cg-logoChaos Genius

Security at Chaos Genius

Date
Effective Date: 

The purpose of this document is to outline the security operations, best practices and application security protocols being followed at Goodhealth Technologies, Inc., (“Chaos Genius”, “we”, “our”). The contents of this document are updated from time to time to reflect the current security practices.

Chaos Genius has best-in-class security, periodic audits, and continuous monitoring to ensure that customer data is always secure.

In case of any questions, please contact us at [email protected].

Architecture & Information Usage

This section contains details of Chaos Genius’ technical architecture, system design and associated security measures and best practices. It also lays out the details of all the customer Snowflake metadata data being used for ingestion and analysis.

Information Usage

This section lists down all details of customer Snowflake metadata being accessed and processed by Chaos Genius systems and applications in order to generate analyses and insights to be delivered to the customer via Chaos Genius’ web application and related software services.

Metadata Access Only

Chaos Genius only requires READ access to a customer's Snowflake account metadata database which contains metadata about customer’s Snowflake usage. This database does not contain any customer data or sensitive information.

The Chaos Genius user can only access the Snowflake metadata database and does not have any access whatsoever to customer data.

READ Access Only

Chaos Genius only requires READ access to a customer's Snowflake account metadata database Chaos Genius user requires minimal permissions and access privileges on this metadata.

List of Metadata being Accessed

Chaos Genius accesses Snowflake usage metadata in order to present users with analyses and recommendations related to Snowflake cost reduction & performance optimization. Chaos Genius uses the following tables for the said analyses and insight generation.

Following views from the account_usage schema are accessed.

  • SNOWFLAKE.ACCOUNT_USAGE.ACCESS_HISTORY
  • SNOWFLAKE.ACCOUNT_USAGE.AUTOMATIC_CLUSTERING_HISTORY
  • SNOWFLAKE.ACCOUNT_USAGE.COPY_HISTORY
  • SNOWFLAKE.ACCOUNT_USAGE.DATABASES
  • SNOWFLAKE.ACCOUNT_USAGE.DATABASE_STORAGE_USAGE_HISTORY
  • SNOWFLAKE.ACCOUNT_USAGE.DATA_TRANSFER_HISTORY
  • SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_ROLES
  • SNOWFLAKE.ACCOUNT_USAGE.GRANTS_TO_USERS
  • SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY
  • SNOWFLAKE.ACCOUNT_USAGE.MATERIALIZED_VIEW_REFRESH_HISTORY
  • SNOWFLAKE.ACCOUNT_USAGE.METERING_DAILY_HISTORY
  • SNOWFLAKE.ACCOUNT_USAGE.METERING_HISTORY
  • SNOWFLAKE.ACCOUNT_USAGE.OBJECT_DEPENDENCIES
  • SNOWFLAKE.ACCOUNT_USAGE.PIPES
  • SNOWFLAKE.ACCOUNT_USAGE.PIPE_USAGE_HISTORY
  • SNOWFLAKE.ACCOUNT_USAGE.QUERY_ACCELERATION_ELIGIBLE
  • SNOWFLAKE.ACCOUNT_USAGE.QUERY_HISTORY
  • SNOWFLAKE.ORGANIZATION_USAGE.RATE_SHEET_DAILY
  • SNOWFLAKE.ACCOUNT_USAGE.ROLES
  • SNOWFLAKE.ACCOUNT_USAGE.ROW_ACCESS_POLICIES
  • SNOWFLAKE.ACCOUNT_USAGE.SCHEMATA
  • SNOWFLAKE.ACCOUNT_USAGE.SEARCH_OPTIMIZATION_HISTORY
  • SNOWFLAKE.ACCOUNT_USAGE.SESSIONS
  • SNOWFLAKE.ACCOUNT_USAGE.STAGE_STORAGE_USAGE_HISTORY
  • SNOWFLAKE.ACCOUNT_USAGE.STORAGE_USAGE
  • SNOWFLAKE.ACCOUNT_USAGE.TABLES
  • SNOWFLAKE.ACCOUNT_USAGE.TABLE_STORAGE_METRICS
  • SNOWFLAKE.ACCOUNT_USAGE.USERS
  • SNOWFLAKE.ACCOUNT_USAGE.VIEWS
  • SNOWFLAKE.ACCOUNT_USAGE.WAREHOUSE_EVENTS_HISTORY
  • SNOWFLAKE.ACCOUNT_USAGE.WAREHOUSE_LOAD_HISTORY
  • SNOWFLAKE.ACCOUNT_USAGE.WAREHOUSE_METERING_HISTORY

Further details on the above views can be found in Snowflake’s documentation.

Limited access, role & permissions for Chaos Genius User

During onboarding, customers are required to create a Chaos Genius user in their Snowflake environment and grant it access to Snowflake metadata for the purpose of ingestion and processing.

Chaos Genius does not have read or write access to any of the customer's data that is stored in Snowflake. This access and permissions are clearly defined when the customer creates a Chaos Genius user with an extremely limited set of READ permissions on Snowflake Metadata only.

The exact details on User creation, access, role and privileges are provided to the customer in Chaos Genius web application during the onboarding process. It can also be requested by writing to us on [email protected].

PII handling

Chaos Genius does not require access to any PII information for performing analysis and generating cost savings recommendations.

If underlying Usage tables have PII data, Chaos Genius suggests the following as two levels of measures to prevent access to PII.

Level 1: As a default, we suggest that all columns that have PII or sensitive data be masked with Snowflake’s Dynamic Data Masking.

Level 2: As a safeguard measure, Chaos Genius is designed to run PII identifiers on all query texts and mask the metadata before ingesting it into any of our analyses. This feature can be enabled upon request.

Customer Account Information

Chaos Genius collects Customer’s account information provided during the onboarding process like organization name, email address, billing information. The details on this can be found in our privacy policy

The said Customer Account information is stored securely and with encryption in our systems. Our web application uses third party product analytics tools which also collect additional information on product usage and application performance monitoring

Technical Architecture

The following section contains details on the Chaos Genius’ technical architecture, system design and associated security operations and best practices.

IP Whitelisting

Chaos Genius supports IP Whitelisting for customers who wish to restrict access to select IP addresses. We recommend using Snowflake’s network policies. During the onboarding, you will be provided the IP addresses which can be configured in Snowflake.

Secure Infrastructure

Chaos Genius uses Amazon Web Services as our cloud provider. AWS provides an extensive list of compliance assurances, including SOC 2, ISO 27001, PCI Level 1 and FISMA Moderate.

Chaos Genius does not own or maintain any physical infrastructure

Hosting

All of our applications, systems and databases run on AWS and are hosted in the US region. A complete list of compliances offered by AWS can be found here.

Chaos Genius does not own or maintain any physical infrastructure.

Encryption

All Chaos Genius application web traffic (in transit) uses HTTPS protocol using Transport Layer Security. All the server-side certificates are managed and controlled via the AWS Certificate Manager. All sensitive data stored (at rest) is encrypted with AWS Key Management Service SDK. We use AWS KMS for controlling and managing the keys for server-side encryption. AWS Encryption SDK is being used for securely handling all the cryptographic operations in our application. You can learn more about AWS KMS capabilities here

Access Control

We use AWS Cognito for client authentication and access management. You can read more about AWS Cognito's security practices here

All access to our production infrastructure requires multi-factor authentication, and is restricted to authorized personnel only. We limit access to customer data to the employees who need it to provide support and troubleshooting on the customer’s behalf. Accessing customer data is done solely on an as-needed basis.

Vulnerability Scanning & Patching

Chaos Genius also uses high-quality static analysis tooling provided by GitHub Advanced Security such as CodeQL, Secrets Scanner, and Dependabot to secure our product at every step of the development process. We periodically check and apply patches for third-party software/services. As and when vulnerabilities are discovered we apply the fixes within pre-defined SLAs.

Secure Development Life Cycle (SDLC)

Product development is executed through a documented SDLC process.

We follow an Agile methodology for shipping code. We make use of issue tracking and version control while developing services. Automated unit and integration tests are run on every change with the help of Continuous Integration (CI). Most of the code written is linted and type checked as a part of the CI pipeline. All code is reviewed and tested extensively before being merged.

We make use of a tiered architecture with separate environments for production (stable, tested deployment used by all clients) and staging (to run tests on before shipping). These environments are isolated from each other. All changes are continuously deployed (CD) to the staging environment where they are tested again.

Access to code bases, servers and data systems are secured by role-based access control (RBAC) following the principle of least privilege.

The deployments make use of a service-oriented architecture with tightly controlled communication between services. The servers run in a Virtual Private Cloud (VPC) with public endpoints provided only to user-facing services. Backend code is shipped in containers that only contain the required code with secrets being isolated and secured separately.

Security Operations

Identity and Access Management for Employees

Operating on the principle of least privilege, Chaos Genius employees have unique logins for all business critical systems and two-factor authentication is enforced wherever possible.

Employee Security Training

All Chaos Genius personnel are required to undergo a security training, specifically designed for a cloud-hosted setup. It covers industry best practices around typical human-based-attack vectors involving phishing, passwords, attachments etc.

Responsible Disclosure

If you believe you have discovered a vulnerability within Chaos Genius’ application, please submit a report to us by emailing [email protected]. Chaos Genius does not participate in a bug bounty program at this time, nor do we provide monetary rewards for findings.

If you believe your account has been compromised or you are seeing suspicious activity on your account please report it to: [email protected].