3Cloud follows strict standards and procedures in designing and implementing its security controls to protect the confidentiality, integrity, and availability of our data, corporate assets, processes, and technologies.
Built by Experts
3Cloud Security Engineers, Systems Administrators, and Compliance Specialists collaborate to harden 3Cloud’s environment, while empowering 3Clouders to work securely and efficiently.
Designed by Experts
3Cloud security and compliance professionals follow guidelines from NIST, CIS, and data privacy and protection legal counsel when architecting its policies and controls.
Validated by Experts
3Cloud personnel work with Microsoft Security experts, penetration testers, auditors, legal firms, and other professionals to validate policies and controls. Improvements feed back into the design phase.
Protecting your privacy is of paramount importance to us. Therefore, we do not share customer details with any third parties.
Our SOC 2 Type 2 report certifies 3Cloud’s controls for security, availability, integrity, and confidentiality. It is available to prospective clients under an NDA upon request.
3Cloud is a team composed of industry-leading minds and problem solvers who launch organizations into the cloud—delivering the ultimate Azure experience. Our laser-focused Azure experts have been entrusted by over 500 clients across the United States to architect solutions that meet their needs. Cloud environments introduce unique security and privacy challenges that we can help you overcome.
The purpose of this statement is to list the pillars of security and privacy 3Cloud incorporates in its environment. As we aim to be a security and privacy leader in the Azure consulting space, we work passionately and efficiently to fortify the confidentiality, integrity and availability of treasured assets. In this statement, we explain the security principles that guide 3Cloud.
3Cloud is a cloud-based organization. Our operations rely on third-party software-as-a-service (SaaS) applications and services to communicate, store data, manage resources and deliver our expertise.
3Cloud provides Professional and Managed Services, which are conducted in client environments, and does not provide environments to its clients. Moreover, data collected and stored by 3Cloud includes business contact information and other information required to fulfill its contractual obligations with its clients, such as project artifacts.
3Cloud has a strict and extensive adjudication process for new hires, which is completed prior to the candidate’s start date. All 3Clouders undergo background checks at the global and national levels. These checks include social security number (SSN) verification, sex offender list screening, and monitoring of global watchlists and criminal activity. For contractors, letters of attestation are verified by 3Cloud Human Resources.
Access to 3Cloud offices is approved by management at the time of hire, and reviewed annually and as needed to ensure continuing access is authorized.
Keyed locks, electronic access systems, cameras, alarmed entry and exit doors, required reporting of lost or stolen access tokens, restricted access areas and logging have been implemented to protect offices.
Badges are assigned to employees who live within close proximity of 3Cloud offices and deprovisioned within 24 hours should an employee decide to move on from 3Cloud. Guest badges are assigned and revoked when no longer needed. Guests are required to wear unique badges while visiting our facilities.
3Cloud Business Systems retains access logs for at least 90 days and monitors alerts as needed.
All 3Cloud personnel must undergo security awareness training upon hire and annually thereafter.
Training involves video modules, quizzes, simulated and adaptive phishing engagements, and remedial training. Training topics include security awareness, data privacy and protection, remote work security, artificial intelligence security, diversity and inclusion and sexual harassment prevention.
Security posters containing best practices and common scam notifications are routinely distributed.
3Cloud makes use of a cloud access security broker (CASB) to add an additional layer of protection to its endpoints and cloud operations. A CASB enforces security policies across applications and devices to assist with:
3Cloud’s CASB of choice has policies pertaining but not limited to authentication & authorization, device profiling, encryption, logging & alerting and malware detection/prevention. These policies, and violations of them, are funneled into detection and alerting software.
Project artifact data generated from engagements is stored in the client’s and/or 3Cloud’s collaboration environment. Security awareness training, identity & access management and standardized cryptographic algorithms are just some of the ways 3Cloud keeps your data safe.
3Cloud uses strong third-party cryptography to protect data at rest and data in transit. A few of the cryptographic technologies and protocols that 3Cloud utilizes include, but are not limited to: BitLocker, Transparent Data Encryption (TDE), Transport Layer Security (TLS) 1.2 (or higher) and other standardized protocols. 3Cloud audits these regularly to validate their security and ensure that they are appropriate for the data they aim to protect.
3Cloud has been audited annually for SOC 2 Type 2 compliance since 2018 on the security trust services criteria. 3Cloud’s SOC 2 Type 2 report is available under a Mutual Confidentiality Agreement (“MCA”).
An Internal Audit Committee tests and verifies the applicable controls for a SOC 2 Type 2 attestation. The following business sectors and their responsibilities are in scope for this committee:
More detail regarding the audit of these functions can be found in our SOC 2 Type 2 report, which is available under an MCA.
3Cloud’s Information Security Policy (“ISP”) provides the foundation for our security philosophy and controls. The ISP is reviewed annually and as needed in accordance with our business objectives, risks and other key considerations.
In addition to the sections in this paper, contents include but are not limited to risk assessment handling, secrets management, endpoint security and email security. Other satellite policies surrounding the Information Security Policy include our Incident Response Plan, Information Governance Policy, Third Party Vendor Management Policy and Artificial Intelligence Policy.
Several security models drive the security architecture at 3Cloud, namely defense in depth and zero trust architecture. For more information about zero trust architecture, see NIST’s publication on the subject. Finally, 3Cloud leverages NIST’s Cybersecurity Framework to guide its cybersecurity program.
These principles harmonize to protect 3Cloud’s people, processes and technologies. Internal and external audits are conducted to ensure compliance with these principles.
A Risk Assessment Committee (“RAC”) identifies, triages and remediates risk to 3Cloud’s business and mission critical operations.
The RAC is composed of stakeholders from the executive level, Business Systems, Accounting & Finance and Security Operations. Meetings are held quarterly and as needed, and communications occur in between meetings as new risks are identified.
Once a risk is identified, it is assigned a priority and an owner, and a determination is made on how to address said risk—accept or mitigate. If 3Cloud decides to mitigate the risk, controls are implemented at the people, process and/or technology level(s) and the risk level is recalculated at the next meeting.
3Cloud assets are run through a lifecycle management process and appropriate use of our assets is governed by policy. All assets are tagged and tracked in a centralized mobile device management (MDM) tool and their health and security are monitored by Business Systems and Security Operations.
If a device is lost or stolen, authorized 3Cloud personnel can remotely wipe the device to prevent unauthorized access to 3Cloud data. Encryption is mandatory for data at rest on 3Cloud-managed endpoints. We provide more information about our endpoint security controls in the “Detection, Monitoring and Alerting” section below.
Identities, like assets, go through a lifecycle management process spanning onboarding, intra-company transitions and off-boarding. These identities are protected with universally applied multi-factor authentication, conditional access policies and location restrictions, among other controls.
When a user is onboarded, they are assigned access to resources with role-based access controls, which follow the principle of least privilege. Strong authentication is enforced for these accounts and they are closely monitored for anomalous and risky behavior. If suspicious activity is detected, whether the threat is external or from an insider, 3Cloud has protocols in place to handle these alerts in a swift and secure manner. Moreover, separation of duties is in place for damage limitation.
As a user transitions between roles, the access package from their old role is de-provisioned and the newly assigned package is granted based on their new role to ensure no user retains unnecessary access. Privileged role access requires approval from system and security administrators, and access is granted only if sufficient business justification has been provided. 3Cloud closely monitors administrator roles and keeps the count to a strict minimum. Administrator roles use separate privileged accounts and require Privileged Identity Management for activation. Finally, administrator roles are audited monthly and as needed to ensure compliance with the principle of least privilege.
In the offboarding stage, our systems and security administrators follow a strict timeline by removing the user’s access to 3Cloud systems and data upon departure.
3Cloud maintains an Incident Response Plan (“IRP”) that is reviewed annually and/or as needed, and improved in consultation with data privacy and protection legal counsel. The plan:
Incident response team members are provided with a copy of the IRP. An incident response tabletop exercise is conducted annually with legal to address highly impactful and highly probable cyber incidents.
3Cloud’s endpoints, virtual resources and collaboration suite are equipped with numerous security and compliance controls to mitigate external threats and insider risk:
Security updates are automatically pushed when available. This ensures malware definitions are current and endpoints are patched with the latest security fixes. Enforced cloud protection dynamically identifies new threats. Finally, security settings can only be disabled by administrators. Enforcement of this policy reduces the risk of malicious actors opening the floodgates for additional attacks.
Resource logs are fed into and monitored within 3Cloud’s security information and event management (“SIEM”) tool of choice, where they are handled by 3Cloud Security Operations. The SIEM aggregates data for its accounts, endpoints, applications and infrastructure; leverages threat intelligence and analytics to detect and investigate suspicious activities and multi-stage attacks; and optimizes our incident response.
3Cloud works with third parties to increase visibility, fine-tune and ensure rapid response within its SIEM and other tools within its security stack. This is unpacked further in the “Penetration Testing, Red Teaming, and Hardening Exercises” section of this paper.
3Cloud undergoes annual penetration testing by TrustedSec. The findings of these exercises are reported to management and remediated in accordance with 3Cloud’s Vulnerability Management Policy. If desired, a retest is done prior to the next engagement.
Red Team exercises are used as a substitute for penetration tests should 3Cloud and TrustedSec decide that the exercise would be of greater benefit. This “assumed breach” approach grants TrustedSec personnel access to the 3Cloud environment and work begins from within. The findings of these exercises are reported to management and remediated in accordance with 3Cloud’s Vulnerability and Patch Management Policy.
3Cloud also works with TrustedSec to conduct hardening exercises. These exercises have helped 3Cloud identify its critical assets and pipe them through a threat matrix. The outcome of these engagements is to develop a defensive playbook that 3Cloud Security Operations can implement and iteratively improve.
Finally, 3Cloud works with Microsoft security experts to harden its Azure resources, Entra environment, and Microsoft 365 environment. Recommendations are provided and risks are mitigated based on their impact to 3Cloud business operations.
Attestation letters for these engagements are available under an MCA.
3Cloud maintains a Vulnerability and Patch Management Policy which governs how security vulnerabilities must be remediated. The Common Vulnerability Scoring System (“CVSS”) is used to classify vulnerabilities and set their remediation windows:
- Within 48 hours
- Within 5 days
- Within 30 days
- Within 30 days
Daily system scans are conducted to monitor for vulnerabilities. Findings are triaged, investigated and resolved by 3Cloud Security Operations and/or Business Systems in accordance with the schedule above.
Business continuity and disaster recovery
3Cloud maintains a Disaster Recovery and Business Continuity Plan to ensure smooth operations of the business when the need arises to activate the plan. This plan is submitted annually to the SOC 2 Type 2 auditors for review and verification of testing.
All essential applications are SaaS subscriptions. As such, 3Cloud relies on the service level agreements and business continuity and disaster recovery plans of the subscription vendors. Moreover, because 3Cloud’s employees are distributed geographically, a secondary site or other traditional business continuity provisions are not required.
Testing of this plan occurs annually and is verified by SOC 2 Type 2 auditors.
Security and privacy are championed at all levels of the 3Cloud organization, which allows us to dedicate resources to ensure the protection of our clients, partners, team members and their data. Our internal security experts work diligently with auditors and consultants to ensure continuous improvement in our security and compliance program.
If you have security concerns or risk and compliance questions, please email [email protected].