Security built for critical infrastructure

Cognite’s security engineering team is focused on security features and management controls throughout Cognite Data Fusion’s secure development lifecycle. This team works closely with engineering, solution architects, and implementation teams to ensure security is addressed in design through operation. These security practices are supported by:

• Automated and continuous security testing
• Native Security tooling supporting security observability throughout the lifecycle
• Changes managed in code with approval (peer-review) flow
• A comprehensive audit and observability stack
• Robust incident response processes and practices

Cognite’s shared security responsibility model relies on collaboration between customers, cloud service providers, and Cognite.

• Cognite’s world-class Cloud Service Provider partners are responsible for f the hardware, software, networking, and facilities that support Cloud services infrastructure.
• Customers maintain responsibility to protect their data, applications, systems and networks.
• Cognite maintains responsibility for data encryption in transit and at rest in collaboration with CSP.  Cognite holds responsibility for the application’s secure development lifecycle and associated vulnerability management.

Cognite builds secure applications that minimize complexity for users. Cognite Data Fusion leverages customer’s existing identity management platforms to support Zero Trust.

• Customer controlled authentication and access management:  Cognite Data Fusion’s roles and groups are defined and managed by the customer through integration to our customers’ identity providers (IDP).
• Granular authorization: Data sets are defined to support least privilege access

Data security and privacy are foundational to Cognite Data Fusion. Data is encrypted in transit and at rest, with Cognite authenticating, authorizing, and logging activity. Cognite has robust controls in place to prevent data leakage or intentional/accidental compromise between customers in a multi-tenant environment. Cognite Data Fusion provides:

• Data encryption with cloud service provider (CSP) encryption key
• Network and infrastructure policies that control and restrict access to only authenticated/authorized services.
• Logical separation inside shared data stores
• CSP enabled cryptographic authentication and authorization at the application layer for inter-service communication.
• CSP supported ingress and egress filtering throughout the network to prevent IP spoofing as a further security layer.

Deployment is continuous and incremental to minimize disruption. Cognite routinely tests business continuity and disaster recovery plans (tabletop and real exercises) that validate scenarios and functionality, including confidentiality, integrity, and availability. Cognite security resilience controls support NIST 800-61 controls such as:

• Incident handling: Processes certified compliant with ISO 9001 and 27001 standards
• Preparation: Processes and tools in place and continuous improvement through applying lessons learned
• Containment: Organizing and limiting or preventing damage
• Eradication: Eliminate root cause and prepare for system restore
• Recovery: Bring systems back to production in desired state and monitor