Supporting customer security requirements with people, process, and technology.
Compliance overview
Cognite’s Secure Development lifecycle, spanning infrastructure, applications, and operations, are tested and audited by third parties, demonstrating compliance to:
ISO 27001, ISO 9001, SOC Type 2 (Security), SOC Type 3 (Security) and CCC+
Cognite supports customers with specific regulatory and industry requirements. Cognite Data Fusion supports customers to meet the following industrial security requirements:
NIST CSF, IEC 62443.2-4, IEC 62443.3-2, IEC 62443.3-3, IEC 62443.4-1, CMMC, FIPs, NERC CIP v.5, GxP, CSA STAR Level 1
Accreditation reports
Cognite can provide reports to prospective customers attesting to compliance with the following standards and frameworks:
SOC Type 2 (Security), SOC Type 3 (Security), ISO 27001, ISO 9001
Secure development lifecycle
Cognite’s security engineering team is focused on security features and management controls throughout Cognite Data Fusion’s secure development lifecycle. This team works closely with engineering, solution architects, and implementation teams to ensure security is addressed in design through operation. These security practices are supported by:
- Automated and continuous security testing
- Native Security tooling supporting security observability throughout the lifecycle
- Changes managed in code with approval (peer-review) flow
- A comprehensive audit and observability stack
- Robust incident response processes and practices
Shared responsibility
Cognite’s shared security responsibility model relies on collaboration between customers, cloud service providers, and Cognite.
- Cognite’s world-class Cloud Service Provider partners are responsible for f the hardware, software, networking, and facilities that support Cloud services infrastructure.
- Customers maintain responsibility to protect their data, applications, systems and networks.
- Cognite maintains responsibility for data encryption in transit and at rest in collaboration with CSP. Cognite holds responsibility for the application’s secure development lifecycle and associated vulnerability management.
Authentication, access and authorization
Cognite builds secure applications that minimize complexity for users. Cognite Data Fusion leverages customer’s existing identity management platforms to support Zero Trust.
- Customer controlled authentication and access management: Cognite Data Fusion’s roles and groups are defined and managed by the customer through integration to our customers’ identity providers (IDP).
- Granular authorization: Data sets are defined to support least privilege access
Data security
Data security and privacy are foundational to Cognite Data Fusion. Data is encrypted in transit and at rest, with Cognite authenticating, authorizing, and logging activity. Cognite has robust controls in place to prevent data leakage or intentional/accidental compromise between customers in a multi-tenant environment. Cognite Data Fusion provides:
- Data encryption with cloud service provider (CSP) encryption key
- Network and infrastructure policies that control and restrict access to only authenticated/authorized services.
- Logical separation inside shared data stores
- CSP enabled cryptographic authentication and authorization at the application layer for inter-service communication.
- CSP supported ingress and egress filtering throughout the network to prevent IP spoofing as a further security layer.
Resilience
Deployment is continuous and incremental to minimize disruption. Cognite routinely tests business continuity and disaster recovery plans (tabletop and real exercises) that validate scenarios and functionality, including confidentiality, integrity, and availability. Cognite security resilience controls support NIST 800-61 controls such as:
- Incident handling: Processes certified compliant with ISO 9001 and 27001 standards
- Preparation: Processes and tools in place and continuous improvement through applying lessons learned
- Containment: Organizing and limiting or preventing damage
- Eradication: Eliminate root cause and prepare for system restore
- Recovery: Bring systems back to production in desired state and monitor
Reporting security issues
Resources
Documentation
Security product documentation
White Paper
NIST Cyber Security Framework (CSF) support
White Paper
NERC CIP v.5 support
Cognite news
Cognite achieves SOC 2 Type II compliance
Digitalization community
Cognite joins fellow Oil & Gas companies in making cyber resilience pledge
Blog Post