| Access Control |
- Each cloud customer account is deployed with a unique ID to guarantee adequate separation.
- Each cloud customer account is granted with its own unique and narrow role, based on least privilege principle. We grant just the permissions which are required to perform tasks and access shared resources, such as databases and cloud object storage.
- The default and automatic deployment of the JFrog cloud platform is on a shared environment including the following resources:
- The load balancer is a shared component at the region level.
- The applications’ database schema and role are dedicated for each customer. The applications’ database is a cloud provider managed service, shared at the region level.
- Each customer has its own unique role with permissions for their own files. The applications’ file store is a cloud provider managed service, shared at the region level.
- JFrog cloud platform uses managed object storage and databases from the major cloud providers. Each customer has their own unique role with permissions to their own data.
|
| Data Encryption |
- Data in transit is defined as data that is actively transferring between different destinations (e.g., applications to databases or object storage) over the same network or over the internet. In the JFrog cloud platform, every customer’s data is encrypted in transit using HTTPS with TLS V1.2.
- Data at rest is defined as data that is physically stored and hosted in any digital form (e.g., cloud storage, databases, data warehouses, or cloud backups) and not actively transferring between different destinations. In the JFrog cloud platform, all hosted data at rest is securely stored in a database and object storage using 256-bit AES encryption.
|
| Application and Infrastructure Control |
- As part of our multi-layer cloud protection approach, a dedicated DDoS mitigation ecosystem has been put in place. JFrog utilizes anti-DDoS protection, a next-gen WAF, an API protection tool, advanced rate limiting and bot protection.
- JFrog’s Cyber Incident Response Team (CIRT) constantly monitors our products, infrastructure operations and security solutions. JFrog’s security has established a comprehensive strategy and policies to respond, notify, and remediate security incidents promptly and efficiently.
- JFrog’s CIRT continuously monitors our products’ logs, infrastructure operations and systems audit logs in our internal Security Information and Event Management (SIEM) to detect potential incidents promptly and efficiently. As part of this ongoing effort, the CIRT investigates and responds to reports from bug bounty programs, vulnerability disclosure programs, automated scanners, customer support portal and dedicated email inbox.
- To ensure prompt and efficient response time, our Security Operations Center (SOC) is staffed with highly qualified and experienced security experts, who work to fulfill our internal SLA policy.
|
| Internal Controls |
- JFrog has defined access roles for each system and service based on least privilege principle. Access to all our applications is possible only via Single Sign-on (SSO) and 2-factor authentication (2FA) with strong password policies.
- JFrog requires that its employees use a password manager to ensure that they use unique and complex passwords and store them in a secure vault.
- JFrog uses a zero-trust solution to securely connect our employees, devices, and apps over JFrog’s internal network. Our zero-trust solution provides Web and URL filtering, sandboxing, cloud firewall, CASB and DLP.
- JFrog engineers connect to our production resources using an advanced 2FA and just-in-time access solution, which allows us to employ the principle of least privilege and conduct a full audit.
- JFrog laptops are equipped with encryption technology that is turned on by default, in compliance with our policy, along with advanced anti-malware software.
- JFrog uses email protection solutions designed to prevent malware, zero-day attacks, phishing, Business Email Compromise (BEC), spam and N-days.
- All JFrog employees receive mandatory privacy and cyber security awareness training as part of their onboarding, as well as mandatory annual ones thereafter. Moreover, employees receive ongoing security education training about topics such as phishing, password management, secure development, and security best practices for operating cloud accounts.
|
| Security Events |
- JFrog’s CIRT works with external incident response experts to assist us with emergency security incidents. As part of our comprehensive vulnerability management process, JFrog’s CIRT runs continuous and automated vulnerability scans of all our assets; prioritizes vulnerability fixes and releases patches quickly.
|
| Standards |
- JFrog is certified underISO 27001, the global standard for IT security management policies. ISO 27001 is a framework of policies and procedures that includes people, processes, and IT systems, its objective is to provide requirements for establishing, implementing, maintaining, and continuously improving an Information Security Management System (ISMS).
- JFrog is certified underISO 27017, the global security standard for cloud service providers and users. ISO 27017 provides guidance on the information security aspects of cloud computing, to make a safer cloud-based environment and reduce the risk of security issues.
- JFrog engages Ernst & Young to audit its system and organization controls report –SOC 2 Type II Report. This auditing procedure ensures we securely manage and protect our customer’s data. This Report is validated and updated annually and is a key document that outlines and certifies the ways in which JFrog achieves and maintains compliance and control objectives.
|
