The Broad Institute, Microsoft, and Verily support the medical research community as it deals with matters of public health. Our security posture addresses the rights of the patients whose data make this work possible, as well as the needs and concerns of the researchers. We work with internal and 3rd party security experts to define the system and security needs of the system, to assess that security controls are implemented, to monitor that controls continue to be effective, and to respond appropriately to incidents or anomalies.
View the full text of our security posture
All data requires explicit authorization to access
Terra leverages Google Cloud Platform and Microsoft Azure Commercial Cloud as our cloud service providers, both of which have extensive compliance certifications and physical security. Though Terra services are available on both cloud platforms, only Terra services hosted on Google Cloud Platform are FedRAMP authorized at this time. Terra services hosted on Microsoft Azure will be FedRAMP authorized in the near future.
Dedicated Security Team
Our Security Team is on call 24/7 to respond to security alerts and events.
Our network is protected through the use of key cloud service provider security services, regular internal assessment and external audits, threat intelligence technologies, which monitor and/or block known malicious traffic and network attacks.
Our network security architecture relies on the built-in logical separation of our cloud services providers. Little of our infrastructure is exposed to the Internet. We utilize GCP’s Load Balancers with CloudArmor and Azure’s Load Balancers with Azure Web Application Firewall. We use kubernetes infrastructure to minimize VM and network exposure and rely on GCP and Azure’s own threat detection to keep those safe.
Third-Party Penetration Tests
In addition to our extensive internal scanning and testing program, each year, Terra employs third-party security experts to perform a broad penetration test.
Security Incident Event Management
Our Security Incident Event Management (SIEM) system gathers extensive logs from important network devices and host systems. The SIEM alerts on triggers that notify the Security team based on correlated events for investigation and response.
Intrusion Detection and Prevention
Service ingress and egress points are instrumented and monitored to detect anomalous behavior. These systems are configured to generate alerts when incidents and values exceed predetermined thresholds and use regularly updated signatures based on new threats. This includes 24/7 system monitoring.
Threat Intelligence Program
Terra participates in several threat intelligence sharing programs. We monitor threats posted to these threat intelligence networks and take action based on risk.
Security Incident Response
In case of a system alert, events are escalated to our 24/7 teams providing Operations coverage. Employees are trained on security incident response processes, including communication channels and escalation paths.
Encryption in Transit
All communications with Terra UI and APIs are encrypted via industry standard HTTPS/TLS (TLS 1.2 or higher) over public and private networks.
Encryption at Rest
Service Data is encrypted at rest, by default, in GCP and in Azure using FIPS 140-2 validated encryption. Additional options for Customer Controlled encryption might be available depending on a variety of circumstances.
Our Disaster Recovery (DR) program ensures that our services remain available and are easily recoverable in the case of a disaster. This is accomplished through building a robust technical environment, creating Disaster Recovery plans, and testing activities.
Secure development (SDLC)
Secure Code Training
At least annually, engineers participate in secure code training covering OWASP Top 10 security risks, common attack vectors, and Terra security controls.
Framework Security Controls
Terra leverages modern and secure open-source frameworks with security controls to limit exposure to OWASP Top 10 security risks. These inherent controls reduce our exposure to SQL Injection (SQLi), Cross Site Scripting (XSS), and Cross Site Request Forgery (CSRF), among others.
All code is reviewed by humans with machine assistance. All code is tested with unit and integration tests. Dedicated application security engineers on staff identify, test, and triage security vulnerabilities based on threat models.
Testing and staging environments are physically separated from the Production environment (different GCP Orgs). No Service Data is used in our development or test environments.
Dynamic Vulnerability Scanning
We employ third-party security tooling to continuously and dynamically scan our core applications against the OWASP Top 10 security risks. We maintain a dedicated in-house product security team to test and work with engineering teams to remediate any discovered issues.
Static Code Analysis
The source code repositories for both our platform and mobile applications are scanned for security issues via our integrated static analysis tooling.
All source code dependencies are scanned for known vulnerabilities, including THEIR dependencies.
Third-Party Penetration Testing
In addition to our extensive internal scanning and testing program, Terra employs third-party security experts to perform detailed penetration tests on different applications within our family of products.