CloudSuite FAQs

CloudSuite is built on Amazon Web Services (AWS) data center which has achieved SSAE 16 certification and has published a Service Organization Control 1 (SOC 1) report.

In April 2010, the AICPA (American Institute of Certified Public Accountants) announced the retirement of SAS 70 to be replaced by SSAE (Statement on Standards for Attestation Engagements) 16.

SAS 70 does not set any standards for data center excellence; it merely verifies that the controls and processes set in place by a data center are actually followed. It was also intended to report on the financial controls of an organization. SSAE 16 is different because it not only verifies controls and processes, but also requires verification of design and operating effectiveness.

There are two types of SSAE 16 audits:

1. Type 1 - Auditors test the accuracy of the service provider's description and assertion.

2. Type 2 - Auditors test the accuracy of the service provider's description and assertion, as well as the implementation and effectiveness of controls over a specific period of time.

In addition to SSAE 16, a new framework for examining the controls at a service organization has been established by three Service Organization Control (SOC) reports.

Amazon has achieved SSAE 16 certification and has published a Service Organization Control 1 (SOC 1) report. Thermo Fisher Scientific is not legally permitted to provide copies of the SOC 1 report, but we can provide you with a copy of our audit of the SOC 1 report.

CloudSuite is a secured, high performing computing platform built on Amazon Web Services (AWS) cloud computing infrastructure.  Cloudsuite is designed to host data analysis applications (a SaaS delivery model). Data analysis software is a three-tier SaaS application (front-end web tier, application tier and database tier) hosted on an Amazon Elastic Compute Cloud (EC2) instance. Each tier is isolated using Amazon security groups. An Elastic Load Balancer (ELB) instance is used to front-end web/application servers for high availability. The database instances used to support the application are segregated from the web/app tier.

Yes, multiple customers utilize the same software instances. The solution is designed for multi-tenancy. Access and Data are controlled and segregated such that each customer can only access their own data. User access is controlled through an authentication system.

Currently, we do not offer any applications that are HIPAA compliant.  

Yes. Our team utilized industry standard secured coding best practices throughout the development lifecycle.  Our codes are rigorously reviewed and tested for security vulnerabilities and also audited by 3^rd party security experts.

No, HTTPS is the only supported protocol to gain access to the CloudSuite platform and data analysis Software running on Cloudsuite.  Traffic is encrypted between customer’s web browser and Cloudsuite using AES 256-bit SSL encryption.

No, all connections are initiated by the client.

No, all data transfers are done through HTTPS protocol (443/TCP).

Yes, all of the underlying systems within CloudSuite platform use a host base intrusion detection system (IDS) to monitor and analyze all traffic to detect possible intrusion.  IDS automatically feeds data into our Security Event and Incident Management (SEIM) system for real time alert & notifications.

Yes, CloudSuite platform is protected by firewalls.  Firewalls are deployed between each network segment to isolate and control access between systems in each tier to avoid potential intruders from directly accessing backend systems.

Yes. CloudSuite platform is isolated from other AWS customers using security features from Amazon hypervisor and firewalls. 

CloudSuite is hosted on the Amazon cloud in the US East region. All customer data resides there.

Yes. Customer data is isolated and access is restricted to the data owner.  No other customers on CloudSuite can see your data unless you share/collaborate your data with that user.

•  In transit – Data uploads from customer’s computer/instrument to Cloudsuite is encrypted using HTTPS/SSL with a 2048-bit SSL certificate.
• At rest – Yes. At the data storage layer, our system is using server-side AES-256 bit encryption provided by AWS to secure all data.  More secured than typical unencrypted data storage on a PC/Laptop

Technically, yes. 256-bit encryption can be cracked with brute force by automated computer programs. 256-bit encryption really means that there are 2^256 (2 to the power 256^th) possible combinations.  That means it will take the fastest super computer available today more than 9^50 years to complete the process.  

No, the system does not support configuring custom encryption keys per customer.

Amazon AWS maintains the encryption keys.

Data Manager (a component within CloudSuite) has a feature to allow customers to delete data as needed.

Customer data remains in Data Manager and Analysis Projects for as long as the account is active. In general, customer’s account is considered “active” when it is current with payments.  The account can be de-activated and becomes “inactive” upon customer’s request to discontinue the service or if the account is delinquent according to our "Terms of Use".       

Users can delete their own data and analysis results through CloudSuite Data Manager interface.

For data that users do not delete, that data is retained until the account is deactivated/terminated.  

Yes, CloudSuite team will destroy all data upon customer’s request.

All communication and data transmission between customer’s computer and CloudSuite is secured with proven, industry standard SSL encryption.  This security measure at the transit layer is very much the same as your online banking institutions; it protects your data transmission from being hijacked or sniffed over the wire during transfer.

This is much more secured than passing data on USB drives (un-encrypted) and sending data via email.

Yes, collaboration & sharing data is secured.  Only you as the data owner can initiate sharing.  The intended user will then have permission to access your data over secured access from his/her browser via secured HTTP just like you do.

And data does not get transferred to the intended user.  By sharing, the intended user will simply have permission to access your data from your folder. This “shared” access can be revoked by the originator at any time.

No, CloudSuite & Analysis Software receives data but does not initiate connections to the customer's network devices.  If needed, customer can initiate a download of data and analysis results onto to customer’s computer. 

The system uses internal user authentication system to authenticate & authorize logins.

Yes, passwords are stored encrypted on our systems.

Yes, the system requires and enforces complex passwords.

Each customer is assigned a separate account.  All data uploaded by each customer can only be seen/viewed by that customer.  Collaboration/Sharing feature also allows the capability to share or extend permission to another user to view your data.  Each customer account is segmented so no other users can have access to his/her data except when it is shared. This “shared” access can be revoked by the originator at any time. 

Yes, CloudSuite utilizes single sign on (SSO).  Customers with existing accounts on Lifetech.com can use the same credentials to login to CloudSuite.

No, at this time we do not support SSO integration with customer’s authentication platforms.

No, only username/password authentication is supported at this time.

Yes, the system logs all user activities.

We currently retain audit logs indefinitely and expect to build APIs to provide customer access to their logs.

It is true that the application layer is most vulnerable.  CloudSuite & applications running on it are scanned and go through security penetration tests before production releases.  

Our security team performs security tests against OWASP top 10 security threats on CloudSuite application and make sure the vulnerabilities are fixed/patched by a combination of code fixes and configuration changes.  

Yes, security scanning and penetration test are performed both by internal security team and also 3^rd party security assessment experts.

Yes, Thermo Fisher Scientific maintains an incident response plan.

Yes, the system is designed to log access attempts and logs are imported to InfoSec Event Management system for analysis and notifications as a part of standard operating procedure.