CloudFinOps Logo
CloudFinOps
Version 5.1 (Enterprise)

Security Architecture & Governance

Confidentiality Notice: For IT Security & Compliance Teams

1. Executive Summary

CloudFinOps operates on a Zero-Trust, Read-Only architecture designed to provide deep financial visibility without compromising infrastructure integrity. This whitepaper outlines the technical controls, data governance protocols, and compliance standards adhering to the Digital Personal Data Protection (DPDP) Act, 2023 and aligned with global ISO/IEC 27001:2022 control families.

Architecture Overview

Our platform is engineered to be strictly non-intrusive. We use a unidirectional, read-only data flow ensuring client infrastructure remains isolated, immutable, and secure. Data flows from Client Cloud (AWS/Azure) to our Encrypted Storage via TLS 1.3 using a Secure Connector with Read-Only Roles.

2. Shared Responsibility Model

CloudFinOps Responsibilities

  • Security of SaaS application & code.
  • Encryption of configuration data (At-rest & Transit).
  • Patch management of infrastructure.
  • Supply chain security of dependencies.

Customer Responsibilities

  • Management of IAM Roles (Granting/Revoking).
  • Reviewing cost recommendations.
  • Managing internal user access to dashboard.

3. Identity & Access Management (IAM)

3.1 Customer Integration (Zero-Trust)

We utilize the External ID condition key for AWS integrations to prevent the "Confused Deputy" problem.

  • AWS: Cross-Account Role assumption (STS). We require only SecurityAudit and ViewOnlyAccess.
  • Azure: Service Principal with built-in Reader role.

Guarantee: The system is technically incapable of provisioning, modifying, or deleting resources. Any write attempt is rejected by the cloud provider APIs.

4. Data Protection & Governance

4.1 Encryption Standards

At Rest: AES-256-GCM for snapshots and credentials. Keys managed via centralized KMS with rotation.
In Transit: Strictly enforced TLS 1.3 channels.

4.2 Data Retention

Upon termination, data is deleted per NIST SP 800-88. Soft delete (30 days) followed by Permanent Cryptographic Erasure.

5. Compliance & Hardening

CIS Benchmarks
System Hardening
SBOM
Supply Chain Security
SOC 2 Type II
Inherited Infrastructure

We align with ISO 27001, SOC 2, and PCI-DSS Level 1 via our Tier-1 providers (AWS/GCP). We perform automated dependency scanning and strict SSH access controls.

Contact Security Team

The CloudFinOps Security Office is based in Zirakpur, Punjab (Reg: UDYAM-PB-20-0114306).
For security inquiries or responsible disclosure: sambhav@cloudfinops.solutions