Cloud Security Service (CS2)

EPAM Cloud Service is subject to the general security policies adopted by EPAM Systems. Additionally, it strictly follows the Cloud-specific security rules and regulations.

The security policies, procedures and tools applied by EPAM Cloud Service are aimed at ensuring maximum protection, integrity and confidentiality of data, information and software that is the property of EPAM and/or its users. For these purposes, EPAM Cloud applies various security measures, such as multi-level authentication and authorization, security scanning and event auditing, as well as additional security measures used when working with external cloud providers and third-party services.

Have a Question?

The current page gives the general information on the service and the main workflows. However, while working with the services, our users encounter new questions they need assistance with. The most frequently asked questions on EPAM Cloud Services are gathered on the Cloud Services FAQ page.
Visit the page to check whether we have a ready answer for your question.

Shared responsibility model

EPAM Cloud follows the industry-standard shared responsibility model, with an additional layer covered by EPAM Cloud Orchestrator.

The general concept is shown in the picture below.

Cloud providers enable the security "of" the Cloud by protecting the infrastructure behind all the services. This includes hardware, networking, software, and other assets used to provide services to end users.

The other aspect is providing the security "in" the Cloud, which traditionally falls to the customer. This includes establishing the necessary configuration of the services and applications in use to enable data protection, access control, account networking, etc.

The additional layer covered by EPAM Cloud Orchestrator includes automatic role-based access management, providing and enabling verified images, default network and firewall settings, and others.

For details on the Security Policy applicable to EPAM Cloud Service, please refer to the Security Policy document.

Security service tools

EPAM Cloud Orchestrator has a wide range of tools enabling the automated security configurations for accounts in Cloud.

In general, the tools can be divided into the following groups:

Most of the tools, especially those in the Access, Network, and Software groups, are applied automatically and in most cases need no specific user interaction. The necessary settings are applied on project activation, virtual machines are based on reviewed and approved images, and security-enabling settings and software are installed mainly automatically or by support teams.

However, when it comes to Security Checks, background activity by Orchestrator is not enough. The security checks cover infrastructure on various levels and are performed by different mechanisms – from industry-standard scanners (Nessus and Qualys) to built-in Orchestrator mechanisms. Check results are shared with users, and it is their responsibility to fix the detected issues and vulnerabilities.

Security checks

EPAM Cloud Orchestrator uses two security scan tools – Nessus and Qualys – which provide regular infrastructure checks aimed at highlighting possible issues and vulnerabilities as well as providing recommendations on fixes.

Nessus security scanner

The Nessus security scanner performs instance checks in EPAM private regions automatically or by user request.

Automatic scans are performed when instance security settings are changed in a specific way. There are also monthly checks covering all instances in DMZ.

Manual security checks are performed on user request. To initiate a Nessus scan, go to the Management page, select the VM and click the Scan Now button in the Security by Nessus section, which includes the following:

  1. The general summary of the latest scan.
  2. Scan Now button, which initiates a scanning details update, if any. If you use Maestro CLI, you can use the or2-security-scheck (or2sc) command to get the same result. When the operation is initiated, Orchestrator starts a Nessus scan according to the selected template and sends a letter with the details to you. The information in the VM details on the Cloud UI is also updated as soon as the scan is completed.
  3. Risk Factor section, which identifies the detected risk level on the VM. By clicking the link, you can download the detailed Nessus report.

Qualys security scanner

The Qualys security scanner provides regular checks of instances in both private and public regions, irrespective of the provider.

The scanner is hosted on a server, while each VM gets a client installed within 7 days after creation. If the Qualys agent was not installed, or is needed earlier than 7 days after VM creation, you can install the agent yourself on a self-service basis, according to the instructions provided by the Security team.
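A practical check that follows from the 7-day rollout described above is to list VMs that are past the grace period and still have no agent, while keeping younger VMs in a separate "pending" list so the team can decide whether to self-install earlier. The script below is an added example, not Orchestrator's or Qualys' own code; the inventory, its field names and the timestamps are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Grace period after VM creation during which a missing agent is expected
# (the page states the client is installed within 7 days of creation).
AGENT_GRACE_PERIOD = timedelta(days=7)

# Constructed sample inventory; the field names are assumptions, not the
# Orchestrator's own export format.
SAMPLE_INVENTORY = [
    {"vm": "vm-web-01", "created": "2024-03-01T10:00:00Z", "qualys_agent": True},
    {"vm": "vm-db-01", "created": "2024-03-01T10:00:00Z", "qualys_agent": False},
    {"vm": "vm-new-01", "created": "2024-03-08T09:00:00Z", "qualys_agent": False},
    {"vm": "vm-edge-01", "created": "2024-03-03T12:00:00Z", "qualys_agent": False},
]


def parse_ts(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp (with trailing Z) into an aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def vms_missing_agent(inventory, now: datetime) -> dict:
    """Split agent-less VMs into those past the grace period ("overdue") and
    those still inside it ("pending"). A VM whose age equals the grace period
    exactly is treated as overdue, so the boundary case is not silently skipped."""
    overdue, pending = [], []
    for vm in inventory:
        if vm["qualys_agent"]:
            continue
        age = now - parse_ts(vm["created"])
        (overdue if age >= AGENT_GRACE_PERIOD else pending).append(vm["vm"])
    return {"overdue": overdue, "pending": pending}


if __name__ == "__main__":
    # Fixed "now" so the run is reproducible offline.
    print(vms_missing_agent(SAMPLE_INVENTORY, parse_ts("2024-03-10T12:00:00Z")))
```

Run against a real inventory export, the "overdue" list is the set of VMs for which a self-service install request (per the Security team's instructions) is warranted.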

To get the results of a Qualys scan, go to the Management page, select the VM and unfold the Security by Qualys section, which includes the following:

  1. The general summary of the latest scan.
  2. Scan Now button, which initiates a scanning details update, if any. If you use Maestro CLI, you can use the or2-security-scheck (or2sc) command to get the same result. When the operation is initiated, Orchestrator collects the latest check results from the Qualys server and sends a letter with the details to you. The information in the VM details on the Cloud UI is also updated accordingly.
  3. Risk Factor section, which identifies the detected risk level on the VM. By clicking the link, you can download the detailed Qualys report.

Security reports

Security reports are an essential part of a well-architected security service, as they are an effective tool for proactive response to changes in the security "health" of the infrastructure.

The following main security reports are available for EPAM Cloud users:

  • Weekly Security Report. Security reports are sent to project primary contacts (Project Manager, Delivery Manager) to inform them of the security status of their projects activated in Cloud. The security information is aggregated once a week, and the report is sent only if any issues or vulnerabilities are detected. The report includes a summary of vulnerable resources, AWS instances, scan results, and issues detected by AWS Trusted Advisor.
  • Unusual Activities Report. The report is sent to project primary contacts (Project Manager, Delivery Manager), when excessive resource creation in AWS or Google is detected. The report identifies the IAM account under which resource creation was performed, the list of the resources, and the buttons to approve or reject resource creation activity.
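The Unusual Activities Report hinges on one detection: too many resource creations by a single IAM principal in a short time. The script below is an added example of that logic, not Orchestrator's own implementation; it runs over constructed CloudTrail-style events, and the action list, the per-window threshold and the one-hour window are assumptions chosen for illustration. It reports, per flagged principal, the resources created in the first window that crossed the threshold, which is the information a reviewer needs to approve or reject the activity.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed set of API actions that count as resource creation (AWS-style names).
CREATION_ACTIONS = {"RunInstances", "CreateVolume", "CreateDBInstance", "CreateBucket"}

# Threshold assumptions: more than MAX_CREATIONS_PER_WINDOW creations by one
# principal inside WINDOW is reported as unusual.
MAX_CREATIONS_PER_WINDOW = 5
WINDOW = timedelta(hours=1)


def _ev(user, name, rid, hhmm):
    """Build one constructed CloudTrail-like event (field names are assumptions)."""
    return {"userIdentity": user, "eventName": name, "resourceId": rid,
            "eventTime": f"2024-03-10T{hhmm}:00Z"}


# Constructed sample batch: alice creates two instances hours apart (normal),
# build-bot creates seven volumes in 18 minutes (unusual), carol creates six
# buckets spread over three hours (never more than three per hour), and bob
# only runs read-only calls, which are ignored entirely.
SAMPLE_EVENTS = (
    [_ev("alice", "RunInstances", "i-0a1", "08:00"),
     _ev("alice", "RunInstances", "i-0a2", "15:00")]
    + [_ev("build-bot", "CreateVolume", f"vol-00{n}", f"09:{3 * (n - 1):02d}")
       for n in range(1, 8)]
    + [_ev("carol", "CreateBucket", f"bucket-{n}",
           f"{10 + (n - 1) // 2}:{30 * ((n - 1) % 2):02d}") for n in range(1, 7)]
    + [_ev("bob", "DescribeInstances", "-", "09:05")] * 8
)


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_unusual_activity(events, max_creations=MAX_CREATIONS_PER_WINDOW, window=WINDOW):
    """Return {principal: [resource ids]} for principals whose creation count
    inside any sliding window of length `window` exceeds `max_creations`.
    The listed resources are those created in the first window that tripped."""
    by_principal = defaultdict(list)
    for e in events:
        if e["eventName"] in CREATION_ACTIONS:
            by_principal[e["userIdentity"]].append((parse_ts(e["eventTime"]), e["resourceId"]))

    report = {}
    for principal, created in by_principal.items():
        created.sort()  # events may arrive out of order; the window needs time order
        start = 0
        for end, (ts, _) in enumerate(created):
            # Shrink the window from the left until it spans at most `window`.
            while ts - created[start][0] > window:
                start += 1
            if end - start + 1 > max_creations:
                window_end = created[start][0] + window
                report[principal] = [rid for t, rid in created[start:] if t <= window_end]
                break
    return report


if __name__ == "__main__":
    for principal, resources in find_unusual_activity(SAMPLE_EVENTS).items():
        print(f"{principal}: {len(resources)} creations in one window -> {resources}")
```

The sliding window is what keeps carol out of the report: six creations in three hours is high volume, but no one-hour window holds more than three, so a naive daily count would mis-flag her while this check does not.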

Vulnerability management

Fixing security issues and vulnerabilities is the responsibility of project teams. The urgency with which an issue or vulnerability must be resolved depends on its type.

If necessary, the Security Team provides assistance with resolving vulnerabilities and issues, on request via support.epam.com and within the scope of their responsibilities.