scans the network externally and alerts the Thales Security Team regarding changes in the baseline configuration to increase audit levels.
Incident response
Q: What is your procedure for handling a data breach?
A: When a potential security incident is detected, a defined incident management process is initiated by authorized personnel. Corrective actions are implemented in accordance with defined policies and procedures.
Compliance requirements
Q: Are your data centers under local compliance requirements?
A: Thales DPoD is based on a number of strategically located global Points-of-Presence (PoPs). One PoP is in Europe and the other in North America, and both conform to local compliance requirements. For many years, the EU has had a formalized system of privacy legislation, which is regarded as more rigorous than that found in other areas of the world. Companies operating in the European Union are not allowed to send personal data to countries outside the EU unless there is a guarantee that it will receive adequate levels of protection. Thales hosts the DPoD environment within data centers located in Europe and North America. Data privacy protection can also be afforded by limiting the amount of personal information needed to utilize the service. The minimum Thales DPoD personal data requirement is email address, first and last name.
Q: Are you ISO-270XX compliant?
A: Thales DPoD operations and operations-related IT are fully compliant with the ISO 27001:2022 standard, having achieved independent ISO 27001:2022 Certification for its Information Security Management System and processes. Thales DPoD operations and operations-related IT passed the ISO 27001:2022, 27018:2019, and 27017:2015 recertification audit and successfully transitioned to the 2022 version of the 27001 standard while extending our scope to include IdCloud and CDSPaaS.
Thales DPoD has also received SOC 2 Certification, proving compliance with the five defined trust service principles: security, availability, processing integrity, confidentiality, and privacy.
In addition, DPoD achieved CSA Star Level 2 Third-Party Audit Certification, further solidifying our commitment to transparency and trustworthiness in cloud services.
Support levels and response times
Q: What technical support options are provided?
A: Support for customers is normally provided via our network of highly trained and knowledgeable partners around the globe. The services they provide are backed by Thales' comprehensive support capabilities, details of which can be found here: https://cpl.thalesgroup.com/customer-support.
Reporting options
Q: Is it possible to monitor for service availability?
A: There is a Thales DPoD service status dashboard available for all customers.
Q: Is it possible to get activity logs for operations performed on DPoD services?
A: Each operation that occurs on a Luna Cloud HSM Service is recorded in the Data Protection on Demand (DPoD) log system. These logs are available for querying in the DPoD platform for a period of 12 months.
Q: What are the locations and the supplier names for your Data Centers?
A: All Data Centers and outsourcing partners are listed below:
Thales DPoD Data Centers
North America Region
Cyxtera Technologies, Inc.
1400 Kifer RD
Sunnyvale, CA, 94086, USA
Entered service March 2023
Equinix Data Center
21830 Uunet Dr
20147, Ashburn VA, USA
Entered service November 2024
Rogers Communications
436 Hazeldean Rd
Kanata, ON, K2L1T9, CAN
Entered service May 2018
Europe Region
Equinix Data Center
Luttenbergweg 4
1101 EC Amsterdam, NL
Entered service June 2024
InterXion
Hanauer Landstrasse 298
60134 Frankfurt am Main, GER
Entered service May 2018
CipherTrust Data Security Platform as a Service
Q: Does Thales offer migration from DPoD Key Brokers for Google/AWS to CipherTrust as a Service?
A: Yes. For more information see Migrating Key Broker for Google Cloud EKM to CipherTrust Data Security Platform as a Service.
Q: Can CipherTrust as a Service compare in functionality to CipherTrust products?
A: CipherTrust as a Service is based on the market-leading CipherTrust Data Security Platform, which has been in market for several years. The underlying idea for the CipherTrust service is to match the features and functionality of the on-premise CipherTrust platform. There might be some differences due to the inherent nature of the different delivery methods (service vs. on-premise) or due to roadmap implementation schedules. At launch, the service embodies the functionality contained in CipherTrust Manager (CM) and CipherTrust Cloud Key Manager (CCKM). Always refer to the latest documentation or contact Thales for the latest updates on supported services and features. Because this is a fully Thales-managed service that takes much of the administrative burden off customers, some related changes have been made to the platform itself. For example, many of the administrative functions in CipherTrust Manager (backups, licensing, etc.) have been removed from CipherTrust as a Service because these operations are offered as part of the Thales managed service. However, the user interface for both products is the same, which reduces the learning curve for existing customers interested in migrating to the service.
As new updates are released for these products, evaluation and implementation of new features will typically be completed 4-6 weeks after the product has reached General Availability. Other CDSP (CipherTrust Data Security Platform) Connectors, such as CipherTrust Transparent Encryption, KMIP (Key Management Interoperability Protocol), etc., will be added to CipherTrust as a Service as part of our roadmap developments.
Q: Does Thales, my Service Provider, or anyone else have access to my encryption keys stored in the CipherTrust Service?
A: When the CipherTrust tenant is initialized, a tenant admin account is created (which can be used to define role-based access controls to the service). In addition, a Cloud HSM partition is created and tethered to the CipherTrust tenant. This ensures that all keys created by the tenant are affiliated to a Master Encryption Key stored in the Cloud HSM partition.
Q: Can customers integrate CipherTrust products with CipherTrust as a Service for high availability?
A: No. While functionally the same, the storage of information and the architecture of the product and service are different. A customer may choose to use the CipherTrust product and CipherTrust as a Service as complementary technologies to solve different use cases, but clustering for the purposes of high availability is not possible. In such scenarios, we recommend clustering Virtual CipherTrust Managers geo-located with cloud workloads and clustering them with physical or virtual CipherTrust Managers running on premise.
Q: How is the communication secured between the CDSPaaS locations and the customer application?
A: Connections between CDSPaaS and the cloud key service or SaaS (Software as a Service) application are configured through either a browser-based management console or the REST API. Once set up, the customer connects their application to the cloud key service or application to use the keys generated by CipherTrust.
Q: Can an external HSM be used as the RoT (Root of Trust)?
A: Luna Network HSM and other physical or cloud HSMs are not supported at this time.
Q: How are the backups taken from CDSPaaS?
A: A tenant backup is initiated instantaneously as content is generated in the service (adding keys, users, etc.). This incremental backup approach ensures nothing is lost should a DR (Disaster Recovery) event occur.
Q: What is the RTO (Recovery Time Objective) for CipherTrust As a Service?
A: RTO is the time period within which data integrity and service availability must be fully restored to avoid unacceptable consequences associated with the service's interruption. This is calculated to be 1 hour for CDSPaaS.
Q: Can the customer take their own local backup from CDSPaaS?
A: No. If you require a copy or backup of keys in use, a support request must be submitted. The support request must include details on the objects required for retrieval.