Security & Privacy
We take seriously our responsibility to help protect your data and environments, and that responsibility starts with protecting our own.
Building security is one thing - providing it is another.
Mission's security and compliance posture is governed by a custom Mission Information Security Management System (ISMS). The ISMS is developed by drawing on external compliance regimes (SOC 2, ISO, etc.), best practices from organizations like SANS and AWS, and internal Mission requirements.
Mission systems and personnel are expected to abide by the requirements in the ISMS and its sub-policies and procedures. This activity is then mapped to external compliance regimes to provide evidence for our auditors. Mission is currently audited against SOC 2 and ISO 27001 annually. In addition to these regimes, we are able to map our ISMS to many other regimes or requirements at customer request.
Access to your AWS Environment
Many Mission products and services require that customers provide some form of access to customer-controlled AWS accounts to Mission personnel. This access is protected using native AWS security tools like Identity and Access Management (IAM).
Any access to customer infrastructure starts with the Mission staff member authenticating to Mission's IAM tooling (currently Okta), which requires Multi-Factor Authentication (MFA). Following a least-privilege model, only roles that require customer access are permitted to authenticate to customer environments, and every authentication on the Mission side is logged and audited.
Once authentication is complete, Mission staff may access the customer environment in a variety of ways.
- AWS Console - Mission may interact directly with the AWS Management Console in the customer account to make manual changes or gather information.
- AWS API - Mission may use internal tools and open source tooling like Terraform to interact with the customer's account through the AWS APIs.
- AWS Infrastructure - Mission may use AWS Systems Manager (SSM) to interact with customer AWS infrastructure such as EC2 instances.
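Because all three channels leave a record in the customer's own CloudTrail, a customer can audit a partner's access independently of the partner's logs. The following Python is an added example, not Mission Cloud's own tooling: it classifies CloudTrail records into the three channels above and flags partner sessions for which CloudTrail itself holds no MFA evidence. The role name MissionOpsRole, the account ID and the sample records are constructed assumptions; substitute the role ARN your account actually grants.

```python
"""Audit a partner's access to an AWS account from its CloudTrail records.

Added example; assumes the partner is granted a single IAM role named
PARTNER_ROLE (hypothetical). Sample records below are constructed.
"""
import json

PARTNER_ROLE = "MissionOpsRole"  # assumption: the role the partner assumes

# Constructed CloudTrail records, trimmed to the fields this script reads.
SAMPLE_EVENTS = [
    {   # console sign-in through a SAML-federated role session (IdP did MFA)
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111122223333:assumed-role/MissionOpsRole/alice",
            "sessionContext": {"attributes": {"mfaAuthenticated": "false"}},
        },
        "additionalEventData": {
            "MFAUsed": "No",
            "SamlProviderArn": "arn:aws:iam::111122223333:saml-provider/Okta",
        },
        "userAgent": "Mozilla/5.0",
    },
    {   # API change applied with Terraform under the same federated session
        "eventSource": "ec2.amazonaws.com",
        "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111122223333:assumed-role/MissionOpsRole/alice",
            "sessionContext": {"attributes": {"mfaAuthenticated": "false"}},
        },
        "userAgent": "APN/1.0 HashiCorp/1.0 Terraform/1.6.0",
    },
    {   # interactive shell to an instance via Systems Manager, MFA seen by STS
        "eventSource": "ssm.amazonaws.com",
        "eventName": "StartSession",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111122223333:assumed-role/MissionOpsRole/bob",
            "sessionContext": {"attributes": {"mfaAuthenticated": "true"}},
        },
        "requestParameters": {"target": "i-0123456789abcdef0"},
        "userAgent": "aws-cli/2.15.0",
    },
    {   # the customer's own administrator, not the partner
        "eventSource": "s3.amazonaws.com",
        "eventName": "PutBucketPolicy",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::111122223333:user/customer-admin"},
        "userAgent": "console.amazonaws.com",
    },
]


def load_records(text):
    """Parse the JSON body of a CloudTrail log file ({"Records": [...]})."""
    return json.loads(text)["Records"]


def is_partner_session(event):
    """True if the caller is a session of the partner's role."""
    arn = event.get("userIdentity", {}).get("arn", "")
    return f":assumed-role/{PARTNER_ROLE}/" in arn


def access_channel(event):
    """Map a record to one of the channels: console, api or ssm."""
    src = event.get("eventSource", "")
    name = event.get("eventName", "")
    ua = event.get("userAgent", "").lower()
    if src == "signin.amazonaws.com" and name == "ConsoleLogin":
        return "console"
    if src == "ssm.amazonaws.com" and name in ("StartSession", "SendCommand"):
        return "ssm"
    if "console.amazonaws.com" in ua:
        return "console"  # a manual change made from the console
    return "api"          # SDK, CLI or Terraform traffic


def mfa_seen_by_aws(event):
    """True only when CloudTrail itself records a second factor.

    Caveat: with SAML/OIDC federation (for example through Okta) MFA happens at
    the IdP, so STS never sees it and mfaAuthenticated stays "false". For those
    sessions the IdP's authentication log is the authoritative MFA record.
    """
    if event.get("eventName") == "ConsoleLogin":
        return event.get("additionalEventData", {}).get("MFAUsed") == "Yes"
    attrs = (event.get("userIdentity", {}).get("sessionContext", {})
             .get("attributes", {}))
    return attrs.get("mfaAuthenticated") == "true"


def summarize(events):
    """Count partner activity per channel; list sessions lacking AWS-side MFA."""
    counts = {"console": 0, "api": 0, "ssm": 0}
    review_with_idp = []
    for ev in events:
        if not is_partner_session(ev):
            continue
        channel = access_channel(ev)
        counts[channel] += 1
        if not mfa_seen_by_aws(ev):
            review_with_idp.append((channel, ev["eventName"],
                                    ev["userIdentity"]["arn"]))
    return counts, review_with_idp


if __name__ == "__main__":
    totals, needs_idp_check = summarize(SAMPLE_EVENTS)
    print("partner activity by channel:", totals)
    for item in needs_idp_check:
        print("no AWS-side MFA evidence, confirm in IdP log:", item)
```

The sample run reports one console, one API and one SSM event for the partner role and lists the two federated sessions for cross-checking against the IdP's log; the customer's own administrator is ignored. In practice, point `load_records` at the gzipped objects CloudTrail delivers to S3, or run the same classification as an Athena query over the trail.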
Mission differs from many of your SaaS partners in that our job is to help manage your AWS environment. Your data stays in your AWS accounts, fully accessible to your team and under your control. Mission does not collect, process or store the data you keep in your AWS account.
Mission does collect data about the team we will interface with - primarily contact information like names, emails and phone numbers. We also collect the data we need for billing, which includes the usage generated in your AWS environment. Data that Mission collects is protected both in transit (using common protections like TLS) and at rest (using standard AWS encryption techniques).
Mission Cloud is capable of assisting customers with a wide range of security needs. You can visit our Mission Cloud One product page for more information. This section details Mission’s approach to security for our internal systems.
Mission utilizes a Managed Detection and Response vendor to protect our corporate endpoints - both our laptops / desktops and our AWS accounts and EC2 instances. This platform includes anti-malware (EPP), endpoint detection and response (EDR), managed detection and response (MDR) and some ancillary services like vulnerability management. The service includes a 24x7 security operations center for triage and response.
All Mission employees are required to perform general cybersecurity training at hire time and at least annually thereafter. Some specialized roles also receive additional role-specific security training - for example, our software development teams receive secure development training.
Identity & Access Management
Mission Cloud currently uses Okta as our primary Identity and Access Management (IAM) tool. This platform gates all access to customer environments and Mission critical systems. All users are required to use Multi-Factor Authentication (MFA), and every access is logged. All access grants are made on a least-privilege basis, ensuring that the minimum number of users have access to core systems and customer AWS accounts.
Report a Security Problem
Mission believes that working with skilled security researchers can identify weaknesses in any technology. If you believe you've found a security vulnerability in Mission Cloud's service, please notify us; we will work with you to resolve the issue promptly.
- If you believe you’ve discovered a potential vulnerability, please let us know by emailing us at firstname.lastname@example.org. We will acknowledge your email within one week.
- Please provide us with a reasonable amount of time to resolve the issue before disclosing it to the public or a third party. We aim to resolve critical issues within ten business days of disclosure.
- Make a good faith effort to avoid violating privacy, destroying data, or interrupting or degrading the Mission Cloud services. Please only interact with accounts you own or for which you have explicit permission from the account holder.
- Mission Cloud does not currently offer a formal bounty program. Reports demanding bounties before disclosure will be ignored.
Mission Cloud is providing this service to help ensure a safe and secure environment for all of its users. As such, any users believed to be engaging in the below activities will have their user credentials immediately deactivated.
While researching, we’d like you to refrain from:
- Denial-of-Service (DoS)
- Social engineering or phishing of Mission Cloud’s employees, customers, or contractors
This policy applies to the Mission Cloud Application hosted at control.missioncloud.com and to any other subdomains or services associated with the Mission Cloud App.
Thank you for helping to keep Mission Cloud and our customers safe!
Mission Cloud is always open to feedback, questions, and suggestions. If you would like to talk to us, please feel free to email us.