At Narrative Science we use Amazon Web Services (AWS) for our cloud hosting services. This creates a shared responsibility model between customers and AWS. AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the services operate.
Amazon details in their policy documentation: “Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors.” You can read more information about the AWS Compliance center at https://aws.amazon.com/compliance/
Narrative Science hosts its applications on AWS’ virtual private cloud servers, within the us-east-1 Region (Northern Virginia). Amazon is the largest provider of virtualized cloud infrastructure in the world and has become the industry leader in best practices. AWS provides extensive documentation on its security and control environment, industry certifications, and third-party attestations. For more information, please visit https://aws.amazon.com/security. Although AWS is a public cloud environment (physical computing resources are shared by multiple tenants), we leverage the Virtual Private Cloud (VPC) feature of AWS. This allows us to segment our platform into distinct virtual networks, and restrict access to each virtual network as desired.
We operate in a strictly controlled Linux server environment, and there is no direct access to our cloud infrastructure from the public internet. Software downloads to operate the infrastructure are limited to a set of validated software packages required. We regularly rebuild our base Docker images to ensure newly deployed servers benefit from consistent security updates.
Access to Narrative Science’s secure infrastructure is strictly controlled via network security groups, firewalls, and identity-based authentication. Only the minimum level of network access required is permitted. Sensitive assets like database servers are not accessible to the internet at all and are isolated in their own network security group, VPC subnets, and Network ACL’s. Narrative Science employees requiring access to these systems or information must complete successful background checks and use a secure bastion that is used to protect sensitive resources like databases with sensitive information.
Mobile Device Management
Our IT and Security teams use mobile device management (MDM) technology to assist in managing company-supplied mobile devices. This MDM software includes a self-service portal where trusted software can be downloaded and automatically patched as new security patches are released.
Only company-provided hardware is allowed to be used when handling any sensitive customer data. We expressly prohibit the use of any removable media like flash drives or CDs.
Furthermore, all Narrative Science-issued devices encrypt data on the hard drives and require password-protected screensavers. A purchased and reputable anti-virus and anti-malware solution is installed and enforced with regular definition updates. We have the ability to remote wipe these devices if they are lost or stolen.