Strategic Blue takes customer data security very seriously and strives to provide our customers with a level of assurance that our data handling meets their expectations.
Customer data security is of utmost importance, which is why Strategic Blue will only ever request the minimum data set required for us to provide our services. As our sphere of interest is the financial delivery of your cloud services, rather than the technical operation and management, by default we only require a limited set of rights within the customers’ environments.
Cloud resale models
Strategic Blue can sell multiple Cloud services from multiple vendors in multiple different ways.
For AWS resale, by default we use the End Customer Account Model (ECAM), which means that the customer owns the Accounts and there is a three-way relationship with AWS & Strategic Blue. In this model Strategic Blue only has access to the billing information.
For some customers, on request, we can use the AWS Service Provider Account Model (SPAM), which means that the customer only has a contract with Strategic Blue and not with AWS, although various AWS Terms & Conditions must flow through contractually. In this model Strategic Blue will own and have Root access to each Account. We only use this access to set up the Accounts, and do not need to use the access on a day-to-day basis.
For Azure resale, the customer contracts with Strategic Blue but must also accept the Microsoft Customer Agreement. Strategic Blue has Administrative access to all services. For Microsoft EA customers (such as Education) it may be possible to operate a different model where we have read rights to the cost and billing only, but this reduces the services that can be offered.
For Google Cloud, a customer will normally own their own Organisation and Projects, and the default is for Strategic Blue to only have Billing Access.
In some of these models Strategic Blue has higher levels of access to the cloud services than are required. These are only used when necessary to configure or set up the service, as defined in the service description.
Understanding the Data Processing model
Strategic Blue, by default, follows best practices and works from a principle of least privilege. Strategic Blue will only request the minimum level of permissions required for us to provide our services.
The following diagram shows the data that we hold and process.
Strategic Blue requires no access to any customer data for its day-to-day operations.
Strategic Blue will require read-only access to billing data in order to extract customer metadata regarding billing information and current reservations. The data will be limited to only what is required for Strategic Blue to conduct its review and invoicing function. The data will be aggregated and processed by our automated systems, and the resulting summary information takes the form of invoices and recommendations for change, our Blue Review. Strategic Blue will only collect data regarding billing and instances, such as the quantity, class and region, as this will enable us to make recommendations.
Invoices & Recommendations
We aggregate customer billing data and commitment data to provide (a) invoices, (b) recommendations for cost optimization. These recommendations may include but are not limited to changing an instance size, generation, class or location.
As a customer you will retain responsibility for managing access to all Cloud services and resources outside the remit of Strategic Blue.
Customers are normally responsible for the creation and ownership of accounts and as such will be required to accept the terms and conditions stated by their cloud vendor. Strategic Blue will only look at billing information and will manage instances.
Customers should not use tags with personally identifiable information, or other sensitive information as this will be visible in billing information.
As a precaution, Strategic Blue checks that there are no unnecessary rights during the technical onboarding phase and if there are we will request the removal of these rights.
- What access do you have to my data?
We have read access to the billing information and any associated metadata for billing and reserved instances. We work on a ‘least privilege’ basis to ensure that only the minimum set of access rights is provided.
- Do you have access to my systems and data once consolidated?
In AWS, access within sub-accounts has to be explicitly granted and does not flow from a master account into a linked child account. Customers can remove the AWS OrganizationAccountAccessRole within linked accounts, so that Strategic Blue has no access to user data.
In Google Cloud we have no access to customer data, only billing data.
In Azure Cloud we do have access to customer data, as the required default is an Administrative role for resellers. We do not use this access, and are happy for our usage to be fully monitored and audited.
- How will my data be handled in transit?
TLS and HTTPS encryption will provide secure communication of any data in transit.
- How will my data be handled at rest?
Billing data is encrypted using server side encryption, to provide encryption at rest.
- Do you have access to the IP address information of my servers?
For AWS & Azure users we do have access to the server names and attached internal IP addresses of the servers, although we do not request or use this information. We have no access to VPC and subnet information, nor any access to data flow logs and information.
In Google Cloud we have no access to server information or IP addresses, only billing usage.
- What security frameworks do you have in place?
Strategic Blue does not have any formal security framework accreditation in place, but is currently going through a process of quality assurance to be able to gain these.
- How do you control who has access to my data?
Strategic Blue staff have very limited access to client information beyond the monthly cloud spend, which is managed by the Finance team for billing purposes, and the recommendations report, which is managed by the Account management team. Access to systems and file shares is managed on a ‘need to know’ basis.
- How long will my data be retained?
Retention of billing data and recommendations reports is for up to 7 years and/or the lifetime of the contract with a given customer. Once data is no longer required the data is deleted.
- How do you manage your infrastructure and systems to ensure they are secured?
Our corporate infrastructure is provisioned through a mixture of AWS and Google Workspace. The infrastructure is secured by the cloud vendor as their responsibility in a shared security model. Our systems are accessible only through password-protected access. Any data held is encrypted. Privileged access to our data is further protected through multi-factor authentication (MFA).
- How do you confirm data deletion?
Our data is held within cloud-based systems and the cloud vendor takes responsibility for encryption at rest and non-recoverable deletion.
For example, “When an object is deleted from Amazon S3, removal of the mapping from the public name to the object starts immediately, and is generally processed across the distributed system within several seconds. Once the mapping is removed, there is no remote access to the deleted object. The underlying storage area is then reclaimed for use by the system.”
- Can you give examples of how you adhere to privacy legislation, i.e. GDPR?
We do not hold any customer personally identifiable information and therefore GDPR does not apply for the main data sets. Our sales & marketing team holds (potential) customer information for the purposes of information updates & sales, which is handled appropriately with the required opt-out option available.
- Are staff trained and qualified to handle customer data?
Staff are trained on a regular basis on customer confidentiality, current legislation and how sensitive data should be handled. Our staff are vetted to UK government standard level (BPSS).
- Can you create an Account/Project/Subscription on my behalf?
For AWS and Azure, Strategic Blue can create an Account or Subscription on your behalf, when requested to do so. Customers need to note that we are accepting the Vendor End Customer Agreement on their behalf.
For Google Cloud we would not create new projects as we would not normally have the rights to do so, unless agreed beforehand and explicitly granted by the Customer.
- How are permissions allocated?
Strategic Blue normally only has the permissions granted by the customer for AWS & Google Cloud.
For AWS this is Role-based access to be able to read an S3 bucket of billing information.
We require no additional rights above Billing manager for Google Cloud, and require Digital Partner of Record (DPOR) and Billing reader for the Subscriptions for Azure.
- How do you use the data you have?
We use the billing data we hold to provide clear billing across all your cloud services. We can also use this data to set billing alerts on predicted spend so that we can alert you if there is a risk of you exceeding a defined billing threshold.
We use the aggregated billing data along with industry information to provide recommendations on ways to save money on your cloud costs.