We Take Security Seriously
A cloud security solution is a critical component of your IT infrastructure. It controls how employees, contractors, partners and customers gain access to cloud services.
McAfee MVISION Cloud is designed from the ground up to help you meet your security and compliance needs and to be the enterprise-grade service you can trust.
McAfee has invested heavily to provide an enterprise-grade service. Those investments include:
- SOC2 Type II
- ISO 27018 certification
- ISO 27001 certification
- FIPS 140-2
- EU-U.S. Privacy Shield
- CSA STAR
- Transparency of controls and compliance
- Operations and Data
- Security expertise & oversight
- Independent Penetration & Vulnerability testing
The following section gives an overview of the third-party and industry-standard certifications that have been completed or are in progress for the MVISION Cloud product suite.
SOC2 Type II Report
A SOC 2 Type II report is an attestation of the MVISION Cloud organization's management assertion that certain controls are in place to meet the AICPA’s SOC 2 Trust Services Criteria (TSC).
The Trust Services Criteria are noted below:
- Security: The system is protected against unauthorized access (both physical and logical).
- Availability: The system is available for operation and use as committed or agreed.
- Processing Integrity: System processing is complete, accurate, and authorized.
- Confidentiality: Information that is designated “confidential” is protected according to policy or agreement.
- Privacy: Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity’s privacy notice and with criteria set forth in Generally Accepted Privacy Principles issued by the AICPA.
The report contains an opinion from a CPA firm that states whether the CPA firm agrees with management’s assertion. The opinion states that the appropriate controls are in place to address the selected TSCs and that the controls are suitably designed (Type I report) or suitably designed and operating effectively over the review period (Type II report).
FedRAMP
MVISION Cloud has received the Federal Risk and Authorization Management Program (FedRAMP) certification and can enable agencies to meet the US Government’s Cloud policy by enabling them to adopt Software as a Service (SaaS) solutions (e.g. Office 365) while seamlessly enforcing their security, compliance, and governance policies. This certification requires cloud providers to pass rigorous security requirements that are mandatory for all federal agencies. Skyhigh (now MVISION Cloud) is the first Cloud Access Security Broker (CASB) to be designated a “FedRAMP Compliant System”.
ISO 27001 certification
ISO 27001 is one of the most robust certifications a cloud provider can attain. Attaining ISO certification is a reflection of MVISION Cloud’s commitment to security across multiple functions. Skyhigh (now MVISION Cloud) is proud to be the first CASB to attain this certification and join the 4% of cloud providers who have gone through this extensive validation process. Conforming to ISO 27001 includes mandatory training and testing of all employees around general IT security issues and online threats. MVISION Cloud has obtained ISO 27001 certification after engaging with the British Standards Institute (BSI), demonstrating its commitment to open standards and controls as well as the maturity of its controls and practices in place.
ISO 27018 certification
ISO 27018 is the first international standard focusing on the protection of personal data in the public cloud; it establishes controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) stored in the public cloud. Skyhigh (now MVISION Cloud) is not only the first CASB to attain the ISO 27018 certification but is also among the first major cloud service providers to achieve this certification in the United States. This certification confirms that MVISION Cloud has built in the security controls to protect customer PII. It ensures that MVISION Cloud processes PII in accordance with customer instructions, maintains transparency on how information is stored, deleted and accessed, does not use customer data for advertising and will disclose to the customer any law enforcement requests for their data. This certification further enables customers to meet their own privacy obligations as required by local and industry regulations.
FIPS 140-2
MVISION Cloud is FIPS 140-2 certified. FIPS 140-2 has become the de facto standard for encryption beyond the federal government and is recognized as an important security standard outside the United States. The FIPS 140-2 certification provides assurance that MVISION Cloud’s encryption has undergone rigorous third-party testing and can provide the highest level of protection to enterprises.
EU-U.S. Privacy Shield
MVISION Cloud is a member of the Privacy Shield program, designed by the U.S. Department of Commerce, the European Commission and the Swiss Administration to provide a mechanism for complying with data protection requirements when transferring personal data from the European Union (EU) and Switzerland to the United States. MVISION Cloud also complied with the U.S.–E.U. Safe Harbor framework, which was declared invalid in October 2015.
CSA STAR
CSA STAR is a security assurance program for cloud providers, established by the Cloud Security Alliance (CSA), a recognized authority on cloud security. STAR encompasses the key principles of transparency, rigorous auditing and harmonization of standards, with continuous monitoring based on CSA’s Cloud Controls Matrix (CCM). CSA’s CCM is a set of cloud-specific security controls mapped to leading standards, best practices and regulations. MVISION Cloud is CSA STAR self-assessed, which confirms its alignment with cloud security best practices and validates the security posture of its cloud offering. MVISION Cloud’s Consensus Assessments Initiative Questionnaire (CAIQ) is available at this link: https://cloudsecurityalliance.org/star-registrant/skyhigh-networks
Transparency of controls and compliance
Operations and Data
McAfee Operations partners with trusted industry leaders like AWS and XO Communications to provide a secure, performant, highly available infrastructure. Access to infrastructure is closely controlled and limited to trusted senior team members. Two-factor authentication and IPsec Virtual Private Networks (VPNs) ensure strong authentication and encryption of data in transit.
Security expertise & oversight
Our service was built by a team with a proven track record in enterprise security. Prior to founding Skyhigh, the team was responsible at Cisco for products that enable customers to administer, enforce, and audit standards-based, consistent access policies across the IT stack. The team delivered the Identity Services Engine, a product that won the coveted Pioneer Award at Cisco and is considered to be a game changer for Cisco.
Independent Penetration & Vulnerability testing
While we audit ourselves continually, we remember Richard Feynman’s principle: “you must not fool yourself, and you are the easiest person to fool.” Accordingly, major software releases are heavily audited by a third party (Kratos), at least four times a year.