Ascend offers a dedicated Enterprise Package for our platform. In addition to features like HIPAA compliance, the Enterprise Package includes Enterprise Security, which provides enhanced controls for managing access to your Ascend-managed data. It's based on three security controls:
- cloud-level origin-based access controls for your Ascend internal data stores
- authenticated gateway for infrastructure-level support access to the environment
- explicitly granted access for Ascend employees to the application by the customer
Your Ascend environment is backed by two data stores: MySQL and Blob Storage.
In all cloud services, your MySQL instances are deployed on private networks and only accessible from the Ascend-managed Kubernetes cluster. This applies to both the Standard and Enterprise packages.
In AWS and Azure, it is possible to protect Blob storage (S3/ABS) with origin-based access control lists (ACLs). This restricts data access to come from specific IPs or cloud access points. In both AWS and Azure, we lock down the internal buckets so they are only accessible from inside the Ascend VPC/VNet or from the external IP of the network.
Azure Blob Storage
In Azure, we also grant permissions from the Ascend Ops IPs to run Terraform because the firewall is configured at the Storage Account level. To manage the Azure Blob Storage Containers, the management API calls are subject to the same firewall rules as data object access.
GCP does not support origin-based access controls for Google Cloud Storage, so this functionality is unavailable.
To provide tighter control for customers with sensitive data or specific compliance requirements, we offer customer-gated cluster access. This functionality is backed by StrongDM, a leading provider of Just-in-Time access management.
The Kubernetes cluster in your environment is accessible through a StrongDM proxy. By default, engineers have basic access to inspect compute resources and service health (allowing them to perform most basic triage), but they do not have access to perform any more sensitive actions like
exec (in Kubernetes
exec is the equivalent of SSH'ing to prod).
To grant elevated access for advanced triage, Ascend must receive explicit approval from the customer that temporary access may be granted to an engineer responsible for a support investigation. If approved, that engineer is granted temporary permissions to access the cluster with elevated privileges. This grant will automatically expire after the engineer has completed their work.
In addition to the explicit permission grant workflow, all Kubernetes access is logged immutably in StrongDM. If needed, logs are provided on request.
In a standard deployment Ascend support has access to the application in order to perform rapid triage and incident reconciliation. In Enterprise Security environments support access to the environment is managed the same way as any user access is granted to the environment through the standard permissions model.
Updated about 1 year ago