Security | Solace PubSub+ Event Broker: Cloud

Data In Transit

Solace PubSub+ Cloud protects your message data against eavesdropping by unauthorized users.

Solace PubSub+ Cloud messaging services support Transport Layer Security using Secure Sockets Layer (TLS/SSL), allowing applications to encrypt their data in transit to and from PubSub+ Cloud.
Certificates are updated in the event of a security advisory and on a regular basis.

For highly sensitive data, Solace also recommends customers encrypt the message payload.

Data At Rest

Solace PubSub+ Cloud ensures any messaging data stored within the service is protected by encryption at rest.

Solace PubSub+ Cloud uses cloud-native services such as AWS Key Management Service (KMS) to adhere to data at rest best practices: the entire disk upon which customer data resides is encrypted.
At-rest encryption is always enabled and is not optional.
Message data is stored in the same cloud region in which the service is provisioned.

Customer Data Protection

Your user account details are secured using the most advanced processes, including:

Password salting.
Revocable API keys to control, manage and audit application access to PubSub+ Cloud.
All personal data is encrypted and pseudonymised.

Solace PubSub+ Cloud stores customer data in AWS in the US East North Virginia region (us-east-1).

VPC Isolation

The ability to create virtual private clouds (VPCs) with separate security, subnets, and isolated network groups for staging, production and development is an application security best practice and is supported by Solace PubSub+ Cloud.

System Security

Solace PubSub+ Cloud is delivered using multiple software components and physical locations. Ensuring the security of this entire system includes:

DevOps standards
- Security is covered in every step of the DevOps process, starting with feature definition, architecture and system design, software design and development, QA, and all way to deployment.
- A security and compliance section is included in both Epics and Stories.
Coding standards / black duck-type checking, such as
- OWASP top 10
- CWE/SANS top 25
Vulnerability scanning conducted on a regular basis and upon changes to the system.
Data centers that host physical infrastructure are reviewed to ensure they provide the utmost in data security and protection, including 24/7 monitoring, limiting physical access to facilities to select cloud staff, and recurring assessments to certify compliance with industry standards.

Security Updates and Patching

It’s critical that all upgrades, service packs, hot fixes and security patches are updated on all Solace PubSub+ Cloud components to ensure they have the latest and most-secure code base. To that end:

Solace PubSub+ Cloud applies patches to your messaging services during scheduled service upgrade windows so that they are always up to date.
Solace PubSub+ Cloud uses a maintenance window to patch its management console, internal services, and any third-party services.
White Source Software vulnerability scans for any open-source source code within Solace PubSub+ Cloud components.

Operational Procedures

Solace has implemented robust and comprehensive operational security procedures to ensure access to Solace PubSub+ Cloud environments is restricted to authorized users, including:

Laptops and computers secured with encrypted storage (FileVault).
Access to production environments restricted to Ops engineers.
All access is logged and tracked.
Malware and anti-virus applications are installed wherever required.
Customer message data is never accessed by PubSub+ Cloud or its employees

GDPR and Compliance

Solace values the privacy and security of all of our customers’ data. Specifically for EU-based customers, Solace PubSub+ Cloud complies with the General Data Protection Regulation (GDPR), which mandates that Solace protects the personal data and privacy of EU subjects. This means personal data will not be used for purposes other than what it was collected for, without explicit customer approval.