ISAE 3000 Assurance Validates Druva inSync Cloud
Audit performed by KPMG
This is a Press Release edited by StorageNewsletter.com on July 2, 2012 at 2:53 pm
Druva Software Pvt. Ltd., a company in enterprise endpoint backup with integrated mobile access, data loss prevention, and data analytics, has completed an Assurance Engagement in compliance with the International Standard on Assurance Engagements (ISAE) 3000 for its inSync Cloud.
The Type 1 audit was performed by KPMG International Cooperative, an independent auditing firm. The scope of the report included a description of the general operating environment that supports the delivery of the inSync Cloud solution and the design of controls related to the control objectives stated in the description.
To complete the audit, Druva management developed control objectives that were determined to be important for providing a secure environment for endpoint cloud backup.
The control objectives covered the following areas:
inSync Cloud Solution and Operations:
- Logical access
- Security of customer data
- Network security
- Application deployment
Support Functions:
- Information security
- Human resources
- Physical access
- Environmental controls
In evaluating the control objectives, the audit ensured that Druva provided a complete and accurate description of how the system was designed and implemented. Examples of the evaluated descriptions include the types of services provided, relevant control objectives and the controls designed to achieve those objectives, and the ways in which controls were administered. The audit then ensured that controls related to the objectives were suitably designed, so the risks that threatened achievement of the control objectives were identified.
Below is a description of key findings of the audit:
Risk Assessment
Druva has an Information Security Group (ISG) in place to drive the initiatives related to information security. The ISG is responsible for the annual review and approval of information-security policy standards, procedures and other guidance. It meets at least quarterly to review the current status of information security within the organization, monitor material security incidents, approve information-security policy changes and perform other information-security stewardship activities as necessary.
Secure Cloud Environment for Enterprise Endpoint Backup
The inSync Cloud solution brings together several capabilities to provide a secure operating environment for customer data.
inSync Cloud protects customer data at rest and during transmission. The client installed on the end-user device is required to be authenticated by the one-time authentication key generated during the user setup process. Backup data is protected by 256-bit SSL encryption during transmission and protected at rest using 256-bit AES encryption. Encryption-key management works like a bank locker system to create unique encryption keys for every customer. No one, including Druva, can gain access to a customer’s encrypted data except the customer that has access credentials.
In addition, inSync Cloud offers single sign-on capabilities through Security Assertion Markup Language (SAML), an XML-based open standard for exchanging authentication and authorization data between security domains. This feature permits users to securely log into inSync over the Web using their credentials on external identity services, including a company’s Microsoft Active Directory, with double-factor authentication.
"We recognize that the most important asset an enterprise has is its data, and many enterprises are skeptical of storing it in the cloud due to the lack of security controls," said Jaspreet Singh, CEO of Druva. "Druva is committed to offering the most robust and secure enterprise data-protection solutions possible so our customers can take advantage of the many benefits of the cloud, while having the peace of mind that their data is fully protected."