Security & Data Protection

Security Certifications

Synchronoss Personal Cloud is built on a foundation of trust, offering robust security backed by industry-recognized certifications. Our solution meets stringent global standards, including information security management, operational security, and data integrity to protect personal data and privacy.

SOC 2

Synchronoss’s SOC 2 Type II certification for Personal Cloud services ensures robust security, controlled access, thorough incident response plans, and regular assessments of risks and vendors.

ISO

Synchronoss’s ISO 27001 certification underscores our commitment to information security through comprehensive policies including physical and environmental security, employee awareness and training, access control, and incident management.

TRUSTe

Earning the TRUSTe certification highlights our organization’s commitment to privacy and data protection. This involves a comprehensive review of our privacy practices and adherence to TRUSTe’s privacy standards, ensuring that we handle personal data responsibly and transparently.

DPF

The DPF is a program developed by the U.S. Department of Commerce in collaboration with the European Commission to facilitate transatlantic data transfers while ensuring adequate safeguards for personal information, in line with EU data protection requirements, and demonstrates our strong commitment to protecting personal data.

Cloud Security Overview

The Synchronoss Information Security Program, executed by the Global Information Security (GIS) team, seeks to further four key objectives that contribute to the company’s ability to satisfy its mission and core values.

Governance, Risk & Compliance
Protect the privacy of users’ information

Data Privacy
Protect sensitive company and client information

Product & Application Security
Maintain compliance with applicable laws and regulations

Security Operations
Safeguard the reputation of Synchronoss and its clients

Governance, Risk & Compliance

Our Governance function enables Synchronoss to mature its security capabilities appropriately in response to evolving industry threats, new customer requirements, and other technical and business challenges. Clear and accountable decision making is applied to define a comprehensive and cost-effective security framework that is aligned to business objectives. This security environment is reflected in consistent policies and procedures that work together effectively, are communicated to the organization, owned by appropriate business roles, and managed to ensure they remain current and aligned to changing business needs. Continuous benchmarking of our capabilities using established industry maturity models allows the organization to steer investment effectively, leading to steady improvement in areas of highest priority.

Through the Risk Management function, Synchronoss manages security risks that may impact business goals and objectives. Periodic risk assessments consider both internal and external risks, as well as risk arising through use of third parties, to proactively identify new and emerging threats, vulnerabilities, and control weaknesses.

A defined risk framework supports consistent evaluation of risks, and where necessary appropriate risk treatment is applied to decrease risk to acceptable levels. This ensures the overall information security risk exposure to the company remains within management’s stated risk tolerance.

The Compliance function ensures alignment and, where necessary, certification with critical regulatory and industry requirements such as SOX, GDPR, CCPA, ISO 27001, and SOC 2 Type II for all cloud products. As regulations and standards evolve, Synchronoss modifies technology and operating practice to maintain a strong security posture. The compliance team collaborates with all stakeholders to define new or revised security controls and then performs internal audits as appropriate to ensure successful implementation or remediation. In addition, the team drives education in current Synchronoss information security policies and effective security principles and practices, leading to continuous growth in the organization’s competency and, ultimately, to successful customer and certification audits.

Data Privacy

Synchronoss supports the right to privacy, and we are committed to the fair processing of personal data. Accordingly, Synchronoss supports laws and regulations that seek to protect the privacy rights of individuals and Synchronoss commits to comply with applicable laws, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). We achieve this through a combination of policy, process, technology, and personnel organized as a global framework to ensure we collect, process, store, and protect personal data using the most appropriate security and protection. The capabilities managed through this initiative enable us to execute privacy and risk assessments, respond to data subject rights requests, and continually mature the technical data protection capabilities of our products, all while working in close alignment with our customers in their role as data controllers.

Product & Application Security

Security Operations

Synchronoss Security Operations uses an array of security tools, processes, and people to identify, protect against, and respond to malicious activity in the Synchronoss environments.

Security Assessments Team
Technical risk assessments are performed by the Security Assessments Team, which is composed of certified ethical hackers. Their goal is to challenge the company to improve its effectiveness and overall security posture by assuming an adversarial role. They develop and manage a threat intelligence program to address threats relevant to information security across the enterprise. The team carries out planned network penetration tests across the environment. The team also provides regular threat/risk briefings to senior management regarding issues raised by the red team.

Security Technology Stack
All security operation tools are managed, upgraded, and monitored for system health. Technologies leveraged include: Endpoint Detection and Response technology, Enterprise Grade Next Generation Firewalls, Web Application Firewalls, Host Intrusion Detection & Prevention, SaaS Internet Proxies, Security Information Event Monitoring system, Distributed Denial of Service, Security Operations Automation & Response tools, Cloud Plane monitoring tools, Container Security monitoring tools and Network Access Control technologies.

Threat & Vulnerability Management

Security Monitoring & Incident Response

24x7x365 – U.S.- and India-based Security Operation Center locations monitor the environment and respond to security alerts correlated through our Security Information Event Management (SIEM) system. Our SIEM tool correlates centralized logs from disparate systems and components in the environment, based on anomalies or known indicators of malicious activity, with the intent of detecting unauthorized activity in the environment. SNCR’s SIEM is continuously fine-tuned through the collaboration of Red Team and SOC analysts in Red/Blue (Purple) Team campaigns (based on MITRE’s ATT&CK framework) to enhance detection rules based on active attack feedback from penetration testers. This collaborative process ensures the validation of current detection rules and the creation of new detection rules around new attack vectors and methods.

The Synchronoss incident response process incorporates people, process & tools into an actionable Security Incident Response Plan. A dedicated security incident response team works in conjunction with our operation centers to ensure that security incidents are identified, contained, investigated and remediated in an expeditious fashion. Intrusion detection and prevention systems are used to provide rapid and, in some cases, automated containment of threats. All incidents are documented, tracked and reported on within the ServiceNow Security Operations module, including the lifecycle of the incident and any related evidence. Post-mortems (root cause analyses) are carried out by the problem management team in conjunction with the incident response team.
