
Understanding Compliance

Discover the role compliance standards play in the modern IT environment

Compliance involves many separate factors.

Nearly everything we do depends on our increasingly interconnected and rapidly expanding digital capabilities, and it seems like daily breakthroughs change and streamline how we shop and live online. But with all this high-tech power comes exposure, liability, and serious risk. If you operate a business or service on the web, it’s incumbent upon you to remain compliant with any and all regulations governing your industry.

Is your organization ready?

What is Compliance?

Compliance is the general state of being in accordance with prescribed standards and laws. In the digital world, compliance concerns generally focus on network and data security, but other details—like how employees move and handle data within your secure environment—are also crucial considerations.

Here are some key compliance focus areas:

PCI DSS Compliance

The Payment Card Industry Security Standards Council is the global consortium of experts dedicated to developing and evolving security measures that protect the billions of online payment card transactions occurring every day in the modern economy. The PCI Council doesn’t just help keep your business safe; it also charges you with meeting and complying with the minimum security standards it establishes for processing credit card transactions online.

To do so, it has established the Payment Card Industry Data Security Standard (PCI DSS) to govern account data security and best practices. Learn more about PCI DSS Compliance.

HIPAA Compliance

The now-ubiquitous HIPAA is one of the largest and most rigorous compliance areas in the United States. The Health Insurance Portability and Accountability Act of 1996 outlined the requirements for protecting vital patient health data, from physical records like files, to network security for virtual data, to proper procedures for working with this information. Every employer, health care provider, school administrator, and many other interest groups are directly impacted by HIPAA and responsible for complying with the act.

Learn more about HIPAA compliance requirements.

GDPR Compliance

The General Data Protection Regulation (GDPR) is intended to give citizens of the European Union (EU) greater control over their personal data and make data handling regulations consistent across the EU’s 28 member states.

The GDPR implements several measures to protect personal data, including standards for:

  • Citizens’ rights to erase personal data
  • Data security practices and technologies for organizations
  • Assessing the risk of data privacy or protection incidents in projects that deal with personal data
  • Data Protection Officers at organizations that monitor or process high volumes of protected data
  • Supervisory authorities who govern EU data protection in each member state
  • Public notification policies after an organizational data breach
  • Portability of personal data
  • Data retention

Sumo Logic is taking the necessary steps to gain GDPR compliance validation and obtain proof of compliance by May 2018.

Learn more about GDPR compliance requirements. 

SOC 2 Compliance

Service Organization Control (SOC) reports came into widespread use in 2011. There are three types of SOC reports, but SOC 2 focuses explicitly on the security protecting financial transactions. SOC 2 compliance requires retail and service providers to submit a written overview of how their system works and of the measures in place to protect it, with particular attention to five areas:

  • Security
  • Availability
  • Processing Integrity
  • Confidentiality
  • Privacy

Popular in part for its scalability, SOC 2 compliance allows organizations to assess and resolve security issues within the custom framework of their environment.

FISMA Compliance

Originally signed into law in 2002 as the Federal Information Security Management Act, this bill was revised in 2014 to become the current FISMA, which keys on the following five metrics:

  1. Identify: pinpoint all of the equipment involved in your data security plan.
  2. Protect: safeguard these systems with anti-virus and malware programs, physical security plans, and other means for keeping essential data protected.
  3. Detect: Detection compliance includes reactive approaches like stopping an active intrusion and proactive programs like routine deep penetration testing and audits.
  4. Respond: prepare the policies, procedures, and training programs you will need when you face inevitable threats.
  5. Recover: FISMA compliance guidelines are designed to help you recover from a malicious event or disastrous data loss in a fast, logical way.


ISO 27001 Compliance

The International Organization for Standardization was formed in the late 1940s to help businesses trade consistently across national borders. In the technology age its guidelines, called ISO standards, took on increased significance for safely moving data around the internet. ISO 27001 compliance standards specifically detail best information security management practices.

CIPA Compliance

The Children’s Internet Protection Act (CIPA) was passed in 2000. In the early days of the internet boom, unmonitored content found its way too easily onto the screens of unsuspecting kids using classroom computers. CIPA was enacted so that technology like monitors and filters would keep harmful content away from kids. Administrators in every school district in the country are tasked with screening content and complying with this act so that the full educational potential of the web can be unleashed in classrooms without fear of inappropriate detours into the darker side of the internet.

These are just some of the compliance areas that require special attention. But there are other considerations to keep in mind when developing a holistic approach to compliance.

Compliance Security

Security compliance is the firewall between your organization and a failed audit…or worse.

Having a theoretically secure environment isn’t enough. Today compliance requires proving that your network and data security are effectively protecting your customer data. Most compliance models require active proof of your measures’ effectiveness. The most recent changes to PCI DSS 10, for example, call for semi-annual audits from approved third-party security professionals who perform deep penetration trials and report vulnerabilities before they can be exploited.

Complying with security guidelines means constantly testing your organization’s limitations to understand not just their strengths, but where they are most likely to face intrusion attempts and what to do when threats impact your environment.

Compliance & Logs

In any environment, and especially in those already using DevOps approaches, telemetry and feedback power compliance efforts. The ability to look under the hood and see how the pieces and parts of your network are interacting—and what those interactions produce—is the difference between a safe, efficient environment and one with compliance nightmares waiting to happen.

Everything that happens in your network is captured somewhere in the many systems pouring data into logs. By unifying logs and metrics into actionable, interactive control panels, a clear picture of network life emerges and compliance concerns can be surfaced and solved.

Compliance in the Cloud

The cloud brings new capabilities…and a complicated storm of compliance concerns.

The great migration from on-premises data centers to decentralized, virtualized platforms is well underway, and eventually almost all services will run in the cloud. Will this make compliance easier or tougher?

The cloud definitely comes with the advantage of a wealth of data. Cloud hosting services like AWS or Microsoft Azure offer native logging services that capture any and every piece of information that could impact your environment or be necessary to illustrate compliance. But sorting through haystacks for the scarce needles that matter is easier with the right help. In this in-depth webcast, experts from IP Architects and Teledoc discuss how Sumo Logic’s suite of tools helps them focus on critical compliance areas in the cloud, including:

  • Developing apps that integrate security into every level of development, which makes compliance part of app DNA
  • Understanding platform logging systems and where they store data
  • Realizing that a compliance plan doesn’t guarantee compliance, and planning for worst case scenarios
  • Leveraging Sumo Logic’s tools to manage and simplify cloud compliance

Enterprise-Level Compliance Concerns

At the enterprise level, the information pertinent to compliance can represent a massive amount of data each day. Worse, experts estimate that up to 90 percent of intrusions within an enterprise network go undetected, representing a serious risk to security and compliance.

Tools like Sumo Logic’s LogReduce help you compress and analyze log data, helping you react to anomalies in real time and even predict coming threats. This datasheet outlines additional ways to bring industry-leading tech tools to your enterprise. It keys on three immediate ways to simplify and secure your compliance environment:

Identify data exfiltration. Highlight logins and security events throughout your entire enterprise, with automated machine learning that draws correlations between problems and activity and lets you know if data has been touched or removed.

Lower compliance cost. Generating and analyzing reports can be expensive and time consuming. Get the data you need instantly and simply, freeing your professionals for more profitable pursuits.

Audit access. Remaining compliant means conducting mandatory audits, which can be a massive undertaking without the right tools.

The Challenge of Compliance

As the capabilities of modern networks continue to expand, so too will the need for reliable, standardized ways of protecting customer information and moving and storing data within your environment. The secret to remaining compliant with emerging standards is deep, real-time insight into how your environment lives and breathes, and knowing where and how to obtain, manage, and analyze the data you need to meet your requirements.

Sumo Logic Assurance Programs

PCI DSS 3.2 Service Provider Level 1 Certified

Sumo Logic is Service Provider Level 1 compliant under the Payment Card Industry (PCI) Data Security Standard (DSS). Customers can run applications on our PCI-compliant technology infrastructure for storing, processing, and transmitting credit card information in the cloud. In February 2013, the PCI Security Standards Council released PCI DSS Cloud Computing Guidelines. These guidelines provide customers who are managing a cardholder data environment with considerations for maintaining PCI DSS controls in the cloud. Sumo Logic has incorporated the PCI DSS Cloud Computing Guidelines into the Sumo Logic PCI Compliance platform.

For more information on PCI DSS compliance, please visit PCI SSC Data Security Standards Overview.

ISO 27001 Certification

Sumo Logic is ISO 27001 certified under the International Organization for Standardization (ISO) 27001 standard. ISO 27001 is a widely adopted global security standard that outlines the requirements for information security management systems. It provides a systematic approach to managing company and customer information that’s based on periodic risk assessments. In order to achieve the certification, a company must show it has a systematic and ongoing approach to managing information security risks that affect the confidentiality, integrity, and availability of company and customer information.

Sumo Logic has established a formal program to maintain the certification. This certification reinforces our commitment to providing transparency into our security controls and practices. For more information on ISO 27001 compliance, please visit ISO/IEC 27001 – Information security management.

HIPAA Attestation

Sumo Logic enables covered entities and their business associates subject to the U.S. Health Insurance Portability and Accountability Act (HIPAA) to leverage the secure Sumo Logic environment to process, maintain, and store protected health information. Additionally, Sumo Logic is able to sign business associate agreements (BAA) with such customers.

For more information on HIPAA compliance, please visit Summary of the HIPAA Security Rule.

SOC 2, Type II Attestation

Similar to the SOC 1 in the evaluation of controls, the SOC 2 report is an attestation report that expands the evaluation of controls to the criteria set forth by the American Institute of Certified Public Accountants (AICPA) Trust Services Principles. These principles define leading practice controls relevant to security, availability, processing integrity, confidentiality, and privacy applicable to service organizations such as Sumo Logic.

The Sumo Logic SOC 2 attestation is an evaluation of the design and operating effectiveness of controls that meet the criteria for the security principle set forth in the AICPA’s Trust Services Principles criteria. This report provides additional transparency into Sumo Logic security and availability based on a defined industry standard and further demonstrates Sumo Logic’s commitment to protecting customer data.

For more information on SOC 2, Type II, please visit AICPA SOC 2.

FIPS 140-2 Level 2 Compliant

The Federal Information Processing Standard (FIPS) Publication 140-2 is a US government security standard that specifies the security requirements for cryptographic modules protecting sensitive information.

To support customers with FIPS 140-2 requirements, TLS terminations in the Sumo Logic platform operate using FIPS 140-2 validated hardware and software.

For more information on FIPS 140-2, please visit FIPS 140-2.

E.U. Cookie Compliance

European Union websites must follow the Commission’s guidelines on privacy and data protection and inform users that cookies are not being used to gather information unnecessarily.

The ePrivacy directive – more specifically Article 5(3) – requires prior informed consent for storage of, or access to, information stored on a user’s terminal equipment. In other words, you must ask users whether they agree to most cookies and similar technologies (e.g. web beacons, Flash cookies, etc.) before the site starts to use them.

Sumo Logic complies with the E.U. Commission’s guidelines regarding the use of cookies. For more information, please visit the European Commission Information Providers Guide on Cookies.

U.S.-EU & U.S.-Swiss Safe Harbor Certifications

The European Commission’s Directive on Data Protection went into effect in October 1998 and prohibits the transfer of personal data to non-European Union countries that do not meet the European Union (EU) “adequacy” standard for privacy protection.

Sumo Logic is certified against the U.S.-EU & U.S.-Swiss Safe Harbor Frameworks. These frameworks and certifications are an important way for Sumo Logic customers to satisfy the Directive’s “adequacy” requirement for privacy protection and avoid experiencing interruptions in their business dealings with the EU or facing prosecution by EU member state authorities under EU member state privacy laws.

For more information on the U.S.-EU & U.S.-Swiss Safe Harbor Frameworks, please visit the Export.Gov Safe Harbor.

CSA STAR Certification

Sumo Logic’s Cloud Security Management System is CSA STAR certified by BrightLine CPA.

CSA STAR is a rigorous assessment of cloud-specific security controls and processes. The certification leverages the requirements of the ISO/IEC 27001 management system standard together with the CSA Cloud Controls Matrix, which is specific to cloud security controls and mapped to leading standards, best practices, and regulations.

CSA STAR is the industry’s most powerful program for security assurance in the cloud. STAR encompasses the key principles of transparency, rigorous auditing, and harmonization of standards, with continuous monitoring also available in late 2015. STAR certification provides multiple benefits, including indications of best practices and validation of the security posture of cloud offerings.

For more information on CSA STAR, please visit CSA Security, Trust & Assurance Registry (STAR).

EU-US Privacy Shield

The European Commission’s Directive on Data Protection went into effect in October 1998 and prohibits the transfer of personal data to non-European Union countries that do not meet the European Union (EU) “adequacy” standard for privacy protection.

In 2016, the European Commission and the US Government agreed on a new framework called the EU-US Privacy Shield, and on July 12, 2016, the European Commission formally adopted it. The EU-US Privacy Shield replaces Safe Harbor. Sumo Logic welcomes this new framework for transatlantic data flow.

TRUSTe

Sumo Logic has been certified against TRUSTe’s Enterprise Privacy Certification Standards. These certification standards apply to businesses that collect or process personal information, and set a standard for responsible data collection practices.

These Certification Standards are based on foundational privacy frameworks including the Fair Information Practice Principles, OECD Privacy Guidelines, APEC Privacy Framework, and the EU-U.S. Privacy Shield Principles.

Sumo Logic Cloud Platform enables our customers to understand the robust controls Sumo Logic has in place to maintain security and data protection in the cloud. Customer security is essential to our business.
CISO, Leading Life Sciences Company

See Who’s Running Securely on the Sumo Logic Cloud Platform

Resources

Download free analyst reports, white papers, data sheets, and videos to learn how Sumo Logic Cloud Platform maintains security and compliance in the cloud.

Cloud Enlightenment

A journey down the path of enlightenment and leveraging the power of automation.

Sumo Logic Security Model

The Sumo Logic security model is an end-to-end process, focused on keeping customers’ information safe.

All-In With AWS

Assessing the Risk: Can the Cloud Be More Secure Than Your On-Premises Environments?


FAQs

What certifications do you currently have and what is on your roadmap?

Sumo Logic has currently achieved the following attestations/certifications:

  • PCI DSS 3.2 Service Provider Level 1
  • HIPAA-HITECH
  • SOC 2 Type II
  • ISO 27001
  • CSA Star
  • US-EU Privacy Shield
  • TRUSTe Certified Privacy

Do you rely on AWS compliance?

While many other SaaS providers rely on AWS certifications, Sumo Logic implemented its own security controls, completed audits with a third-party independent audit firm, BrightLine CPA, and obtained attestations/certifications for its log management service.

Who has access to my data?

Only customers have access to their data, unless they enable access to their data for Sumo Logic’s Customer Success team. Even then, authorized Sumo Logic employees access a customer’s data only in response to a specific support request. All access to customer data is logged and auditable. Moreover, Sumo Logic has read-only access to customer data.

How do you handle data deletion?

Data ingested by Sumo Logic is split into two streams, an Index stream and a Raw stream. Each of these streams is encrypted using customer-specific encryption keys rotated every 24 hours. In addition to the encryption keys, the disks themselves are encrypted. When data expires per the retention period, the indexes and customer-specific keys are deleted. This accomplishes two things:

  • The indexes cannot be located and thus recovered
  • The raw data cannot be decrypted

This unrecoverable data will remain on additionally encrypted disks until Sumo Logic runs a periodic disk cleanup, which is done using a DoD 5220.22-M scrub.
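As an added illustration of the key-rotation and key-deletion scheme described above (a constructed example, not Sumo Logic's implementation): a customer-specific AES-GCM key is created for each 24-hour window, each stream is sealed under that day's key, and expiring the retention window deletes the keys so that ciphertext still sitting on disk can no longer be decrypted. The names `KeyStore`, `Ingest`, `Read` and `Expire` are assumptions for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"time"
)

// Constructed crypto-shredding illustration, not Sumo Logic's code: one AES-GCM key per customer per day.

// keyID names one customer's key for one 24-hour window (day = days since the Unix epoch).
type keyID struct{ customer string; day int64 }

// KeyStore holds only the data keys; the ciphertext stays on disk.
type KeyStore struct{ keys map[keyID]cipher.AEAD }

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[keyID]cipher.AEAD{}} }
func dayOf(t time.Time) int64  { return t.Unix() / 86400 }

// Ingest seals one stream (index or raw) under the customer's key for day t,
// generating that day's key on first use: this is the daily rotation.
func (ks *KeyStore) Ingest(customer string, t time.Time, plaintext string) []byte {
	id := keyID{customer, dayOf(t)}
	g, ok := ks.keys[id]
	if !ok {
		key := make([]byte, 32)
		rand.Read(key)                 // Go 1.24+ guarantees rand.Read never fails
		block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
		g, _ = cipher.NewGCM(block)    // cannot fail for an AES block
		ks.keys[id] = g
	}
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, []byte(plaintext), nil) // nonce prepended
}

// Read decrypts a stream sealed on day t; it fails once that day's key is shredded.
func (ks *KeyStore) Read(customer string, t time.Time, ct []byte) (string, error) {
	g, ok := ks.keys[keyID{customer, dayOf(t)}]
	if !ok {
		return "", errors.New("key shredded: data unrecoverable")
	}
	n := g.NonceSize()
	if len(ct) < n {
		return "", errors.New("ciphertext too short")
	}
	pt, err := g.Open(nil, ct[:n], ct[n:], nil)
	return string(pt), err
}

// Expire deletes every key older than the retention window and reports how
// many were shredded; the disks holding the ciphertext are scrubbed later.
func (ks *KeyStore) Expire(now time.Time, retentionDays int64) int {
	cutoff, n := dayOf(now)-retentionDays, 0
	for id := range ks.keys {
		if id.day < cutoff {
			delete(ks.keys, id)
			n++
		}
	}
	return n
}
```

Because a different customer's key cannot authenticate the ciphertext, a cross-customer read fails the same way a post-expiry read does; only the key for the right customer and day opens a record.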

If the customer wants to pull out any of their unexpired data in the event they choose to cancel their Sumo contract, the data can be pulled down from the API, exported to CSV or placed in an S3 bucket owned by the customer. This must be done before the contract/subscription expires or is cancelled.

How do you monitor your environment for security events?

We use Sumo Logic for logging and alerting on security events. All security events are addressed in accordance with our incident response policy:

  • Critical Issues: Remediation efforts will begin immediately
  • High Severity Issues: Remediation efforts will begin within 5 days
  • Medium Severity Issues: Remediation efforts will begin within 60 days
  • Low Severity Issues: Remediation efforts begin in accordance with their business and customer impact

To report any disruptions or suspected security incidents to the Sumo Logic platform or service, please contact us at Security-support@sumologic.com.

Get Started Today!

Sign up for your FREE Sumo Logic Trial.

“Sumo Logic brings everything together into one interface where we at Hudl can quickly scan across 1,000 servers and gigabytes of logs and quickly identify problems. It’s awesome software and awesome support.”

Jon Dokuli,
VP of Engineering
