お客様の信頼できるポータル

コンプライアンスプログラム

Rubrik Multi-Cloud Data Control™の製品とサービスはそれぞれ個別に、業界をリードするコンプライアンス、プライバシー、セキュリティ標準に照らし定期的に検証を行うことで、お客様の組織におけるコンプライアンスのニーズをサポートします。

スイス・米国間のプライバシーシールド認定

Rubrikは、スイス・米国間のプライバシーシールドフレームワークの認可を受けており、米国商務省の自己認証プライバシーシールド 加盟者リストに名を連ねています。プライバシーシールドの詳細については、こちらをご覧ください。

プライバシーポリシー

Rubrikのプライバシーポリシーの詳細については、こちらをご覧ください。

Rubrikのコンプライアンス認証はNDA締結後にご覧いただけます。Rubrikの製品とサービスに関する詳細のお問い合わせ、またはRubrikのコンプライアンス認証とプログラムに関するご質問はcompliance@rubrik.comまでお送りください。

セキュリティチーム

弊社は専門のセキュリティチームを世界中に擁しています。これらのセキュリティチームは、セキュアな製品開発とテスト、クラウドセキュリティ、エンドポイント、ユーザーと通信のセキュリティ、脆弱性管理、インシデント管理、セキュリティの文化とトレーニング、セキュアなロギングとモニタリング、セキュリティガバナンス、セキュリティリスク管理、ベンダーリスク管理、IDおよびアクセス管理など、製品とエンタープライズセキュリティの機能に集中して取り組んでいます。

セキュリティ認識

ポリシー

Rubrikは、当社の運用環境に関連する幅広いトピックをカバーする一連のセキュリティポリシーを策定しました。これらのセキュリティポリシーは、毎年実施している必須トレーニングを通じて理解したことをユーザーに必ず確認しているほか、Rubrik情報資産にアクセスできる従業員と請負業者全員にイントラネットで提供しています。

トレーニング

Rubrik情報資産にアクセスできる従業員と請負業者は全員、雇用時および雇用後毎年、セキュリティ認識トレーニングを修了する必要があります。当社の製品セキュリティチームは2カ月に1回、製品に関する更新や関連するセキュリティトピックについてエンジニアをトレーニングするセミナーを開催していました。当社は社内全体で定期的にフィッシングキャンペーンを実施し、カスタマイズしたロールベースのトレーニングと即興的なナノトレーニングを、特定されたリスク要因を基に全社内の関連ユーザーに提供しています。また、#notonmywatchという、エグゼクティブスポンサー出資のセキュリティキャンペーンも実施して、セキュリティ文化を積極的に向上させ、Rubrik全体でポジティブなセキュリティ行動を浸透させています。

Secure Product Development

Rubrik engineers follow secure code practices that span OWASP Top 10 security risks, common attack vectors and Rubrik security controls. Rubrik leverages secure open-source frameworks with security controls in place to limit exposure to OWASP Top 10 security risks. These inherent controls reduce our exposure to SQL Injection (SQLi), Cross Site Scripting (XSS), and Cross Site Request Forgery (CSRF), among other risks.

Quality Assurance

We have a team responsible for conducting quality assurance (QA) and maintaining systems needed for testing. Application security engineers on staff identify, test and triage security vulnerabilities in code.

Testing and staging environments are logically separated from the production environment. Customer data is not used in our development or test environments and such data resides in customer owned on-premise or virtual data centers (e.g., cloud deployments).

Vulnerability Management

We employ security tooling to continuously and dynamically scan our products and related infrastructure against common security vulnerabilities. We maintain a dedicated in-house product security team to continuously test and drive remediation of any discovered issues based on internally defined service level agreements (SLAs). The source code repositories for our platform are also scanned for security issues.

Independent Security / Penetration Testing

In addition to our internal vulnerability management and security testing program, Rubrik employs independent, third-party security experts to perform penetration tests prior to general availability (GA) of major product releases.

Encryption

Encryption in Transit

All communications with Rubrik UI and APIs are encrypted via industry standard HTTPS/TLS (TLS 1.2+) over public networks. This ensures that all traffic between customer environments and Rubrik is secure during transit.

Encryption at Rest

Our product offerings support AES-256 key encryption.

Data Center Security

Rubrik hosts internal engineering and product development servers at a co-location service provider with state-of-the-art physical security measures. The co-location provider maintains high SLAs for availability, redundancy, and disaster recovery to support our business continuity plans. 

Rubrik uses third-party SaaS services and co-location data services providers to manage our IT operations. Our HR systems, email and calendaring, internal communications, requirements and ticketing management systems use best-of-breed SaaS services. These services offer more than requisite SLAs for availability, reliability and security.

On-Site Security

On-site security at our core working sites (including HQ) includes a number of features such as security guards, badging, cameras, fencing, security feeds, intrusion detection technology, and other security measures.

Data Hosting Location

Rubrik does not host customer data. Customer data resides in customer owned on-premise or virtual data centers (e.g., cloud deployments). In addition, our SaaS product Polaris is designed to only operate on customer metadata such as cluster capacity, number of nodes, object IP address, object capacity, etc.

Network Security

Protection

Our network is protected through the use of next-generation firewalls and  advanced malware protection. In addition, we use best of- breed-tools for SaaS and endpoint based malware prevention.

Intrusion Detection and Prevention

Our intrusion detection tool provides vulnerability protection, network anti-malware and anti-spyware that scans all traffic for threats. The threat prevention service looks for threats at all points within the cyber attack lifecycle, not just when it first enters the network, thus providing a layered defense, zero trust model with prevention at all points.

Security Monitoring and Alerting

Rubrik has security capabilities in place to detect data exfiltration through Rubrik provided laptops, workstations and cloud environments. We also monitor our on-prem and multi-cloud environment 24x7, detect security threats, investigate and respond to security events and incidents. In addition to capabilities such as log storage, search and indexing, our SIEM solution supports threat detection, monitoring and response, threat hunting, machine learning and digital forensics.

Logical Access

Access to Rubrik’s production environment is restricted on an explicit need-to-know basis, utilizes least privilege, and is frequently audited and monitored. Employees accessing the Rubrik production network are required to use multiple factors of authentication.

Security Incident Response

In case of a system alert, events are escalated to our 24/7 teams that provide operations, network engineering, and security coverage. Employees are trained on security incident reporting and response processes, including communication channels and escalation paths. In case of a Rubrik related security incident, customers should contact security@rubrik.com.

Availability & Continuity

Uptime

Rubrik is currently working on a publicly available system-status webpage, which includes system availability details, scheduled maintenance, service incident history and relevant security events.

Business Continuity and Disaster Recovery

Rubrik’s  business continuity and disaster recovery program is designed to address the risks when Rubrik services are unavailable. Business continuity and disaster recovery plans are reviewed annually and are periodically tested through tabletop tests, functional tests, or actual incidents. Rubrik also leverages leading providers that provide systems and services with high availability and redundancy. 

Cloud Data Management (CDM) data sheet

Get a brief overview of the security capabilities of the CDM product, and the various security measures that we undertake to secure the underlying infrastructure.

View data sheet

Polaris data sheet

Get a brief overview of the security capabilities of the Polaris SaaS product, and the various security measures that we undetake to secure the underlying infrastructure.

View data sheet