Frameworks

Safeguarding Sensitive Information: An Overview of Security Frameworks

Use frameworks based on RegOps workflows to increase development productivity and streamline your security compliance process for the confidentiality, integrity, and availability of your data.

SOC 2

SOC 2 (System and Organization Controls 2) is a security framework designed to evaluate and report on the security, availability, processing integrity, confidentiality, and privacy of customer data. SOC 2 attestation demonstrates an organization's ability to effectively safeguard the privacy and security of customer and client data.
To obtain SOC 2 compliance, organizations must undergo a rigorous audit that evaluates their controls related to security, availability, processing integrity, confidentiality, and privacy. The audit is conducted by a qualified third-party auditor who evaluates the organization's controls and processes against the SOC 2 criteria.

ISO 27001

ISO 27001 is a globally recognized standard for information security management. It provides a systematic approach to managing information security risks and helps organizations identify and mitigate potential threats to their data. ISO 27001 covers a range of areas related to information security management, including risk assessment, security policies and procedures, access control, physical and environmental security, business continuity, and compliance with legal and regulatory requirements.
To become ISO 27001 certified, organizations must undergo an independent audit by an accredited certification body. The audit evaluates the organization's information security management system against the ISO 27001 standard.

PCI-DSS

PCI-DSS (Payment Card Industry Data Security Standard) is a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment. PCI-DSS was created by major credit card companies to protect against data breaches and credit card fraud.
PCI-DSS outlines a set of requirements for protecting sensitive cardholder data, such as encrypting card numbers, maintaining secure networks, implementing access controls, and regularly monitoring and testing security systems. Compliance with PCI-DSS is mandatory for all companies that handle credit card information, regardless of their size or volume of transactions.
To become PCI-DSS compliant, organizations must undergo an independent audit by a Qualified Security Assessor (QSA) or complete a self-assessment questionnaire (SAQ) based on their level of card processing.

Frequently asked questions

Everything you need to know about Aptum Cloud.
Is there a free trial or community edition of Aptum Cloud available?
Yes, you can try our self-service scanner and audit tracker for GCP, AWS or Azure for 30 days. If you so choose, we’ll provide you with a free, personalized 45-minute onboarding call to get you up and running, as soon as humanly possible.
How do I obtain info on available pricing?
Please contact sales@aptumcloud.io to set up a session with an available sales advisor, who will walk you through all pricing options.
Does Aptum Cloud use an Open API?
Yes. Aptum Cloud's APIs combine our own REST APIs with Open Policy Agent (OPA), which is open source software (OSS), and an open source scanner that we have repackaged from the CNCF (Cloud Native Computing Foundation). The cloud providers' own APIs let us communicate across network borders.
How do we enable developers to pick whatever tools and technologies they want if they want to use Terraform, CloudFormation or Ansible?
Since the cloud exposes REST APIs, we want to enable developers to use those APIs in innovative ways. At the same time, we want to make sure that, regardless of the tooling those developers choose, the organization stays well managed and all of its infrastructure complies with the organization's policies. Overall, this means standardized compliance for developers and no more one-offs.
Why is Compliance-as-Code necessary for developers or DevOps?
Speed is everything when developing apps in competitive markets like fintech, banking or even healthcare. But developing applications while simultaneously trying to remain framework-compliant slows down everyone in the process and adds many challenges and complexities. Compliance is not a one-time event. It is a continuous process, with app development at its core, especially when developers add new services or features. So it can be tempting to set compliance aside and push forward with those new services or features. But doing away with compliance makes app development and operations more time-consuming and costlier in the long run.
Does Aptum Cloud provide auto-remediation?
Yes, our tooling does offer auto-remediation, but it is guided by the admin user of the cloud account, because a remediation may affect production infrastructure. We recommend making production changes during off-hours, since a change may take time to reverse or back out, depending on its scope.
Is there a cloud orchestrator or policy engine involved in making changes?
Yes. We use an open-source based orchestrator that an admin user spins up in the organization's cloud account. It enforces governance as code through a centralized policy engine, applying policies that depend on the chosen framework. We do this using a common infrastructure-as-code compatible language together with Open Policy Agent, which works across all the cloud providers we have tested.
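As an added illustration of what "governance as code with a centralized policy engine" looks like in practice (this is example code, not Aptum Cloud's own policy or orchestrator), the Rego policy below evaluates a Terraform plan and denies resources that would violate two PCI-DSS expectations named above: encryption of cardholder data at rest and a secure network perimeter. It assumes the plan was exported with `terraform show -json`, and that the resource types and attribute names are those of the Terraform AWS provider; the embedded test input is constructed.

```rego
package terraform.pci.encryption

import rego.v1

# Every resource the plan will create or update (untouched existing resources are ignored).
changed contains r if {
    some r in input.resource_changes
    some action in r.change.actions
    action in {"create", "update"}
}

# PCI-DSS: cardholder data at rest must be encrypted. EBS volumes need encrypted = true.
deny contains msg if {
    some r in changed
    r.type == "aws_ebs_volume"
    not r.change.after.encrypted
    msg := sprintf("%s: EBS volume is not encrypted at rest", [r.address])
}

# Same requirement for RDS instances (storage_encrypted).
deny contains msg if {
    some r in changed
    r.type == "aws_db_instance"
    not r.change.after.storage_encrypted
    msg := sprintf("%s: RDS storage_encrypted is not true", [r.address])
}

# PCI-DSS: maintain a secure network. No ingress rule may be open to the whole internet.
deny contains msg if {
    some r in changed
    r.type == "aws_security_group"
    some rule in r.change.after.ingress
    "0.0.0.0/0" in rule.cidr_blocks
    msg := sprintf("%s: ingress open to 0.0.0.0/0 on ports %d-%d", [r.address, rule.from_port, rule.to_port])
}

# The plan may be applied only when no deny rule fired.
allow if count(deny) == 0

# Constructed plan fragment for `opa test`: one unencrypted volume must be denied.
test_unencrypted_volume_is_denied if {
    plan := {"resource_changes": [{
        "address": "aws_ebs_volume.cardholder_db",
        "type": "aws_ebs_volume",
        "change": {"actions": ["create"], "after": {"encrypted": false, "size": 100}}
    }]}
    count(deny) == 1 with input as plan
    not allow with input as plan
}
```

Save it as `policy.rego`; `opa test policy.rego` runs the embedded test, and `opa eval -i plan.json -d policy.rego "data.terraform.pci.encryption.deny"` lists the violations in a real plan exported with `terraform show -json tfplan > plan.json`. A CI step that fails when `deny` is non-empty is the enforcement point that keeps developers' Terraform, CloudFormation or Ansible choices within the organization's policy.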