tl;dr
Cresta has SOC-2 Type 2 security compliance with no findings. Cresta can easily create dashboards across all our customers.
The status quo
Customers care about the privacy of their data, and Cresta has always shared that concern. Customers don’t just want talk; they often need proof to back up claims. Before being compliance certified, Cresta had no way to prove its compliance posture to outside parties.
As part of our security posture, we create separate databases for all our customers. This makes it difficult to visualize data across all of them at the same time.
Cresta’s answer on security
Cresta now has SOC-2 Type 2 compliance. This outside validation provides a minimum bar for internal security and best practices. For Cresta, this also enables our sales organization to target larger enterprises that require compliance for external vendors.
One recent example of our security work is creating a multi-account AWS cloud deployment. Amazon documents these best practices here, but the short version is that separating products and development environments into different accounts creates a strong security boundary between them, making it much harder for problems in one area to spread into another.
For internal accounts, we’ve recently migrated to Single Sign-On (SSO) authentication. Engineers do not use usernames or passwords to log into our cloud accounts. We’ve extended this to EC2 Instance Connect, which means we also require SSO for connections to our bastion hosts and development servers.
Another example is Cresta’s use of GitOps. We use GitOps to deploy application and infrastructure changes through CI/CD. This creates an audit trail of all system changes, along with who made each change.
Cresta’s answer on data visualization
Cresta uses PrestoDB/Trino to query and aggregate data across multiple databases in real time. This allows us to calculate company-wide results, such as KPIs, or create single-use dashboards for all customers at once. Internal teams use it to track Cresta usage and report on it in Slack.
It also allows a customer analysis to be reused by simply changing the customer name.
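The cross-database pattern described above, as an added example that is not Cresta’s own code: Trino is assumed to be configured with one catalog per customer database (the catalog names customer_acme and customer_globex, the public.conversations table and its columns are constructed), and the federated read leaves each customer’s data in its own database.

```sql
-- Added example, not Cresta's code. Assumed setup: one Trino catalog per
-- customer database (customer_acme, customer_globex are constructed names),
-- each exposing public.conversations(conversation_id, started_at, csat_score).

-- Company-wide KPI: conversations per day and average CSAT for every customer,
-- computed at query time across the separate per-customer databases.
WITH all_customers AS (
    SELECT 'acme'   AS customer, conversation_id, started_at, csat_score
    FROM customer_acme.public.conversations
    UNION ALL
    SELECT 'globex' AS customer, conversation_id, started_at, csat_score
    FROM customer_globex.public.conversations
)
SELECT
    customer,
    date_trunc('day', started_at) AS day,
    count(*)                      AS conversations,
    avg(csat_score)               AS avg_csat
FROM all_customers
WHERE started_at >= current_date - INTERVAL '7' DAY
GROUP BY 1, 2
ORDER BY 1, 2;

-- The same analysis reused for a single customer: only the catalog name
-- (the customer name) changes, the query body does not.
SELECT
    date_trunc('day', started_at) AS day,
    count(*)                      AS conversations,
    avg(csat_score)               AS avg_csat
FROM customer_globex.public.conversations
WHERE started_at >= current_date - INTERVAL '7' DAY
GROUP BY 1
ORDER BY 1;
```

Trino does not let a catalog name be parameterized, so the company-wide query lists each customer catalog explicitly; the Trino user running it needs read access to every catalog, which is where per-catalog access rules keep the isolation meaningful.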
Why you should care
If you’re a large organization with strict security compliance standards for external vendors, check out Cresta! Our suite of compliance standards is constantly growing!
Special thanks to the Cresta Infra squad: JMatt and Jack L.